Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
555
Views
0
Helpful
1
Replies

Identity Store Sequence from one Source

Eric Hansen
Level 1
Level 1

‎07-20-2010 11:34 AM - edited ‎03-10-2019 05:16 PM

I have one set of ASA's with users who need to hit two different identity stores on the ACS.  One group is normal users hitting Active Directory via LDAP, which currently works perfectly.  I need to add a group of users that will be application based for auth purposes only, I am trying to store the users on the ACS rather than Active Directory because the current AD password policy breaks the application we are using and we have a 2003 AD which wont allow seperate password policies.  Regardless of the Identity Store Sequence being set to internal first the users that log in always hit the LDAP AD attempt.  bug?  I am on current code.

I thought we could use identity store sequence to hit the local user DB first and the LDAP AD second but its not working.  I was poking around in "Access Policies > *My ASA* > identity > advanced options" and it has a blurb that says...

"Note For authentications using PEAP, LEAP, EAP-FAST, or RADIUS MSCHAP it is not possible to continue processing when authentication fails or user is not found.  If continue option is selected in these cases, reuqest will be rejected."

This statement seems to trump the concept of an "Identity Store Sequence", obviously if your user isnt in your first sequence you can't *continue* on two your second sequence.

what gives?

Does anyone know how to get one source to talk to two identity stores?  If we cant find a solution I'll probably have to try and get another set of ASA's to complete this project. 

e-

Labels:
Preview file
39 KB
0 Helpful
1 Reply 1

mansrini
Level 1
Level 1

‎07-30-2010 03:13 PM

Hi Eric,

That note you have mentioned has a different meaning to my knowledge and that means continue to the authorization portion of it. In any case, you configuration choice is correct and it maybe a matter of a minor config error that you are running into. Under "Access Policies > *My ASA* > identity, did you chose the identity sequence you created or did you by mistake chose the LDAP server ? What does it say when you go to monitoring and reports and chose the failed entry and click on the magnifying glass ? It tells you the step by step processing and that may be of some help to troubleshoot

Thanks,

Mani

0 Helpful
Customers Also Viewed These Support Documents