ACS Integration

I wanted to forward the authentication request of my Application Server to a Cisco ACS Server. My Application Server does not understand AAA, TACACS, RADIUS kinds of protocols. Basically I wanted to use the Cisco ACS User Database for authenticating, to make my Application Server single sign-on.
Any suggestion most appreciated.
Mukunda Rao

SpideyMod Commented:
PAQ'd and points NOT refunded.

Community Support Moderator @Experts Exchange
The only thing I can think of would be to put a firewall between the users and the app.  The firewall could block access until authentication against the ACS server is used.  We do this at my work for some Internet apps.
mukundarao (Author) Commented:
Thanks Scraig,
Application Server and the ACS Server both exist inside the firewall. I am looking for a Single Sign-on solution.
Mukunda Rao

I understand that your current environment probably doesn't have a firewall between the app server and its users.  However, since you have an app that doesn't understand common authentication protocols, but you want the app to use ACS which is based on common authentication protocols, you will probably need to put something between the server and its users to intercept requests and forward them to the ACS box.  I don't think there is any way to magically force the ACS box to work with an app that doesn't use any of the protocols it's designed to handle as an alternative.
What operating system is your application server running?
ACS can forward authentication to an NT domain controller, and your application should be able to authenticate with NT domain users. This would give you single sign-on using the NT domain user database.
mukundarao (Author) Commented:
I wanted to use the ACS User database for authenticating our Application server users. Or in other words we wanted to just store the user name in our Application server and store the passwords in the ACS user database, and when our Application user tries to log in I wanted to forward the Authentication request to the ACS Server.
ACS Documentation says how to use an external user database for forwarding the request from ACS to an external application, not the other way around.

Any suggestions???

Mukunda Rao
Let me see if I am understanding what you are saying.  Basically, the user logs into an App Server and you want the server to forward the login request to the ACS user database so that you have a single username and password to maintain.

Based on the assumption that what I've said above is true, I think that LRMoore is on the right track.  What OS are you running?  ACS can authenticate users against several "third-party" directories (e.g. LDAP, NT/2000, NDS, etc).  For example, if your servers are running NT, then you could have a single sign-on because your ACS password would be the same as your NT password.

What SCraig84 is saying is that if you place a firewall or router between the App servers and the users, then you could force the firewall to authenticate the users before allowing them through to the servers.  Unfortunately, for this to work as a single sign-on, you would have to leave the server wide open so the users could access them without having to re-authenticate.

If neither of the options given by SCraig84 or LRMoore work for you, then your only hope would be to find some third party software plug-in for your App server that would allow it to authenticate against a RADIUS / TACACS+ server.  Other than that, I can't think of any way to make this happen.  

If you want us to help you look for a RADIUS / TACACS+ plug-in, then we will need to know the OS the App servers are running.

Hope it helps.  Good luck!
Probably off the wall, but I've seen mod_tacacs and mod_radius for the Apache web server (if that's what your app server is)
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area for this question:

I recommend: PAQ or, delete, no refund

If you would like to keep this question open for more expert input, this cleanup effort will get it closer to the top of the list where it will get more visibility for the experts.

If there is any objection or other expert commentary to this recommendation then please post in here within 7 days.
If you feel that your question was not properly addressed, or that none of the comments received were appropriate answers, please post a request in Community support (with a link to this page) to refund your points.


EE Cleanup Volunteer