Cisco Support Community

VPN authentication using ACS 5.2

I want to use ACS 5.2 to authenticate VPN users and Wireless users.

For the VPN users, there is an internal group on the ACS box and an Active Directory group in AD. I would like to be able to use both sources to authenticate VPN users. Some VPN users will have local accounts on the ACS box, others will be AD users. I'm having a hard time getting the policies right. It seems I can get it to use either AD or Internal Users but not both.

Accepted Solutions

Re: VPN authentication using ACS 5.2

Create an identity store sequence and have Internal Users and AD in the sequence (refer to the attached screenshot). You can then use this identity sequence in the access policy so that both the internal and the AD store are checked.

Note: please rate the answer if it was helpful

5 REPLIES

Re: VPN authentication using ACS 5.2

So can you not create 2 different rules in the identity policy that would reference 2 identity sources?


Re: VPN authentication using ACS 5.2

If you create two access policies with different identity stores, then you will run into the same issue you mentioned: if the user is in AD and your first policy is configured for internal users, then it comes back with "user not found", unless the AD users come in from a different NAS client and you configure the access policy based on NAS.

Note: Please rate the answer if it was helpful


Re: VPN authentication using ACS 5.2

So, if you are wanting to use 2 different identity sources, then using an identity sequence is the way to go because it will check all of them?

Re: VPN authentication using ACS 5.2

I have a similar scenario. Some of our VPN users are in SecurID database. Some VPN users are in ACS Local database.

We configured the "Identity Policies" as "Rule based result selection". Then we created one rule using "Compound Condition". You set the condition to "System:UserName equals <username>" and set the "Identity Source" to "Internal Users". For this rule you have to tell ACS explicitly what the name of the user is.

There's a default rule which "Identity Source" is set to SecurID Database. It applies to all users that didn't match the previous rule.

Hope it helps
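The two designs discussed in this thread (an identity store sequence versus rule-based selection of a single store), as an added Python model that is not Cisco ACS code; the store names, usernames and passwords are constructed sample data, and the evaluation logic is a simplified model of how ACS 5.2 picks an identity source for a VPN login.

```python
# Added model (not Cisco code): why an identity store sequence finds a user in
# either store, while a rule that selects one store returns "user not found".
from typing import Dict, List, Optional, Tuple

# Constructed sample identity stores: store name -> {username: password}
STORES: Dict[str, Dict[str, str]] = {
    "Internal Users": {"vpn-contractor": "Secret1!"},
    "AD1": {"alice": "Winter2024"},
    "SecurID": {"bob": "123456"},
}

def lookup(store: str, user: str, password: str) -> str:
    """Outcome from one store: 'pass', 'fail' (bad credentials) or 'not_found'."""
    entries = STORES[store]
    if user not in entries:
        return "not_found"
    return "pass" if entries[user] == password else "fail"

def sequence_auth(sequence: List[str], user: str, password: str) -> Tuple[str, Optional[str]]:
    """Identity store sequence: try each store in order and stop at the first
    store that knows the user (assumption: a wrong password in a store that
    knows the user stops the sequence; only 'not_found' moves to the next store)."""
    for store in sequence:
        result = lookup(store, user, password)
        if result != "not_found":
            return result, store
    return "not_found", None

def rule_based_auth(rules: List[Tuple[str, str]], default_store: str,
                    user: str, password: str) -> Tuple[str, str]:
    """Rule-based identity policy where each rule names ONE identity source.
    rules: (System:UserName value, store). The first matching rule selects the
    store; a user unknown to that store is rejected even if another store
    knows them, which is the problem the thread describes."""
    for cond_user, store in rules:
        if cond_user == user:
            return lookup(store, user, password), store
    return lookup(default_store, user, password), default_store

if __name__ == "__main__":
    # Original poster's situation: everyone sent to Internal Users, AD user fails.
    print(rule_based_auth([], "Internal Users", "alice", "Winter2024"))
    # Accepted answer: a sequence checks Internal Users, then AD.
    print(sequence_auth(["Internal Users", "AD1"], "alice", "Winter2024"))
    # Last reply: explicit username rule to Internal Users, default to SecurID.
    print(rule_based_auth([("vpn-contractor", "Internal Users")], "SecurID", "bob", "123456"))
```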
