ACS 5.1 integration with Active Directory [Part II]

In the first part of this article, I described briefly the installation process for Microsoft Active Directory. Now it’s time to go ahead and talk about the ACS 5.x integration with AD. In the meantime I changed the version “5.1” to “5.x”, as version 5.2 is already out there. This tutorial works for both versions.

Maybe you are wondering why I don’t have a separate chapter about the installation process of ACS 5.x. The reason is that the installation is pretty straightforward, as you can see below. You have to follow some instructions, add some mandatory information (IP address, username, password…) and you’re done. Very simple. Because an image is worth a thousand words, I took some screenshots during the process to make the explanation easier to follow.

Load the ACS 5.x image and after the initial screen you should see the following warning. YES is the correct answer.

ACS Installation Start

ACS 5.x will start the installation

ACS Package installation

If everything goes well, you should see a screen asking you to type the keyword “setup”.

ACS Setup

Next, ACS 5.x will ask for some mandatory information:

ACS Settings

Next, ACS 5.x will install all core files and when done it will show a login prompt. You can go ahead and log in, or open a web browser and type https://your-ip/acsadmin (in my case this would be https://172.31.82.8/acsadmin , according to the image above). You should see something like this:

ACS Login

Default username: acsadmin and password: default. The system will require you to change the default password:

ACS Change password

The last step, before the system is operational, requires you to add the license file. If you got the ACS 5.x image from the Cisco website they will provide you with a trial license file, or a standard / extended license if your company has already acquired one.

ACS License

While the installation part is very simple, the next lines, I’m sure, are critical for some of you. ACS 5.x is available for 2 platforms: bare metal system (that means a dedicated machine) or VMware appliance. If you are like me, then you don’t have a dedicated machine for testing some ACS 5.x solutions, and VMware can be difficult sometimes to install and operate. The next alternative, which is free by the way, is VirtualBox. Thanks to Nick Bettison (Twitter @linickx) we now have a solution to install ACS 5.x on VirtualBox.

He describes step-by-step, in an easy to understand example, how you can install ACS 5.1 on VirtualBox. As confirmed in a later post, this solution also works for ACS 5.2; you just have to download that release from the Cisco website. As Nick says on his website, I also want to highlight that you will not find the ACS 5.x image for download either on his blog or here. If you have a CCO account you can download a trial version from the Cisco website. The trial is free and you can try the ACS solution for 90 days, which I’d say is more than enough for the tests you have in mind.

Note: Lately I saw on some websites images of ACS 5.x systems that claim to install directly on VirtualBox, without using Nick’s method. Most probably these images work just fine, but keep in mind that you’ll have to download those files from somewhere other than Cisco, and I think this is illegal. Using Nick’s method you are on the safe side, as you download the ACS 5.x image from the Cisco website and the rest of the tutorial uses open source tools.

OK, enough about this, let’s go and see how you can integrate ACS 5.x with AD.

I assume now that you have already installed an Active Directory system and an ACS 5.x (it doesn’t matter whether it is a bare metal system, VMware or VirtualBox). Also, from the ACS 5.x CLI check to see if you can reach the AD system (a ping test would do it). This test has to be successful before you proceed.

On the ACS 5.x web management interface find the Users and Identity Stores section on the left panel and choose Active Directory:

ACS Active Directory

Important Note: While trying to join ACS to the AD domain, ACS and AD must be time-synchronized. Time in ACS is set according to the Network Time Protocol (NTP) server. Both AD and ACS should be synchronized by the same NTP server. If time is not synchronized when you join ACS to the AD domain, ACS displays a clock skew error. Using the command line interface on your appliance, you must configure the NTP client to work with the same NTP server that the AD domain is synchronized with. Refer to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/command/reference/acs5_1_cli.html for more information.
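As an added example (not code from the original post, nor a Cisco tool), here is a small pre-flight script for the two conditions above: the AD system must be reachable and the clocks must agree. It goes slightly beyond the text by also checking that the domain controller’s LDAP SRV record resolves, since the join locates the DC through DNS. It assumes a Linux host on the same network as ACS with ping, BIND nslookup and ntpdate installed; AD_DC and DOMAIN are placeholders for your lab, and the 300-second limit is the Kerberos default clock tolerance of 5 minutes.

```shell
#!/bin/sh
# Added example, not code from the original post: pre-join checks to run from a Linux
# host on the same network as ACS before clicking Test Connection / Save in the ACS GUI.
# Assumptions (placeholders, set them for your lab): AD_DC is the domain controller,
# DOMAIN the AD domain; the DC answers NTP queries (Windows DCs do, via w32time);
# ping, nslookup (BIND) and ntpdate are installed. MAX_SKEW=300 is the Kerberos
# default tolerance of 5 minutes; past it the join fails with the clock skew error.
AD_DC="${AD_DC:-172.31.82.9}"          # constructed placeholder address
DOMAIN="${DOMAIN:-testdomain.local}"   # lab domain used in Part 1 of the post
MAX_SKEW="${MAX_SKEW:-300}"

# The reachability test the post asks for: one ICMP probe, 2 s timeout (Linux ping).
check_reachable() { ping -c 1 -W 2 "$1" >/dev/null 2>&1; }

# The join locates a DC through DNS, so its LDAP SRV record must resolve from here.
check_srv() {
    nslookup -type=SRV "_ldap._tcp.dc._msdcs.$1" 2>/dev/null | grep -q 'service ='
}

# Extract the "offset <seconds>," field from `ntpdate -q` output read on stdin.
# A "stratum 0" line means the server did not answer, so it is skipped: prints nothing.
ntp_offset_from_output() {
    awk '/stratum 0,/ { next }
         { for (i = 1; i < NF; i++) if ($i == "offset") { v = $(i + 1); sub(/,/, "", v); print v; exit } }'
}

# Return 0 when |offset| <= max seconds (fractional values allowed), 1 otherwise.
offset_within() {
    awk -v o="$1" -v m="$2" 'BEGIN { if (o < 0) o = -o; if (o <= m) exit 0; exit 1 }'
}

run_checks() {
    rc=0
    if check_reachable "$AD_DC"; then echo "OK   $AD_DC reachable"
    else echo "FAIL $AD_DC unreachable (ping)"; rc=1; fi
    if check_srv "$DOMAIN"; then echo "OK   DC SRV record for $DOMAIN resolves"
    else echo "FAIL _ldap._tcp.dc._msdcs.$DOMAIN does not resolve: check the DNS ACS uses"; rc=1; fi
    offset=$(ntpdate -q "$AD_DC" 2>/dev/null | ntp_offset_from_output)
    if [ -z "$offset" ]; then echo "FAIL no NTP answer from $AD_DC"; rc=1
    elif offset_within "$offset" "$MAX_SKEW"; then echo "OK   clock offset to DC is ${offset}s"
    else echo "FAIL clock offset ${offset}s exceeds ${MAX_SKEW}s: fix the ACS NTP client first"; rc=1; fi
    return "$rc"
}

if [ "${1:-}" = "--run" ]; then run_checks; fi
```

Run it with `--run`; any FAIL line is something to fix before attempting the join, and a FAIL on the offset check is exactly the situation that produces the clock skew error.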

Let’s add ACS 5.x to the AD:

ACS AD setup

Complete the Active Directory Domain Name field with the necessary value. Then add the username and password. This user needs to be a domain administrator and to have rights to add new machines to Active Directory. Use Test Connection to see if everything is correct, then save the configuration. After you save, you will notice that the Connectivity Status changed and now shows the joined domain. Also, two additional tabs appear at the top of the page. You’re done!

It seems like an easy task, and if everything is prepared in advance the integration itself will work like a charm. From experience I know that if this part is not working smoothly, troubleshooting is not an easy task. If you run into problems, please let me know in the comments and I will help as much as I can.

Next part will be about using the AD Groups and Users together with ACS 5.x.


ACS 5.1 integration with Active Directory [Part 1]

If at some point you need to test a configuration regarding ACS integration with Microsoft Active Directory, or if you think that this is something you want to try, then continue reading:

Part 1 – Active Directory installation

Part 2 – ACS 5.1 integration with AD

Part 3 – Some basic testing to prove that everything is working

I really hope that I’ll have sufficient time to complete this tutorial in the next weeks. As you probably saw already, in the last months only a few articles were posted here, because I’m very busy (daily business, CCIE learning, some new projects…). Anyway, let’s proceed….

My scenario is based on 2 virtual machines (VirtualBox) and 2 switches (C3560) for testing. I’ll add a topology design in Part 2 of this tutorial. One of the virtual machines is hosting the ACS system and the other one a Windows server (2003 / 2008) with Active Directory.

Let’s start with the Active Directory installation. You need a Windows 2003 or 2008 system installed on one virtual machine, or if you can afford physical hardware then you can use that. Windows 2003 / 2008 can be a trial from the Microsoft website, and you can use that trial for up to 240 days. Much more than the ACS trial (90 days). I have a 2003 distribution and I really recommend it, because you need fewer resources than with Win 2008. Be aware that the latest version of 2008, called R2, supports only 64-bit processors. If you have an older machine, just stick with Win 2003 or an earlier version of 2008 than the R2 release.

After you have a fresh machine with Windows 2003 / 2008 installation, please follow the next steps:

1. Click Start, click Run, type dcpromo.exe, and then click OK. You should see something like this:

2. Click Next and you can start the Active Directory installation.

3. Choose Domain controller for a new domain. I assume that you will not try this in a production AD environment, as it can break things. Just stick to your virtual machines or a closed test environment and everything will be fine.

4. Pick Domain in a new forest.

5. This domain can be whatever you want. Really! Just remember what you type in there. I have testdomain.local there.

6. The NetBIOS field will be automatically completed. If for some reason it is empty, add there whatever you have in front of the . (dot) in the FQDN. Here I have TESTDOMAIN.

7. The location where AD will be installed on your hard drive. It is automatically completed, and for this test I think it is best to leave the default.

8. Again, a default location that you had better not touch.

9. If you really want to test something, you can choose a different option below, but again, for this test it is best to let the AD Wizard install the DNS server as well. The best thing here is that if you let the Wizard install it, you don’t have to worry about missing entries there, as everything will be in place.

10. I’m using a Windows 2003 distribution in the example below. If you have a 2008 one, then the next screen might look different. Just keep in mind to choose the highest possible option. Anyway, you will not need backward compatibility with older systems.

11. Choose a password and remember it.

12. You have a summary there. Check it to see that everything is as you want.

13. Let it work for some minutes and you’re done.
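Since the domain name you type in step 5 is hard to change afterwards, here is an added example (not from the original post) that sanity-checks an FQDN before you commit it in the wizard and shows the NetBIOS name the wizard derives from it in step 6. It assumes the documented NetBIOS constraints (first label of the FQDN, upper-cased, at most 15 characters) and standard DNS label syntax; the names run through `demo` are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: check the domain name before typing it into
# the dcpromo wizard (step 5) and show the NetBIOS name the wizard derives in step 6.
# Assumption: the rules applied are the documented NetBIOS constraints (first label of
# the FQDN, upper-cased, at most 15 characters) and standard DNS label syntax.

# Print the NetBIOS name the wizard proposes: text before the first dot, upper-cased,
# cut to the 15-character NetBIOS limit. testdomain.local -> TESTDOMAIN
netbios_from_fqdn() {
    printf '%s\n' "$1" | cut -d. -f1 | tr '[:lower:]' '[:upper:]' | cut -c1-15
}

# Return 0 when the FQDN is usable as an AD domain name: at least two labels (Microsoft
# advises against single-label domains), each 1-63 characters of letters, digits or
# hyphens, not starting or ending with a hyphen; 1 otherwise.
valid_ad_fqdn() {
    case "$1" in
        *.*) ;;                      # need at least one dot
        *) return 1 ;;
    esac
    case "$1" in *[!A-Za-z0-9.-]*) return 1 ;; esac   # only DNS label characters
    old_ifs=$IFS
    IFS=.
    set -- $1                        # split the FQDN into its labels
    IFS=$old_ifs
    for label in "$@"; do
        case "$label" in
            "" | -* | *- ) return 1 ;;
        esac
        [ "${#label}" -le 63 ] || return 1
    done
    return 0
}

# Run a few constructed lab names through both checks.
demo() {
    for d in testdomain.local testdomain test_domain.local -bad.local; do
        if valid_ad_fqdn "$d"; then echo "$d -> NetBIOS $(netbios_from_fqdn "$d")"
        else echo "$d -> rejected"; fi
    done
}
```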

You’re done setting up the Active Directory. Come back for Part 2, where we will connect ACS 5.1 to AD, and for Part 3, where we will add some users on AD and do a little testing.