
New Member

ACS 5.2 with different RADIUS authentication servers

Hi

I would like to migrate from ACS 4.1 to ACS 5.2. I've already configured TACACS+ authentication, but now I am stuck at configuring RADIUS authentication for WebVPN remote access. Please look at the diagram below:

[Diagram: acs.JPG]

I want to configure ACS to use OTP Token Server first. If authentication fails or user is not found, ACS has to use Windows IAS server. If this server also fails ACS has to use internal DB. Additional attributes like group membership or downloadable ACL have to be taken from internal ACS DB.

Is it possible to configure ACS like this? In ACS 4.1 it was very easy to configure by selecting authentication method per user.

Thanks for your help!

Accepted Solution
Cisco Employee

Re: ACS 5.2 with different RADIUS authentication servers

There is an option in the Advanced tab of the "RADIUS Identity Server" definition:

This Identity Store does not differentiate between 'authentication failed' and 'user not found' when an authentication attempt is rejected. From the options below, select how such an authentication reject from the Identity Store should be interpreted by ACS for Identity Policy processing and reporting.
- Treat Rejects as 'authentication failed'
- Treat Rejects as 'user not found'

In order to continue in the sequence I think you need to select the "user not found" option.

7 REPLIES
Cisco Employee

Re: ACS 5.2 with different RADIUS authentication servers

I think what you need to do is as follows:

- Define the RSA server: Users and Identity Stores > External Identity Stores > RSA SecurID Token Servers

- For the IAS server create a "RADIUS Identity Server": Users and Identity Stores > External Identity Stores > RADIUS Identity Servers

- Create an identity sequence: Users and Identity Stores > Identity Store Sequences

Select the password-based authentication method and in the Authentication and Attribute Retrieval Search List select the RSA, RADIUS identity server and internal users. In the Additional Attribute Retrieval Search List select the internal users.

- Select the identity sequence as the result of the identity policy of the RADIUS server.

What this should do is access each of the RSA, identity server and internal user DB until an authentication gets a deterministic response, and also in any case retrieve the attributes from the internal identity store.
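To make the sequence behaviour concrete, here is an added Python model (not ACS code, and not from the thread's authors) of the identity store sequence described above together with the Advanced-tab reject option from the accepted solution. The store names, users, passwords and attributes are constructed sample data; the point it shows is that a RADIUS identity server's Access-Reject only lets the sequence move on when it is treated as 'user not found', and that authorization attributes always come from the internal store.

```python
from dataclasses import dataclass, field
from enum import Enum

class Result(Enum):
    PASSED = "passed"
    FAILED = "authentication failed"
    NOT_FOUND = "user not found"
    REJECT = "access-reject"   # raw answer from a RADIUS identity server

@dataclass
class Store:
    name: str
    users: dict                 # constructed sample data: username -> password
    is_radius: bool = False     # RADIUS identity servers can only Accept or Reject
    attributes: dict = field(default_factory=dict)  # username -> authorization attrs

    def authenticate(self, user, password):
        if self.is_radius:      # Access-Reject hides whether the user exists
            return Result.PASSED if self.users.get(user) == password else Result.REJECT
        if user not in self.users:
            return Result.NOT_FOUND
        return Result.PASSED if self.users[user] == password else Result.FAILED

def run_sequence(stores, attr_store, user, password, reject_as_not_found):
    """Walk the Authentication Search List in order. Returns
    (result, store that answered, attributes, per-store trace)."""
    trace = []
    for store in stores:
        r = store.authenticate(user, password)
        if r is Result.REJECT:  # the Advanced-tab option decides how a reject is read
            r = Result.NOT_FOUND if reject_as_not_found else Result.FAILED
        trace.append((store.name, r.value))
        if r is Result.NOT_FOUND:
            continue            # only 'user not found' lets the sequence move on
        # Additional Attribute Retrieval always comes from the internal store
        attrs = attr_store.attributes.get(user, {}) if r is Result.PASSED else {}
        return r, store.name, attrs, trace
    return Result.NOT_FOUND, None, {}, trace

# Constructed sample stores mirroring the thread: token server, IAS, internal users
INTERNAL = Store("Internal Users", {"carol": "localpw"},
                 attributes={"bob": {"dACL": "VPN-ACL", "group": "VPN-Users"},
                             "carol": {"dACL": "Admin-ACL", "group": "Admins"}})
STORES = [Store("Token Server", {"alice": "123456"}, is_radius=True),
          Store("IAS", {"bob": "winpass"}, is_radius=True), INTERNAL]

if __name__ == "__main__":
    for flag in (False, True):  # False reproduces the Access-Reject log in the thread
        print(flag, run_sequence(STORES, INTERNAL, "bob", "winpass", flag))
```

A side effect worth noticing: once rejects are read as 'user not found', a wrong password for an IAS user walks through all three stores and ends as 'user not found' rather than 'authentication failed', so the ACS report will not tell the two cases apart.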

Cisco Employee

Re: ACS 5.2 with different RADIUS authentication servers

Correct, that would be the way to achieve the authentication; then, after the user is authenticated in whichever DB, you move to the authorization part, where you can return the ACL.

For this you can configure an Authorization Profile, and include the ACL name on it.

The ACL itself is configured on the Named Permission Objects -> Downloadable ACLs.

Then on the Service matched under the Access Policies, you have to create rules under the authorization section to return that Authorization Profile where the dACL is.

HTH,

Tiago

New Member

Re: ACS 5.2 with different RADIUS authentication servers

Hi Yoda

Thanks for your help!

New Member

Re: ACS 5.2 with different RADIUS authentication servers

Because we are not using an RSA SecurID server, I have added the server as an external RADIUS server. But I think it doesn't matter if I use an RSA server or a RADIUS server.

I've already tried using store sequences, but unfortunately ACS only queries the token server. The token server sends an Access-Reject to the ACS server and then ACS stops querying the other servers in the store sequence.

Access Policy
Access Service:
VPN Remote Access
Identity Store:
Token Server
Authorization Profiles:
Exception Authorization Profiles:
Active Directory Domain:
Identity Group:
Access Service Selection Matched Rule:
Rule-3
Identity Policy Matched Rule:
VPN Store Sequence
Selected Identity Stores:
Token Server, IAS, Internal Users
Query Identity Stores:
Selected Query Identity Stores:
Internal Users
Group Mapping Policy Matched Rule:
Authorization Policy Matched Rule:
Authorization Exception Policy Matched Rule:

15004  Matched rule
15013  Selected Identity Store - Token Server
24609  RADIUS token identity store is authenticating against the primary server.
11100  RADIUS-Client about to send request
11101  RADIUS-Client received response
24613  Authentication against the RADIUS token server failed.
22057  The advanced option that is configured for a failed authentication request is used.
22061  The 'Reject' advanced option is configured in case of a failed authentication request.
11003  Returned RADIUS Access-Reject

Cisco Employee

Re: ACS 5.2 with different RADIUS authentication servers

Hi,

You need to select "Continue" under the Advanced Options of the Identity section.

Please take a look at the screenshot.

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

New Member

Re: ACS 5.2 with different RADIUS authentication servers

Hey jrabinow

That's exactly what I was looking for!!! Thanks a lot. Now everything is working.

Have a nice day!
