Support User Manuals

Cisco Systems OL-24201-01 Camera Accessories User Manual

Open as PDF

of 650

8-22

User Guide for Cisco Secure Access Control System 5.3

OL-24201-01

Chapter 8 Managing Users and Identity Stores

Managing External Identity Stores

Managing External Identity Stores

ACS 5.3 integrates with external identity systems in a number of ways. You can leverage an external

authentication service or use an external system to obtain the necessary attributes to authenticate a

principal, as well to integrate the attributes into an ACS policy.

For example, ACS can leverage Microsoft AD to authenticate a principal, or it could leverage an LDAP

bind operation to find a principal in the database and authenticate it. ACS can obtain identity attributes

such as AD group affiliation to make an ACS policy decision.

Note ACS 5.3 does not have a built-in check for the dial-in permission attribute for Windows users. You must

set the msNPAllowDialin attribute through LDAP or Windows AD. For information on how to set this

attribute, refer to Microsoft documentation at:

http://msdn.microsoft.com/en-us/library/ms678093%28VS.85%29.aspx

This section provides an overview of the external identity stores that ACS 5.3 supports and then

describes how you can configure them.

This section contains the following topics:

• LDAP Overview, page 8-22

• Leveraging Cisco NAC Profiler as an External MAB Database, page 8-34

• Microsoft AD, page 8-41

• RSA SecurID Server, page 8-54

• RADIUS Identity Stores, page 8-60

LDAP Overview

Lightweight Directory Access Protocol (LDAP), is a networking protocol for querying and modifying

directory services that run on TCP/IP and UDP. LDAP is a lightweight mechanism for accessing an

x.500-based directory server. RFC 2251 defines LDAP.

ACS 5.3 integrates with an LDAP external database, which is also called an identity store, by using the

LDAP protocol. See Creating External LDAP Identity Stores, page 8-26 for information about

configuring an LDAP identity store.

This section contains the following topics:

• Directory Service, page 8-23

• Authentication Using LDAP, page 8-23

• Multiple LDAP Instances, page 8-23

• Failover, page 8-24

• LDAP Connection Management, page 8-24

• Authenticating a User Using a Bind Connection, page 8-24

• Group Membership Information Retrieval, page 8-25

• Attributes Retrieval, page 8-25

• Certificate Retrieval, page 8-26

• Creating External LDAP Identity Stores, page 8-26

previous next