Cisco Support Community
Community Member

ACS5: one user, two credentials (external token vs cert)


I have ACS4 and I am planning to upgrade to ACS5.

I would like to have rules like these:

I have user1 and one ASA device which is the VPN concentrator for remote users.

The ASA has two different tunnel-groups: one which allows logging in via certificate (with mandatory PKI authorization through ACS) with Xauth disabled,

and a second tunnel-group which allows login through typical Xauth with authorization through ACS, which uses an external database (RSA tokens).

So I have one user1 who can log in through the VPN using an RSA tokencode or a certificate.

For example: on a phone user1 uses a certificate, and on a PC the same user1 uses a token password.

For the tunnel-group with PKI authorization, the ASA checks the username in ACS, and in the typical scenario login="CN from certificate" and password="CN from certificate". So we would need "two credentials" for the user: one for PKI authorization, and a second one for the external database (RSA token).

Is such a scenario possible under ACS 5?

Do you have any similar scenarios, where one user uses different credentials based on the tunnel-group used?


Cisco Employee

ACS5: one user, two credentials (external token vs cert)

You are making a mistake here.

Your certificate scenario will authenticate against the ACS local database and will check for the certificate, for example.

The other scenario will authenticate against the RSA Token database, i.e. it won't check the "user1" password on ACS but on the RSA Token server. So ACS only keeps the cert and knows that it has to ask RSA in a specific given scenario.

Community Member

Re: ACS5: one user, two credentials (external token vs cert)

No, it's not a wireless solution: ACS does not verify the certificate, the ASA does. I will be more specific:

With ASA VPN with certs we can do only authentication or PKI authorization. I want to do PKI authorization.

Certs are not kept on ACS but on the ASA. The ASA validates the cert (not ACS). After successful validation of the cert, the ASA makes an AAA request for the user from the cert CN. This AAA request checks on ACS for a user with login=$CN and password=$CN.

(The password used can be changed for all users with the "radius-common-pw" command on the ASA.)

If that login/password matches, authorization attributes are downloaded and applied on the ASA.

That's why I need to have user1 locally defined on ACS with the correct password (user1 connecting from a phone using a cert).

Also I want to have user1 defined locally but use an external password (RSA Token) (user1 connecting from a PC using a token).

Remember that it's still the same client device (ASA) and protocol (RADIUS).

Could you propose ACS5 rules to solve this problem?

Or maybe there is another solution?

Could you write more precisely how you would implement this solution?
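The two tunnel-groups described in this thread, written out as an ASA configuration fragment. This is an added example, not configuration from the original posts; the server tag, addresses, trust-point name, tunnel-group names and keys are placeholders, and the `ikev1` keyword forms assume ASA 8.4 or later (earlier releases use `trust-point` and `pre-shared-key` without the prefix).

```cisco
! Constructed example (not from the original thread). One RADIUS server
! group pointing at ACS; both tunnel-groups use it, so ACS sees the same
! NAS and the same protocol for both kinds of request.
aaa-server ACS protocol radius
aaa-server ACS (inside) host 192.0.2.10
 key RadiusSharedSecret
 ! Password the ASA puts in the authorization request for certificate users.
 ! Without this line the ASA sends the username (the certificate CN) as the password.
 radius-common-pw CertAuthzPassword

! Tunnel-group 1: the ASA validates the client certificate itself, Xauth is
! disabled, and PKI authorization is mandatory against ACS with the
! username taken from the certificate CN.
tunnel-group TG-CERT type remote-access
tunnel-group TG-CERT general-attributes
 authorization-server-group ACS
 authorization-required
 username-from-certificate CN
tunnel-group TG-CERT ipsec-attributes
 ikev1 trust-point CA-TRUSTPOINT
 isakmp ikev1-user-authentication none

! Tunnel-group 2: group pre-shared key plus Xauth; the ASA forwards the
! username and RSA tokencode to ACS, which checks them against the external
! RSA database, then pulls authorization attributes from ACS.
tunnel-group TG-TOKEN type remote-access
tunnel-group TG-TOKEN general-attributes
 authentication-server-group ACS
 authorization-server-group ACS
tunnel-group TG-TOKEN ipsec-attributes
 ikev1 pre-shared-key GroupPreSharedKey
```

With this in place the Access-Request from TG-CERT carries User-Name=<CN> and User-Password=CertAuthzPassword (or the CN itself if `radius-common-pw` is omitted), while the one from TG-TOKEN carries User-Name=user1 and User-Password=<tokencode>. Both arrive from the same RADIUS client, which is exactly the constraint raised in the question; the thread does not settle how the ACS 5 policy should tell the two requests apart, so this fragment covers only the ASA side.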

