Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1727
Views
0
Helpful
5
Replies

ACS 5.3 should consider local database, if AD is unreachable

Go to solution
MANSOORQ123
Level 1
Level 1

‎05-28-2012 05:24 AM - edited ‎03-10-2019 07:07 PM

Dear Support Team

We have ACS 5.x, integrated with AD and members are authenticated using either AD username or local username

configured on ACS.

is it possible that ACS checks Local database only when AD is unreachable, customer does not want ACS local database to be used as long as AD is available. it is to fulfill accounting requirements from their System department.

Thanks in Advance for your time.

Ahad

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
mauzamor
Level 1
Level 1
In response to MANSOORQ123

‎05-28-2012 01:05 PM

You are right about everything except the last part, Device Admin 1 and 2 are "Service Selection Rules" so they are going to be matched depending on their Conditions, if the authentication requests is mathing the Device Admin 1 rule then the ACS will stick with this service it doesn't matter if the DB is down or not, ACS is not going to fallback to the Device Admin 2.

The only option to use a second database in case the primary is down is with Identity Store Sequence, however this option will also use the second database if the primary DB cannot find the user.

Unfortunately there is not an option at the moment to accomplish this goal with the specific detail that you need.

Rate if it helps.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
mauzamor
Level 1
Level 1

‎05-28-2012 11:33 AM

Hi there,

The ACS 5.x has two ways to contact the internal or external databases:

1. Using only one specific DB, this can be AD, internal, LDAP, RSA, etc. But the ACS will try to contact only one DB in the Access Policy Rule.

2. Using Identity Store Sequence option, this option allows you to use more than one DB and it will work like this: The ACS will try to use the DB top on the list, if the user doesn't exist on this DB the ACS will try to use the next DB in the list. If the communication with the DB located top on the list goes down the ACS will try to use the second DB in the list.

So unless using option 1, you cannot force the ACS to only use one specific DB, it all depends where the user that's trying to authenticate exists. For example if "aaauser" exists only on ACS internal DB then the ACS will search the user in AD (if this one DB is top of the list), the search will fail and the ACS will try to use internal AD.

Rate if it helps.

0 Helpful

Go to solution
MANSOORQ123
Level 1
Level 1
In response to mauzamor

‎05-28-2012 12:19 PM

Hello Mauricio

Many Thanks for your response, i have understood your reply, so in order to achieve client requirement, is he following sequence justified ?

1: Create 2 Service selection Rule.

Service Selection Rule 1 -> it then assigns the access service "Device Admin 1"

'Device Admin' identity store just selects "AD1"

2: Service Selection Rule 2-> it then assigns the Access Service "Device Admin2"

Device Admin identity Store Selects "Local Database"

As such "Device Admin 1" & "Device Admin2" are exactly same except, their selection of database.

now Service Selection Rule 1 is on the top, therefore it will always be preferred, connection lands on service selection rule 1, now user has to use his AD username/password, if user does not exist there, authentication attempt will be denied, because there is only one store.

however 

if AD is down, then it might be possible that "Service Selection Rule 1" will not be in effect and connection attempt will be landing on Service Selection Rue 2, which will use the local database.

it should work in this way.

Can i have your feedback plz.

Ahad

0 Helpful

Go to solution
mauzamor
Level 1
Level 1
In response to MANSOORQ123

‎05-28-2012 01:05 PM

You are right about everything except the last part, Device Admin 1 and 2 are "Service Selection Rules" so they are going to be matched depending on their Conditions, if the authentication requests is mathing the Device Admin 1 rule then the ACS will stick with this service it doesn't matter if the DB is down or not, ACS is not going to fallback to the Device Admin 2.

The only option to use a second database in case the primary is down is with Identity Store Sequence, however this option will also use the second database if the primary DB cannot find the user.

Unfortunately there is not an option at the moment to accomplish this goal with the specific detail that you need.

Rate if it helps.

0 Helpful

Go to solution
jrabinow
Level 7
Level 7
In response to mauzamor

‎05-28-2012 01:11 PM

All the above is correct. One additional point

If you have the same / subset of users in internal database that you have in AD then can set the following option on the identity sequence:

Under advanced Options

If access to the current identity store failed
Break Sequence
Continue to next identity store in the sequence

Therefore if AD is up

- if user is found in AD it will be authenticated and will not continue to next store in the sequence

If AD is down

- will continue to check the user in teh internal DB

This can be used to keep a subset of the accounts in the internal DB to be used in the case when AD is down. Note these wil have separate password policies etc

0 Helpful

Go to solution
MANSOORQ123
Level 1
Level 1
In response to mauzamor

‎05-28-2012 01:11 PM

Hello  Mauricio

Thanks for your time, same we can convey to the customer.

Ahad

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents