https://community.cisco.com/t5/network-access-control/acs5-rules-continue-on-fail/m-p/1862619#M212886 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Unfortunately the Treat Rejects as 'authentication failed' and Treat Rejects as 'user not found' options only apply when configuring RSA (Native SDI). Those would not apply for any other External Database like AD or LDAP.</P><P></P><P>Hope this clarifies it.</P><P></P><P>Regards.</P></BODY></HTML> Tue, 17 Jan 2012 15:11:23 GMT camejia 2012-01-17T15:11:23Z https://community.cisco.com/t5/network-access-control/acs5-rules-continue-on-fail/m-p/1862616#M212883 <P>Hello</P><P></P><P>Is it possible to create on ACS5 rule which will:</P><P>1. Try to authenticate user in external database1 (radius) </P><P>2. When external database1 returns FAIL (because of bad password) ACS5 should try to authenticate user in another external database2 (radius)</P><P></P><P>Is it possible to have such scenario ?</P><P></P><P>Thanx</P> Mon, 11 Mar 2019 01:43:29 GMT https://community.cisco.com/t5/network-access-control/acs5-rules-continue-on-fail/m-p/1862616#M212883 mlopacinski 2019-03-11T01:43:29Z https://community.cisco.com/t5/network-access-control/acs5-rules-continue-on-fail/m-p/1862617#M212884 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>The only database that will allow that behavior when configured first on an Identity Store Sequence would be RSA when configured to use Native SDI. It has a setting that reads as follows:</P><P></P><P>"This Identity Store does not differentiate between&nbsp; 'authentication failed' and 'user not found' when an authentication&nbsp; attempt is rejected. From the options below, select how such an&nbsp; authentication reject from the Identity Store should be interpreted by&nbsp; ACS for Identity Policy processing and reporting . </P><P></P><P> Treat Rejects as 'authentication failed' </P><P> Treat Rejects as 'user not found'"</P><P></P><P>You can select either of the above two options in order to determine how will the ACS interpret the failure returned from the RSA.</P><P></P><P>For LDAP, AD or any other external database, if the ACS does the query to the external database, finds the username but the failure is caused due to a "Bad Password" the ACS will exit the Identity Store Sequence and will deny access to the user.</P><P></P><P>The only way for the ACS to keep querying databases in an ID Store Sequence is that the user account is not found on the current database.</P><P></P><P>Hope this helps.</P><P></P><P>Regards.</P></BODY></HTML> Mon, 16 Jan 2012 22:40:52 GMT https://community.cisco.com/t5/network-access-control/acs5-rules-continue-on-fail/m-p/1862617#M212884 camejia 2012-01-16T22:40:52Z https://community.cisco.com/t5/network-access-control/acs5-rules-continue-on-fail/m-p/1862618#M212885 <HTML><HEAD></HEAD><BODY><P>Thanx for detailed description for Treat Rejects as 'authentication failed'</P><P></P><P>I have one more question for Treat Rejects as 'user not found'"</P><P></P><P>So - if my first external database: LDAP or AD return Treat Rejects as 'user not found'"</P><P>next external database can be queried ? (or this functionality is also only for RSA SDI) ?</P><P></P><P>Thanx</P></BODY></HTML> Tue, 17 Jan 2012 08:02:18 GMT https://community.cisco.com/t5/network-access-control/acs5-rules-continue-on-fail/m-p/1862618#M212885 mlopacinski 2012-01-17T08:02:18Z https://community.cisco.com/t5/network-access-control/acs5-rules-continue-on-fail/m-p/1862619#M212886 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Unfortunately the Treat Rejects as 'authentication failed' and Treat Rejects as 'user not found' options only apply when configuring RSA (Native SDI). Those would not apply for any other External Database like AD or LDAP.</P><P></P><P>Hope this clarifies it.</P><P></P><P>Regards.</P></BODY></HTML> Tue, 17 Jan 2012 15:11:23 GMT https://community.cisco.com/t5/network-access-control/acs5-rules-continue-on-fail/m-p/1862619#M212886 camejia 2012-01-17T15:11:23Z https://community.cisco.com/t5/network-access-control/acs5-rules-continue-on-fail/m-p/1862620#M212888 <HTML><HEAD></HEAD><BODY><P>so - there is no way i could do a migration from one external database to another external database ?</P><P>(creating gradually new users in new database and deleting them from old database) ?</P><P></P><P>Thanx</P></BODY></HTML> Wed, 18 Jan 2012 07:08:17 GMT https://community.cisco.com/t5/network-access-control/acs5-rules-continue-on-fail/m-p/1862620#M212888 mlopacinski 2012-01-18T07:08:17Z https://community.cisco.com/t5/network-access-control/acs5-rules-continue-on-fail/m-p/1862621#M212890 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>You will have to delete the user from the Old Database as soon as you create it on the New Database for the ACS to receive an "Unknown User" error and move to the next available database. </P><P></P><P>The problem is that if the ACS finds the user on the Old Database it will not move to the New Database and the failure would be reported as "Bad Password" as you stated on the beginning.</P><P></P><P>Regards.</P></BODY></HTML> Wed, 18 Jan 2012 17:37:02 GMT https://community.cisco.com/t5/network-access-control/acs5-rules-continue-on-fail/m-p/1862621#M212890 camejia 2012-01-18T17:37:02Z