Steps to integrate ACS with AD

• Windows Server 2008 configuration
  • Synchronize with time server using NTP
  • Create Cisco Administrators security group
  • Assign users to created security group
• Cisco ACS configuration
  • Synchronize with time server using NTP
  • Define correct DNS
  • Define AD connection and Security Group mapping
  • Define Shell Profile
  • Define Access Policy – Edit Default Device Admin
  • Identity
  • Authorization
  • Define Access Policy – Define Service Selection Rule
• Cisco router configuration for AAA support
• Windows Server 2008 configuration - Synchronize with time server using NTP
  • Log into your PDC Server and open the command prompt
  • Stop the W32Time service: (C:\net stop w32time)
  • Configure the external time sources: (c:\w32tm /config /syncfromflags:manual /manualpeerlist:â€192.168.1.5â€)
  • Make your PDC a reliable time source for the clients (c:/w32tm /config /reliable:yes)
  • Start the W32Time Service: (C:\net start w32time)
  • The windows time service should begin synchronizing the time. You can check the external NTP servers in the time configuration by typing: c:\w32tm /query /configuration
  • Check the Event Viewer for any errors

• Windows Server 2008 configuration - Create Cisco Administrators security group

  Windows Server 2008 configuration - Assign users to created security group

  • Click on user and then click on Member of Tab
  • Click Add
  • Type in the created security group
  • Click on Check Names to verify then click OK and OK again to close user.
  Cisco ACS configuration - Synchronize with time server using NTP
  • enter on ACS CLI: clock timezone US/Eastern (verify by typing: show clock)

    US/Indiana-Starke

    US/Pacific

    US/Michigan

    US/Mountain

    US/Central

    US/Samoa

    US/Arizona

    US/Eastern

    US/Alaska

    US/East-Indiana

    US/Hawaii

    US/Aleutian

  • enter on ACS CLI: ntp server 192168.1.5 (verify by typing: show ntp)
  Cisco ACS configuration - Define correct DNS
  • enter on ACS CLI: ip name-server 192.168.2.6 (verify by typing: ping dc.mywiseguys.com)
  Cisco ACS configuration - Define AD connection and Security Group mapping
  • browse to the web interface: [url=http://192.168.1.201/acsadmin]http://192.168.1.201/acsadmin

• browse to Users and Identity Stores - External Identity Stores - Active Directory
• Enter:
  • General Tab: Active Directory Domain Name
  • General Tab: Credentials used to join this machine to the AD domain (username and password) - Click Test Connection to verify (NOTE1: password must not contain certain special characters like # or $ or " , etc , which does not work on cisco devices.)(NOTE2: Predefined user in AD. AD account required for domain access in ACS should have either of the following: Add workstations to domain user right in corresponding domain OR Create Computer Objects or Delete Computer Objects permission on corresponding computers container where ACS machine's account is precreated (created before joining ACS machine to the domain). We recommend that you disable the lockout policy for the ACS account and configure the AD infrastructure to send alerts to the admin if a wrong password is used for that account. This is because if you enter a wrong password, ACS will not create or modify its machine account when it is necessary and therefore possibly deny all authentications.)
  • General Tab: Click Save
  • General Tab: Look at bottom under Connection Status and verify it says CONNECTED
  • Directory Groups: click Select and place checkmark in created security group and click OK
  • Directory Groups: click Save

• Cisco ACS configuration - Define Shell Profile
  • browse to the web interface: [url=http://192.168.1.201/acsadmin]http://192.168.1.201/acsadmin
• browse to Policy Elements - Authorization & Permissions - Device Administratrion - Shell Profiles
• click Create
  • General Tab: Name = ENABLE
  • Common Tasks Tab: Default Privilege = Static Value = 15
  • Click Submit
• browse to Access Policies - Default Device Admin - Identity
  • Click Select and choose AD1 (gets created automatically once the connection to AD was established)
  • Click OK
  • Click Save Changes
• browse to Access Policies - Default Device Admin - Authorization
  • Click on Customize
  • Select Compound Condition and click on arrow to move to the right (Compound Condition allows us to select AD group during policy/rule creation)
  • Click OK
  • Place a checkmark next to a rule and click Edit
  • Uncheck any checkmarks and place a checkmark next to Compound Condition
  • Now you can select AD-AD1 from the Dictionary
  • Select attribute: External Groups
  • Select Value: your security group you created earlier and click OK
  • Under Current Condition Set click on Add V
  • Under Results click Select and choose the Shell Policy you created earlier (ENABLE) and click OK and click OK again to close
  • Click Save Changes
• browse to Access Policies - Service Selection Rules
  • Select Rule based result selection and click OK to warning if it pops up
  • Click Create (notice you only have Compound Condition) click Cancel
  • Click Customize
  • Click Protocol and click on the arrow to move it to the right then click OK
  • Click Create
  • place checkmark next to protocol, match and click Select and choose TACACS and click OK
  • Change Results to Default Device Admin and Click OK
  • Click Save Changes
• browse to Network Resources - Network Devices and AAA Clients
  • Click Create
  • Enter a Name
  • Place a checkmark next to TACACS and enter shared secret
  • Enter IP Address
  • Click Submit
• Configure Cisco IOS to connect
  • enter: aaa new-model
  • enter: aaa authentication login default group tacacs+ local
  • enter: aaa authorization exec default group tacacs+ local
  • enter: aaa authorization console
  • enter: tacacs-server host 192.168.2.201
  • enter: tacacs-server key cisco
  • enter: debug aaa authentication
  • enter: debug tacacs

Cisco ACS require ports to function:

Service Name	UDP	TCP
DHCP	68	-
RADIUS Authentication and Authorization (original draft RFC)	1645	-
RADIUS Accounting (original draft RFC)	1646	-
RADIUS Authentication and Authorization (revised draft RFC)	1812	-
RADIUS Accounting (revised draft RFC)	1813	-
TACACS+ AAA	-	49
Replication and RDBMS Synchronization	-	2000
Cisco Secure ACS Remote Logging	-	2001
Cisco Secure ACS Distributed Logging (appliance only)	-	2003
HTTP Administrative Access (at login)	-	2002
Administrative Access (after login) Port Range	-	Configurable (default 1024-65535)*

If time is not synchronized when you join ACS to the AD domain, ACS displays a clock skew error. Using the command line interface on your appliance, you must configure the NTP client to work with the same NTP server that the AD domain is synchronized with.

If there is a firewall between ACS and AD, certain ports need to be opened in order to allow ACS to communicate with AD. The following are the default ports to be opened:

 

Protocol	Port number
LDAP	389/udp
SMB	445/tcp
KDC	88/tcp
Global catalog	3268/tcp
KPASS	464/tcp
NTP	123/udp