https://community.cisco.com/t5/network-access-control/acs5-different-external-authentication-method-for-each-user/m-p/1583601#M257520 <HTML><HEAD></HEAD><BODY><P>That makes sense, thank you</P></BODY></HTML> Wed, 23 Feb 2011 06:19:37 GMT Roman Rodichev 2011-02-23T06:19:37Z https://community.cisco.com/t5/network-access-control/acs5-different-external-authentication-method-for-each-user/m-p/1583599#M257490 <P>in ACS4 I could specify a different external authentication method for each user account. I'm trying to figure out how to do the same in ACS 5? When I go under Identity in Access Services, I see System:Username condition that I can use to identify the user that's logging in, so that I can direct him to a different identity source, but configuring separate policy for each user is very inconvinient and would require hundreds of policies in our case.</P><P></P><P>I was hoping we can create some kind of attribute for each user. SysAdmin &gt; Configuration &gt; Dictionaries &gt; Identity &gt; Internal Users. I created new attribute called "Identity Store" with Enumeration type, that has 4 values: Internal, Entrust Token, RSA Token, AD&nbsp; account, and checked the box "Add Policy Condition". I can then go under each user and select the identity store for each user. But now I can't find where I can use it under Identity portion of an access policy. I can use it under "Group Mapping" but that maps it to a group, and not to an identity store. I need to use it somehow under Identity, but I can't find how.</P> Mon, 11 Mar 2019 00:50:38 GMT https://community.cisco.com/t5/network-access-control/acs5-different-external-authentication-method-for-each-user/m-p/1583599#M257490 Roman Rodichev 2019-03-11T00:50:38Z https://community.cisco.com/t5/network-access-control/acs5-different-external-authentication-method-for-each-user/m-p/1583600#M257504 <HTML><HEAD></HEAD><BODY><P>Hello Roman,</P><P>The attribute you have created will be available when the user is authenticated through internel ID Store, so you can't use it to select the ID store.</P><P>The best way to do that would be use other attributes that you have to differentiate the idendity store.<BR />You can as well create an identity store sequence so that for each user, ACS will try to authenticate using several identity store.</P><P></P><P>You can, for example, use these:</P><P></P><P>Network Condition</P><P>&gt;End Station filter</P><P>&gt;Device filter</P><P>&gt;Devide Ports filter</P><P>Here you can import the filters from a file, so it would be more scalable.</P><P></P><P>Hope this help.</P></BODY></HTML> Mon, 21 Feb 2011 12:22:38 GMT https://community.cisco.com/t5/network-access-control/acs5-different-external-authentication-method-for-each-user/m-p/1583600#M257504 Bastien Migette 2011-02-21T12:22:38Z https://community.cisco.com/t5/network-access-control/acs5-different-external-authentication-method-for-each-user/m-p/1583601#M257520 <HTML><HEAD></HEAD><BODY><P>That makes sense, thank you</P></BODY></HTML> Wed, 23 Feb 2011 06:19:37 GMT https://community.cisco.com/t5/network-access-control/acs5-different-external-authentication-method-for-each-user/m-p/1583601#M257520 Roman Rodichev 2011-02-23T06:19:37Z