02-10-2010 10:38 AM - edited 03-10-2019 04:56 PM
Hi there
I know the way to configure the ASA to fallback to LOCAL authentication, if the Radius server is not available.
Now we would like to authenticate the local users, if the user is not found in the AD. Is this possible and how can I configure this with the new policies? I tested it with "dropping" when the user is not found in the AD, but then the Radius server will be marked as "dead" and the other AD users can't log in for a given period. Maybe we can configure the dead time to 0, but this is not as nice as it could be.
Thanks a lot in advance and best regards,
Dominic
02-12-2010 08:27 AM
This can be done by creating an identity sequence (Users and Identity Stores > Identity Store Sequences).
An identity store sequence allows you to access multiple databases in sequence until the user authenticates.
Create a sequence, select Password Based, and then add AD1 followed by "Internal Users" in the "Authentication Method List". Once created, the sequence can be selected as the result of the corresponding identity policy.
09-20-2010 11:55 AM
You should be able to accomplish this in the configuration of your tunnel group on your ASA.
tunnel-group
authentication-server-group
The keyword 'LOCAL' will have the ASA try the local ASA database if the authentication attempts to ACS via RADIUS fail.
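The ASA-side configuration this answer refers to, as an added example that is not taken from the thread; the server-group name ACS-RADIUS, the host 10.0.0.5, the tunnel-group RA-VPN, the pool name and the placeholder secrets are assumptions. The LOCAL keyword only engages when every server in the group is unreachable: a RADIUS Access-Reject for a user that ACS does not know is a failed login, not a fallback, so accounts that exist only in the ASA local database are not reachable this way while ACS is answering.

```cisco
! Constructed example; replace the placeholder names, address and secrets.
! RADIUS server group pointing at ACS. The deadtime here is the period the
! original question mentions: after max-failed-attempts, the host is marked
! dead and the group is skipped until the deadtime expires or the group is
! depleted, so an unknown user must be handled on ACS, not by letting the
! request time out.
aaa-server ACS-RADIUS protocol radius
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10
aaa-server ACS-RADIUS (inside) host 10.0.0.5
 key <radius-shared-secret>
 authentication-port 1812
 accounting-port 1813
!
! Local account used only when no server in ACS-RADIUS is reachable.
! Keep it minimal and distinct from any AD or ACS account.
username vpn-fallback password <strong-password> privilege 0
!
! Remote-access tunnel group: RADIUS first, local database if all servers
! in the group are unreachable.
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool VPN-POOL
 authentication-server-group ACS-RADIUS LOCAL
!
! Verification from exec mode: server state (ACTIVE/FAILED) and a test bind.
! show aaa-server ACS-RADIUS
! test aaa-server authentication ACS-RADIUS host 10.0.0.5 username <user> password <pw>
```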
02-12-2010 12:44 PM
Thanks for the answer. But we already configured first AD1 and then Internal Users. But what I want is the local users on the ASA, not the ACS?
03-31-2011 07:08 AM
The sequence is really useful, but can I use an authorization policy for each identity store?