ACS 5.1 - Can external users be members of internal groups?

Nathan Spitzer
Level 1

Currently I use ACS 4.1 to authenticate network admin access to routers and switches. User credentials are authenticated against a Microsoft AD domain, but group membership is handled via ACS due to us not wanting to deal with the corporate AD bureaucracy regarding AD groups.

I am trying to migrate to ACS 5.1 due to its much more efficient and flexible policy, but am having issues trying to get the external users to be members of internal groups.

I REALLY don't want to have to create AD groups and do the whole group mapping thing. Am I missing something obvious, or am I overthinking it?

Thanks

Nathan Spitzer

Sr. Network Communications Analyst

Lockheed Martin

Accepted Solution

jrabinow
Level 7

This can be done by creating an identity sequence: Users and Identity Stores > ... > Identity Store Sequences

1) Select "Password Based" as Authentication Method

2) In "Authentication and Attribute Retrieval Search List" select AD1

3) In "Additional Attribute Retrieval Search List" select InternalUsers

4) Select the Advanced Option 'If internal user/host not found or disabled then exit sequence and treat as "User Not Found"'

This can then be selected as the result in an identity policy. What this does is authenticate the user in Active Directory. If authentication fails, it will be treated as an authentication failure. If authentication passes, it will then look up the user in the internal user database. If there is no active user in the internal user database, then the identity sequence will be treated as if it failed with an "Authentication Status" of "UnknownUser".

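As an added illustration of the sequence described in the accepted answer (example code written for this page, not code from the original post or from Cisco ACS): a small Python model of the four steps. The store names AD1 and InternalUsers come from the answer; the user records, the password hashing, the attribute name IdentityGroup and the authorization rule at the end are constructed. The model also shows what the advanced option in step 4 protects against, under the assumption that without it the sequence would carry on with no internal attributes: an AD user who has no active internal record is reported as "UnknownUser" and so never reaches an authorization rule.

```python
"""Model of the ACS 5.1 identity store sequence from the accepted answer.

Constructed example: the two dicts below stand in for the "AD1" external
store and the "InternalUsers" store. Nothing here talks to a real ACS or AD.
"""
import hashlib
import hmac


def _h(password: str) -> str:
    # Constructed stand-in for AD credential checking; hashing only avoids
    # keeping plaintext passwords in the sample data.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed AD1 store: username -> password hash.
AD1 = {
    "nspitzer": _h("Correct-Horse"),
    "contractor": _h("Battery-Staple"),  # valid AD account, no internal record
}

# Constructed InternalUsers store: username -> enabled flag and identity group.
# Group membership lives here, not in AD, which is the poster's requirement.
INTERNAL_USERS = {
    "nspitzer": {"enabled": True, "identity_group": "NetworkAdmins"},
    "olduser": {"enabled": False, "identity_group": "NetworkAdmins"},
}


def ad_authenticate(user: str, password: str) -> bool:
    """Step 2: password-based authentication against AD1."""
    stored = AD1.get(user)
    return stored is not None and hmac.compare_digest(stored, _h(password))


def run_sequence(user: str, password: str, exit_if_internal_missing: bool = True):
    """Run the identity sequence; return (authentication_status, attributes)."""
    if not ad_authenticate(user, password):
        return "AuthenticationFailed", {}
    # Step 3: additional attribute retrieval from InternalUsers.
    rec = INTERNAL_USERS.get(user)
    if rec is None or not rec["enabled"]:
        if exit_if_internal_missing:
            # Step 4: the advanced option turns "not found / disabled" into UnknownUser.
            return "UnknownUser", {}
        # Assumption (not stated in the answer): without the option the sequence
        # continues with an empty attribute set.
        return "Passed", {}
    return "Passed", {"IdentityGroup": rec["identity_group"]}


def authorize(status: str, attrs: dict) -> str:
    """Constructed authorization rule: only NetworkAdmins get privileged access."""
    if status != "Passed":
        return "Reject"
    if attrs.get("IdentityGroup") == "NetworkAdmins":
        return "Permit:PrivLevel15"
    return "Reject"  # default deny for anyone without a matching internal group


if __name__ == "__main__":
    for user, pw in [("nspitzer", "Correct-Horse"), ("nspitzer", "nope"),
                     ("contractor", "Battery-Staple"), ("olduser", "anything")]:
        status, attrs = run_sequence(user, pw)
        print(f"{user:10s} {status:20s} {attrs} -> {authorize(status, attrs)}")
```

The case worth noticing is "contractor": AD accepts the password, but because there is no internal record the sequence ends in UnknownUser and authorization is never evaluated. Disabling an internal user therefore revokes device access even while the AD account stays active.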

2 Replies

Now we are cooking with gas!!! Thanks a bunch, this is just what I wanted.