8-53
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 8 Managing Users and Identity Stores
Managing External Identity Stores
If AD is already configured and you want to delete it, click Clear Configuration after you verify
that there are no policy rules that use custom conditions based on the AD dictionary.
AD Deployments with Users Belonging to a Large Number of Groups
In ACS 5.3, when you move between AD domains, user authentications show a timeout error if the
user belongs to a large number of groups (more than 50 groups). However, subsequent authentications
of the same user, or of another user who belongs to the same groups, work properly. This is caused by
the adclient.get.builtin.membership parameter in the ACS AD agent configuration. When this parameter
is set to true, the agent issues many additional requests, which take a long time for users who belong
to a large number of groups. You can observe that the AD built-in groups are not available for use in
ACS policies after the adclient.get.builtin.membership parameter is set to true. To overcome this
issue, set the adclient.get.builtin.membership parameter to false.
To set the adclient.get.builtin.membership parameter, perform the following steps in the ACS CLI:
Step 1 Log into the ACS CLI in configuration mode.
Step 2 Enter the following commands:
acs-config
ad-agent-configuration adclient.get.builtin.membership false
Note The first authentication of a user who belongs to a large number of groups may fail with a
timeout error. However, subsequent authentications of the same user, or of another user who belongs
to the same groups, work properly.
Joining ACS to Domain Controllers
When ACS needs to connect to a domain controller or a global catalog, it sends SRV requests to the
configured DNS servers to obtain the list of available domain controllers for a domain and the global
catalogs for a forest.
If the Active Directory configuration on the ACS machine is assigned to a subnet, which in turn is
assigned to a site, then ACS sends DNS queries scoped to that site. That is, the DNS server is expected
to return only the domain controllers and global catalogs that serve the site to which the subnet is
assigned.
If the ACS machine is not assigned to a site, then ACS sends DNS queries that are not scoped to a site.
That is, the DNS server is expected to return all available domain controllers and global catalogs,
regardless of site.
ACS iterates through the list of domain controllers or global catalogs and tries to establish a
connection in the order in which they appear in the DNS response received from the DNS server.
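Added example, not from the Cisco guide: a small Python helper that builds the site-scoped and unscoped SRV query names for the domain controllers of a domain and the global catalogs of a forest (the standard Microsoft DC-locator names, assumed here rather than taken from this page), parses a constructed dig-style answer, and tries the targets in response order as the text says ACS does. It is useful when checking whether a site-assigned ACS actually receives site-scoped answers from its configured DNS servers.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# The record names follow the standard Microsoft DC-locator convention
# (an assumption of this example; the page itself does not list them).
def locator_srv_name(kind: str, name: str, site: Optional[str] = None) -> str:
    """SRV name for kind 'dc' (domain controllers of domain `name`) or
    'gc' (global catalogs of forest `name`), scoped to `site` if given."""
    if kind == "dc":
        base = f"dc._msdcs.{name}"
        return f"_ldap._tcp.{site}._sites.{base}" if site else f"_ldap._tcp.{base}"
    if kind == "gc":
        return f"_gc._tcp.{site}._sites.{name}" if site else f"_gc._tcp.{name}"
    raise ValueError(f"unknown locator kind: {kind}")

@dataclass
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str

def parse_srv_answers(lines: Iterable[str]) -> List[SrvRecord]:
    """Parse dig-style answer lines: '<name> <ttl> IN SRV <prio> <weight> <port> <target>.'
    Lines that are not SRV records (comments, other record types) are skipped."""
    records = []
    for line in lines:
        f = line.split()
        if len(f) < 8 or f[2] != "IN" or f[3] != "SRV":
            continue
        records.append(SrvRecord(int(f[4]), int(f[5]), int(f[6]), f[7].rstrip(".")))
    return records

def first_reachable(records: List[SrvRecord], connect: Callable[[str, int], bool]) -> Optional[str]:
    """Try each target in DNS response order (not RFC 2782 priority/weight order,
    because the text says ACS follows the order of the response) and return the
    first target that connect() accepts, or None if every attempt fails."""
    for rec in records:
        if connect(rec.target, rec.port):
            return rec.target
    return None

# Constructed sample answer to a site-scoped DC query; hosts are not real.
SAMPLE_ANSWER = [
    "_ldap._tcp.HQ._sites.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.",
    "_ldap._tcp.HQ._sites.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc2.example.com.",
]
```

Pass a real `connect` callback (for example, a TCP connect with a timeout) to see which listed controller ACS would end up using from a given DNS answer.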