ACS 4.2 & external authentication DBs

Unanswered Question
Dec 18th, 2008

If ACS is configured to authenticate to two backed external authentication DBs, namely Windows A/D and RSA SecureID, is it possible to send the authentication request received by ACS from a AAA client to one or the other rather than only having the option to send it to the list that contains both external authentication servers.

ACS doco makes it clear that the order of these external DBS is important.

I want a policy to override this and ensure that a request from a AAA client goes to a particular external DB and does not rely on the order of the ext. DBs in the list.

i.e. auth request comes from wlan controller, authenticate straight to windows A/D; auth request comes from

ASA for VPN users, authenticate straight to RSA secureID

??

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
franklinb Tue, 03/31/2009 - 21:44

Thanks for that jhillend. By using NAPs can I then ensure that VPN authentication always goes to the RSA DB, and TACACS+ always goes to Windows?

I have a current issue at the moment where random users that are not in the ACS user cache are not being correctly mapped to their RSA group (no log entry is showing up on the RSA server either) and being dumped in the default group.

Actions

This Discussion