Cisco ACS external database order

Unanswered Question
Feb 2nd, 2007

We are having conflicts with group membership in ACS due to using the same ID format for both Active Directory accounts and RSA tokens. We use the tokens for corporate wireless access - this account is then cached - then the same user will attempt to execute administration activities and be blocked because the user is in the wrong group.

Has anyone experienced issues with this type of conflict?

darpotter Mon, 02/05/2007 - 00:58

This kind of scenario is a problem for ACS because once an external user has been authenticated once... ACS sets the database type to the external DB that worked. Every subsequent authentication will go to the same external DB.

If you have ACS 4.0 you might be able to make it work by creating a NAP for each service - wired and wireless.

Inside each NAP you setup auth protocols and group mappings etc. Each NAP effectively has its own external db config.

At this stage users get multiple (yuck) entries in the ACS DB (one for each NAP) that can have its own password type.

ACS will automatically select the right one by virtue of the NAP. The trick is to make sure the correct NAP is activated. Each NAP has a set of rules to match incoming requests, eg by NFG or NAF, or by something in the request packet, eg a particular attribute value.

This last bit can be quite hard because sometimes the same device can ask for two different things. Cisco are still in a mess here and it's down to the end user to try and find something in the packet they can trigger off.

Darran
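A constructed model of the two behaviours Darran describes, added here as an example (this is not Cisco code; the user, group names, NAS addresses and NAF sets are assumptions). The legacy class shows the first successful external DB becoming sticky for the user, so a later admin request is checked against the wrong group; the NAP class shows the request's NAS IP selecting a NAP, and therefore the external DB, per request.

```python
"""Toy model of ACS external-DB stickiness vs NAP selection. Not ACS code."""
from dataclasses import dataclass, field

# Constructed external databases: user -> ACS group the DB maps them to.
RSA_TOKENS = {"jdoe": "wireless-users"}   # assumed RSA/ACE mapping
WINDOWS_AD = {"jdoe": "network-admins"}   # assumed Windows/AD mapping
EXTERNAL_DBS = {"rsa": RSA_TOKENS, "windows": WINDOWS_AD}  # unknown-user order


@dataclass
class LegacyAcs:
    """Single user list: the first external DB that succeeds is cached."""
    db_type: dict = field(default_factory=dict)  # user -> cached DB name

    def authenticate(self, user, nas_ip, required_group):
        # nas_ip is ignored: the cached DB type decides, not the request.
        db = self.db_type.get(user)
        if db is None:  # unknown user: try the external DBs in order
            for name, table in EXTERNAL_DBS.items():
                if user in table:
                    self.db_type[user] = db = name
                    break
            else:
                return False
        # Authorization: the group comes from the cached DB, right or wrong.
        return EXTERNAL_DBS[db][user] == required_group


# NAP model: a NAF (set of NAS IPs, assumed values) picks the NAP, and the
# NAP fixes which external DB answers the request.
NAPS = [
    {"name": "wireless", "naf": {"10.0.1.10"}, "db": "rsa"},
    {"name": "admin", "naf": {"10.0.2.1"}, "db": "windows"},
]


class NapAcs:
    """One user entry per NAP; the request, not history, selects the DB."""

    def authenticate(self, user, nas_ip, required_group):
        for nap in NAPS:
            if nas_ip in nap["naf"]:
                table = EXTERNAL_DBS[nap["db"]]
                return user in table and table[user] == required_group
        return False  # no NAP matched: reject rather than guess a DB
```

Run the wireless request first and then the admin request against both classes to see the legacy model fail the admin check while the NAP model passes it.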

nicolas.papin Tue, 02/13/2007 - 02:32

Hello,

I reply to this post because my problem is quite the same.

I have on my ACS 4.0, two types of users wireless and remote access.

Wireless authentication is done by EAP-TLS (machine certificate) and remote users by RSA through a VPN concentrator.

The problem is about External user databases, they are not the same for Wireless (Windows) and for Remote (ACE).

So I am looking for a way to specify, by NAS IP address or protocol used, whether to ask the ACE or Windows database.

It is probably possible with NAP but I'm not used to it.

Perhaps it is simpler than I think but I am not very skilled with ACS technology :p

So in brief, is it possible to map a user to an external database according to NAS IP address or protocol used?

Thanks in advance.

darpotter Tue, 02/13/2007 - 10:35

Yes, but you'll have to use NAP.

The UI for it sucks big time but if you struggle with it long enough you'll make it.

I would start by making a very simple NAP that maybe just does PAP or something really simple. Get that working then add in more complexity.

dpatkins Tue, 04/24/2007 - 07:26

Is there a NAP/NAC for dummies example out there that will help people through this? Do you think this will be the answer for Remote Access with Vista?

Thanks

Dwane
