Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

ACS 5.1 - Evaluating Exception Authorization Policy

Hi,

I'm getting the error 'No rule was matched'.

The authentication itself passes; the 'Radius Identity Servers' are sending back the accept.

Tcpdump shows that the ACS is not asking the AD as defined in the compound condition.

What am I missing?

ScreenShot015.jpg

Any help would be appreciated.

2 ACCEPTED SOLUTIONS

Accepted Solutions
Gold

Re: ACS 5.1 - Evaluating Exception Authorization Policy

Can you please clarify what you have selected as the result of the identity policy. If you are still using the default defined access services you will see this at the following location:

Access Policies > Access Services > Default Network Access > Identity

In order to use the attributes from AD in the authorization decision Active Directory must be included in the results for the identity policy. This can be done in one of two ways:
- Select the database directly

- Define and select an identity sequence that includes Active Directory

Gold

Re: ACS 5.1 - Evaluating Exception Authorization Policy

Was just writing that to respond but you got there first while I was in the middle

Interesting use case using some of the more adavnced capabilities

5 REPLIES
Gold

Re: ACS 5.1 - Evaluating Exception Authorization Policy

Can you please clarify what you have selected as the result of the identity policy. If you are still using the default defined access services you will see this at the following location:

Access Policies > Access Services > Default Network Access > Identity

In order to use the attributes from AD in the authorization decision Active Directory must be included in the results for the identity policy. This can be done in one of two ways:
- Select the database directly

- Define and select an identity sequence that includes Active Directory

New Member

Re: ACS 5.1 - Evaluating Exception Authorization Policy

Thanks for getting back to me.

The AD is part of the selected Identity Store.

I'm trying to migrate our our old Steelbelted Radius with a Vasco Plugin to the ACS with a new ActivIdentity OTP Token Server.

So I setup those two as Radius Identity Servers and placed them with the AD in an Identity Store. A reject of the first server will be treated as a user not found, if the second server sends a reject the ACS will treat it as an authentication failed.

I don't want to authenticate against the AD I just want the attribute in the user object as it contains the VPN Group Policy that needs to be applied to the user.

New Member

Re: ACS 5.1 - Evaluating Exception Authorization Policy

Argh...never mind; found it.

I had to add the AD in the Identity Store Sequence to the 'Additional Attribute Retrieval Search List Group'.

Thanks for the help, put me on the right track.

Gold

Re: ACS 5.1 - Evaluating Exception Authorization Policy

Was just writing that to respond but you got there first while I was in the middle

Interesting use case using some of the more adavnced capabilities

New Member

Re: ACS 5.1 - Evaluating Exception Authorization Policy

Yeah...took a while to get all the little pieces clicked together, but now i got the last piece of the puzzle and can run some final tests today and then start migrating some test users.

857
Views
0
Helpful
5
Replies
CreatePlease to create content