Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1882
Views
0
Helpful
5
Replies

ACS 5.1 - Evaluating Exception Authorization Policy

Go to solution
fschramke
Level 1
Level 1

‎08-04-2010 06:43 AM - edited ‎03-10-2019 05:18 PM

Hi,

I'm getting the error 'No rule was matched'.

The authentication itself passes; the 'Radius Identity Servers' are sending back the accept.

Tcpdump shows that the ACS is not asking the AD as defined in the compound condition.

What am I missing?

ScreenShot015.jpg

Any help would be appreciated.

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
jrabinow
Level 7
Level 7

‎08-04-2010 11:44 PM

Can you please clarify what you have selected as the result of the identity policy. If you are still using the default defined access services you will see this at the following location:

Access Policies > Access Services > Default Network Access > Identity

In order to use the attributes from AD in the authorization decision Active Directory must be included in the results for the identity policy. This can be done in one of two ways:
- Select the database directly

- Define and select an identity sequence that includes Active Directory

View solution in original post

0 Helpful

Go to solution
jrabinow
Level 7
Level 7
In response to fschramke

‎08-05-2010 01:24 AM

Was just writing that to respond but you got there first while I was in the middle

Interesting use case using some of the more adavnced capabilities

View solution in original post

0 Helpful
5 Replies 5

Go to solution
jrabinow
Level 7
Level 7

‎08-04-2010 11:44 PM

Can you please clarify what you have selected as the result of the identity policy. If you are still using the default defined access services you will see this at the following location:

Access Policies > Access Services > Default Network Access > Identity

In order to use the attributes from AD in the authorization decision Active Directory must be included in the results for the identity policy. This can be done in one of two ways:
- Select the database directly

- Define and select an identity sequence that includes Active Directory

0 Helpful

Go to solution
fschramke
Level 1
Level 1
In response to jrabinow

‎08-05-2010 01:11 AM

Thanks for getting back to me.

The AD is part of the selected Identity Store.

I'm trying to migrate our our old Steelbelted Radius with a Vasco Plugin to the ACS with a new ActivIdentity OTP Token Server.

So I setup those two as Radius Identity Servers and placed them with the AD in an Identity Store. A reject of the first server will be treated as a user not found, if the second server sends a reject the ACS will treat it as an authentication failed.

I don't want to authenticate against the AD I just want the attribute in the user object as it contains the VPN Group Policy that needs to be applied to the user.

0 Helpful

Go to solution
fschramke
Level 1
Level 1
In response to fschramke

‎08-05-2010 01:21 AM

Argh...never mind; found it.

I had to add the AD in the Identity Store Sequence to the 'Additional Attribute Retrieval Search List Group'.

Thanks for the help, put me on the right track.

0 Helpful

Go to solution
jrabinow
Level 7
Level 7
In response to fschramke

‎08-05-2010 01:24 AM

Was just writing that to respond but you got there first while I was in the middle

Interesting use case using some of the more adavnced capabilities

0 Helpful

Go to solution
fschramke
Level 1
Level 1
In response to jrabinow

‎08-05-2010 01:34 AM

Yeah...took a while to get all the little pieces clicked together, but now i got the last piece of the puzzle and can run some final tests today and then start migrating some test users.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents