ACS 5.1 / ASA fallback to local AAA if user unknown

Hi there

I know the way to configure the ASA to fall back to LOCAL authentication if the Radius server is not available.

Now we would like to authenticate the local users if the user is not found in the AD. Is this possible, and how can I configure this with the new policies? I tested it with "dropping" when the user is not found in the AD, but then the Radius server will be marked as "dead" and the other AD users can't log in for a given period. Maybe we can configure the dead time to 0, but this is not as nice as it could be.

Thanks a lot in advance and best regards.

Dominic


4 Replies

jrabinow
Level 7

This can be done by creating an identity sequence (Users and Identity Stores > Identity Store Sequences).

An identity store sequence allows you to access multiple databases in sequence until the user authenticates.

Create a sequence, select Password Based, and then AD1 followed by "Internal Users" in the "Authentication Method List". Once created, the sequence can then be selected as the result of the corresponding identity policy.

Thanks for the answer. But we already configured AD1 first and then Internal Users. But what I want is the local users on the ASA, not on the ACS?

The sequence is really useful, but can I use an authorization policy for each identity store?

jdcarpenter
Level 1

You should be able to accomplish this in the configuration of your tunnel group on your ASA.

tunnel-group <tunnel-group-name> general-attributes

     authentication-server-group <radius-server-group> LOCAL

The keyword 'LOCAL' will have the ASA try the local ASA database if the authentication attempts to ACS via RADIUS fail.
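As an added example, not taken from any poster in this thread, here is the fuller ASA configuration this fallback needs: the RADIUS server group pointing at ACS, the dead-time tuning Dominic mentioned, a local account, and the tunnel group that names both. The group name ACS-RADIUS, the interface, the host address 192.0.2.10, the shared secret, the account name and the tunnel-group name RA-VPN are placeholders.

```cisco
! RADIUS server group that points at ACS (name, interface, host and key are placeholders).
! A server is marked dead after max-failed-attempts unanswered requests and stays
! dead for the deadtime (minutes) once every server in the group has been depleted.
aaa-server ACS-RADIUS protocol radius
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10
aaa-server ACS-RADIUS (inside) host 192.0.2.10
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813
!
! Local account that is only consulted once the RADIUS group is unavailable.
! No privilege level is granted: it is a VPN fallback user, not an admin account.
username fallback-user password <strong-password>
!
! Remote-access tunnel group (placeholder name): authenticate against ACS first,
! then against the local database when the whole ACS-RADIUS group is down.
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group ACS-RADIUS LOCAL
```

The LOCAL fallback engages only after the ASA has declared every server in ACS-RADIUS unreachable, not when ACS answers with a reject; a request that ACS silently drops looks like a timeout to the ASA, which is why the "drop" approach in the question pushes the server into dead time for all users.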