473 Views, 5 Helpful, 2 Replies

Users in CSACS Internal Database and External Database

mmelbourne
Level 5

We have CSACS 3.2(3) where users are configured with an internal SecurID account, with the unknown user policy set up to query our Windows 2000 AD for wireless users. A user might have two entries in the database: a static "matt.melbourne" RSA SecurID username in the internal database (for VPN access) and a MYDOMAIN\matt.melbourne user created through a dynamic group mapping for wireless authentication.

The Cisco wireless client prepends the domain name to the username and passes this to ACS for authentication, which then queries the AD through the Unknown User Policy. However, some wireless clients (including the Cisco Secure Services Client) don't appear to prepend the domain name and when authenticating wirelessly, the username e.g. "matt.melbourne" only is presented. This matches the SecurID user in the internal database and the authentication fails.

Is there a way around this? Ideally, I'd like to say that if the request comes from this group of NASes (e.g. APs), then only query the Windows 2000 AD database.

2 Replies

darpotter
Level 5

If you had ACS v4.x you could create a Network Access Policy (NAP) for wireless and VPN.

These can be triggered off the device IP, or network device group, or even an attribute in the access request - basically anything that identifies the request as either WLAN or VPN.

Each NAP can have its own external db config and group mappings.

The net result being the WLAN users get directed to windows regardless of domain mark-ups and vice versa for RSA.

ACS 4.x implements this horribly (i.e. you might see the same userid several times in the ACS user db), but if you can get past the UI it should work!
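The following is an added example, written for this page rather than taken from either poster or from Cisco ACS itself. It models the two flows discussed in the thread: the 3.2-style lookup (internal database first, unknown-user policy only for names not found there), which is where a bare "matt.melbourne" from a client that does not prepend the domain collides with the static SecurID entry, and the 4.x-style profile selection darpotter describes, where the request is classified by NAS address range or a request attribute and then sent only to that profile's database. The user stores, address ranges, passcodes, passwords and the use of the standard RADIUS NAS-Port-Type attribute as the wireless discriminator are all constructed assumptions for the demonstration; real ACS profile matching has more conditions than shown here.

```python
"""Model of per-profile request routing for a RADIUS/TACACS+ server.

Added example, not Cisco ACS code.  All users, addresses, passcodes and
passwords below are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed internal database: a static SecurID (VPN) user.  The value is
# the one-time passcode the token would currently accept.
INTERNAL_SECURID = {"matt.melbourne": "482913"}
# Constructed stand-in for the Windows AD (wireless users), keyed DOMAIN\user.
WINDOWS_AD = {"MYDOMAIN\\matt.melbourne": "Wireless-Pa55"}


def auth_internal(user: str, secret: str) -> Optional[bool]:
    """True/False if the name exists in the internal DB, None if unknown."""
    if user not in INTERNAL_SECURID:
        return None
    return INTERNAL_SECURID[user] == secret


def auth_windows(user: str, secret: str, default_domain: str) -> Optional[bool]:
    """AD lookup; prepend the domain when the client did not send one
    (assumed behaviour for clients like the one described in the thread)."""
    if "\\" not in user:
        user = f"{default_domain}\\{user}"
    if user not in WINDOWS_AD:
        return None
    return WINDOWS_AD[user] == secret


@dataclass(frozen=True)
class Request:
    username: str
    secret: str
    nas_ip: str
    attrs: dict = field(default_factory=dict)  # other RADIUS attributes


@dataclass(frozen=True)
class NAP:
    """A network access profile: match conditions plus its own DB chain."""
    name: str
    nas_networks: tuple   # device group expressed as address ranges
    required_attrs: dict  # e.g. {"NAS-Port-Type": "Wireless-802.11"}
    db_chain: tuple       # ordered DB lookup used only for this profile

    def matches(self, req: Request) -> bool:
        addr = ip_address(req.nas_ip)
        in_group = any(addr in ip_network(n) for n in self.nas_networks)
        attrs_ok = all(req.attrs.get(k) == v for k, v in self.required_attrs.items())
        return in_group and attrs_ok


DB_FUNCS = {
    "internal": lambda r: auth_internal(r.username, r.secret),
    "windows": lambda r: auth_windows(r.username, r.secret, "MYDOMAIN"),
}


def legacy_flow(req: Request):
    """3.2-style: internal DB first; the unknown-user policy (AD) is only
    consulted when the name is absent from the internal DB."""
    for db in ("internal", "windows"):
        result = DB_FUNCS[db](req)
        if result is not None:
            return db, result
    return None, False


def nap_flow(req: Request, naps):
    """4.x-style: first matching profile wins, then only its DB chain."""
    for nap in naps:
        if nap.matches(req):
            for db in nap.db_chain:
                result = DB_FUNCS[db](req)
                if result is not None:
                    return nap.name, db, result
            return nap.name, None, False
    return None, None, False


# Constructed profiles: APs live in 10.10.0.0/16 and send a wireless port
# type; the VPN concentrator is in 192.0.2.0/24.
PROFILES = (
    NAP("wlan", ("10.10.0.0/16",), {"NAS-Port-Type": "Wireless-802.11"}, ("windows",)),
    NAP("vpn", ("192.0.2.0/24",), {}, ("internal",)),
)

# Wireless client that does NOT prepend the domain, sending the AD password.
WLAN_REQ = Request("matt.melbourne", "Wireless-Pa55", "10.10.1.5",
                   {"NAS-Port-Type": "Wireless-802.11"})
# VPN login with the SecurID passcode.
VPN_REQ = Request("matt.melbourne", "482913", "192.0.2.10")

if __name__ == "__main__":
    print("legacy wlan:", legacy_flow(WLAN_REQ))        # ('internal', False)
    print("nap wlan:   ", nap_flow(WLAN_REQ, PROFILES))  # ('wlan', 'windows', True)
    print("nap vpn:    ", nap_flow(VPN_REQ, PROFILES))   # ('vpn', 'internal', True)
```

The first call reproduces the failure in the question: the bare username is found in the internal database, so the AD password is checked against the SecurID passcode and rejected. Routing by profile never consults the internal database for requests from the AP range, so the same request succeeds, and a request that does carry "MYDOMAIN\" still works under the legacy flow because the prefixed name is simply absent from the internal database.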

mmelbourne

Thanks for that; I'd seen NAPs in the 4.x documentation, which looked like it might work. We have ordered ACS 4.1, so I'll be going through a tortuous process to upgrade from ACS 3.2(3) :)