I was wondering if there is a document that further details the advanced options. The defaults are selected Reject, Reject, Drop. However, if the user is not found and you select Continue instead of Reject, what is the next step in authentication?
Here is my exact question:
If you select continue, where does the ACS look next?
Does it look for the next rule in that access-policy or does it go to the next access-policy?
Do not have a document but can try explaining in this post.
There are three cases to which this configuration can apply, and for each case three options to control the behavior.
The three behavior options are:
- Reject: send a reject response for the request
- Drop: send no response to the request
- Continue: continue to evaluate the authorization policy conditions
The three cases for which the options can be configured are:
- Authentication failed: User name was found in ID store but either password is incorrect or user is disabled
- User not found: User name was not found in any of the ID stores that were evaluated
- Process failed: Could not get a response from ID store
As I mentioned, if Continue is selected, processing continues to evaluate the authorization policy for the access service that was previously selected. No other access services are evaluated.
Note that within the authorization policy there is an additional attribute that can be used to determine the specific case that occurred during authentication. The attribute is "Authentication Status" and can take the values "AuthenticationPassed", "AuthenticationFailed", "ProcessError", "UnknownUser".
So within the authorization policy you can define different results depending on the "Authentication Status" result; e.g. to put the user in a default VLAN.
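As an added illustration (not code from the original post, and not Cisco's implementation), the following Python model follows the flow described above: one access service, the per-case advanced option, and, only on Continue, the authorization policy matching on "Authentication Status". The ID store contents, rule names, first-match ordering and the deny-by-default rule are constructed assumptions for the model.

```python
# Constructed model of one ACS access service (assumption-based, not ACS code):
# the identity policy's advanced option decides what happens for each failure
# case; only "Continue" lets the authorization policy of this service run.
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

REJECT, DROP, CONTINUE = "Reject", "Drop", "Continue"
PASSED, FAILED, NOT_FOUND, PROCESS_ERROR = (
    "AuthenticationPassed", "AuthenticationFailed", "UnknownUser", "ProcessError")
# Defaults named in the question: Reject, Reject, Drop.
DEFAULT_OPTIONS = {FAILED: REJECT, NOT_FOUND: REJECT, PROCESS_ERROR: DROP}

# Constructed ID store: user -> (password, enabled).
ID_STORE = {"alice": ("s3cret", True), "bob": ("pa55", False)}

def lookup(user: str, password: str, store_up: bool = True) -> str:
    """Return the Authentication Status value the ID store lookup produces."""
    if not store_up:                      # no response from the store
        return PROCESS_ERROR
    if user not in ID_STORE:
        return NOT_FOUND
    stored_pw, enabled = ID_STORE[user]
    return PASSED if enabled and password == stored_pw else FAILED

@dataclass
class AuthzRule:
    name: str
    condition: Callable[[dict], bool]     # tested against request attributes
    result: str                           # authorization profile, or "DenyAccess"

def evaluate(user: str, password: str, advanced: dict, rules: list,
             store_up: bool = True) -> Tuple[Optional[str], Optional[str]]:
    """Return (response, matched rule); response None means the request was dropped."""
    status = lookup(user, password, store_up)
    if status != PASSED:
        action = advanced[status]         # advanced option configured for this case
        if action == REJECT:
            return "Access-Reject", None
        if action == DROP:
            return None, None
        # CONTINUE: fall through to this service's authorization policy
    attrs = {"user": user, "AuthenticationStatus": status}
    for rule in rules:                    # first match wins (assumed ordering)
        if rule.condition(attrs):
            resp = "Access-Reject" if rule.result == "DenyAccess" else "Access-Accept"
            return resp, rule.name
    return "Access-Reject", "Default"     # modelled default rule: deny

# Constructed authorization policy: unknown users land in a guest VLAN,
# successful authentications in the corporate VLAN, everything else is denied.
RULES = [
    AuthzRule("Guest VLAN", lambda a: a["AuthenticationStatus"] == NOT_FOUND, "GuestVLAN"),
    AuthzRule("Employees", lambda a: a["AuthenticationStatus"] == PASSED, "CorpVLAN"),
]
```

Note that with Continue set for "Authentication failed", a wrong password still reaches the authorization policy, so that policy must itself check "Authentication Status" (here the default rule denies it).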