ACS 5.3 should consider local database, if AD is unreachable

Answered Question
May 28th, 2012

Dear Support Team

We have ACS 5.x integrated with AD, and members are authenticated using either an AD username or a local username configured on ACS.

Is it possible that ACS checks the local database only when AD is unreachable? The customer does not want the ACS local database to be used as long as AD is available; this is to fulfil accounting requirements from their System department.

Thanks in Advance for your time.

Ahad

mauzamor Mon, 05/28/2012 - 11:33

Hi there,

The ACS 5.x has two ways to contact the internal or external databases:

1. Using only one specific DB; this can be AD, internal, LDAP, RSA, etc., but the ACS will try to contact only one DB in the Access Policy Rule.

2. Using the Identity Store Sequence option. This option allows you to use more than one DB and it will work like this: the ACS will try to use the DB at the top of the list; if the user doesn't exist in this DB, the ACS will try to use the next DB in the list. If the communication with the DB at the top of the list goes down, the ACS will try to use the second DB in the list.

So unless you are using option 1, you cannot force the ACS to only use one specific DB; it all depends on where the user that's trying to authenticate exists. For example, if "aaauser" exists only in the ACS internal DB, then the ACS will search for the user in AD (if this DB is at the top of the list), the search will fail, and the ACS will try to use the internal DB.

Rate if it helps.

MANSOORQ123 Mon, 05/28/2012 - 12:19

Hello Mauricio

Many thanks for your response. I have understood your reply, so in order to achieve the client's requirement, is the following sequence justified?

1: Create 2 Service Selection Rules.

Service Selection Rule 1 -> assigns the access service "Device Admin 1"

'Device Admin' identity store just selects "AD1"

2: Service Selection Rule 2 -> assigns the access service "Device Admin2"

'Device Admin' identity store selects "Local Database"

As such, "Device Admin 1" and "Device Admin2" are exactly the same except for their selection of database.

Now Service Selection Rule 1 is on the top, therefore it will always be preferred. The connection lands on Service Selection Rule 1, and the user has to use his AD username/password; if the user does not exist there, the authentication attempt will be denied, because there is only one store.

However, if AD is down, then it might be possible that "Service Selection Rule 1" will not be in effect and the connection attempt will land on Service Selection Rule 2, which will use the local database.

It should work in this way.

Can I have your feedback please?

Ahad

Correct Answer
mauzamor Mon, 05/28/2012 - 13:05

You are right about everything except the last part. Device Admin 1 and 2 are "Service Selection Rules", so they are going to be matched depending on their conditions; if the authentication request is matching the Device Admin 1 rule, then the ACS will stick with this service, it doesn't matter if the DB is down or not, and the ACS is not going to fall back to Device Admin 2.

The only option to use a second database in case the primary is down is with an Identity Store Sequence; however, this option will also use the second database if the primary DB cannot find the user.

Unfortunately there is not an option at the moment to accomplish this goal with the specific detail that you need.

Rate if it helps.

jrabinow Mon, 05/28/2012 - 13:11

All the above is correct. One additional point:

If you have the same / a subset of the users in the internal database that you have in AD, then you can set the following option on the identity sequence:

Under Advanced Options

If access to the current identity store failed:
- Break Sequence
- Continue to next identity store in the sequence

Therefore if AD is up

- if the user is found in AD, it will be authenticated and will not continue to the next store in the sequence

If AD is down

- it will continue to check the user in the internal DB

This can be used to keep a subset of the accounts in the internal DB to be used in the case when AD is down. Note these will have separate password policies etc.
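
A small model of the identity store sequence behaviour described in mauzamor's first reply and in the post above, written here as an added example. It is not Cisco ACS code and not code from any of the posters; it assumes the semantics stated in the thread: a user not found in a store falls through to the next store, a store that is unreachable falls through only with "Continue to next identity store in the sequence", and a user who is found (right or wrong password) ends the sequence at that store. The store names, result codes and user lists are constructed for the example.

```python
"""Model of an ACS 5.x-style identity store sequence as described in the
thread.  Added illustration, not Cisco ACS code; the stores, result codes
and user lists below are constructed for the example."""
from enum import Enum, auto
from typing import Dict, List, Optional, Tuple


class Result(Enum):
    ACCEPTED = auto()      # user found, password correct
    REJECTED = auto()      # user found, password wrong: sequence stops here
    NOT_FOUND = auto()     # user absent: ACS moves on to the next store
    UNREACHABLE = auto()   # store down: depends on the advanced option


class Store:
    """A password store; reachable=False simulates a lost connection to AD."""

    def __init__(self, name: str, users: Dict[str, str], reachable: bool = True):
        self.name, self.users, self.reachable = name, users, reachable

    def authenticate(self, user: str, password: str) -> Result:
        if not self.reachable:
            return Result.UNREACHABLE
        if user not in self.users:
            return Result.NOT_FOUND
        return Result.ACCEPTED if self.users[user] == password else Result.REJECTED


def run_sequence(stores: List[Store], user: str, password: str,
                 continue_on_store_failure: bool) -> Tuple[Result, Optional[str]]:
    """Walk the sequence top to bottom; return (outcome, store that decided).

    ACCEPTED / REJECTED at any store ends the sequence there.
    NOT_FOUND always falls through to the next store (the thread's point 2).
    UNREACHABLE falls through only with "Continue to next identity store";
    with "Break Sequence" the request stops at the failed store.
    """
    for store in stores:
        result = store.authenticate(user, password)
        if result in (Result.ACCEPTED, Result.REJECTED):
            return result, store.name
        if result is Result.UNREACHABLE and not continue_on_store_failure:
            return Result.UNREACHABLE, store.name
        # NOT_FOUND, or UNREACHABLE with the continue option: next store
    return Result.NOT_FOUND, None


# Constructed sample data: "alice" exists in both stores, "localonly" only in ACS.
AD_USERS = {"alice": "ad-pass"}
INTERNAL_USERS = {"alice": "local-pass", "localonly": "x"}


def scenario(ad_up: bool, continue_on_failure: bool,
             user: str, password: str) -> Tuple[Result, Optional[str]]:
    """AD1 at the top of the sequence, ACS internal users second."""
    ad = Store("AD1", AD_USERS, reachable=ad_up)
    internal = Store("Internal Users", INTERNAL_USERS)
    return run_sequence([ad, internal], user, password, continue_on_failure)


def internal_only_accounts(ad: Dict[str, str], internal: Dict[str, str]) -> List[str]:
    """Accounts present in the internal DB but not in AD.  Each of these can
    log in through the internal DB even while AD is up, which is what the
    customer wants to avoid; an empty list means the subset invariant holds."""
    return sorted(set(internal) - set(ad))


if __name__ == "__main__":
    print(scenario(True, True, "alice", "ad-pass"))       # AD up: AD decides
    print(scenario(True, True, "alice", "local-pass"))    # AD rejects, no fallback
    print(scenario(True, True, "localonly", "x"))         # leaks via internal DB
    print(scenario(False, True, "alice", "local-pass"))   # AD down: internal used
    print(scenario(False, False, "alice", "local-pass"))  # Break Sequence: denied
    print(internal_only_accounts(AD_USERS, INTERNAL_USERS))
```

The `internal_only_accounts` check is the invariant the advice above relies on: as long as every internal account also exists in AD, AD answers every request while it is up (including wrong-password rejections, which stop the sequence), and only an AD outage lets the internal store authenticate anyone.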

MANSOORQ123 Mon, 05/28/2012 - 13:11

Hello Mauricio

Thanks for your time; we can convey the same to the customer.

Ahad

Posted May 28, 2012 at 5:24 AM