8-43
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 8 Managing Users and Identity Stores
Managing External Identity Stores
If there is a firewall between ACS and AD, certain ports need to be opened in order to allow ACS to
communicate with AD. The following are the default ports to be opened:
Note Dial-in users are not supported by AD in ACS.
This section contains the following topics:
Machine Authentication, page 8-43
Attribute Retrieval for Authorization, page 8-44
Group Retrieval for Authorization, page 8-44
Certificate Retrieval for EAP-TLS Authentication, page 8-44
Concurrent Connection Management, page 8-44
User and Machine Account Restrictions, page 8-44
Machine Access Restrictions, page 8-45
Dial-in Permissions, page 8-46
Callback Options for Dial-in users, page 8-46
Joining ACS to an AD Domain, page 8-48
Configuring an AD Identity Store, page 8-48
Selecting an AD Group, page 8-50
Configuring AD Attributes, page 8-51
Machine Authentication
Machine authentication provides access to network services only to those computers that are listed in
Active Directory. This becomes very important for wireless networks because unauthorized users can try
to access your wireless access points from outside your office building.
Machine authentication happens while starting up a computer or while logging in to a computer.
Supplicants, such as Funk Odyssey, perform machine authentication periodically while the supplicant is
running.
If you enable machine authentication, ACS authenticates the computer before a user authentication
request comes in. ACS checks the credentials provided by the computer against the Windows user
database. If the credentials match, the computer is given access to the network.
Default ports to open between ACS and AD:
Protocol          Port number
LDAP              389/udp
SMB               445/tcp
KDC               88/(tcp/udp)
Global catalog    3268/tcp
KPASS             464/tcp
NTP               123/udp
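As an added example (not from the guide or from Cisco), the following script encodes the port table above and verifies from the ACS side that a firewall actually permits the TCP ports toward a domain controller; the host name dc1.example.com is a hypothetical placeholder. UDP-only rows (LDAP 389, NTP 123) are flagged rather than tested, because a UDP socket gives no handshake to confirm.

```python
import re
import socket

# Default ACS -> AD ports exactly as listed in this section of the guide.
REQUIRED_PORTS = """
LDAP 389/udp
SMB 445/tcp
KDC 88/(tcp/udp)
Global catalog 3268/tcp
KPASS 464/tcp
NTP 123/udp
"""

def parse_port_table(text):
    """Turn 'Service port/proto' rows into (service, port, {protocols}) tuples."""
    rows = []
    for line in text.strip().splitlines():
        m = re.match(r"^(.+?)\s+(\d+)/\(?([a-z/]+)\)?$", line.strip())
        if not m:
            raise ValueError(f"unparseable row: {line!r}")
        rows.append((m.group(1), int(m.group(2)), set(m.group(3).split("/"))))
    return rows

def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes; False on refusal, filtering or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_ad_ports(dc_host, table=REQUIRED_PORTS, timeout=3.0):
    """Return {service: 'open' | 'blocked' | 'udp-only (not checked)'} for one domain controller."""
    results = {}
    for service, port, protos in parse_port_table(table):
        if "tcp" in protos:
            results[service] = "open" if tcp_reachable(dc_host, port, timeout) else "blocked"
        else:
            # No handshake on UDP, so a connect() proves nothing; leave this row for a manual check.
            results[service] = "udp-only (not checked)"
    return results

if __name__ == "__main__":
    # Hypothetical domain controller; replace with the DC the ACS node will join.
    for svc, state in check_ad_ports("dc1.example.com").items():
        print(f"{svc:15} {state}")
```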