SEC0085 - ACS 5.4 LDAP Integration and Identity Store Sequences

The video walks you through the steps for LDAP integration on Cisco ACS 5.4. We connect ACS to the Active Directory LDAP service and perform Subject and Group searches. We also touch on Identity Store Sequences as a way to look up users across multiple authentication databases.
  • LDAP Integration
  • LDAP Subject and Group Search
  • Identity Store Sequences

About Author

Metha Cheiwanichakorn, CCIE#23585 (RS, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at, Metha enjoys learning and challenges himself with new Cisco technologies.


Hi guys! Thanks a lot for these videos. I have a question about LDAP or AD groups: I chose to use LDAP groups for authorization, but I am not sure how I can configure ACS to authenticate only certain groups. Right now they all authenticate correctly and they get the deny all command set. I want them not to be able to authenticate.

You won't know which AD groups users belong to until they are authenticated, so it is not possible to deny user authentication by AD group. What is supposed to happen is that once they are authenticated, you can fail their exec authorization (i.e. deny access) based on the AD group, and users won't get past the login prompt.

Thanks, and I am sorry to bother you again, but I looked at the authorization part and there are either command sets or shell profiles or both, but in neither can I find a way to say deny access; there is deny all. Can you show me where it is?
I was thinking that you can specify the AD groups in the identity store and whoever doesn't match will be denied access. I think I found how I can choose those groups, however I am not sure about the local users (internal users).

Thanks a lot for your help

Deny All is what you want. If you only permit the matching AD group and have the default (Bottom) rule set to "Deny", that should do the trick as well instead of denying specific AD groups. For internal users, add users to a User Identity Group and set it as part of the conditions in the authorization rule.

Yes, that solves it. Just to be more clear, it's under the access policies; you'll need to customize it to add the shell profile, then edit the default and choose deny access (shell profile).
Thanks a lot for your help and the wonderful videos. I shared them with my coworkers and they all like them.

We are glad to help. :-)
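The flow discussed in the replies above, as an added example that is not part of the original thread and is not Cisco ACS code: a simplified Python model in which an identity store sequence authenticates the user first, and group membership is evaluated only afterwards by first-match authorization rules with a default (bottom) rule of deny. The user names, group names, rule names and the stop-on-wrong-password behaviour are assumptions of this model.

```python
import hmac

# Constructed sample data: user names, passwords and group names are made up.
NETADMINS = "CN=NetAdmins,OU=Groups,DC=example,DC=com"
HELPDESK = "CN=HelpDesk,OU=Groups,DC=example,DC=com"
LDAP_STORE = {
    "alice": {"password": "alice-pw", "groups": {NETADMINS}},
    "bob": {"password": "bob-pw", "groups": {HELPDESK}},
}
INTERNAL_STORE = {
    "localadmin": {"password": "local-pw", "groups": {"LocalAdmins"}},
}
# Identity store sequence: stores are tried in this order.
SEQUENCE = [("LDAP", LDAP_STORE), ("Internal Users", INTERNAL_STORE)]

# Authorization rules, first match wins; only the listed groups are permitted.
RULES = [
    ("Rule-1", NETADMINS, "Permit Access"),
    ("Rule-2", "LocalAdmins", "Permit Access"),
]
DEFAULT_RESULT = "Deny Access"  # the default (bottom) rule


def authenticate(user, password):
    """Return (store_name, groups) on success, None on failure."""
    for store_name, store in SEQUENCE:
        entry = store.get(user)
        if entry is None:
            continue  # user not in this store: try the next one
        # Model assumption: a wrong password in the store that holds the
        # user ends the lookup instead of falling through.
        if hmac.compare_digest(entry["password"].encode(), password.encode()):
            return store_name, entry["groups"]
        return None
    return None


def authorize(groups):
    """Groups are only known here, after authentication has succeeded."""
    for rule_name, required_group, result in RULES:
        if required_group in groups:
            return rule_name, result
    return "Default", DEFAULT_RESULT


def login(user, password):
    auth = authenticate(user, password)
    if auth is None:
        return ("authentication failed", None, None)
    store_name, groups = auth
    rule_name, result = authorize(groups)
    return ("authenticated via " + store_name, rule_name, result)
```

In this model `bob` authenticates successfully but falls through to the default rule, which is the outcome the replies describe: the credentials are valid, yet the session is denied at exec authorization.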
