Cisco Systems OL-24201-01 Camera Accessories User Manual


 
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 8 Managing Users and Identity Stores
Managing External Identity Stores
Joining ACS to an AD Domain
After you configure the AD identity store in ACS through the ACS web interface, you must submit the
configuration to join ACS to the AD domain. For more information on how to configure an AD identity
store, see Configuring an AD Identity Store, page 8-48.
Note: The Windows AD account that joins ACS to the AD domain can be placed in its own organizational
unit (OU). It can be placed in that OU either when the account is created or later, with the restriction
that the appliance name must match the name of the AD account.
Note: ACS does not support user authentication in AD when a user name is supplied with an alternative
UPN suffix that is configured at the OU level. Authentication works if the UPN suffix is configured at
the domain level.
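A pre-join audit for the UPN suffix limitation in the note above. This is an added example, not part of the Cisco guide. It assumes a single-domain forest, the ActiveDirectory PowerShell module (RSAT), and read access to the directory; the variable names are illustrative.

```powershell
# Added example: list accounts that would hit the OU-level UPN suffix limitation.
# Assumes a single-domain forest; add -Server to the Get-AD* calls for other domains.
Import-Module ActiveDirectory

$forest = Get-ADForest

# Suffixes usable at domain level: the DNS name of each domain in the forest
# plus the alternative suffixes registered forest-wide.
$domainLevel = @($forest.Domains) + @($forest.UPNSuffixes) |
    ForEach-Object { $_.ToLowerInvariant() }

# A suffix configured on an OU is stored in that OU's uPNSuffixes attribute.
$ouLevel = Get-ADOrganizationalUnit -Filter * -Properties uPNSuffixes |
    Where-Object { $_.uPNSuffixes } |
    ForEach-Object {
        foreach ($s in $_.uPNSuffixes) {
            [pscustomobject]@{ OU = $_.DistinguishedName; Suffix = $s.ToLowerInvariant() }
        }
    }

# Keep only suffixes that exist on an OU and nowhere at domain level.
$ouOnly = @($ouLevel | Where-Object { $domainLevel -notcontains $_.Suffix })

# Users whose UPN ends in one of those OU-only suffixes.
$affected = Get-ADUser -Filter 'userPrincipalName -like "*"' -Properties userPrincipalName |
    ForEach-Object {
        $suffix = ($_.UserPrincipalName -split '@')[-1].ToLowerInvariant()
        if ($ouOnly.Suffix -contains $suffix) {
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                UserPrincipalName = $_.UserPrincipalName
                Suffix            = $suffix
            }
        }
    }

# Report the OU-only suffixes, then the accounts that use them.
$ouOnly   | Sort-Object Suffix | Format-Table -AutoSize
$affected | Sort-Object Suffix, SamAccountName | Format-Table -AutoSize
```

An empty second table means no account in the queried domain signs in with a suffix that is defined only on an OU.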
Related Topic
Machine Authentication, page B-34
Configuring an AD Identity Store
When you configure an AD identity store, ACS also creates:
• A new dictionary for that store with two attributes: ExternalGroups and another attribute for any
  attribute retrieved from the Directory Attributes page.
• A new attribute, IdentityAccessRestricted. You can manually create a custom condition for this
  attribute.
• A custom condition for group mapping from the ExternalGroup attribute, named
  AD1:ExternalGroups, and another custom condition for each attribute selected in the
  Directory Attributes page (for example, AD1:cn).
You can edit the predefined condition name, and you can create a custom condition from the Custom
condition page. See Creating, Duplicating, and Editing a Custom Session Condition, page 9-5.
To authenticate users and join ACS with an AD domain:
Step 1 Select Users and Identity Stores > External Identity Stores > Active Directory.
The Active Directory page appears.
Step 2 Modify the fields in the General tab as described in Table 8-10.
Table 8-10 Active Directory: General Page

Option                          Description
------------------------------  --------------------------------------
Connection Details
Active Directory Domain Name    Name of the AD domain to join ACS to.