Guides
Secure Access Help Center

Connect Active Directory to Secure Access

The Cisco Active Directory (AD) Connector integrates Cisco Secure Access with your instance of Microsoft Active Directory (AD). Before you can provision users and groups from AD to Secure Access, register the AD Components in the environment (domain controller or domain) to Secure Access. Then, download the Cisco AD Connector software package and install the AD Connector in the organization's environment.

This guide describes the steps to install the Cisco AD Connector for LDAP or LDAPS, and provision users and groups from your instance of Microsoft AD to Secure Access.

Table of Contents

Prerequisites

Procedure

Download the software package for the Cisco AD Connector and install an AD Connector in your environment.

Step 1 – Download the Active Directory Connector

Download the Cisco AD Connector from Secure Access to your server.

Note: When you download the Cisco AD Connector software package, and if you did not configure API key credentials for the AD Connectors, Secure Access displays a warning message. We recommend that you configure API keys for your AD Connectors. For more information, see Configure Authentication for AD Connectors and VAs.

  1. Configure a server to run the Cisco AD Connector, and then sign in to Secure Access on that server.

  2. Navigate to Connect > Users and Groups > Users and click Provision Users, or navigate to Connect > Users and Groups > Groups and click Provision Groups.

  3.  For Provisioning Method, click Active Directory or expand Active Directory.

  4. For Active Directory Connector, click  Download to save the Cisco AD connector software package to the server. The deployment package is named: CiscoAuditClient_vX.X.X.zip.

Note: You must download the ZIP file to the local machine where you plan to run it, or copy it locally from another machine. We do not recommend that you install the Cisco AD Connector from a network drive or run the setup.msi directly from the compressed file.

Step 2 - Install the Active Directory Connector

As an administrator, extract the contents of the Cisco AD Connector ZIP file to a folder on the server, and then navigate to that folder.
Note: If you run the AD Connector installer from the root directory of your server, you may encounter installation errors.

  1. Run setup.msi, and then in the Cisco AD Connector Setup wizard, click Next.


  2. Choose the directory on the server to install the Cisco AD Connector.


  3. Confirm that you permit your AD Users and Groups to sync to Secure Access from the Cisco AD Connector.


  4. Add your Active Directory credentials. Enter the Username of the Connector user (Cisco_Connector or custom username) and the Password.

  5. Follow the remaining prompts in the setup, and when finished click Finish.

(Optional) Specify AD Groups in Selective Sync File

You can specify the AD Groups for the purpose of creating Access rules in Secure Access. Users and computers belonging to these Groups synchronize to Secure Access.

Rename Selective Sync File After Upgrading to AD Connector v1.14.4

If you use selective sync and upgrade the Cisco AD Connectors to v1.14.4 or later, you must rename the current selective sync file C:\CiscoUmbrellaADGroups.dat to C:\CiscoADGroups.dat.

Note: The selective sync file—previously named CiscoUmbrellaADGroups.dat—is not recognized by the Cisco AD Connector v1.1.4.4 or later.

After you rename the selective sync file, Secure Access automatically reads the selective sync file (C:\CiscoADGroups.dat) and syncs the Users in the specific Groups from AD to Secure Access. You are not required to restart the AD Connector service.

Create AD Groups in a Selective Sync File

  1. Identify the AD Groups of interest. Users and computers belonging to these Groups synchronize to Secure Access.
    For each sub-tree, only the parent group needs to be specified. All AD groups, users, and computers that are part of this parent group are automatically included.
    Note: If you enabled Selective Sync, AD Users and Computers that are not members of Groups specified in CiscoADGroups.dat or their subgroups are not synchronized to Secure Access and are completely exempt from Secure Access access rules and reports.
  2. Create a CiscoADGroups.dat file in the C:\ drive of each machine where the connector is installed.
    The connector only reads the C:\CiscoADGroups.dat file. If the file is incorrectly named or is not present in the C:\ drive, all groups are imported to Secure Access.
  3. List the AD groups that need to be synchronized in distinguished name (DN) format in this file.
  4. Ensure that there are no blank lines anywhere in the file.
    Note: If you are running multiple AD Connectors, the file C:\CiscoADGroups.dat should be present on each system running the AD Connector and should be identical on each system.

Supported Organizational Units

CN=My Group,OU=Organizational Unit,DC=sample,DC=local

Unsupported Organizational Units

OU=My OU,OU=Organizational Unit,DC=sample,DC=local

Sample File Entries

CN=Engineering,CN=Builtin,DC=ciscoumbrella,DC=com

CN=Sales,CN=Builtin,DC=ciscoumbrella,DC=com

CN=Marketing,CN=Builtin,DC=ciscoumbrella,DC=com

Total Number of Groups Selected for Synchronization

Groups specified in the selective sync file and all of their subgroups should not exceed 15,000. Also, these Groups should not be nested within more than five OU levels. Selective synchronization fails in both cases.

Note: If you can not meet either of these requirements, we recommend that you do not use the selective sync file. Instead, you can do a full AD tree synchronization.

Configure Updates on AD Connectors < Connect Active Directory to Secure Access > Deploy LDIF Files for AD Connector

Updated 9 days ago