Chapter 8 Managing Users and Identity Stores

Managing External Identity Stores

If AD is already configured and you want to remove the configuration, click Clear Configuration after verifying that no policy rules use custom conditions based on the AD dictionary; rules that still reference AD dictionary attributes stop evaluating as intended once the configuration is cleared.

AD Deployments with Users Belonging to a Large Number of Groups

In ACS 5.3, when you move between AD domains, authentication of a user who belongs to a large number of groups (more than 50) fails with a timeout error. Subsequent authentications of the same user, or of another user belonging to the same groups, succeed. The cause is the adclient.get.builtin.membership parameter in the ACS AD agent configuration. When this parameter is set to true, the agent issues many additional requests to resolve built-in group membership, which takes a long time for users who belong to a large number of groups. Note also that the AD built-in groups are not available for use in ACS policies even when adclient.get.builtin.membership is set to true. To avoid the timeout, set adclient.get.builtin.membership to false.

To set the adclient.get.builtin.membership parameter, perform the following steps in the ACS CLI:

Step 1 Log in to the ACS CLI and enter configuration mode.

Step 2 Enter the following commands:

acs-config

ad-agent-configuration adclient.get.builtin.membership false

Note Even with the parameter set to false, the first authentication of a user who belongs to a large number of groups may still fail with a timeout error. Subsequent authentications of the same user, or of another user belonging to the same groups, succeed.

Joining ACS to Domain Controllers

When ACS needs to connect to a domain controller or a global catalog, it sends DNS SRV queries to the configured DNS servers to obtain the list of available domain controllers for the domain and global catalogs for the forest.

If the Active Directory configuration on the ACS machine is assigned to a subnet that is in turn assigned to an AD site, ACS scopes its DNS queries to that site. That is, the DNS server is expected to return only the domain controllers and global catalogs that serve the site to which the subnet is assigned.

If the ACS machine is not assigned to a site, ACS sends unscoped DNS queries. That is, the DNS server is expected to return all available domain controllers and global catalogs, regardless of site.

ACS then iterates over the returned list of domain controllers or global catalogs and attempts to connect to each in the order in which they appear in the DNS response. It does not reorder the list by SRV priority or weight, so the order in which the DNS server returns records determines which server is tried first.
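The following is an added example and is not code from the Cisco ACS user guide or from ACS itself. It shows the well-known Active Directory SRV names that the lookup described above resolves, with and without a site scope, and contrasts the response-order walk described for ACS with a priority-honouring order so that the difference is visible on fixed input. The domain corp.example.com, forest example.com, site Site-A and the host names are constructed sample data; resolve_srv assumes the third-party dnspython 2.x package and is only for checking a live DNS server, so the sample run does not call it.

```python
"""Added example (not from the Cisco ACS user guide): the DNS SRV names that
ACS resolves for domain controllers and global catalogs, with and without a
site scope, and the order in which returned hosts would be tried.

The SRV names are the standard Active Directory well-known records; the
domain, forest, site and host names are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    """One SRV answer as returned by the DNS server."""
    priority: int
    weight: int
    port: int
    target: str


def dc_srv_name(domain: str, site: Optional[str] = None) -> str:
    """SRV name for the LDAP service on the domain controllers of `domain`.

    With `site` set, the name is scoped to the DCs that serve that AD site,
    which is the query sent when the ACS configuration is mapped to a subnet
    that belongs to a site.
    """
    if site:
        return f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}."
    return f"_ldap._tcp.dc._msdcs.{domain}."


def gc_srv_name(forest: str, site: Optional[str] = None) -> str:
    """SRV name for the global catalogs of `forest`, optionally site-scoped.

    Global catalogs are looked up per forest (the forest root domain name),
    not per child domain.
    """
    if site:
        return f"_gc._tcp.{site}._sites.{forest}."
    return f"_gc._tcp.{forest}."


def lookup_plan(domain: str, forest: str, site: Optional[str] = None) -> Dict[str, str]:
    """The two queries needed for one domain: its DCs and the forest's GCs."""
    return {"dc": dc_srv_name(domain, site), "gc": gc_srv_name(forest, site)}


def response_order(records: List[SrvRecord]) -> List[str]:
    """host:port candidates in the order the DNS response listed them.

    This is the order described in the text: the answer list is walked as
    received, with no reordering by SRV priority or weight.
    """
    return [f"{r.target.rstrip('.')}:{r.port}" for r in records]


def rfc2782_order(records: List[SrvRecord]) -> List[str]:
    """For comparison: priority-honouring order (lowest priority first).

    RFC 2782 breaks ties by weighted random choice; this deterministic
    version puts higher weight first so the difference from
    response_order() is visible on fixed input.
    """
    ordered = sorted(records, key=lambda r: (r.priority, -r.weight))
    return response_order(ordered)


def resolve_srv(name: str) -> List[SrvRecord]:
    """Live lookup of an SRV name with dnspython (assumed installed, 2.x API).

    Use this to see what your DNS servers actually return for the names
    above; it is not called by the sample run, so the example runs offline.
    """
    import dns.resolver  # third-party; assumption: dnspython 2.x is present
    answer = dns.resolver.resolve(name, "SRV")
    return [SrvRecord(r.priority, r.weight, r.port, r.target.to_text()) for r in answer]


# Constructed sample answer to the site-scoped DC query for corp.example.com.
# dc2 is listed first but carries the worse (higher) priority value.
SAMPLE_DC_ANSWER = [
    SrvRecord(priority=10, weight=100, port=389, target="dc2.corp.example.com."),
    SrvRecord(priority=0, weight=100, port=389, target="dc1.corp.example.com."),
]


if __name__ == "__main__":
    plan = lookup_plan("corp.example.com", "example.com", site="Site-A")
    for kind, name in plan.items():
        print(f"{kind}: {name}")
    print("response order:", response_order(SAMPLE_DC_ANSWER))
    print("priority order:", rfc2782_order(SAMPLE_DC_ANSWER))
```

Because the walk follows response order, and DNS servers commonly rotate the order of records between answers, the first server ACS tries can vary from one lookup to the next; if a particular domain controller must be preferred, restrict the site-scoped record set rather than relying on SRV priority values.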

User Guide for Cisco Secure Access Control System 5.3
OL-24201-01