Prepare Your AD Environment

The integration of Active Directory (AD) with the Cisco Secure Access Virtual Appliance requires that you add your domain controllers in Secure Access. Also, for each domain controller, configure the Cisco AD Connector to read logon events from the domain controller. This guide describes the steps to add domain controllers to Secure Access and to configure auditing of logon events on them.

Prerequisites

Support for Multiple AD Domains and AD Forests

To integrate multiple AD domains or AD forests with Secure Access through integrations with domain controllers, deploy a Connector (with an additional Connector for redundancy) for each AD domain that integrates with Secure Access.

Procedure

Add your domain controllers to Secure Access and then integrate AD with these domain controllers. After you add the domain controllers, view the domain controllers in Secure Access.

Verify Auditing of Logon Events on Domain Controllers

The AD integration with domain controllers requires each domain controller to audit logon events.

  1. On each domain controller (excluding read-only domain controllers), if the Audit account logon events policy is set to No Auditing, set it to audit Success and Failure.

By default, this group policy is set to log Success logon events and you should not modify it. Secure Access requires the Audit account logon events setting so that it knows whether a user has logged in successfully and can then compare that login to subsequent events generated by that user.

If the Audit Policy is not set, the Windows Configuration Script for Domain Controller displays this error message:

    "ERROR: "
    -----------------------------------------------------------------------------
    Your Group Policy for this Domain Controller is set to NOT audit successful logon events!
    You MUST edit the following Group Policy for all DCs:

    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit logon events

    Define that policy to audit Success attempts, gpupdate, and re-run this script!
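Before running the Cisco script, you can confirm the effective audit setting yourself. The following PowerShell snippet is an added example and is not Cisco's configuration script; it runs auditpol.exe (present on every supported Windows Server) in an elevated session on the domain controller and reports the effective setting for the two audit categories this page refers to, whether that setting came from the legacy policy or from an Advanced Audit Policy subcategory.

```powershell
# Added example (not the Cisco Windows Configuration Script).
# Run in an elevated PowerShell session on each writable domain controller.

# Legacy policy names used on this page and the auditpol categories they map to.
$policies = @{
    'Audit account logon events' = 'Account Logon'
    'Audit logon events'         = 'Logon/Logoff'
}

function Get-EffectiveAuditSetting {
    param([string]$Category)
    # auditpol /r emits CSV with the columns:
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    auditpol.exe /get /category:"$Category" /r |
        Where-Object { $_.Trim() } |          # drop any blank lines before parsing
        ConvertFrom-Csv |
        ForEach-Object {
            [pscustomobject]@{
                Category      = $Category
                Subcategory   = $_.Subcategory
                Setting       = $_.'Inclusion Setting'   # e.g. "Success and Failure", "No Auditing"
                AuditsSuccess = ($_.'Inclusion Setting' -match 'Success')
            }
        }
}

$results = foreach ($name in $policies.Keys) {
    Get-EffectiveAuditSetting -Category $policies[$name]
}
$results | Format-Table Category, Subcategory, Setting, AuditsSuccess -AutoSize

# Any subcategory that does not audit Success will trigger the script's ERROR message above.
$missing = $results | Where-Object { -not $_.AuditsSuccess }
if ($missing) {
    Write-Warning ("Successful logon events are NOT audited for: " + ($missing.Subcategory -join ', '))
    Write-Warning "Set the Audit Policy to audit Success in Group Policy, run gpupdate /force, then re-run the Cisco script."
} else {
    Write-Host "All logon-related subcategories audit Success; the configuration script's audit check should pass."
}
```

auditpol reports the effective policy on the local machine only, so run it on each domain controller that will be registered rather than once per domain.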

Download the Windows Configuration Script for Domain Controllers

The Windows Configuration Script automates the permissions for the Cisco_Connector user.

In Secure Access, download the Windows Configuration Script for Domain Controller to the domain controllers in your environments.

  1. Navigate to Connect > Users and Groups > Users, click Provision Users, and then click Active Directory.
    After an initial AD deployment, navigate to Connect > Users and Groups > Users, click Configuration Management, and expand Active Directory.
  2. For Windows Configuration Script for Domain Controller, click Download.
  3. Download and save the configuration script to a location on the machine where you plan to run it.
    Note: The configuration script is written in Visual Basic Script and is in plain text.

Run the Windows Configuration Script for the Domain Controllers

Run the Windows Configuration Script for Domain Controller on all of the domain controllers at each site (excluding read-only domain controllers (RODCs)) for each domain that will integrate with Secure Access. The configuration script prepares the domain controllers to communicate with the AD Connector.

  1. As an administrator, open an elevated command prompt.
    Important: Before running the script, you must create the Cisco_Connector user. Also, there are several Group Policies that affect system operation that may need manual configuration. The script displays the status of these settings and, if needed, provides instructions on how to change them.
  2. Locate the Windows Configuration Script for Domain Controller file and run the script in the command prompt.
    Note: Substitute the Windows configuration script filename (including the .wsf file extension) in the cscript command. Use the second form to specify a custom user instead of Cisco_Connector.

    cscript <Windows Configuration Script filename with extension>

    cscript <Windows Configuration Script filename with extension> --username <sAMAccountName for custom user>

Important: The script displays your current configuration, then offers to auto-configure the domain controller. If the auto-configure steps are successful, the script offers to register the domain controller with Secure Access. Registration only occurs if you accept this offer.

Repeat these steps for each domain controller that you add in Secure Access. For the service to work as expected, both for high availability and overall reliability, the configuration script must be run on every domain controller in each AD domain that integrates with Secure Access.

Add a Domain Controller in Secure Access

Choose the domain controller component type and set up the domain controller to sync with Secure Access.

  1. Navigate to Connect > Users and Groups > Users, click Provision Users, and then click Active Directory.
    After an initial AD deployment, navigate to Connect > Users and Groups > Users, click Configuration Management, and expand Active Directory.
  2. Click Next.
  3. Choose Domain Controller to register the AD domain controller in Secure Access.
  4. Enter the hostname, internal IP address, and domain of the domain controller.
  5. For Active Directory tag, choose a Site to associate with the AD component.
  6. Click Next, and then follow the instructions to install the AD Connector. For more information, see Connect Active Directory to VAs.

View the Registered AD Components in Secure Access

The hostname of the domain controller that you ran the configuration script on appears in the Inactive state. If you have configured multiple Secure Access Sites and have deployed Virtual Appliances, make sure that the AD server is in the same Secure Access Site as the VAs that will receive DNS queries from the Users in that AD domain.

For information about viewing the deployed AD components, see View AD Components in Secure Access.
