Connect Active Directory to Secure Access

The Cisco Active Directory (AD) Connector integrates Cisco Secure Access with your instance of Microsoft Active Directory (AD). Before you can provision users and groups from AD to Secure Access, register the AD components in your environment (domain controller or domain) with Secure Access. Then, download the Cisco AD Connector software package and install the AD Connector in the organization's environment.

This guide describes the steps to install the Cisco AD Connector for LDAP or LDAPS, and provision users and groups from your instance of Microsoft AD to Secure Access.

How to Connect Active Directory to Secure Access

The deployment of the AD Connector has various components. You can configure the Cisco AD Connector to provision users and groups from Microsoft AD using LDAP or LDAPS (domain controller or domain), or from LDAP Data Interchange Format (LDIF) source files.

  1. Add domain controllers in Secure Access for LDAP or LDAPS deployments. For more information, see Add AD Components to Secure Access.
  2. (Optional) Configure authentication for the AD Connectors in your environment. For more information, see Configure Authentication for AD Connectors.
  3. Download the AD Connector ZIP file from Secure Access.
  4. Install and configure the AD Connector on your server.
  5. View the installed AD Connector in Secure Access and verify that users and groups begin to sync to Secure Access.

Prerequisites

(Optional) Specify AD Groups

Optionally, you can specify the AD Groups for the purpose of creating access rules in Secure Access.

  1. Identify the AD Groups of interest. Users and computers belonging to these Groups synchronize to Secure Access.
    For each sub-tree, only the parent group needs to be specified. All AD groups, users, and computers that are part of this parent group are automatically included.
    Note: If you enabled Selective Sync, AD Users and Computers that are not members of Groups specified in CiscoADGroups.dat or their subgroups are not synchronized to Secure Access and are completely exempt from Secure Access access rules and reports.
  2. Create a CiscoADGroups.dat file in the C:\ drive of each machine where the connector is installed.
    The connector only reads the C:\CiscoADGroups.dat file. If the file is incorrectly named or is not present in the C:\ drive, all groups are imported to Secure Access.
  3. List the AD groups that need to be synchronized in distinguished name (DN) format in this file.
  4. Ensure that there are no blank lines anywhere in the file.
    Note: If you are running multiple AD Connectors, the file C:\CiscoADGroups.dat should be present on each system running the AD Connector and should be identical on each system.

Supported Organizational Units

CN=My Group,OU=Organizational Unit,DC=sample,DC=local

Unsupported Organizational Units

OU=My OU,OU=Organizational Unit,DC=sample,DC=local

Sample File Entries

CN=Engineering,CN=Builtin,DC=ciscoumbrella,DC=com
CN=Sales,CN=Builtin,DC=ciscoumbrella,DC=com
CN=Marketing,CN=Builtin,DC=ciscoumbrella,DC=com

Total Number of Groups Selected for Synchronization

Groups specified in the selective sync file and all of their subgroups should not exceed 15,000. Also, these Groups should not be nested within more than five OU levels. Selective synchronization fails in both cases.

Note: If you cannot meet either of these requirements, we recommend that you do not use the selective sync file. Instead, you can do a full AD tree synchronization.
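As an added check that is not part of the Cisco documentation or the connector software, the following Python validator applies the rules above (CN-only entries, no blank lines, OU nesting depth, total group count) to a constructed CiscoADGroups.dat. The OU-depth test is an approximation: it counts the OU= components in each group's DN rather than querying AD.

```python
import re

# Constructed sample CiscoADGroups.dat content (not Cisco's): two valid group DNs,
# an unsupported OU entry, a forbidden blank line and a group nested too deeply.
SAMPLE_FILE = (
    "CN=Engineering,CN=Builtin,DC=ciscoumbrella,DC=com\n"
    "OU=My OU,OU=Organizational Unit,DC=sample,DC=local\n"
    "\n"
    "CN=Sales,CN=Builtin,DC=ciscoumbrella,DC=com\n"
    "CN=Deep,OU=a,OU=b,OU=c,OU=d,OU=e,OU=f,DC=sample,DC=local\n"
)

MAX_GROUPS = 15000   # documented limit for listed groups plus all their subgroups
MAX_OU_DEPTH = 5     # documented OU nesting limit, approximated by OU= components in the DN

def parse_dn(dn):
    """Split a DN into (attribute, value) pairs; commas escaped with a backslash stay in the value."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def validate_selective_sync_file(text):
    """Return (accepted_dns, problems); problems are (line_no, message), line 0 = whole file."""
    accepted, problems = [], []
    # splitlines() handles Windows CRLF and does not treat the final newline as a blank line
    for no, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            problems.append((no, "blank line: the file must contain no blank lines"))
            continue
        try:
            rdns = parse_dn(raw)
        except ValueError as exc:
            problems.append((no, str(exc)))
            continue
        ou_depth = sum(1 for attr, _ in rdns if attr == "OU")
        if rdns[0][0] != "CN":
            problems.append((no, f"{rdns[0][0]}= entries are unsupported; list groups by CN"))
        elif ou_depth > MAX_OU_DEPTH:
            problems.append((no, f"group sits {ou_depth} OU levels deep (limit {MAX_OU_DEPTH})"))
        else:
            accepted.append(raw.strip())
    if len(accepted) > MAX_GROUPS:
        problems.append((0, f"{len(accepted)} groups listed; limit is {MAX_GROUPS} including subgroups"))
    return accepted, problems
```

Run the validator against the real C:\CiscoADGroups.dat on every connector host; any reported problem means the connector will either fall back to a full import or fail selective synchronization.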

Procedure

Download, install, and configure the Cisco AD Connector.

Step 1 – Set Up AD Components

Step 2 – Download the Active Directory Connector

Download the Cisco AD Connector from Secure Access to your server.

Note: When you download the Cisco AD Connector software package, and if you did not configure API key credentials for the AD Connectors, Secure Access displays a warning message. We recommend that you configure API keys for your AD Connectors. For more information, see Configure Authentication for AD Connectors and VAs.

  1. Configure a server to run the Cisco AD Connector, and then sign in to Secure Access on that server.

  2. Navigate to Connect > Users and Groups > Users and click Provision Users, or navigate to Connect > Users and Groups > Groups and click Provision Groups.

  3. For Provisioning Method, click Active Directory or expand Active Directory.

  4. For Active Directory Connector, click Download to save the Cisco AD connector deployment package to the server. The deployment package is named: CiscoAuditClient_vX.X.X.zip.

Note: You must download the ZIP file to the local machine where you plan to run it, or copy it locally from another machine. We do not recommend that you install the Cisco AD Connector from a network drive or run the setup.msi directly from the compressed file.

Step 3 – Install the Active Directory Connector

As an administrator, extract the contents of the Cisco AD Connector ZIP file to a folder on the server, and then navigate to that folder.
Note: If you run the AD Connector installer from the root directory of your server, you may encounter installation errors.

  1. Run setup.msi, and then in the Cisco AD Connector Setup wizard, click Next.

  2. Choose the directory on the server to install the Cisco AD Connector.

  3. Confirm that you permit your AD Users and Groups to sync to Secure Access from the Cisco AD Connector.

  4. Add your Active Directory credentials. Enter the Username of the Connector user (Cisco_Connector or custom username) and the Password.

  5. Follow the remaining prompts in the setup, and when finished click Finish.

Step 4 – View the Installed AD Components in Secure Access

Change Connector Account Password