In the first part of this article, I described a little bit the installation process for Microsoft Active Directory. Now it’s time to go ahead and talk about the ACS 5.x integration with AD. In the meantime I changed the version “5.1” to “5.x” as version 5.2 is already out there. This tutorials work for both versions.
Maybe you are wondering why I don’t have a separate chapter about the installation process of ACS 5.x. The reason is that the installation is pretty straightforward, as you can see below. You have to follow some instructions, add some mandatory information (IP address, username, password…) and you’re done. Very simple. Because an image worth a thousand words, I took some screenshots during the process to make explanation more easy to follow.
Load the ACS 5.x image and after the initial screen you have to see the following warning. YES is the correct answer.
ACS 5.x will start the installation
If everything goes well, you should see a screen asking to type the keyword “setup”
Next, ACS 5.x will ask for some mandatory information:
Next, ACS 5.x will install all core files and when done it will show a prompt to login. You can go ahead and login or open a web browser and type https://your-ip/acsadmin (in my case this would be https://172.31.82.8/acsadmin , according to the image above). You should see something like this:
Default username: acsadmin and password: default. The system will require to change the default password:
Last step, before system is operational, require you to add the license file. If you got the ACS 5.x image from Cisco website they will provide you with a trial license file or a standard / extended license , if your company already acquired one.
If the installation part is very simple, the next lines I’m sure are critical for some of you. ACS 5.x is available for 2 platforms: bare metal system (that means a dedicated machine) or VMware appliance. If you are like me, then you don’t have a dedicate machine for testing some ACS 5.x solutions and VMware can be difficult sometimes to install and operate. The next alternative, which is free by the way, is VirtualBox. Thanks to Nick Bettison, (Twitter @linickx) we have now a solution to install ACS 5.x on VirtualBox.
He describes step-by-step in an easy to understand example how you can install ACS 5.1 on VirtualBox. As confirmed in a later post, this solution works also for ACS 5.2, just you have to download that release from Cisco website. As Nick says on his website, I want to highlight also that you will not find the ACS 5.x image for download neither on his blog or here. If you have a CCO account you can download a trial version from Cisco website. The trial is free and you can try the ACS solution for 90 days, which I say it’s more than enough for the tests you have in mind.
Note: Lately I saw on some websites, images of ACS 5.x system that pretend to be able to install directly on VirtualBox, without using Nick’s method. Most probably these images work just fine, but keep in mind that you’ll have to download those files from somewhere else than Cisco and I think this is illegal. Using Nick’s method you are on the safe side as you download the ACS 5.x image from Cisco website and the rest on the tutorial uses open source tools.
OK, enough about this, let’s go an see how you can integrate ACS 5.x with AD.
I assume now that you have already installed an Active Directory system and an ACS 5.x (doesn’t matter if bare metal system, VMware or VirtualBox). Also from the ACS 5.x CLI check to see if you can reach AD system (ping test would do it). This test has to be successful to proceed.
On ACS 5.x Web management interface find on the left panel the Users and Identity Stores sections and chose Active Directory:
Important Note: While trying to join ACS to the AD domain, ACS and AD must be time-synchronized. Time in ACS is set according to the Network Time Protocol (NTP) server. Both AD and ACS should be synchronized by the same NTP server. If time is not synchronized when you join ACS to the AD domain, ACS displays a clock skew error. Using the command line interface on your appliance, you must configure the NTP client to work with the same NTP server that the AD domain is synchronized with. Refer to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/command/reference/acs5_1_cli.html for more information.
Let’s add ACS 5.x to the AD:
Complete the Active Directory Domain Name field with the necessary value. Then, add the username and password. This user needs to be a domain administrator and to have rights to add new machines to Active Directory. Use the Test Connection to see if everything is correct. You can save the configuration. After you save, you will notice that Connectivity Status changed and now it’s showing the joined domain. Also on the top page additional two tabs appear. You’re done!
It seems like an easy task and if everything is prepared in advance the integration itself will work like a charm. From experience I know that if this part is not working smoothly, troubleshooting is not an easy task. If you run into problems, please let me know in Comments and I will help as much as I can.
Next part will be about using the AD Groups and Users together with ACS 5.x.