Chapter 8 Managing Users and Identity Stores

Managing External Identity Stores

Joining ACS to an AD Domain

After you configure the AD identity store in ACS through the ACS web interface, you must submit the configuration to join ACS to the AD domain. For more information on how to configure an AD identity store, see Configuring an AD Identity Store, page 8-48.

Note The Windows AD account that joins ACS to the AD domain can be placed in its own organizational unit (OU), either when the account is created or later on. The one restriction is that the appliance name must match the name of the AD account.

Note ACS does not support authenticating an AD user whose user name is supplied with an alternative UPN suffix that is configured at the OU level. Authentication works if the UPN suffix is configured at the domain level.
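The two notes above describe conditions that are easy to verify in AD before submitting the join. The following pre-join check is an added example, not code from the Cisco guide; it assumes the RSAT ActiveDirectory module is available, that the pre-created ACS account is a computer object, and that the appliance name and sample UPN passed in are your own values.

```powershell
# Added pre-join check (not part of the Cisco ACS user guide).
# Assumes: RSAT ActiveDirectory module, read access to the domain, and that the
# account pre-created for ACS is a computer object named after the appliance.
Import-Module ActiveDirectory

function Test-AcsJoinPrerequisites {
    param(
        [Parameter(Mandatory)] [string] $ApplianceName,  # ACS appliance host name
        [Parameter(Mandatory)] [string] $SampleUpn       # a UPN ACS must authenticate
    )
    $result = [ordered]@{}

    # 1. The AD account used for the join may live in any OU, but its name must
    #    match the appliance name (first Note above).
    $acct = Get-ADComputer -Filter "Name -eq '$ApplianceName'" -ErrorAction SilentlyContinue
    $result.AccountFound = [bool]$acct
    $result.AccountOu    = if ($acct) { ($acct.DistinguishedName -split ',', 2)[1] } else { $null }

    # 2. The user's UPN suffix must exist at forest/domain level. A suffix that is
    #    only an OU-level alternative suffix is not supported by ACS (second Note).
    $suffix = ($SampleUpn -split '@')[-1]
    $forest = Get-ADForest
    $domainLevelSuffixes = @($forest.Domains) + @($forest.UPNSuffixes)
    $result.UpnSuffix            = $suffix
    $result.SuffixAtDomainLevel  = $domainLevelSuffixes -contains $suffix
    # OU-level alternative suffixes are stored in the uPNSuffixes attribute of the OU.
    $ouWithSuffix = Get-ADOrganizationalUnit -LDAPFilter "(uPNSuffixes=$suffix)"
    $result.SuffixOnlyAtOuLevel  = (-not $result.SuffixAtDomainLevel) -and [bool]$ouWithSuffix

    $result.ReadyToJoin = $result.AccountFound -and $result.SuffixAtDomainLevel
    return [pscustomobject]$result
}

# Example values are assumed; replace with your appliance name and a real user UPN.
Test-AcsJoinPrerequisites -ApplianceName 'acs-appliance01' -SampleUpn 'jdoe@example.com' |
    Format-List
```

If SuffixOnlyAtOuLevel is true for a user population, either add the suffix at the forest level or have those users authenticate with a domain-level suffix before relying on ACS for them.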

Related Topic

Machine Authentication, page B-34

Configuring an AD Identity Store

When you configure an AD identity store, ACS also creates:

A new dictionary for that store with the attribute ExternalGroups, plus one attribute for each attribute retrieved from the Directory Attributes page.

A new attribute, IdentityAccessRestricted. You can manually create a custom condition for this attribute.

A custom condition for group mapping from the ExternalGroups attribute; the custom condition name is AD1:ExternalGroups. A further custom condition is created for each attribute selected in the Directory Attributes page (for example, AD1:cn).

You can edit the predefined condition name, and you can create a custom condition from the Custom condition page. See Creating, Duplicating, and Editing a Custom Session Condition, page 9-5.

To authenticate users and join ACS with an AD domain:

Step 1 Select Users and Identity Stores > External Identity Stores > Active Directory.

The Active Directory page appears.

Step 2 Modify the fields in the General tab as described in Table 8-10.

Table 8-10 Active Directory: General Page

Option                          Description
Connection Details
Active Directory Domain Name    Name of the AD domain to join ACS to.


User Guide for Cisco Secure Access Control System 5.3

8-48

OL-24201-01
