Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

ACS 5.1 and RSA 5.2.x Identity Store Sequence

Hello,

I have Question in the operation of RSA Authentication Manager in regards to unknown users. I have three identity stores to check for VPN Access. ACS Internal Users, RSA users and AD users. Not all my AD users have RSA tokens. So i have created an Identity store sequence order, the order is Internal-->RSAToken Server-->AD. I can login just fine with Internal users and RSA defined users. But when a user does not existing in RSA, instead of rolling to check in the AD, the user authentication fails. When i check in the Monitoring and Report console, i notice that the reject message is coming from RSA identity store, it does not even get to the AD.

Does anyone have any ideas on how i can fix this or get RSA not to fail the authentication. If there is another way i can do this i would appreciate ideas.

Thanks,

Qobi

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: ACS 5.1 and RSA 5.2.x Identity Store Sequence

Hi Qobi,

In the RSA identity store properties you have the following option :

This Identity Store does not differentiate between 'authentication failed' and 'user not found' when an authentication attempt is rejected. From the options below, select how such an authentication reject from the Identity Store should be interpreted by ACS for Identity Policy processing and reporting .

Treat Rejects as 'authentication failed'
Treat Rejects as 'user not found'

And also, under your access service policy, if you click on "identity" you will be able to select "continue if user not found". Screenshot attached.

Hope this helps.

Nicolas

===

Don't forget to rate answers that you find useful

2 REPLIES
Cisco Employee

Re: ACS 5.1 and RSA 5.2.x Identity Store Sequence

Hi Qobi,

In the RSA identity store properties you have the following option :

This Identity Store does not differentiate between 'authentication failed' and 'user not found' when an authentication attempt is rejected. From the options below, select how such an authentication reject from the Identity Store should be interpreted by ACS for Identity Policy processing and reporting .

Treat Rejects as 'authentication failed'
Treat Rejects as 'user not found'

And also, under your access service policy, if you click on "identity" you will be able to select "continue if user not found". Screenshot attached.

Hope this helps.

Nicolas

===

Don't forget to rate answers that you find useful

Community Member

Re: ACS 5.1 and RSA 5.2.x Identity Store Sequence

Thanks Nicolas, this was helpful and it worked perfectly fine. I appreciate your help.

Thanks,

Qobi

1104
Views
0
Helpful
2
Replies
CreatePlease to create content