ACS 5.2 with multiple Active Directory and dynamic VLAN

Hello,

I'm about to install a wireless installation. I'm using an ACS 5.2 appliance and PEAP authentication.
The problem is, there are two ADs. How do you set up CA with two ADs and ACS 5.1?

Is there any difference between ACS 5.1 and 5.2 in the matter of the number of ADs that you can connect to an ACS?

I also want to assign VLANs dynamically to users that authenticate. How do you set this up in the ACS?
I have created the Authorization Profiles with the VLANs, but how do I tie them to users in either one of the two ADs?

Thanks in advance.

regnander asked:

erdelgad commented:
Hello,

You can only integrate the ACS with one single domain, but you can authenticate to many domains.

This can be made possible by using a two-way relationship between all required AD servers.

Please make sure that the account that you are going to use to bind the ACS with AD is a domain account and has read permissions to all the required domains.

In regards to DVLAN, this can be done with an authorization profile, as you say. As ACS is a policy-based server, you have to create some policies for this matter.

Example:

Under network access you configure a policy with the following condition:

AD1 external groups: xxxxxx. The result will be the authorization profile with the DVLAN information.

Hope this makes sense to you; if not, just let me know and I can try to be clearer. With ACS 5 it is hard to explain things sometimes.

Erick Delgado
ACS specialist.
0
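The "DVLAN information" carried by such an authorization profile is, on the wire, the three RFC 2868 tunnel attributes that ACS puts in the RADIUS Access-Accept. The following is an added example, not code from this thread or from Cisco, that builds those attributes for a VLAN id and parses them back the way a controller would, rejecting incomplete or inconsistent sets (the attribute numbers and values are from RFC 2868; the tag value 1 is an assumption about what the profile sends):

```python
import struct

# RFC 2868 attribute types and the values used for 802.1X dynamic VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

def _avp(attr, value):
    """One RADIUS attribute-value pair: type, length (header included), value."""
    return struct.pack("!BB", attr, 2 + len(value)) + value

def encode_vlan_attributes(vlan_id, tag=1):
    """Tunnel-Type=VLAN, Tunnel-Medium-Type=802 and Tunnel-Private-Group-ID=<vlan>, all with one tag."""
    if not 0 < vlan_id < 4095:
        raise ValueError("VLAN id out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must fit in 5 bits")
    tagged_int = lambda v: bytes([tag]) + v.to_bytes(3, "big")   # tag byte + 3-byte integer
    return (_avp(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
            + _avp(TUNNEL_MEDIUM_TYPE, tagged_int(MEDIUM_IEEE_802))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii")))

def parse_avps(data):
    """Yield (type, value) pairs from a RADIUS attribute blob, refusing malformed lengths."""
    i = 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        yield attr, data[i + 2:i + length]
        i += length

def vlan_from_access_accept(data):
    """Return the VLAN id only if all three tunnel attributes are present, agree on the tag, and are consistent."""
    found = {}
    for attr, val in parse_avps(data):
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(val) != 4:
                raise ValueError("tagged integer must be 4 bytes")
            found[attr] = (val[0], int.from_bytes(val[1:], "big"))
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            # A leading byte <= 0x1F is a tag; anything larger is the first character of an untagged string
            tag, s = (val[0], val[1:]) if val and val[0] <= 0x1F else (0, val)
            found[attr] = (tag, s.decode("ascii"))
    if set(found) != {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}:
        return None                      # incomplete set: switch falls back to the port's static VLAN
    if len({tag for tag, _ in found.values()}) != 1:
        return None                      # attributes belong to different tunnel groups
    if found[TUNNEL_TYPE][1] != TUNNEL_TYPE_VLAN or found[TUNNEL_MEDIUM_TYPE][1] != MEDIUM_IEEE_802:
        return None
    group = found[TUNNEL_PRIVATE_GROUP_ID][1]
    return int(group) if group.isdigit() else None
```

Comparing the decoded VLAN against what the authorization profile was meant to assign is a quick way to confirm the policy rule matched the intended AD group.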
 
regnander (Author) commented:
If I upgrade to ACS 5.2, does this solution still apply?

What is the major difference between 5.1 and 5.2?
0
 
erdelgad commented:
Hello,

The only main differences between those two versions are the features.
The most important new feature is that ACS 5.2 supports Windows 2008 R2.
If you want to see the full list of features, please see the link below:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/release/notes/acs_52_rn.html#wp71092
Unless you have Windows 2008 R2, I strongly suggest staying on the ACS 5.1 patch 6 path.
0
 
regnander (Author) commented:
Hi Eric,

I can't seem to find how to configure the AD1 external groups under Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles.

Am I looking in the wrong place?

Can you please advise me or maybe explain this in more detail?

Also, what features in 2008 R2 is it that 5.2 supports, in more detail?

Thanks in advance.
0
 
erdelgad commented:
Hello,

The AD1 external groups are disabled by default. You have to go to Customize, which is at the bottom right, and move AD1 to the right.

Please notice that AD integration has to be done prior to this.

No features. Any version prior to ACS 5.2 does not support Windows 2008 R2 for authentication.


Please do not hesitate to contact me if you have more questions.

Erick Delgado
ACS specialist.
0
 
regnander (Author) commented:
Thanks.

I will try this as soon as possible to see if it does the trick.

//Gregor Regnander
0
 
regnander (Author) commented:
I have set up one connection to the first AD using the ACS's AD connector and one connection to the second AD using LDAP.

Based on this I could build an access policy verifying access on either the AD or the LDAP connection, right?
It's not a clean and neat solution, I know.

I might go with setting up a second LDAP connection and just using one type of external identity store.

What are the pros and cons of my approach? Comments please.

//regnander
0