I am using ACS 5.1 and have an ASA using RADIUS towards ACS. Useres are authenticated using Certificates, but should still get a Class ID from AD via ACS 5.1. ACS 5.1 has an LDAP Connection to AD to read out the specific Attribute.
Everything works fine so far, as long as the user is not only authorized, but also authenticated using this LDAP connection. But since the Users have a valid Certificate, I do not want them also to use in addition to that the username and password from AD.
I have created a SSP to handle the radius from ASA in a separe Rule. The identity I set to do LDAP and tell if not user found and/or authentication invalid to continue. So it will continue to go for authorization.In this scenario I get in trouble, since AD will disable the user account after 5 unsuccessful authentication tries. So this is not the way I can go for production environment. So my try was to change from LDAP to the internal DB instead.
But in this case the ACS does not do authorization using LDAP (I put a sniffer in the path and saw no LDAP Traffic at all). But in the monitoring it tell to take the apropriate rule, but finds no dynamic attribute.
My question is: Is this per Design or could this be a bug in ACS 5.1?
Many thanks for any help or comments.