ACS 5.1 - Can external users be members of internal groups?

Answered Question
Feb 8th, 2010

Currently I use ACS 4.1 to authenticate network admin access to routers and switches. Users' credentials are authenticated against a Microsoft AD domain, but group membership is handled via ACS because we do not want to deal with the corporate AD bureaucracy regarding AD groups.

I am trying to migrate to ACS 5.1 because of its much more efficient and flexible policy, but I am having issues trying to get the external users to be members of internal groups.

I REALLY don't want to have to create AD groups and do the whole group mapping thing. Am I missing something obvious, or am I overthinking it?

Thanks

Nathan Spitzer

Sr. Network Communications Analyst

Lockheed Martin

Correct Answer by jrabinow, Tue, 02/09/2010 - 03:34

This can be done by creating an identity sequence:

Users and Identity Stores > ... > Identity Store Sequences

1) Select "Password Based" as the Authentication Method.

2) In "Authentication and Attribute Retrieval Search List", select AD1.

3) In "Additional Attribute Retrieval Search List", select InternalUsers.

4) Select the Advanced Option:

If internal user/host not found or disabled then exit sequence and treat as "User Not Found"

This can then be selected as the result in an identity policy. What this does is authenticate the user in Active Directory. If authentication fails, it will be treated as an authentication failure. If authentication passes, it will then look up the user in the internal user database. If there is no active user in the internal user database, then the identity sequence will be treated as if it failed with an "Authentication Status" of "UnknownUser".

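The evaluation order jrabinow describes (AD1 authenticates the password, InternalUsers only contributes the identity group, and the advanced option decides what happens when no active internal record exists) can be modelled as a small decision function. The block below is an added example written for this page; it is not ACS code and does not talk to a real directory. The dictionaries `AD1` and `INTERNAL_USERS`, the user names, the passwords and the group name `NetworkAdmins` are all constructed sample data, and the `treat_missing_as_not_found` flag is an assumed stand-in for the advanced option. The point it makes visible is the caveat behind step 4: with the option off, a valid AD password alone still passes the identity policy with no group attribute, so the authorization policy must end in a default-deny rule or every domain account gets through.

```python
import hmac
from dataclasses import dataclass
from enum import Enum


class AuthStatus(Enum):
    PASS = "Pass"
    AUTH_FAILED = "AuthenticationFailed"
    UNKNOWN_USER = "UnknownUser"


@dataclass(frozen=True)
class InternalUser:
    name: str
    identity_group: str
    enabled: bool = True


# Constructed sample data (assumption, not real directory contents).
# AD1 stands in for the Active Directory store that checks passwords;
# INTERNAL_USERS stands in for the ACS internal user store, which in the
# poster's setup only supplies the identity group.
AD1 = {
    "nspitzer": "Secret!1",
    "contractor": "Welcome1",   # valid AD account, no internal record
    "olduser": "Old!pass",      # valid AD account, internal record disabled
}
INTERNAL_USERS = {
    "nspitzer": InternalUser("nspitzer", "NetworkAdmins"),
    "olduser": InternalUser("olduser", "NetworkAdmins", enabled=False),
}


def ad_authenticate(user: str, password: str) -> bool:
    """Password-based authentication against AD1 (simulated lookup)."""
    expected = AD1.get(user)
    if expected is None:
        return False
    # Constant-time compare so the stub does not leak prefix matches.
    return hmac.compare_digest(expected.encode(), password.encode())


def identity_sequence(user: str, password: str,
                      treat_missing_as_not_found: bool = True):
    """Evaluate the identity store sequence from the answer.

    Step 1: AD1 is the Authentication and Attribute Retrieval store.
    Step 2: InternalUsers is the Additional Attribute Retrieval store.
    treat_missing_as_not_found models the advanced option
    'If internal user/host not found or disabled then exit sequence and
    treat as "User Not Found"'.
    Returns (AuthStatus, attributes) where attributes is None on failure.
    """
    if not ad_authenticate(user, password):
        return AuthStatus.AUTH_FAILED, None

    record = INTERNAL_USERS.get(user)
    if record is None or not record.enabled:
        if treat_missing_as_not_found:
            return AuthStatus.UNKNOWN_USER, None
        # Option off: authentication passed but no internal attributes exist.
        return AuthStatus.PASS, {}
    return AuthStatus.PASS, {"IdentityGroup": record.identity_group}


def authorize(user: str, password: str,
              treat_missing_as_not_found: bool = True) -> str:
    """Authorization policy: NetworkAdmins get access, everything else is denied."""
    status, attrs = identity_sequence(user, password, treat_missing_as_not_found)
    if status is not AuthStatus.PASS:
        return "Reject:" + status.value
    if attrs.get("IdentityGroup") == "NetworkAdmins":
        return "Permit:NetworkAdmins"
    # Default rule: a correct AD password without an internal group is denied.
    return "Reject:NoMatchingRule"


if __name__ == "__main__":
    for name, pw in (("nspitzer", "Secret!1"), ("contractor", "Welcome1"),
                     ("olduser", "Old!pass"), ("nspitzer", "wrong")):
        print(f"{name:10} option on : {authorize(name, pw)}")
        print(f"{name:10} option off: {authorize(name, pw, False)}")
```

Run it and compare the two columns for `contractor`: with the option on, the sequence exits with UnknownUser before any authorization rule is consulted; with it off, the request reaches the authorization policy and is only stopped by the final default-deny rule, which is the rule to check exists when you migrate the policy set.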
