Is there a detailed explanation of advanced options?

Answered Question
Mar 8th, 2010

[Attachment: ACS-advanced-options.JPG]

I was wondering if there is a document that further details the advanced options. The defaults selected are Reject, Reject, Drop. However, if the user is not found and you select Continue instead of Reject, what is the next step in authentication?

Here is my exact question:

If you select continue, where does the ACS look next?

Does it look for the next rule in that access-policy or does it go to the next access-policy?

Correct Answer by jrabinow, Mon, 03/08/2010 - 11:46

Do not have a document but can try explaining in this post.


There are three cases to which this configuration can apply, and for each case three options to control the behavior.


The three behavior options are:

- Reject: send a reject response for the request

- Drop: send no response to the request

- Continue: continue to evaluate the authorization policy conditions


The three cases for which the options can be configured are:

- Authentication failed: User name was found in ID store but either password is incorrect or user is disabled

- User not found: User name was not found in any of the ID stores that were evaluated

- Process failed: Could not get a response from ID store


As I mentioned, if Continue is selected, the processing continues to evaluate the authorization policy for the access service that was previously selected. No other access services are evaluated.


Note that within the authorization policy there is an additional attribute that can be used to determine the specific case that occurred during authentication. The attribute is "Authentication Status" and can take the values "AuthenticationPassed", "AuthenticationFailed", "ProcessError", "UnknownUser".

So within the authorization policy you can define different results depending on the "Authentication Status" result; e.g. to put the user in a default VLAN.

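A small model of the evaluation order jrabinow describes, added here as an example; it is not ACS code and not from the thread. The rule names, profile names, the DenyAccess mapping and first-match rule ordering are assumptions; the three cases, three options and the "Authentication Status" values are from the answer.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# The four "Authentication Status" values named in the answer.
AUTH_PASSED, AUTH_FAILED, PROCESS_ERROR, UNKNOWN_USER = (
    "AuthenticationPassed", "AuthenticationFailed", "ProcessError", "UnknownUser")

# Default advanced options from the question: Reject, Reject, Drop.
DEFAULT_ADVANCED = {AUTH_FAILED: "reject", UNKNOWN_USER: "reject", PROCESS_ERROR: "drop"}


@dataclass
class AuthzRule:
    name: str
    condition: Callable[[Dict[str, str]], bool]
    profile: str          # authorization profile, e.g. a VLAN profile or DenyAccess (assumed names)


@dataclass
class AccessService:
    name: str
    advanced: Dict[str, str]          # failure case -> "reject" | "drop" | "continue"
    authz_rules: List[AuthzRule]
    default_profile: str = "DenyAccess"


def evaluate(service: AccessService, auth_status: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (RADIUS response, profile). Only this service's authorization policy
    is consulted: per the answer, Continue never moves on to another access service."""
    if auth_status != AUTH_PASSED:
        action = service.advanced[auth_status]
        if action == "reject":
            return "Access-Reject", None
        if action == "drop":
            return None, None             # request silently discarded, no response sent
        # action == "continue": fall through to the authorization policy
    attrs = {"Authentication Status": auth_status}
    profile = service.default_profile
    for rule in service.authz_rules:      # first matching rule wins (assumption)
        if rule.condition(attrs):
            profile = rule.profile
            break
    return ("Access-Reject" if profile == "DenyAccess" else "Access-Accept"), profile


# Constructed sample policy: unknown users land in a guest VLAN, passed users in the employee VLAN.
SAMPLE_RULES = [
    AuthzRule("guest", lambda a: a["Authentication Status"] == UNKNOWN_USER, "Guest-VLAN"),
    AuthzRule("employee", lambda a: a["Authentication Status"] == AUTH_PASSED, "Employee-VLAN"),
]
DEFAULT_SERVICE = AccessService("Default Network Access", dict(DEFAULT_ADVANCED), SAMPLE_RULES)
GUEST_SERVICE = AccessService("Guest Network Access", {**DEFAULT_ADVANCED, UNKNOWN_USER: "continue"}, SAMPLE_RULES)
```

Comparing DEFAULT_SERVICE and GUEST_SERVICE for an unknown user shows the security-relevant difference: with Continue the user is not rejected but gets whatever profile the authorization rules grant, so the rule matching "UnknownUser" must deliberately hand out a restricted profile rather than fall into a permissive default.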

Alex Pfeil Tue, 03/09/2010 - 04:19

jrabinow wrote:

As I mentioned, if Continue is selected, the processing continues to evaluate the authorization policy for the access service that was previously selected. No other access services are evaluated.


This is the info I was specifically looking for.


Thanks,

I appreciate your time,


Alex Pfeil
