Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

How to Setup another Access Policy 5.3

hi everyone,

Thank you for your help in advance. I am new to v5.3, and I am not good at VPN. So hope you can help.

I just have my consultant to configure this correctly just today. Currently, there is only one rule for the access policy (Single Result Selection). That rule is to use Active Directory as the source for the authentication. And by default will deny any other access which is not found in the rule.

Now... I just got an order that I need to setup a new user who will need to access to our network by using Cisco IPSec VPN (the software one). But that user is not setup in our Active Directory, and we do not want him to access our domain anyway. He only needs to access non-domain resourse...such as airconditioning controller by IP. So I am thinking to setup his account by using "internal identtity". If I do this way, what do I need to do to setup another access policy? May you give me some steps with little more details?

OR... if it is not the way I should do...what else can I do to achieve this goal? Also, he said he could provide his static IP trying to access from.

I have a ASA 5520.

Thank you very much for your help.

Takami Chiro


How to Setup another Access Policy 5.3


Instead of creating a separate rule for the credentials validation you can edit the existing one that points to AD1 (only) and change it to a result on the ACS that checks both AD1 and Internal Users. In that case we need to use Identity Store Sequence. Refer to the steps below:

On the ACS GUI > Users and Identity Stores > Identity Store Sequences > Create > Select "Password Based" and on the first box move AD1 and Internal Users to the right. Please do the same on the box at the bottom.

The option "Internal User/Host Advanced Option: If internal user/host not found or disabled then exit sequence and treat as "User Not Found" should stay unchecked. Click submit.

After creating the ID Store Sequence you need to change the Identity Result where you had AD1. Now the name of the ID Store will display as an available option. Please select that one and save the changes.

With the above configuration, the expected behavior would be:

1) ACS receives a request from the Internal User.

2) ACS tries to validate the credentials against AD.

3) AD returns an "User Unkown" response.

4) ACS moves to the Internal Users.

5 ACS successfully authenticates the user validating the provided credentials against Internal Users.

Hope this helps.


Community Member

How to Setup another Access Policy 5.3

Hi Carlos,

Thank you very much for your details on this. I really appreciate this.

I did what you told. But it did not work. So I also did lilttle further... I went to "Access Policies" - Deffault Network Addess - Identity, and "Single Result selection" is still selected, and "AD1" was selected in the "Identity Source". Instead of "AD1", now I change to the source I created (based on what you told in the last post so AD1 checked first followed by Inerenal Users).

But it still did not work... I meant I tried to use the Internal User account to logon the vpn... and the internal user account could not go thru.

In the "Identity Sotre sequence", advanced option that you mentioned, I also selected "Contiune to next identity store in the sequence" instead of "Break Sequence", but it still not work.

Was I still on the right approach? And what else do I need to make the AD and internal user working?

I know I am getting close... and hope you can help.... Again, I really appreciate your help.
Takami Ichiro


How to Setup another Access Policy 5.3

Hello Takami,

Can you please check the ACS reports and share the failed attempt with us?

Also, please share the "Steps" section of the report on a screenshot for us to analyze the ACS Authentication flow and try to determine where the Internal ACS User is failing.

NOTE: The Authentication Steps can be found after clicking the Report Magnifier icon.


Community Member

How to Setup another Access Policy 5.3

Hi Carlos, Thank you very much for response again!

I tried to run reports under Catatlog - AAA Protocol - Raidus, and Tacacs but I could not see any log. So I run a report on User and narrow down to the user account called "testacs" I created in ACS. And please review the following screenshots. And based on what I seems like the system even not checking the internal user even though I set to check AD1 first then the Internal User... unless I did something wrong on the setting. So please my config screenshot on last page and see if I did something wrong.

Thank you very much again for your help

CreatePlease to create content