If ACS is configured to authenticate to two backed external authentication DBs, namely Windows A/D and RSA SecureID, is it possible to send the authentication request received by ACS from a AAA client to one or the other rather than only having the option to send it to the list that contains both external authentication servers.
ACS doco makes it clear that the order of these external DBS is important.
I want a policy to override this and ensure that a request from a AAA client goes to a particular external DB and does not rely on the order of the ext. DBs in the list.
i.e. auth request comes from wlan controller, authenticate straight to windows A/D; auth request comes from
ASA for VPN users, authenticate straight to RSA secureID
Which version of ACS are you running? If you are running a later version you should have Network Access Profiles available to you. NAPs allow you to select authentication based on device type versus order in the unknown user db. Please refer to:
Thanks for that jhillend. By using NAPs can I then ensure that VPN authentication always goes to the RSA DB, and TACACS+ always goes to Windows?
I have a current issue at the moment where random users that are not in the ACS user cache are not being correctly mapped to their RSA group (no log entry is showing up on the RSA server either) and being dumped in the default group.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...