I know the way to configure the ASA to fall back to LOCAL authentication if the RADIUS server is not available.
Now we would like to authenticate the local users if the user is not found in AD. Is this possible, and how can I configure this with the new policies? I tested it with "dropping" when the user is not found in AD, but then the RADIUS server will be marked as "dead" and the other AD users can't log in for a given period. Maybe we can configure the dead time to 0, but this is not as nice as it could be.
Thanks a lot in advance and best regards.
You should be able to accomplish this in the configuration of your tunnel group on your ASA.
The keyword 'LOCAL' will have the ASA try the local ASA database if the authentication attempts to ACS via RADIUS fail.
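The tunnel-group fallback this answer describes, written out as an ASA configuration (an added example, not from the original post; the server-group name, interface, host address, usernames and shared secret are placeholders). As the question itself notes, LOCAL is consulted only once the RADIUS group is marked unreachable, not when a user is simply absent from AD, so the dead-time settings on the server group decide how long that fallback window lasts:

```text
! Added example (not from the original post). Names, IP address and
! key are placeholders; only the command structure is the point.
aaa-server ACS-RADIUS protocol radius
 ! after this many failed requests a host is marked unreachable
 max-failed-attempts 3
 ! minutes the group stays "dead" before the ASA retries it;
 ! this is the dead time the question refers to
 reactivation-mode depletion deadtime 10
aaa-server ACS-RADIUS (inside) host 192.0.2.10
 key EXAMPLE-SHARED-SECRET
 authentication-port 1812
 accounting-port 1813
!
! local account that the LOCAL fallback can authenticate
username localadmin password EXAMPLE-PASSWORD privilege 15
!
tunnel-group REMOTE-VPN type remote-access
tunnel-group REMOTE-VPN general-attributes
 ! try ACS-RADIUS first; LOCAL is used only when every server in
 ! the group is marked unreachable, not when RADIUS rejects the user
 authentication-server-group ACS-RADIUS LOCAL
```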
This can be done by creating an identity sequence (Users and Identity Stores > Identity Store Sequences).
An identity store sequence allows you to access multiple databases in sequence until the user authenticates.
Create a sequence, select Password Based, and then AD1 followed by "Internal Users" in the "Authentication Method List". Once created, the sequence can then be selected as the result of the corresponding identity policy.