We are having conflicts with group membership in ACS due to using the same ID format for both Active Directory accounts and RSA tokens. We use the tokens for corporate wireless access - this account is then cached - then the same user will attempt to execute administration activities and be blocked because the user is in the wrong group.
Has anyone experienced issues with this type of conflict?
This kind of scenario is a problem for ACS because once an external user has been authenticated once... ACS sets the database type to the external DB that worked. Every subsequent authentication will go to the same external DB.
If you have ACS 4.0 you might be able to make it work by creating a NAP for each service - wired and wireless.
Inside each NAP you setup auth protocols and group mappings etc. Each NAP effectively has its own external db config.
At this stage users get multiple (yuck) entries in the ACS DB (one for each NAP) that can have its own password type.
ACS will automatically select the right one by virtue of the NAP. The trick is to make sure the correct NAP is activated. Each NAP has a set of rules to match incoming requests, e.g. by NFG or NAF, or by something in the request packet, e.g. a particular attribute value.
This last bit can be quite hard because sometimes the same device can ask for two different things. Cisco are still in a mess here and it's down to the end user to try and find something in the packet they can trigger off.