Hi all,
I'm working on getting ACS 5.4 configured to replace our ACS 4.2 servers. I'm just about there, but one thing appears to be missing.
We have authentications backed off to a RADIUS identity store for two-factor. I want any user authenticated by this identity store to be treated as though they were in a full-access identity group, unless there already exists an account in the internal users identity store which specifies differently.
In 4.2 there was a configuration to define a default group mapping for dynamic users from an external user database. Is there any such function in 5.4?
I've tried putting together an access service to assign full-access rights by default or for users in the all groups identity group, and while I see the rules getting hit when I log in as a dynamic user, the authorization doesn't seem to get applied properly - I get an "Authorization failed" message at the router.
If I create a user in the internal identity store to use RADIUS for authentication, then it all works fine. While it wouldn't be the end of the world to do this for all users on the RADIUS server, it would be a duplication of effort, so I'd prefer not to.
Anyone able to point me in the right direction?
Cheers,
Matt