I have one set of ASA's with users who need to hit two different identity stores on the ACS. One group is normal users hitting Active Directory via LDAP, which currently works perfectly. I need to add a group of users that will be application based for auth purposes only, I am trying to store the users on the ACS rather than Active Directory because the current AD password policy breaks the application we are using and we have a 2003 AD which wont allow seperate password policies. Regardless of the Identity Store Sequence being set to internal first the users that log in always hit the LDAP AD attempt. bug? I am on current code.
I thought we could use identity store sequence to hit the local user DB first and the LDAP AD second but its not working. I was poking around in "Access Policies > *My ASA* > identity > advanced options" and it has a blurb that says...
"Note For authentications using PEAP, LEAP, EAP-FAST, or RADIUS MSCHAP it is not possible to continue processing when authentication fails or user is not found. If continue option is selected in these cases, reuqest will be rejected."
This statement seems to trump the concept of an "Identity Store Sequence", obviously if your user isnt in your first sequence you can't *continue* on two your second sequence.
Does anyone know how to get one source to talk to two identity stores? If we cant find a solution I'll probably have to try and get another set of ASA's to complete this project.