Configuring multiple Identity Sources in the Identity Policy (ACS 5.3)

Answered Question
Aug 29th, 2012
Hi,


I have an ACS 5.3 cluster, that is configured to use AD. There are a few wireless devices, and monitoring tools that do not have AD accounts. I would like to configure ACS to first check AD for the user authentication, and if that fails to roll over to the local (Internal Users) identity source where I can define these user accounts.


It seems that when the authentication hits the initial Identity Policy rule, it never moves onto the next one if the first fails.


Attached are screenshots that show how I'm configured for the test; I have a local user defined and I'm trying to log into the firewalls.


- Identity Definition: screenshot of the main ACS definition for the rule I'm testing that's not working.

- Identity Rule 1: the configuration of rule 1; if it fails I need it to move onto rule 2.

- Log Output: screenshot of one of the failed attempts from the ACS View log server.


Reason I need to configure it this way is:

- Wireless users authenticate to wireless using AD user accounts. Some handheld scanners do not support that and will need to authenticate using the MAC address.

- Authentication to network devices for management uses AD accounts. We have some monitoring tools that do not have AD accounts, and will need to be able to log into network devices to issue some commands (examples: Cisco Prime LMS and NCS, Infoblox NetMRI).


Any suggestions on how to get this configured?


Thank you,

Sami Abunasser

Jagdeep Gambhir Wed, 08/29/2012 - 14:30

Hi Sami,

Have you configured the MAC address in Internal Users or Internal Hosts? If it is a host then we need to choose Internal Hosts in the identity policy.




Regards,

~JG



Do rate helpful posts!

Correct Answer
jrabinow Wed, 08/29/2012 - 21:40

The reason the current definition is not working is that the same condition is in both rules in the policy. Once a condition is matched in a policy it will not move to any subsequent rules in the policy. It is a first-match policy.


The way to resolve this is to use an identity sequence.


An identity sequence can hunt through a series of databases until the username is found and authentication can be performed.


To do this for the scenario above do the following:

- Users and Identity Stores > Identity Store Sequences

- Create an identity sequence. Select the "Password Based" option and then in "Authentication and Attribute Retrieval Search List" put AD1 first and then "Internal Users".

This identity sequence can now be selected as the result in the identity policy rule.
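The behaviour described in this answer, as an added illustration that is not ACS code and not from the original thread: a small model of first-match identity-policy evaluation and of an identity store sequence. The store names, usernames and passwords are constructed for the example; the only rule it encodes is the one stated above, that a sequence moves on to the next store while the username is not found, and the store where the username is found decides the result.

```python
# Added illustration (not ACS code): why two rules with the same condition never
# reach rule 2, and how an identity store sequence hunts through stores until the
# username is found. All store contents below are constructed sample data.

AD1 = {"sami": "ad-secret"}                                   # constructed AD users
INTERNAL_USERS = {"00-11-22-33-44-55": "00-11-22-33-44-55",   # scanner, MAC as username
                  "netmri": "tool-pass"}                      # monitoring tool account

def lookup(store, username, password):
    """Result for one identity store: 'not_found', 'fail' (bad password) or 'pass'."""
    if username not in store:
        return "not_found"
    return "pass" if store[username] == password else "fail"

def sequence_auth(stores, username, password):
    """Identity store sequence: move on only while the username is not found.
    Once a store holds the username, that store decides; a wrong password in AD1
    does not fall through to Internal Users."""
    for name, store in stores:
        result = lookup(store, username, password)
        if result != "not_found":
            return name, result
    return None, "not_found"

def identity_policy(rules, request):
    """First-match policy: the first rule whose condition holds decides the result;
    later rules are never evaluated, whatever their own store returns."""
    for rule_name, condition, result_fn in rules:
        if condition(request):
            return rule_name, result_fn(request)
    return "default", (None, "not_found")

def is_device_admin(req):
    return req["service"] == "device-admin"

# The poster's layout: two rules with the same condition, each pointing at one store.
BROKEN_RULES = [
    ("Rule 1", is_device_admin, lambda r: sequence_auth([("AD1", AD1)], r["user"], r["pw"])),
    ("Rule 2", is_device_admin, lambda r: sequence_auth([("Internal Users", INTERNAL_USERS)], r["user"], r["pw"])),
]
# The fix: one rule whose result is a sequence that tries AD1, then Internal Users.
AD_THEN_INTERNAL = [("AD1", AD1), ("Internal Users", INTERNAL_USERS)]
FIXED_RULES = [
    ("Rule 1", is_device_admin, lambda r: sequence_auth(AD_THEN_INTERNAL, r["user"], r["pw"])),
]

if __name__ == "__main__":
    req = {"service": "device-admin", "user": "netmri", "pw": "tool-pass"}
    print(identity_policy(BROKEN_RULES, req))  # ('Rule 1', (None, 'not_found')): Rule 2 never runs
    print(identity_policy(FIXED_RULES, req))   # ('Rule 1', ('Internal Users', 'pass'))
```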

Tarik Admani Wed, 08/29/2012 - 22:47

Thanks for clearing this up Jonny!



Tarik Admani
*Please rate helpful posts*

Sami Abunasser Fri, 08/31/2012 - 06:42

Thanks, that was exactly what I was looking for and it worked perfectly.
