  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2361

ACS 5.2 with multiple Active Directory and dynamic VLAN

Hello,

I'm about to install a wireless installation. I'm using an ACS 5.2 appliance and PEAP authentication.
The problem is, there are two ADs. How do you set up CA with two ADs and ACS 5.1?

Is there any difference between ACS 5.1 and 5.2 in the matter of the number of ADs that you can connect to an ACS?

I also want to assign VLANs dynamically to users that authenticate. How do you set this up in the ACS?
I have created the Authorization Profiles with the VLANs, but how do I tie them to users in either one of the two ADs?

Thanks in advance.

Asked by: regnander
1 Solution
 
erdelgad commented:
Hello,

You can only integrate the ACS with one single domain but you can authenticate to many domains.

This can be possible by using a two-way relationship between all required AD servers.

Please make sure that the account that you are going to use to bind the ACS with AD is a domain account and has read permissions to all the required domains.

In regards to DVLAN, this can be done with an authorization profile as you say. As ACS is a policy-based server, you have to create some policies for this matter.

Example:

Under Network Access you configure a policy with the following conditions.

AD1 external groups: xxxxxx; the result will be the authorization profile with the DVLAN information.

Hope this makes sense to you; if not, just let me know and I can try to be more clear. With ACS 5 it is hard to explain things sometimes.

Erick Delgado
ACS specialist.
 
regnander (Author) commented:
If I upgrade to ACS 5.2, does this solution still apply?

What is the major difference between 5.1 and 5.2?
 
erdelgad commented:
Hello,

The only main differences between those two versions are the features.
The most important new feature is that ACS 5.2 supports Windows 2008 R2.
If you want to see the full features, please see the link below:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/release/notes/acs_52_rn.html#wp71092
Unless you have Windows 2008 R2, I strongly suggest staying on the ACS 5.1 patch 6 path.

 
regnander (Author) commented:
Hi Erick,

I can't seem to find how to configure the AD1 external groups under Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles.

Am I looking in the wrong place?

Can you please advise me, or maybe explain this in more detail?

Also, what features in 2008 R2 is it that 5.2 supports, in more detail?

Thanks in advance.
 
erdelgad commented:
Hello,

The AD1 external groups are disabled by default. You have to go to Customize, which is on the bottom right, and move AD1 to the right.

Please notice that AD integration has to be done prior to this.

No features. Any version prior to ACS 5.2 does not support Windows 2008 R2 for authentication.


Please do not hesitate to contact me if you have more questions.

Erick Delgado
ACS specialist.
 
regnander (Author) commented:
Thanks.

I will try this as soon as possible to see if it does the trick.

//Gregor Regnander
 
regnander (Author) commented:
I have set up one connection to the first AD using the ACS's AD connector and one connection to the second AD using LDAP.

Based on this, I could build an access policy verifying access on either the AD or the LDAP connection, right?
It's not a clean and neat solution, I know.

I might go with setting up a second LDAP connection and just using one type of external identity store.

What are the pros and cons of my approach? Comments please.

//regnander
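Erick's earlier description (a Network Access rule whose condition is membership in an AD1 external group and whose result is an authorization profile carrying the VLAN) and regnander's plan of one AD connector plus one LDAP store, modelled together as an added Python example. This is not code from the thread or from Cisco ACS; the store names (AD1, LDAP2), users, groups and VLAN ids are constructed, and the RADIUS attribute values are the standard ones a switch or wireless controller expects for VLAN assignment (RFC 3580: Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=VLAN).

```python
"""Model of ACS 5.x-style network access policy for dynamic VLAN assignment.

Added example; store names, users, groups and VLAN ids are constructed.
"""
from dataclasses import dataclass

# RADIUS attribute values for VLAN assignment (RFC 3580 / RFC 2868).
TUNNEL_TYPE_VLAN = 13       # Tunnel-Type: VLAN
TUNNEL_MEDIUM_IEEE_802 = 6  # Tunnel-Medium-Type: IEEE-802


@dataclass(frozen=True)
class AuthorizationProfile:
    """An ACS authorization profile that returns a VLAN to the NAS."""
    name: str
    vlan: str  # VLAN id or name sent in Tunnel-Private-Group-ID

    def radius_attributes(self) -> dict:
        return {
            "Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
            "Tunnel-Private-Group-ID": self.vlan,
        }


@dataclass(frozen=True)
class Rule:
    """One row of the Network Access authorization policy."""
    name: str
    store: str   # identity store the condition reads (e.g. "AD1" or "LDAP2")
    group: str   # external group (AD) or group DN (LDAP) the user must be in
    result: AuthorizationProfile


# Constructed identity-store contents: one store per domain (hypothetical).
IDENTITY_STORES = {
    "AD1": {  # joined domain, read through the ACS AD connector
        "alice": ["corp.example/Users/Staff"],
        "bob": ["corp.example/Users/Contractors"],
    },
    "LDAP2": {  # second domain, reached over LDAP
        "carol": ["cn=staff,ou=groups,dc=partner,dc=example"],
    },
}

# Identity store sequence: stores are tried in this order, first hit wins.
STORE_SEQUENCE = ("AD1", "LDAP2")

# Policy rows, evaluated top to bottom; first match wins.
POLICY = [
    Rule("staff-ad1", "AD1", "corp.example/Users/Staff",
         AuthorizationProfile("Staff-VLAN", "10")),
    Rule("staff-partner", "LDAP2", "cn=staff,ou=groups,dc=partner,dc=example",
         AuthorizationProfile("Partner-VLAN", "20")),
]


def lookup_groups(username: str, sequence=STORE_SEQUENCE):
    """Return (store, groups) from the first store that knows the user, or (None, [])."""
    for store in sequence:
        groups = IDENTITY_STORES[store].get(username)
        if groups is not None:
            return store, list(groups)
    return None, []


def authorize(username: str, policy=POLICY):
    """Return (rule name, RADIUS attributes) for the first matching rule.

    Returns None when the user is unknown in every store or no rule matches
    (the implicit default rule of the policy: deny access).
    """
    store, groups = lookup_groups(username)
    if store is None:
        return None  # not found in any identity store: reject
    for rule in policy:
        if rule.store == store and rule.group in groups:
            return rule.name, rule.result.radius_attributes()
    return None  # default rule: no profile, deny access


if __name__ == "__main__":
    for user in ("alice", "carol", "bob", "mallory"):
        print(user, "->", authorize(user))
```

Two things this makes visible that the GUI hides: a user who authenticates but matches no rule falls through to the default rule and is rejected rather than silently landing on a VLAN, and the store sequence decides which store's groups a username is evaluated against, so a username that exists in both domains only ever matches rules written against the first store in the sequence.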
