mukundarao
ACS Integration

I wanted to forward the authentication request of my Application Server to a Cisco ACS Server. My Application Server does not understand AAA, TACACS, RADIUS kind of protocols. Basically I wanted to use the Cisco ACS User Database for authenticating, to make my Application Server single sign-on.
Any suggestion most appreciated.
Mukunda Rao
scraig84

The only thing I can think of would be to put a firewall between the users and the app.  The firewall could block access until authentication against the ACS server is used.  We do this at my work for some Internet apps.
mukundarao
ASKER
Thanks Scraig,
The Application Server and the ACS Server both exist inside the firewall. I am looking for a single sign-on solution.
Mukunda Rao
I understand that your current environment probably doesn't have a firewall between the app server and its users.  However, since you have an app that doesn't understand common authentication protocols, but you want the app to use ACS which is based on common authentication protocols, you will probably need to put something between the server and its users to intercept requests and forward them to the ACS box.  I don't think there is any way to magically force the ACS box to work with an app that doesn't use any of the protocols it's designed to handle as an alternative.
Les Moore
What operating system is your application server running?
ACS can forward authentication to an NT domain controller, and your application should be able to authenticate with NT domain users. This would give you single sign-on using the NT domain user database.
I wanted to use the ACS user database for authenticating our Application Server users. Or in other words, we wanted to just store the user name in our Application Server and store the passwords in the ACS user database, and when our Application user tries to log in I wanted to forward the authentication request to the ACS Server.
The ACS documentation says how to use an external user database for forwarding the request from ACS to an external application, not the other way around.

Any suggestions???

Mukunda Rao
Let me see if I am understanding what you are saying.  Basically, the user logs into an App Server and you want the server to forward the login request to the ACS user database so that you have a single username and password to maintain.

Based on the assumption that what I've said above is true, I think that LRMoore is on the right track.  What OS are you running?  ACS can authenticate users against several "third-party" directories (e.g. LDAP, NT/2000, NDS, etc).  For example, if your servers are running NT, then you could have a single sign-on because your ACS password would be the same as your NT password.

What SCraig84 is saying is that if you place a firewall or router between the App servers and the users, then you could force the firewall to authenticate the users before allowing them through to the servers.  Unfortunately, for this to work as a single sign-on, you would have to leave the server wide open so the users could access them without having to re-authenticate.

If neither of the options given by SCraig84 or LRMoore work for you, then your only hope would be to find some third party software plug-in for your App server that would allow it to authenticate against a RADIUS / TACACS+ server.  Other than that, I can't think of any way to make this happen.

If you want us to help you look for a RADIUS / TACACS+ plug-in, then we will need to know the OS the App servers are running.

Hope it helps.  Good luck!
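To show what the "plug-in that authenticates against a RADIUS server" option amounts to on the wire, here is an added example (not code from the thread or from Cisco): a minimal RADIUS PAP client per RFC 2865 that builds an Access-Request, obfuscates the password with the shared secret, and verifies the Response Authenticator before trusting an Access-Accept. The shared secret, the NAS-Identifier, the user name and the password are constructed values; `build_response` stands in for the ACS side so the verification can be exercised offline.

```python
import hashlib, hmac, os, socket, struct
CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32

def _attr(attr_type, value):  # RADIUS attribute TLV: type, length (header included), value
    return struct.pack("BB", attr_type, len(value) + 2) + value

def encode_pap_password(password, secret, authenticator):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous
    # ciphertext block); the chain is seeded with the 16-byte Request Authenticator
    padded = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def decode_pap_password(encoded, secret, authenticator):  # server side / round-trip self-check
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(username, password, secret, identifier, nas_id=b"app-server", authenticator=None):
    # Packet layout: Code(1) Identifier(1) Length(2) Request Authenticator(16) Attributes
    authenticator = authenticator or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username) + _attr(ATTR_NAS_IDENTIFIER, nas_id)
    attrs += _attr(ATTR_USER_PASSWORD, encode_pap_password(password, secret, authenticator))
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs, authenticator

def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    # Server side (stand-in for ACS): Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def response_is_authentic(response, identifier, request_authenticator, secret):
    # Client side: check length, identifier and Response Authenticator before trusting an Access-Accept
    if len(response) < 20 or response[1] != identifier or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def authenticate(host, username, password, secret, port=1812, timeout=3.0):
    # One Access-Request over UDP to the ACS box; True only on a verified Access-Accept
    ident = os.urandom(1)[0]
    pkt, auth = build_access_request(username, password, secret, ident)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (host, port))
        resp, _ = s.recvfrom(4096)
    return response_is_authentic(resp, ident, auth, secret) and resp[0] == CODE_ACCESS_ACCEPT
```

The app server would also need to be registered on the ACS side as a AAA client with the same shared secret, and since PAP only obfuscates the password with an MD5 chain keyed by that secret, the secret should be long and random and the path to ACS kept on a trusted segment.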
Probably off the wall, but I've seen mod_tacacs and mod_radius for the Apache web server (if that's what your app server is)
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area for this question:

I recommend: PAQ or, delete, no refund

If you would like to keep this question open for more expert input, this cleanup effort will get it closer to the top of the list where it will get more visibility for the experts.

If there is any objection or other expert commentary to this recommendation then please post in here within 7 days.
If you feel that your question was not properly addressed, or that none of the comments received were appropriate answers, please post a request in Community support (with a link to this page) to refund your points. https://www.experts-exchange.com/Community_Support/

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

thanks,
lrmoore
EE Cleanup Volunteer
---------------------
ASKER CERTIFIED SOLUTION
SpideyMod