User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 8 Managing Users and Identity Stores
Managing External Identity Stores
• Maximum password age is N days.
• Minimum password age is N days.
• Minimum password length is N characters.
• Password must meet complexity requirements.
AD uses the “Maximum password age is N days” rule to detect password expiry. All other rules are applied during attempts to change a password.
ACS supports these AD domains:
• Windows Server 2003
• Windows Server 2003 R2
• Windows Server 2008
• Windows Server 2008 R2
• Windows Server 2012 from patch 2 onwards
ACS machine access restriction (MAR) features use AD to map machine authentication to user authentication and authorization, and set the maximum time allowed between a machine authentication and an authentication of a user from the same machine.
Most commonly, MAR rejects the authentication of a user whose host machine did not successfully authenticate, or whose authentication arrives later than the specified aging time after the machine authentication. You can add MAR as a condition in authentication and authorization rules as required.
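The following is an added illustration of the MAR condition described above, not code from ACS or Cisco: it remembers the most recent successful machine authentication per host (keyed here by a constructed MAC address) and decides whether a later user authentication from that host falls within the aging time. The class, method and sample event names are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Tuple


@dataclass
class MarEvaluator:
    """Hypothetical model of the ACS MAR check (not ACS code).

    A user authentication from a host is allowed only if that host passed
    machine authentication no longer than `aging_time` earlier.
    """
    aging_time: timedelta
    # Most recent *successful* machine authentication per host.
    _last_machine_auth: Dict[str, datetime] = field(default_factory=dict)

    def record_machine_auth(self, host_mac: str, when: datetime, success: bool) -> None:
        # A failed machine authentication never satisfies MAR, so it is not stored.
        if success:
            self._last_machine_auth[host_mac] = when

    def check_user_auth(self, host_mac: str, when: datetime) -> Tuple[bool, str]:
        """Return (allowed, reason) for a user authentication from host_mac at `when`."""
        last = self._last_machine_auth.get(host_mac)
        if last is None:
            return False, "no successful machine authentication for this host"
        elapsed = when - last
        if elapsed < timedelta(0):
            # Only possible if clocks disagree; the page stresses NTP sync for a reason.
            return False, "user authentication predates machine authentication"
        if elapsed > self.aging_time:
            return False, f"machine authentication aged out ({elapsed} > {self.aging_time})"
        return True, f"machine authenticated {elapsed} ago, within aging time"


def demo() -> Dict[str, bool]:
    """Constructed events: two hosts, one aging time of 8 hours."""
    mar = MarEvaluator(aging_time=timedelta(hours=8))
    t0 = datetime(2024, 1, 1, 8, 0, 0)
    mar.record_machine_auth("00:11:22:33:44:55", t0, success=True)    # host A passes
    mar.record_machine_auth("66:77:88:99:aa:bb", t0, success=False)   # host B fails
    return {
        "A_user_1h_later": mar.check_user_auth("00:11:22:33:44:55", t0 + timedelta(hours=1))[0],
        "A_user_9h_later": mar.check_user_auth("00:11:22:33:44:55", t0 + timedelta(hours=9))[0],
        "B_user_1h_later": mar.check_user_auth("66:77:88:99:aa:bb", t0 + timedelta(hours=1))[0],
    }
```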
While trying to join ACS to the AD domain, ACS and AD must be time-synchronized. Time in ACS is
set according to the Network Time Protocol (NTP) server. Both AD and ACS should be synchronized by
the same NTP server. If time is not synchronized when you join ACS to the AD domain, ACS displays
a clock skew error. Using the command line interface on your appliance, you must configure the NTP
client to work with the same NTP server that the AD domain is synchronized with.
The NTP process restarts automatically when it is down. You can check the NTP process status in two ways:
• Use the sh app status acs command in the CLI.
• Choose Monitoring and Reports > Reports > Catalog > ACS Instance > ACS_Health_Summary in the ACS web interface.
For more information, refer to this URL:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/command/reference/cli.html
The ACS appliance uses different levels of caching for AD groups, to optimize performance. AD groups
are identified with a unique identifier, the Security Identifier (SID). ACS retrieves the SID that belongs
to the user, and uses the cached mapping of the SID with the full name and path of the group. The AD
client component caches the mapping for 24 hours. The run-time component of ACS queries the AD
client and caches the results, as long as ACS is running.
ACS 5.4 provides AD client tools for troubleshooting AD connectivity issues. You can use the commands adinfo, adcheck, and ldapsearch for this purpose. ACS exposes these CLI commands with the same parameters, flags, and conditions that are required for their operation, and redirects their output to ACSADAgent.log.
For more information on these commands, see CLI Reference Guide for Cisco Secure Access Control
System 5.4.