Authenticating user with tacacs and Active directory

amb1s1amb1s1 Member Posts: 408
We have like 200 branches where we are going to have an access point just for special users. The way we have those users authenticate when trying to connect to the AP is via TACACS, but it would be nice if those users could be authenticated against Active Directory, using TACACS as the intermediary.
David G.
http://gomezd.com
My Tshoot test Blog
http://twitter.com/ipnet255

Comments

  • brocbroc Member Posts: 167
    So... what's your question?

    Do you want to know if it is possible? Yes.

    How to do it? As you are already using TACACS, what product are you currently using?
    "Not everything that counts can be counted, and not everything that can be counted counts."
  • amb1s1amb1s1 Member Posts: 408
    When you say product, what do you mean by that? I just started as a Jr. engineer 2 weeks ago and security is one of my weakest areas of knowledge.
    David G.
    http://gomezd.com
    My Tshoot test Blog
    http://twitter.com/ipnet255
  • brocbroc Member Posts: 167
    You said that when your users connect to the AP, they get authenticated via TACACS. In order to do that, you need a TACACS server somewhere in your network. Based on which server/product you are using for the authentication, I should be able to direct you on how to get it configured so that it gets its information from AD.
    "Not everything that counts can be counted, and not everything that can be counted counts."
  • amb1s1amb1s1 Member Posts: 408
    I'm not sure because I'm not at work, but we use Cisco ACS; I don't know what version. I would VPN in later on and find out what version and what appliance model it is.
    David G.
    http://gomezd.com
    My Tshoot test Blog
    http://twitter.com/ipnet255
  • jason_lundejason_lunde Member Posts: 567
    You can indeed do this. Basically, in ACS there is a section called "external user databases" (in my version at least). If you go in there you can map your domain to a user group (we do this dynamically for some users). You want to make sure to get your group permissions correct though, so that your AP users don't have permissions on your network devices. There is some planning that needs to go into such a deployment, and make sure to test thoroughly.
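The group-mapping and permission planning described in that reply, as an added example that is not part of the thread and is not Cisco's or ACS's own code: a small model of the AD-group to ACS-group mapping, with each ACS group restricted to the network device groups it may log in to. ACS 4.1 is configured through its web UI, so this only models the policy so it can be reviewed before rollout; the group names, device names, DNs and privilege levels are constructed for illustration.

```python
"""Model of an AD -> ACS group mapping with per-device-group authorization.

Added example; not code from the thread or from Cisco ACS. All group
names, device names and DNs below are constructed for illustration.
"""
from dataclasses import dataclass

# AD group -> ACS user group, in priority order: the first AD group the
# user is a member of decides the ACS group (a user in both admin and
# Wi-Fi groups therefore lands in NetOps). Unmapped users fall through
# to the default group, which should grant nothing.
AD_TO_ACS_GROUP = [
    ("CN=Network-Admins,OU=Groups,DC=example,DC=local", "NetOps"),
    ("CN=Branch-WiFi-Users,OU=Groups,DC=example,DC=local", "Branch-WiFi"),
]
DEFAULT_ACS_GROUP = "No-Access"

# ACS group -> network device groups (NDGs) it may authenticate against,
# and the privilege level it receives there. Branch-WiFi deliberately has
# no entry for Routers or Switches, so AP users cannot reach them.
ACS_GROUP_POLICY = {
    "NetOps": {"Routers": 15, "Switches": 15, "Branch-APs": 15},
    "Branch-WiFi": {"Branch-APs": 1},
    "No-Access": {},
}

# AAA client -> NDG, as it would be defined under ACS Network Configuration.
DEVICE_NDG = {
    "rtr-branch-042": "Routers",
    "sw-branch-042": "Switches",
    "ap-branch-042": "Branch-APs",
}


@dataclass
class Decision:
    allowed: bool
    acs_group: str
    priv_level: int = 0
    reason: str = ""


def map_acs_group(ad_groups):
    """Return the ACS group for a user's list of AD group DNs."""
    for ad_group, acs_group in AD_TO_ACS_GROUP:
        if ad_group in ad_groups:
            return acs_group
    return DEFAULT_ACS_GROUP


def authorize(ad_groups, device):
    """Decide whether a user with these AD groups may log in to device."""
    acs_group = map_acs_group(ad_groups)
    ndg = DEVICE_NDG.get(device)
    if ndg is None:
        return Decision(False, acs_group, reason=f"{device} is not a known AAA client")
    permitted = ACS_GROUP_POLICY[acs_group]
    if ndg not in permitted:
        return Decision(False, acs_group, reason=f"{acs_group} has no access to NDG {ndg}")
    return Decision(True, acs_group, permitted[ndg], f"{acs_group} may log in to {ndg}")


# Constructed sample directory memberships.
DOMAIN_USERS = "CN=Domain Users,CN=Users,DC=example,DC=local"
SAMPLE_USERS = {
    "wifi.user": ["CN=Branch-WiFi-Users,OU=Groups,DC=example,DC=local", DOMAIN_USERS],
    "net.admin": ["CN=Network-Admins,OU=Groups,DC=example,DC=local", DOMAIN_USERS],
    "contractor": [DOMAIN_USERS],
}


def audit(users=SAMPLE_USERS, devices=DEVICE_NDG):
    """Return {(user, device): Decision} for every combination, so the whole
    mapping can be reviewed in the lab before it goes to production."""
    return {(u, d): authorize(g, d) for u, g in users.items() for d in devices}


if __name__ == "__main__":
    for (user, device), dec in sorted(audit().items()):
        verdict = "ALLOW" if dec.allowed else "DENY"
        print(f"{user:12} {device:16} {verdict:6} priv={dec.priv_level:<3} {dec.reason}")
```

Running the audit prints a full user-by-device matrix; the rows to check are the Wi-Fi user against the router and switch (both denied) and the unmapped contractor against every device (denied everywhere), which is exactly the separation the reply above says must be planned and tested.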
  • amb1s1amb1s1 Member Posts: 408
    You can indeed do this. Basically, in ACS there is a section called "external user databases" (in my version at least). If you go in there you can map your domain to a user group (we do this dynamically for some users). You want to make sure to get your group permissions correct though, so that your AP users don't have permissions on your network devices. There is some planning that needs to go into such a deployment, and make sure to test thoroughly.

    I'm using ACS 4.1 and yes, I have that option for external user databases. I'll look around to see if I can find any documentation on how to set it up. Before we implement any changes we always test in the 3 QA labs that we have, to make sure that everything is working fine.
    David G.
    http://gomezd.com
    My Tshoot test Blog
    http://twitter.com/ipnet255
  • brocbroc Member Posts: 167
    "Not everything that counts can be counted, and not everything that can be counted counts."
  • jason_lundejason_lunde Member Posts: 567