- Cisco Employee,
The purpose of this document is to make you aware of how to configure Identity Store Sequences in ACS 5.x.
In ACS 4.x we had a feature, where we could define Unknown User Processing. I.e. where is the users will be looked up if the user is not present in the internal database of the ACS. This sequence defined the sequential order in which ACS would look for the user in the defined databases.
Note: If the connectivity to a particular database fails then ACS 4.x would not go to the next database in the sequence. Only shall the user be not found in that database, next database is consulted.
Functionality mentioned above is provided in ACS 5.x by using Identity Store Sequences.
An identity store sequence defines the sequence that is used for authentication and attribute retrieval and an optional additional sequence to retrieve additional attributes.
An identity store sequence can contain a definition for certificate-based authentication or password-based authentication or both.
[a] If you select to perform authentication based on a certificate, you specify a single Certificate Authentication Profile, which you have already defined in ACS.
[b] If you select to perform authentication based on a password, you can define a list of databases to be accessed in sequence.
When authentication succeeds, any defined attributes within the database are retrieved. You must have defined the databases in ACS.
Attribute Retrieval Sequence
You can optionally define a list of databases from which to retrieve additional attributes. These databases can be accessed regardless of whether you use password or certificate-based authentication. When you use certificate-based authentication, ACS populates the username field from a certificate attribute and then uses the username to retrieve attributes.
ACS can retrieve attributes for a user, even when:
[a] The user's password is flagged for a mandatory change.
[b] The user's account is disabled.
Note: ACS authenticates a user or host in an identity store only when there is a single match for that user or host. If an external database contains multiple instances of the same user, authentication fails. Similarly, ACS retrieves attributes only when a single match for the user or host exists; otherwise, ACS skips attribute retrieval from that database.
In order to configure the Identity Store Sequence:
 Select ACS 5.x GUI > Users and Identity Stores > Identity Store Sequences
 Click on Create.
 Select either Certificate Based or Password Based. (Certificate Based Authentication will be chosen if you are doing EAP-TLS, for everything else it will be Password Based)
 Now, move the databases from available to select column for Authentication and Attribute Retrieval Search List and Save Changes. A sample is show below:
Note: When you perform password-based authentication, you can define the same identity database in the authentication list and the attribute retrieval list. However, if the database is used for authentication, it will not be accessed again as part of the attribute retrieval flow.
 Now, choose the Access Service that you want to use this newly created sequence in:
 Select the Identity Store Sequence, click OK, and click Save Changes:
Now, your ACS is ready to process the authentication request against multiple databases based on the sequence defined in the Identity Store Sequences.
Please refer to the ACS 5.x User Guide for more details.