https://community.cisco.com/t5/network-access-control/acs-5-1-evaluating-exception-authorization-policy/m-p/1491074#M377633 <HTML><HEAD></HEAD><BODY><P>Thanks for getting back to me. <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN></P><P></P><P>The AD is part of the selected Identity Store.</P><P></P><P>I'm trying to migrate our our old Steelbelted Radius with a Vasco Plugin to the ACS with a new ActivIdentity OTP Token Server.</P><P>So I setup those two as Radius Identity Servers and placed them with the AD in an Identity Store. A reject of the first server will be treated as a user not found, if the second server sends a reject the ACS will treat it as an authentication failed.</P><P></P><P>I don't want to authenticate against the AD I just want the attribute in the user object as it contains the VPN Group Policy that needs to be applied to the user.</P></BODY></HTML> Thu, 05 Aug 2010 08:11:00 GMT fschramke 2010-08-05T08:11:00Z https://community.cisco.com/t5/network-access-control/acs-5-1-evaluating-exception-authorization-policy/m-p/1491072#M377631 <P>Hi,</P><P></P><P>I'm getting the error 'No rule was matched'.</P><P></P><P>The authentication itself passes; the 'Radius Identity Servers' are sending back the accept.</P><P>Tcpdump shows that the ACS is not asking the AD as defined in the compound condition.</P><P></P><P>What am I missing?</P><P><IMG src="https://community.cisco.com/legacyfs/online/legacy/9/9/2/6299-ScreenShot015.jpg" alt="ScreenShot015.jpg" class="jive-image-thumbnail jive-image" onclick="" width="450" /></P><P></P><P>Any help would be appreciated.</P> Mon, 11 Mar 2019 00:18:28 GMT https://community.cisco.com/t5/network-access-control/acs-5-1-evaluating-exception-authorization-policy/m-p/1491072#M377631 fschramke 2019-03-11T00:18:28Z https://community.cisco.com/t5/network-access-control/acs-5-1-evaluating-exception-authorization-policy/m-p/1491073#M377632 <HTML><HEAD></HEAD><BODY><P>Can you please clarify what you have selected as the result of the identity policy. If you are still using the default defined access services you will see this at the following location:</P><P><SPAN class="cuesBreadcrumbStatic">Access Policies</SPAN> &gt; Access Services &gt; Default Network Access &gt; <SPAN class="cuesBreadcrumbLast">Identity</SPAN></P><P><SPAN class="cuesBreadcrumbLast"></SPAN></P><P><SPAN class="cuesBreadcrumbLast">In order to use the attributes from AD in the authorization decision Active Directory must be included in the results for the identity policy. This can be done in one of two ways:<BR />- Select the database directly</SPAN></P><P><SPAN class="cuesBreadcrumbLast">- Define and select an identity sequence that includes Active Directory</SPAN></P></BODY></HTML> Thu, 05 Aug 2010 06:44:43 GMT https://community.cisco.com/t5/network-access-control/acs-5-1-evaluating-exception-authorization-policy/m-p/1491073#M377632 jrabinow 2010-08-05T06:44:43Z https://community.cisco.com/t5/network-access-control/acs-5-1-evaluating-exception-authorization-policy/m-p/1491074#M377633 <HTML><HEAD></HEAD><BODY><P>Thanks for getting back to me. <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN></P><P></P><P>The AD is part of the selected Identity Store.</P><P></P><P>I'm trying to migrate our our old Steelbelted Radius with a Vasco Plugin to the ACS with a new ActivIdentity OTP Token Server.</P><P>So I setup those two as Radius Identity Servers and placed them with the AD in an Identity Store. A reject of the first server will be treated as a user not found, if the second server sends a reject the ACS will treat it as an authentication failed.</P><P></P><P>I don't want to authenticate against the AD I just want the attribute in the user object as it contains the VPN Group Policy that needs to be applied to the user.</P></BODY></HTML> Thu, 05 Aug 2010 08:11:00 GMT https://community.cisco.com/t5/network-access-control/acs-5-1-evaluating-exception-authorization-policy/m-p/1491074#M377633 fschramke 2010-08-05T08:11:00Z https://community.cisco.com/t5/network-access-control/acs-5-1-evaluating-exception-authorization-policy/m-p/1491075#M377634 <HTML><HEAD></HEAD><BODY><P>Argh...never mind; found it.</P><P>I had to add the AD in the Identity Store Sequence to the 'Additional Attribute Retrieval Search List Group'. <SPAN __jive_emoticon_name="sad" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/sad.gif"></SPAN></P><P></P><P>Thanks for the help, put me on the right track. <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN></P></BODY></HTML> Thu, 05 Aug 2010 08:21:22 GMT https://community.cisco.com/t5/network-access-control/acs-5-1-evaluating-exception-authorization-policy/m-p/1491075#M377634 fschramke 2010-08-05T08:21:22Z https://community.cisco.com/t5/network-access-control/acs-5-1-evaluating-exception-authorization-policy/m-p/1491076#M377635 <HTML><HEAD></HEAD><BODY><P>Was just writing that to respond but you got there first while I was in the middle</P><P></P><P>Interesting use case using some of the more adavnced capabilities</P></BODY></HTML> Thu, 05 Aug 2010 08:24:29 GMT https://community.cisco.com/t5/network-access-control/acs-5-1-evaluating-exception-authorization-policy/m-p/1491076#M377635 jrabinow 2010-08-05T08:24:29Z https://community.cisco.com/t5/network-access-control/acs-5-1-evaluating-exception-authorization-policy/m-p/1491077#M377636 <HTML><HEAD></HEAD><BODY><P>Yeah...took a while to get all the little pieces clicked together, but now i got the last piece of the puzzle and can run some final tests today and then start migrating some test users. <SPAN __jive_emoticon_name="wink" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/wink.gif"></SPAN></P></BODY></HTML> Thu, 05 Aug 2010 08:34:11 GMT https://community.cisco.com/t5/network-access-control/acs-5-1-evaluating-exception-authorization-policy/m-p/1491077#M377636 fschramke 2010-08-05T08:34:11Z