Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

External DB default group in ACS 5.4

Hi all,

I'm working on getting ACS 5.4 configured to replace our ACS 4.2 servers. I'm just about there, but one thing appears to be missing.

We have authentications backed off to a radius identity store for two-factor. I want any user authenticated by this identity store to be treated as though these were in a full-access identity group, unless there already exists an account in the internal users identity store which specifies differently.

In 4.2 there was a configuration to define a default group mapping for dynamic users from an external user database. Is there any such function in 5.4?

I've tried putting together an access service to assign full-access rights by default or for users in the all groups identity group, and while I see the rules getting hit when I log in as a dynamic user, the authorization doesn't seem to get applied properly - I get an "Authorization failed" message at the router.

If I create a user in the internal identity store to use radius for authentication then it all works fine. While it wouldn't be the end of the world to do this for all users on the radius server it would be a duplication of effort, so I'd prefer not to.

Anyone able to point me in the right direction?



Everyone's tags (5)
Cisco Employee

Re: External DB default group in ACS 5.4

Hi Matthew,

There is no concept of default GROUP in ACS 5.4, though we have a default rule in the authorization section.

I see you have already tried something and it didn't bring good results until you define a user in the internal database of ACS. Can you please attach a screen shot of 'Identity store sequence' > click on identity being used

Jatin Katyal

**Do rate helpful posts**

~BR Jatin Katyal **Do rate helpful posts**