https://community.cisco.com/t5/network-access-control/identity-store-sequence-from-one-source/m-p/1479147#M336559 <P>I have one set of ASA's wi<SPAN style="background-color: #f8fafd;">th users who need to hit two different identity stores on the ACS.&nbsp; One group is normal users hitting Active Directory via LDAP, which currently works perfectly.&nbsp; I need to add a group of users that will be application based for auth purposes only, I am trying to store the users on the ACS rather than Active Directory because the current AD password policy breaks the application we are using and we have a 2003 AD which wont allow seperate password policies.&nbsp; Regardless of the Identity Store Sequence being set to internal first the users that log in always hit the LDAP AD attempt.&nbsp; bug?&nbsp; I am on current code.</SPAN></P><P></P><P><SPAN style="background-color: #f8fafd;">I thought we could use identity store sequence to hit the local user DB first and the LDAP AD second but its not working.&nbsp; I was poking around in "Access Policies &gt; *My ASA* &gt; identity &gt; advanced options" and it has a blurb that says...</SPAN></P><P></P><P><SPAN style="background-color: #f8fafd;">"Note For authentications using PEAP, LEAP, EAP-FAST, or RADIUS MSCHAP it is not possible to continue processing when authentication fails or user is not found.&nbsp; If continue option is selected in these cases, reuqest will be rejected."</SPAN></P><P></P><P><SPAN style="background-color: #f8fafd;">This statement seems to trump the concept of an "Identity Store Sequence", obviously if your user isnt in your first sequence you can't *continue* on two your second sequence.</SPAN></P><P></P><P></P><P><SPAN style="background-color: #f8fafd;">what gives?</SPAN></P><P></P><P><SPAN style="background-color: #f8fafd;">Does anyone know how to get one source to talk to two identity stores?&nbsp; If we cant find a solution I'll probably have to try and get another set of ASA's to complete this project.</SPAN>&nbsp; <SPAN __jive_emoticon_name="cry" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/cry.gif"></SPAN></P><P></P><P>e-</P> Mon, 11 Mar 2019 00:16:11 GMT Eric Hansen 2019-03-11T00:16:11Z https://community.cisco.com/t5/network-access-control/identity-store-sequence-from-one-source/m-p/1479147#M336559 <P>I have one set of ASA's wi<SPAN style="background-color: #f8fafd;">th users who need to hit two different identity stores on the ACS.&nbsp; One group is normal users hitting Active Directory via LDAP, which currently works perfectly.&nbsp; I need to add a group of users that will be application based for auth purposes only, I am trying to store the users on the ACS rather than Active Directory because the current AD password policy breaks the application we are using and we have a 2003 AD which wont allow seperate password policies.&nbsp; Regardless of the Identity Store Sequence being set to internal first the users that log in always hit the LDAP AD attempt.&nbsp; bug?&nbsp; I am on current code.</SPAN></P><P></P><P><SPAN style="background-color: #f8fafd;">I thought we could use identity store sequence to hit the local user DB first and the LDAP AD second but its not working.&nbsp; I was poking around in "Access Policies &gt; *My ASA* &gt; identity &gt; advanced options" and it has a blurb that says...</SPAN></P><P></P><P><SPAN style="background-color: #f8fafd;">"Note For authentications using PEAP, LEAP, EAP-FAST, or RADIUS MSCHAP it is not possible to continue processing when authentication fails or user is not found.&nbsp; If continue option is selected in these cases, reuqest will be rejected."</SPAN></P><P></P><P><SPAN style="background-color: #f8fafd;">This statement seems to trump the concept of an "Identity Store Sequence", obviously if your user isnt in your first sequence you can't *continue* on two your second sequence.</SPAN></P><P></P><P></P><P><SPAN style="background-color: #f8fafd;">what gives?</SPAN></P><P></P><P><SPAN style="background-color: #f8fafd;">Does anyone know how to get one source to talk to two identity stores?&nbsp; If we cant find a solution I'll probably have to try and get another set of ASA's to complete this project.</SPAN>&nbsp; <SPAN __jive_emoticon_name="cry" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/cry.gif"></SPAN></P><P></P><P>e-</P> Mon, 11 Mar 2019 00:16:11 GMT https://community.cisco.com/t5/network-access-control/identity-store-sequence-from-one-source/m-p/1479147#M336559 Eric Hansen 2019-03-11T00:16:11Z https://community.cisco.com/t5/network-access-control/identity-store-sequence-from-one-source/m-p/1479148#M336602 <HTML><HEAD></HEAD><BODY><P>Hi Eric,</P><P></P><P>That note you have mentioned has a different meaning to my knowledge and that means continue to the authorization portion of it. In any case, you configuration choice is correct and it maybe a matter of a minor config error that you are running into. Under <SPAN style="background-color: #f8fafd;">"Access Policies &gt; *My ASA* &gt; identity, did you chose the identity sequence you created or did you by mistake chose the LDAP server ? What does it say when you go to monitoring and reports and chose the failed entry and click on the magnifying glass ? It tells you the step by step processing and that may be of some help to troubleshoot<BR /></SPAN></P><P></P><P>Thanks,</P><P>Mani</P></BODY></HTML> Fri, 30 Jul 2010 22:13:08 GMT https://community.cisco.com/t5/network-access-control/identity-store-sequence-from-one-source/m-p/1479148#M336602 mansrini 2010-07-30T22:13:08Z