I have an ACS 5.3 cluster, that is configured to use AD. There are a few wireless devices, and monitoring tools that do not have AD accounts. I would like to configure ACS to first check AD for the user authentication, and if that fails to roll over to the local (Internal Users) identity source where I can define these user accounts.
It seems that when the authentication hits the initial Identity Policy rule, it never moves onto the next one if the first fails.
Attached are screenshots that show how I'm configured for the test; I have a local user defined and I'm trying to log into the firewalls.
- Identity Definition: Screenshot of the main ACS definition for the rule I'm testing that's not working
- Identity Rule 1: The configuration of rule 1 that, if it fails, I need to move on to rule 2.
- Log Output: Screenshot of one of the failed attempts from the ACS View log server.
Reason I need to configure it this way is:
- Wireless users authenticate to wireless using AD user accounts. Some hand held scanners do not support that and will need to authenticate using the MAC address.
- Authentication to network devices for management uses AD accounts. We have some monitoring tools that do not have AD accounts, and will need to be able to log into network devices to issue some commands (examples: Cisco Prime LMS and NCS, Infoblox NetMRI).
Any suggestions on how to get this configured?
The reason why the current definition is not working is because there is the same condition in both rules in the policy. Once a condition is matched in a policy it will not move to any subsequent rules in the policy. It is a first match policy.
The way to resolve this is to use an identity sequence.
An identity sequence can hunt through a series of databases until the username is found and authentication can be performed.
To do this for the scenario above do the following:
- Users and Identity Stores > Identity Store Sequences
- Create an identity sequence. Select the "Password Based" option and then, in "Authentication and Attribute Retrieval Search List", put first AD1 and then "Internal Users".
This identity sequence can now be selected as the result in the identity policy rule.
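To make the difference between the two approaches concrete, here is an added Python model of the behaviour described in the answer above. It is not ACS code and not part of the original thread: it simulates a first-match identity policy (where the first rule whose condition matches is the only rule used) against an identity store sequence (where the lookup walks the stores in order). The store names AD1 and Internal Users come from the thread; the usernames, passwords and the TACACS+ condition are constructed sample data. One modelled assumption is worth checking against your own deployment: the sequence is modelled as continuing to the next store only when the user is *not found*, so a known AD user with a wrong password is rejected by AD1 and never falls through to Internal Users, which is the behaviour you want so that an AD account cannot be bypassed by a local duplicate.

```python
"""Model of first-match identity policy vs. identity store sequence (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

USER_NOT_FOUND = "user not found"
AUTH_FAILED = "authentication failed"
OK = "ok"


@dataclass
class IdentityStore:
    """A password-based identity store. Contents are constructed sample data."""
    name: str
    users: Dict[str, str]  # username -> password

    def authenticate(self, username: str, password: str) -> str:
        if username not in self.users:
            return USER_NOT_FOUND
        if self.users[username] != password:
            return AUTH_FAILED
        return OK


# Constructed sample stores; names taken from the thread, accounts invented.
AD1 = IdentityStore("AD1", {"jsmith": "Winter2012"})
INTERNAL_USERS = IdentityStore("Internal Users", {"netmri_svc": "N3tMRI!"})

Condition = Callable[[dict], bool]
Rule = Tuple[Condition, IdentityStore]

# Both rules carry the same condition (TACACS+ request), as in the question.
RULES: List[Rule] = [
    (lambda req: req.get("protocol") == "tacacs", AD1),
    (lambda req: req.get("protocol") == "tacacs", INTERNAL_USERS),
]

# The identity sequence the answer recommends: AD1 first, then Internal Users.
SEQUENCE: List[IdentityStore] = [AD1, INTERNAL_USERS]


def first_match_policy(rules: List[Rule], username: str, password: str,
                       request: dict) -> Tuple[Optional[str], str]:
    """First-match evaluation: the first rule whose condition matches selects
    the store, and the outcome of that store is final. A failure does NOT
    fall through to later rules, which is why the two-rule layout fails."""
    for condition, store in rules:
        if condition(request):
            return store.name, store.authenticate(username, password)
    return None, "no matching rule"


def identity_sequence(stores: List[IdentityStore], username: str,
                      password: str) -> Tuple[Optional[str], str]:
    """Identity store sequence: hunt through the stores in order.
    Modelled assumption: the hunt continues only while the user is not
    found; once a store knows the user, that store's verdict is final."""
    for store in stores:
        result = store.authenticate(username, password)
        if result != USER_NOT_FOUND:
            return store.name, result
    return None, USER_NOT_FOUND


if __name__ == "__main__":
    req = {"protocol": "tacacs"}
    # Monitoring-tool account: stuck at AD1 under first-match, found by the sequence.
    print(first_match_policy(RULES, "netmri_svc", "N3tMRI!", req))
    print(identity_sequence(SEQUENCE, "netmri_svc", "N3tMRI!"))
    # AD user with a bad password: rejected by AD1, not retried against Internal Users.
    print(identity_sequence(SEQUENCE, "jsmith", "wrong"))
```

Running the script shows the local service account reaching Internal Users only under the sequence, while a bad AD password stops at AD1. If your ACS version offers advanced sequence options for what to do when a store denies access, keep the "reject" behaviour modelled here rather than continuing, so a compromised or stale local account cannot shadow an AD account.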