topic it worked for me thx in Network Access Control

acs 5.8 vpn authentication using AD and External OTP server

Dikkia — Mon, 11 Mar 2019 06:22:56 GMT

Hi,

is it possible to authenticate an user using Active Directory, internal database and OTP server for password?

what i want to achieve is:

- if the VPN user belongs to a specific group of our AD....perform the user lookup on that Group and if user exists than ask to an external sever ( activeidentity ) for OTP password

- If the user belong to internal ACS Group, authenticate it internally.

till now i've been able to authenticate users just with the EXTERNAL server (active identity) but AD lookup is not performed.

Thank you.

Yes !!

Jatin Katyal — Tue, 12 Jan 2016 10:08:26 GMT

Yes !!

Go to access policies > Default network Access > identity > Select a radio button " Rule based result selection. Over here you can use more than identity store based on the condition you have.

Hope it helps. - Jatin

thx.... even if i'm not sure

Dikkia — Tue, 12 Jan 2016 10:29:09 GMT

thx.... even if i'm not sure how to accomplish it.

how can i setup a rule that checks if a user belong to an AD group, and (if user exist) ask the password to External radius server?

at the same time, if the above checks fail, it should check the internal database.

could you pls me give additional suggestion ?

many thx

maybe some printscreen could

Dikkia — Tue, 12 Jan 2016 12:32:44 GMT

maybe some printscreen could help.

as you can see , i've created the "rule base selection" under "identity" of the "default network access". Same thing for "authorization"....but still doesn't work.

it seems that it checks if the user is local but after that nothing happen.

any idea?

many thx

it worked for me thx

Dikkia — Wed, 13 Jan 2016 16:13:06 GMT

it worked for me thx

for people who may encunter same problem here is what i did:

i just created an "identity store sequences" with the radius server ( acitveidentity at the top ) and than the internal database.

the access policy is configured as follow:

1) identity: the new identity sequence store & protocol (in the "Rule based result selection"

2) authorizaion : 2 rules

a) check the AD database and protocol ( for employee authentication )

b) check protocol and any optional ACL's ( for external partner authentication )

This conf worked for me because users lookup is performed against Radius server first and ,if no user is found, is performed then on the internal DB ( identity selection)

empoyee authorization is performed against specific AD Group ( authorization policy A ) and external authorization with restictions ( authorization policy B )

Hope it helps