Before, I configured ACS v4.2 to authenticate network devices using internal users first and, if the user was not found, to use the AD user list. But with v5.3 I have some problems doing this: on the identity policies I use the rule-based result selection option, and I configured two policies for the identity source, one for Internal Users and another for AD users, but it only works with the first policy, whether that is internal users or AD.
Any idea how to do that, so that if the user is not found by the first policy, it continues to the next policy?
Re: ACS v5.3 Identity selection for authentication
Hello Juan Carlos,
The authentication will always hit the first rule, as the conditions are exactly the same for both rules, so the request will always match the first configured rule.
Instead of configuring two rules pointing to two different databases, you need to create one rule using the Identity Store Sequence feature, where you define Internal Users first and then AD1.
Go to Users and Identity Stores > Identity Store Sequence > click Password Based > move Internal Users and AD1 to the right-hand box.
After completing the above, delete one of the rules you created under Access Services > Device Admin > Identity and keep only one of them. For the Identity Source, select the Identity Store Sequence you created above instead of selecting AD1 or Internal Users.
NOTE: The Identity Store Sequence will include both databases.
The above configuration should accomplish the scenario you need with the ACS checking the Internal Users first and then AD1.
Please mark the post as answered if you find the above useful for your scenario after testing. If you have any question let us know.
Thanks for your quick answer. I configured it as you said, but I got strange behaviour: when I try to authenticate using an internal user it says "Authorization failed", but if I go to the TACACS authentication reports, they say that authentication passed. And if I try using a user from AD, it also says "Authorization failed", and the reports say that the user was not found; it was looking for it in the Internal Users identity store.
I was wondering, do I have to restart some service for this change?
Probably you have EXEC authorization configured on the IOS device or ASA. You need to define a condition under Device Admin > Authorization in order to send privilege level 15 after successfully authenticating the user.
In that case you first need to create the Shell Profile under Policy Elements > Device Administration > Shell Profiles > click Create > assign a name and select the Common Tasks tab > set both privilege options to Static with value 15, and Submit.
You need to bind that Shell Profile as the result of the authorization condition for the Device Admin access service.
You can use AD1: External Groups for one rule and ACS Identity Groups for the other rule. In this case (for authorization) you are going to need two rules.
NOTE: Also, the Identity Store Sequence needs a change. Under the box where you selected Internal Users and AD1 there are two other boxes for "Additional Attribute Retrieval". You might want to move both Internal Users and AD1 to the right box as well.
I do not have an ACS 5.x with me right now. Hope the above is clear enough for you. If not let us know.
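For readers following the thread, here is the IOS side of the scenario Carlos describes, as an added example that is not part of the original posts: TACACS+ authentication against ACS, with EXEC authorization enabled so that the privilege level comes from the ACS Shell Profile. The server name, IP address, shared secret and local fallback account are placeholders (assumptions); the `tacacs server` block is the newer IOS syntax, while older releases use `tacacs-server host` instead.

```cisco
! Added example, not from the original thread. Placeholders: ACS1,
! 192.0.2.10, ChangeMeSharedSecret and the local fallback user.
aaa new-model
!
tacacs server ACS1
 address ipv4 192.0.2.10
 key ChangeMeSharedSecret
!
aaa group server tacacs+ TACACS_PLUS
 server name ACS1
!
! Authentication: ACS first, local database only if no TACACS+ server answers.
aaa authentication login default group TACACS_PLUS local
!
! EXEC authorization is what triggers the "Authorization failed" message seen
! above when ACS authenticates the user but returns no Shell Profile with
! priv-lvl 15. Keep it, and make the Device Admin authorization rule return
! the Shell Profile instead of removing this line.
aaa authorization exec default group TACACS_PLUS local
!
! Per-command authorization and accounting for level-15 commands.
aaa authorization commands 15 default group TACACS_PLUS local
aaa accounting exec default start-stop group TACACS_PLUS
aaa accounting commands 15 default start-stop group TACACS_PLUS
!
! Local fallback so a misconfigured or unreachable ACS cannot lock you out.
username admin privilege 15 secret ChangeMeLocalPassword
```

Because `aaa authorization console` is not configured, the console line is exempt from authorization by default, which gives you a way back in while the ACS authorization rules are still being tested. With the config above, an "Authorization failed" in the session together with "Passed" in the ACS authentication report means the identity store sequence is working and only the authorization rule (Shell Profile) is missing.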
Hello Carlos, I appreciate your time and your comments. I omitted the authorization EXEC on the IOS device and now it works for internal users, but something else is missing: I can't authenticate using AD users. This is my config:
aaa group server tacacs+ TACACS_PLUS
aaa authentication login default group TACACS_PLUS
aaa authorization commands 15 TACACS_PLUS group tacacs+
aaa authorization network default group TACACS_PLUS if-authenticated