ACS 5.1 Separate Authentication and Authorization (internal and LDAP)
I am using ACS 5.1 and have an ASA using RADIUS towards ACS. Users are authenticated using certificates, but should still get a Class ID from AD via ACS 5.1. ACS 5.1 has an LDAP connection to AD to read out the specific attribute.
Everything works fine so far, as long as the user is not only authorized, but also authenticated using this LDAP connection. But since the users have a valid certificate, I do not want them to also have to use the username and password from AD in addition to that.
I have created an SSP to handle the RADIUS from the ASA in a separate rule. I set the identity to LDAP and tell it to continue if the user is not found and/or authentication is invalid. So it will continue to go for authorization. In this scenario I get in trouble, since AD will disable the user account after 5 unsuccessful authentication tries. So this is not the way I can go for a production environment. So my next try was to change from LDAP to the internal DB instead.
But in this case the ACS does not do authorization using LDAP (I put a sniffer in the path and saw no LDAP traffic at all). But in the monitoring it tells me it takes the appropriate rule, but finds no dynamic attribute.
My question is: Is this per Design or could this be a bug in ACS 5.1?
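For reference, this is the kind of authorization-only lookup the post expects ACS to perform once the certificate has already proven the user's identity. It is an added example written for this thread, not code from the original post or from Cisco ACS; the domain controller host, base DN, service account, attribute name and the use of the `ldap3` package are all assumptions.

```python
"""Authorization-only AD attribute lookup for a certificate-authenticated user.

Added example, not from the original post or from Cisco ACS. It binds once
with a dedicated service account, searches for the user named in the
certificate, and reads the attribute that is returned to the ASA as the
RADIUS Class attribute. The user's own password is never presented to AD, so
failed VPN logins cannot trip the AD lockout counter described in the post.
Hostname, base DN, service account and attribute name are assumptions.
"""
from typing import Optional

# RFC 4515 escaping so a certificate subject cannot alter the search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(cert_identity: str) -> str:
    """Search by UPN when the certificate carries one, else by sAMAccountName."""
    ident = escape_filter_value(cert_identity)
    if "@" in cert_identity:
        return f"(&(objectClass=user)(userPrincipalName={ident}))"
    return f"(&(objectClass=user)(sAMAccountName={ident}))"


def class_from_entries(entries: list, attribute: str) -> Optional[str]:
    """Return the Class value only when exactly one user matched and the
    attribute holds exactly one value; anything else is 'no dynamic attribute'."""
    if len(entries) != 1:
        return None
    values = entries[0].get(attribute) or []
    return values[0] if len(values) == 1 else None


def lookup_class(cert_identity: str, attribute: str = "extensionAttribute1") -> Optional[str]:
    """Live lookup; assumes the ldap3 package and a reachable domain controller."""
    import ldap3  # imported here so the pure helpers above work without it

    server = ldap3.Server("dc01.example.local", use_ssl=True)  # assumed host
    with ldap3.Connection(server, user="svc-acs@example.local",  # assumed account
                          password="<service-account-password>",
                          auto_bind=True) as conn:  # service bind, not the user's
        conn.search("DC=example,DC=local", build_user_filter(cert_identity),
                    attributes=[attribute])
        entries = [e.entry_attributes_as_dict for e in conn.entries]
    return class_from_entries(entries, attribute)
```

The helper functions run without a directory; only `lookup_class` needs the live LDAP connection.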