Cisco Support Community
Community Member

ACS 5.1 / ASA fallback to local AAA if user unknown

Hi there

I know the way to configure the ASA to fall back to LOCAL authentication if the RADIUS server is not available.

Now we would like to authenticate the local users if the user is not found in the AD. Is this possible, and how can I configure this with the new policies? I tested it with "dropping" when the user is not found in the AD, but then the RADIUS server will be marked as "dead" and the other AD users can't log in for a given period. Maybe we can configure the dead time to 0, but this is not as nice as it could be.

Thanks a lot in advance and best regards!

Dominic


4 REPLIES
Gold

Re: ACS 5.1 / ASA fallback to local AAA if user unknown (accepted solution)

This can be done by creating an identity sequence (Users and Identity Stores > Identity Store Sequences).

An identity store sequence allows you to access multiple databases in sequence until the user authenticates.

Create a sequence, select Password Based, and then AD1 followed by "Internal Users" in the "Authentication Method List". Once created, the sequence can then be selected as the result of the corresponding identity policy.

Community Member

Re: ACS 5.1 / ASA fallback to local AAA if user unknown

Thanks for the answer. But we already configured first AD1 and then Internal Users. But what I want is the local users on the ASA, not the ACS?

Community Member

Re: ACS 5.1 / ASA fallback to local AAA if user unknown

The sequence is really useful, but can I use an authorization policy for each identity store?

Community Member

Re: ACS 5.1 / ASA fallback to local AAA if user unknown (accepted solution)

You should be able to accomplish this in the configuration of your tunnel group on your ASA.

tunnel-group <tunnel-group-name> general-attributes

     authentication-server-group <acs-radius-group> LOCAL

The keyword 'LOCAL' will have the ASA try the local ASA database if the authentication attempt to ACS via RADIUS fails.
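The two accepted answers describe two different mechanisms, and the thread turns on the difference between them. The following Python is an added illustration, not code from the thread, from Cisco ACS or from the ASA: it models the ACS identity store sequence (AD1, then Internal Users) and the ASA tunnel-group LOCAL fallback side by side. All stores, user names and passwords are constructed. One ACS detail is an assumption and is marked as such in the code: the sequence is modelled as advancing to the next store only when the user is not found, so a store that finds the user but rejects the password ends the sequence. The ASA detail worth checking in your own lab is that the LOCAL keyword is consulted only when the RADIUS server group gives no answer; an Access-Reject from ACS (unknown user or wrong password) is final and never reaches the ASA's local database.

```python
"""Model of the two fallback paths discussed in the thread (constructed example).

Two different things are called "fallback" here:
  * ACS identity store sequence: AD1, then Internal Users, tried in order.
  * ASA 'authentication-server-group <group> LOCAL': the ASA's own local
    database is consulted only when the RADIUS group is unreachable.
"""
from dataclasses import dataclass
from enum import Enum


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"            # server answered, authentication failed
    NOT_FOUND = "not_found"      # store answered, no such user
    UNREACHABLE = "unreachable"  # no RADIUS reply at all (timeout / dead)


# Constructed sample stores; names and passwords are made up for this example.
AD1 = {"alice": "ad-pw-1", "bob": "ad-pw-2"}
ACS_INTERNAL_USERS = {"svc-backup": "int-pw-1", "bob": "int-pw-2"}
ASA_LOCAL = {"admin-local": "asa-pw-1"}


def check_store(store: dict, user: str, password: str) -> Result:
    """One identity store: distinguish 'no such user' from 'wrong password'."""
    if user not in store:
        return Result.NOT_FOUND
    return Result.ACCEPT if store[user] == password else Result.REJECT


def acs_identity_sequence(user: str, password: str, stores) -> Result:
    """ACS 5.x identity store sequence as modelled here (assumption): move on
    to the next store only when the user is not found; a store that finds the
    user but rejects the password ends the sequence."""
    for store in stores:
        result = check_store(store, user, password)
        if result is not Result.NOT_FOUND:
            return result
    return Result.NOT_FOUND


def acs_radius(user: str, password: str, server_up: bool) -> Result:
    """ACS acting as the ASA's RADIUS server. RADIUS carries only
    Access-Accept / Access-Reject, so 'not found' leaves ACS as a Reject."""
    if not server_up:
        return Result.UNREACHABLE
    result = acs_identity_sequence(user, password, [AD1, ACS_INTERNAL_USERS])
    return Result.ACCEPT if result is Result.ACCEPT else Result.REJECT


@dataclass
class AsaTunnelGroup:
    """'authentication-server-group <acs-radius-group> [LOCAL]' on the ASA."""
    local_fallback: bool = True   # whether the LOCAL keyword is configured
    server_up: bool = True        # whether the RADIUS group answers at all

    def authenticate(self, user: str, password: str) -> Result:
        result = acs_radius(user, password, self.server_up)
        if result is Result.UNREACHABLE and self.local_fallback:
            # Fallback fires only when the group is unreachable. An
            # Access-Reject (unknown AD user, wrong password) is final.
            local = check_store(ASA_LOCAL, user, password)
            return Result.ACCEPT if local is Result.ACCEPT else Result.REJECT
        return result


if __name__ == "__main__":
    # Walk the cases from the thread: ACS up, then ACS dead.
    for server_up in (True, False):
        asa = AsaTunnelGroup(server_up=server_up)
        for user, pw in [("alice", "ad-pw-1"), ("svc-backup", "int-pw-1"),
                         ("bob", "int-pw-2"), ("admin-local", "asa-pw-1")]:
            print(f"acs_up={server_up!s:5} {user:12} -> {asa.authenticate(user, pw).value}")
```

With ACS reachable, `admin-local` is rejected even though it exists on the ASA, which is exactly the gap the original poster describes: an unknown-user Reject from ACS never triggers the ASA's LOCAL fallback, and dropping the request instead just leaves the ASA waiting until it marks the server dead. With ACS unreachable, only the ASA local database answers, so AD users are rejected in that window.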
