I'm working on getting ACS 5.4 configured to replace our ACS 4.2 servers. I'm just about there, but one thing appears to be missing.
We have authentications backed off to a RADIUS identity store for two-factor. I want any user authenticated by this identity store to be treated as though they were in a full-access identity group, unless there already exists an account in the internal users identity store which specifies differently.
In 4.2 there was a configuration to define a default group mapping for dynamic users from an external user database. Is there any such function in 5.4?
I've tried putting together an access service to assign full-access rights by default or for users in the all groups identity group, and while I see the rules getting hit when I log in as a dynamic user, the authorization doesn't seem to get applied properly - I get an "Authorization failed" message at the router.
If I create a user in the internal identity store to use radius for authentication then it all works fine. While it wouldn't be the end of the world to do this for all users on the radius server it would be a duplication of effort, so I'd prefer not to.
There is no concept of default GROUP in ACS 5.4, though we have a default rule in the authorization section.
I see you have already tried something and it didn't bring good results until you defined a user in the internal database of ACS. Can you please attach a screenshot of 'Identity store sequence' > click on the identity being used?