In the first part of this article, I described a little bit the installation process for Microsoft Active Directory. Now it’s time to go ahead and talk about the ACS 5.x integration with AD. In the meantime I changed the version “5.1” to “5.x” as version 5.2 is already out there. This tutorials work for both versions.
Maybe you are wondering why I don’t have a separate chapter about the installation process of ACS 5.x. The reason is that the installation is pretty straightforward, as you can see below. You have to follow some instructions, add some mandatory information (IP address, username, password…) and you’re done. Very simple. Because an image worth a thousand words, I took some screenshots during the process to make explanation more easy to follow.
Load the ACS 5.x image and after the initial screen you have to see the following warning. YES is the correct answer.
ACS 5.x will start the installation
If everything goes well, you should see a screen asking to type the keyword “setup”
Next, ACS 5.x will ask for some mandatory information:
Next, ACS 5.x will install all core files and when done it will show a prompt to login. You can go ahead and login or open a web browser and type https://your-ip/acsadmin (in my case this would be https://172.31.82.8/acsadmin , according to the image above). You should see something like this:
Default username: acsadmin and password: default. The system will require to change the default password:
Last step, before system is operational, require you to add the license file. If you got the ACS 5.x image from Cisco website they will provide you with a trial license file or a standard / extended license , if your company already acquired one.
If the installation part is very simple, the next lines I’m sure are critical for some of you. ACS 5.x is available for 2 platforms: bare metal system (that means a dedicated machine) or VMware appliance. If you are like me, then you don’t have a dedicate machine for testing some ACS 5.x solutions and VMware can be difficult sometimes to install and operate. The next alternative, which is free by the way, is VirtualBox. Thanks to Nick Bettison, (Twitter @linickx) we have now a solution to install ACS 5.x on VirtualBox.
He describes step-by-step in an easy to understand example how you can install ACS 5.1 on VirtualBox. As confirmed in a later post, this solution works also for ACS 5.2, just you have to download that release from Cisco website. As Nick says on his website, I want to highlight also that you will not find the ACS 5.x image for download neither on his blog or here. If you have a CCO account you can download a trial version from Cisco website. The trial is free and you can try the ACS solution for 90 days, which I say it’s more than enough for the tests you have in mind.
Note: Lately I saw on some websites, images of ACS 5.x system that pretend to be able to install directly on VirtualBox, without using Nick’s method. Most probably these images work just fine, but keep in mind that you’ll have to download those files from somewhere else than Cisco and I think this is illegal. Using Nick’s method you are on the safe side as you download the ACS 5.x image from Cisco website and the rest on the tutorial uses open source tools.
OK, enough about this, let’s go an see how you can integrate ACS 5.x with AD.
I assume now that you have already installed an Active Directory system and an ACS 5.x (doesn’t matter if bare metal system, VMware or VirtualBox). Also from the ACS 5.x CLI check to see if you can reach AD system (ping test would do it). This test has to be successful to proceed.
On ACS 5.x Web management interface find on the left panel the Users and Identity Stores sections and chose Active Directory:
Important Note: While trying to join ACS to the AD domain, ACS and AD must be time-synchronized. Time in ACS is set according to the Network Time Protocol (NTP) server. Both AD and ACS should be synchronized by the same NTP server. If time is not synchronized when you join ACS to the AD domain, ACS displays a clock skew error. Using the command line interface on your appliance, you must configure the NTP client to work with the same NTP server that the AD domain is synchronized with. Refer to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/command/reference/acs5_1_cli.html for more information.
Let’s add ACS 5.x to the AD:
Complete the Active Directory Domain Name field with the necessary value. Then, add the username and password. This user needs to be a domain administrator and to have rights to add new machines to Active Directory. Use the Test Connection to see if everything is correct. You can save the configuration. After you save, you will notice that Connectivity Status changed and now it’s showing the joined domain. Also on the top page additional two tabs appear. You’re done!
It seems like an easy task and if everything is prepared in advance the integration itself will work like a charm. From experience I know that if this part is not working smoothly, troubleshooting is not an easy task. If you run into problems, please let me know in Comments and I will help as much as I can.
Next part will be about using the AD Groups and Users together with ACS 5.x.
[adsense_id=”3″]
Great post!
I get in trouble with ACS+AD when deploying 802.1x whit PEAP authentication
Looking forward for your third part !
Same here! When does this part 3 get posted?
this steps works fine but I cannot restrict access to my equipments.domain users with an All Computers access can connect to my routers and switches
Hello guys and sorry for late reply. I was really / really busy in the last weeks so I needed to stay away from my blog. I hope I'll get back on track ASAP.
Hi when will part 3 be ready?
I've been getting this error in the log "12321 PEAP failed SSL/TLS handshake because the client rejected the ACS local-certificate".
I really don't know why the client's rejecting the certificate because it was generated by the CA.
I dont' think it needs to be domain admin…
OK dru, but if you're not a domain admin how can you add a new member / machine to the domain?
I did the test Connection part of joining my domain from ACS and got a success message back. Looks good. I'll now just save that. Aaaaargh. The save fails with a message saying;
Error while configuring Active Directory:Error while configuring Active Directory:Unexpected LDAP Error Can't contact LDAP server due to unexpected configuration or network error.Please try the –verbose option or run 'adinfo –diag' to diagnose the problem.Join to domain 'mydomain.local', zone 'null' failed
I've checked the time and timezones on both ACS and AD and they match.
Can anyone suggest any possible solutions
What is your scenario there? You use AD or LDAP? Or AD integrated with LDAP. I have never seen this kind of error, but seems like a problem somewhere at AD / LDAP rather than ACS.
I have a problem on next step, using the AD Groups and Users together with ACS 5.x
PC can authenticate with ACS by using internal DB but with AD didn’t. also my ACS joined to domain and connected
hello guys
when i press the test connection button i receive the below error
Further information on status: – Clock Skew error.
plz help me
From the above article:
“Both AD and ACS should be synchronized by the same NTP server. If time is not synchronized when you join ACS to the AD domain, ACS displays a clock skew error.”
Do you have the AD and ACS time synchronize to the NTP server? Possible the same NTP server.
If the time difference between AD and ACS is larger than some msec (I don’t remember exactly how much) then you’ll get this error.