
External DB default group in ACS 5.4

Matthew Hill
Level 1

Hi all,

I'm working on getting ACS 5.4 configured to replace our ACS 4.2 servers. I'm just about there, but one thing appears to be missing.

We have authentications backed off to a RADIUS identity store for two-factor. I want any user authenticated by this identity store to be treated as though they were in a full-access identity group, unless there already exists an account in the internal users identity store which specifies differently.

In 4.2 there was a configuration to define a default group mapping for dynamic users from an external user database. Is there any such function in 5.4?

I've tried putting together an access service to assign full-access rights by default or for users in the all groups identity group, and while I see the rules getting hit when I log in as a dynamic user, the authorization doesn't seem to get applied properly - I get an "Authorization failed" message at the router.

If I create a user in the internal identity store to use RADIUS for authentication, then it all works fine. While it wouldn't be the end of the world to do this for all users on the RADIUS server, it would be a duplication of effort, so I'd prefer not to.

Anyone able to point me in the right direction?

Cheers,

Matt

1 Reply

Jatin Katyal
Cisco Employee

Hi Matthew,

There is no concept of default GROUP in ACS 5.4, though we have a default rule in the authorization section.

I see you have already tried something and it didn't bring good results until you define a user in the internal database of ACS. Can you please attach a screenshot of 'Identity store sequence' > click on the identity being used?

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin