02-08-2010 12:38 PM - edited 03-10-2019 04:56 PM
Currently I use ACS 4.1 to authenticate network admin access to routers and switches. Users' credentials are authenticated against a Microsoft AD domain, but group membership is handled via ACS due to us not wanting to deal with the corporate AD bureaucracy regarding AD groups.
I am trying to migrate to ACS 5.1 due to its much more efficient and flexible policy, but am having issues trying to get the external users to be members of internal groups.
I REALLY don't want to have to create AD groups and do the whole group mapping thing. Am I missing something obvious, or am I overthinking it?
Thanks
Nathan Spitzer
Sr. Network Communications Analyst
Lockheed Martin
02-09-2010 03:34 AM
This can be done by creating an identity sequence: Users and Identity Stores > ... > Identity Store Sequences
1) Select "Password Based" as Authentication Method
2) In "Authentication and Attribute Retrieval Search List" select AD1
3) In "Additional Attribute Retrieval Search List" select InternalUsers
4) Select the Advanced Option 'If internal user/host not found or disabled then exit sequence and treat as "User Not Found"'
This can then be selected as the result in an identity policy. What this does is authenticate the user in Active Directory. If authentication fails, it will be treated as an authentication failure. If authentication passes, it will then look up the user in the internal user database. If there is no active user in the internal user database, the identity sequence will be treated as if it failed with an "Authentication Status" of "UnknownUser".
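The following is an added example, not code from the thread or from Cisco ACS: a small Python model of how an identity store sequence configured with the four steps above resolves a login, so the three outcomes (authentication failure, unknown user, pass with internal group) can be checked side by side. The store contents, user names, passwords and the `IdentityGroup` attribute name are constructed assumptions, and the behaviour with the advanced option unticked is modelled, not taken from ACS documentation.

```python
# Added example, not from the thread: a model of how an ACS 5.x identity
# store sequence configured as in the answer above resolves a login attempt.
# Store contents below are constructed sample data, not real accounts.

class ADStore:
    """Authentication store (AD1 in the answer): verifies the password only."""
    def __init__(self, passwords):
        self.passwords = passwords  # username -> password

    def authenticate(self, user, password):
        return self.passwords.get(user) == password

class InternalUsersStore:
    """Additional attribute retrieval store: ACS-local group membership."""
    def __init__(self, users):
        self.users = users  # username -> {"enabled": bool, "group": str}

    def lookup(self, user):
        return self.users.get(user)

def identity_sequence(ad, internal, user, password, exit_if_not_found=True):
    """Evaluate the sequence and return (status, attributes).
    Status mirrors the answer: 'AuthenticationFailed', 'UnknownUser', 'Passed'.
    """
    # Step 1: password-based authentication against AD1
    if not ad.authenticate(user, password):
        return "AuthenticationFailed", {}
    # Step 2: additional attribute retrieval from the internal user database
    record = internal.lookup(user)
    if record is None or not record["enabled"]:
        if exit_if_not_found:
            # Advanced option ticked: exit and treat as "User Not Found"
            return "UnknownUser", {}
        # Option unticked: modelled (assumption) as passing with no attributes
        return "Passed", {}
    return "Passed", {"IdentityGroup": record["group"]}

# Constructed sample data: three AD accounts, two of which ACS knows about
AD1 = ADStore({"nspitzer": "Correct-Horse", "jdoe": "Battery-Staple",
               "old_admin": "Stale-Pass"})
INTERNAL = InternalUsersStore({
    "nspitzer": {"enabled": True, "group": "NetworkAdmins"},
    "old_admin": {"enabled": False, "group": "NetworkAdmins"},
})

if __name__ == "__main__":
    for u, p in [("nspitzer", "Correct-Horse"), ("nspitzer", "wrong"),
                 ("jdoe", "Battery-Staple"), ("old_admin", "Stale-Pass")]:
        print(u, identity_sequence(AD1, INTERNAL, u, p))
```

Note that `old_admin` authenticates fine in AD but is disabled in InternalUsers, so the sequence still rejects the login as UnknownUser; disabling the internal account is enough to revoke device access without touching AD.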
02-09-2010 03:43 AM
Now we are cooking with gas!!! Thanks a bunch, this is just what I wanted.