Cisco Support Community
Users in CSACS Internal Database and External Database

We have CSACS 3.2(3) where users are configured with an internal SecurID account, with the unknown user policy set up to query our Windows 2000 AD for wireless users. A user might have two entries in the database: a static "matt.melbourne" RSA SecurID username in the internal database (for VPN access) and a MYDOMAIN\matt.melbourne user created through a dynamic group mapping for wireless authentication.

The Cisco wireless client prepends the domain name to the username and passes this to ACS for authentication, which then queries the AD through the Unknown User Policy. However, some wireless clients (including the Cisco Secure Services Client) don't appear to prepend the domain name and when authenticating wirelessly, the username e.g. "matt.melbourne" only is presented. This matches the SecurID user in the internal database and the authentication fails.

Is there a way around this? Ideally, I'd like to say if the request comes from this group of NASes (e.g. APs) then only query the Windows 2000 AD database.

2 REPLIES

Re: Users in CSACS Internal Database and External Database

If you had ACS v4.x you could create a Network Access Policy (NAP) for wireless and VPN.

These can be triggered off the device IP, or network device group, or even an attribute in the access request - basically anything that IDs the request as either WLAN or VPN.

Each NAP can have its own external db config and group mappings.

The net result being the WLAN users get directed to windows regardless of domain mark-ups and vice versa for RSA.

ACS 4.x implements this horribly (i.e. you might see the same userid several times in the ACS user db), but if you can get past the UI it should work!
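The two lookup orders being compared in this thread, the 3.2 "internal DB first, then Unknown User Policy" order from the question and the 4.x "pick the store from the network device group" order from the reply above, modelled as an added example. This is not ACS code and not Cisco's; it is an illustrative simulation in which every address range, device group name, account and credential is constructed, and the store names "rsa-securid" and "ad" are assumptions standing in for the real RSA SecurID and Windows AD backends.

```python
"""Model of identity-store selection for a RADIUS Access-Request.

acs32_store(): internal user DB matched on the literal User-Name first; a
miss falls through to the Unknown User Policy, which queries AD.
acs4_store():  a NAP keyed on the NAS's network device group decides the
store, so the presence or absence of a DOMAIN\\ prefix no longer matters.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed ACS internal user DB: a static RSA SecurID user created for
# VPN, plus the dynamically mapped AD user that wireless logons created.
INTERNAL_DB = {
    "matt.melbourne": "rsa-securid",
    "MYDOMAIN\\matt.melbourne": "ad",
}

# Constructed network device groups (NDGs) keyed on NAS source address.
NDGS = {
    "WLAN-APs": [ip_network("10.10.0.0/24")],
    "VPN-Concentrators": [ip_network("10.20.0.0/24")],
}

# Constructed NAP table: which external store each NDG is sent to.
NAP_POLICY = {
    "WLAN-APs": "ad",
    "VPN-Concentrators": "rsa-securid",
}

# Constructed credentials per store; a real deployment queries AD / RSA.
STORE_CREDENTIALS = {
    "rsa-securid": {"matt.melbourne": "1234567890"},  # PIN+tokencode (made up)
    "ad": {"matt.melbourne": "Winter2017!"},          # AD password (made up)
}


@dataclass
class AccessRequest:
    user_name: str   # RADIUS User-Name as sent by the client
    nas_ip: str      # source address of the NAS (AP or VPN concentrator)


def split_realm(user_name):
    """Return (domain, user) for 'DOMAIN\\user'; domain is None if absent."""
    if "\\" in user_name:
        domain, _, user = user_name.partition("\\")
        return domain, user
    return None, user_name


def ndg_for(nas_ip):
    """Map a NAS address to its network device group, or None if unknown."""
    addr = ip_address(nas_ip)
    for name, nets in NDGS.items():
        if any(addr in net for net in nets):
            return name
    return None


def acs32_store(req):
    """3.2 order: literal User-Name hit in the internal DB wins; otherwise the
    Unknown User Policy forwards the request to AD."""
    if req.user_name in INTERNAL_DB:
        return INTERNAL_DB[req.user_name]
    return "ad"


def acs4_store(req):
    """4.x order: the NDG of the NAS selects the NAP, and the NAP names the
    store. The User-Name plays no part in the choice."""
    return NAP_POLICY.get(ndg_for(req.nas_ip))


def verify(store, user_name, secret):
    """Check the secret against the chosen store; both stores are keyed on
    the bare account name, so any DOMAIN\\ prefix is stripped first."""
    _, user = split_realm(user_name)
    return STORE_CREDENTIALS.get(store, {}).get(user) == secret


def acs32_auth(req, secret):
    store = acs32_store(req)
    return store, verify(store, req.user_name, secret)


def acs4_auth(req, secret):
    store = acs4_store(req)
    return store, verify(store, req.user_name, secret)


if __name__ == "__main__":
    # A wireless client that does not prepend the domain, sending the AD
    # password: 3.2 lands on the SecurID user and fails, 4.x routes by NDG.
    wlan = AccessRequest("matt.melbourne", "10.10.0.5")
    print("3.2:", acs32_auth(wlan, "Winter2017!"))   # ('rsa-securid', False)
    print("4.x:", acs4_auth(wlan, "Winter2017!"))    # ('ad', True)
```

The model makes the failure in the question visible: with 3.2 the bare name is an exact hit on the static SecurID entry, so the AD password is checked against RSA and fails, while the prefixed form misses the static entry and reaches AD. Under the NAP model only the NAS's device group matters, which is exactly the "if the request comes from this group of NASes" rule the question asked for; a NAS outside every NDG maps to no store and is rejected.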


Re: Users in CSACS Internal Database and External Database

Thanks for that; I'd seen NAPs in the 4.x documentation which looked like it may work. We have ordered ACS 4.1, so I'll be going through a tortuous process to upgrade from ACS 3.2(3) :)
