Identity Store Sequence from one Source

Unanswered Question
Jul 20th, 2010

I have one set of ASAs with users who need to hit two different identity stores on the ACS. One group is normal users hitting Active Directory via LDAP, which currently works perfectly. I need to add a group of users that will be application based for auth purposes only. I am trying to store the users on the ACS rather than Active Directory because the current AD password policy breaks the application we are using, and we have a 2003 AD which won't allow separate password policies. Regardless of the Identity Store Sequence being set to internal first, the users that log in always hit the LDAP AD attempt. Bug? I am on current code.

I thought we could use an identity store sequence to hit the local user DB first and the LDAP AD second, but it's not working. I was poking around in "Access Policies > *My ASA* > identity > advanced options" and it has a blurb that says...

"Note: For authentications using PEAP, LEAP, EAP-FAST, or RADIUS MSCHAP it is not possible to continue processing when authentication fails or user is not found. If continue option is selected in these cases, request will be rejected."

This statement seems to trump the concept of an "Identity Store Sequence"; obviously if your user isn't in your first sequence you can't *continue* on to your second sequence.

What gives?

Does anyone know how to get one source to talk to two identity stores? If we can't find a solution I'll probably have to try and get another set of ASAs to complete this project.


mansrini Fri, 07/30/2010 - 15:13

Hi Eric,

That note you have mentioned has a different meaning to my knowledge, and that means continue to the authorization portion of it. In any case, your configuration choice is correct and it may be a matter of a minor config error that you are running into. Under "Access Policies > *My ASA* > identity", did you choose the identity sequence you created, or did you by mistake choose the LDAP server? What does it say when you go to monitoring and reports and choose the failed entry and click on the magnifying glass? It tells you the step by step processing and that may be of some help to troubleshoot.
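A constructed model of the lookup order discussed in this thread (an added example, not ACS code or either poster's): the store, user and password values are made-up sample data, and the model assumes a sequence only moves on to the next store when the user is not found. It contrasts an identity policy that references the sequence with one that references the LDAP store directly, the misconfiguration the reply asks about, and returns a step trace in the spirit of the per-request report.

```python
from dataclasses import dataclass

@dataclass
class IdentityStore:
    """One backend (internal user DB or LDAP). Credentials are constructed sample data."""
    name: str
    users: dict

    def authenticate(self, user, password, trace):
        if user not in self.users:
            result = "user_not_found"
        elif self.users[user] == password:
            result = "pass"
        else:
            result = "auth_failed"
        trace.append(f"{self.name}: {result}")
        return result

@dataclass
class IdentityStoreSequence:
    """Consults stores in order; only 'user not found' moves on to the next store
    (assumption of this model: a failed password stops the sequence, so one
    bad guess is not replayed against every backend)."""
    name: str
    stores: list

    def authenticate(self, user, password, trace):
        for store in self.stores:
            result = store.authenticate(user, password, trace)
            if result != "user_not_found":
                return result
        return "user_not_found"

def evaluate(policy_store, user, password):
    """Run one request through whatever the identity policy points at and
    return (result, step trace)."""
    trace = [f"identity policy selected: {policy_store.name}"]
    return policy_store.authenticate(user, password, trace), trace

# Constructed stores: application accounts live only internally, staff only in AD.
INTERNAL = IdentityStore("Internal Users", {"appsvc": "AppOnlyPass1"})
AD_LDAP = IdentityStore("AD-LDAP", {"eric": "StaffPass2010"})
SEQUENCE = IdentityStoreSequence("Internal-then-AD", [INTERNAL, AD_LDAP])

if __name__ == "__main__":
    # Policy pointing at the sequence vs. policy pointing at the LDAP store directly.
    for store in (SEQUENCE, AD_LDAP):
        print(store.name, evaluate(store, "appsvc", "AppOnlyPass1"))
```

With the policy pointing straight at AD-LDAP the internal application account is never consulted, which is exactly the "always hits LDAP" symptom described in the question.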
