https://community.cisco.com/t5/network-access-control/tacacs-backup-identity-store/m-p/3547295#M511732 <HTML><HEAD></HEAD><BODY><P>ISE does not support this , if you feel this is a feature that is need I recommend you contact your Cisco representative with your use case.</P></BODY></HTML> Thu, 08 Mar 2018 11:47:58 GMT ldanny 2018-03-08T11:47:58Z https://community.cisco.com/t5/network-access-control/tacacs-backup-identity-store/m-p/3547289#M511723 <P>Hi Guys,</P> <P>&nbsp;</P> <P><SPAN>I need to configure an backup identity store( actually the local database of the ISE ) , but it should be used only in case when the primary (in this case Active Directory) fails.The users in the local database should not be usable if the AD is reachable . Is this possible ?</SPAN></P> Tue, 26 Mar 2024 10:46:49 GMT https://community.cisco.com/t5/network-access-control/tacacs-backup-identity-store/m-p/3547289#M511723 Palazsto 2024-03-26T10:46:49Z https://community.cisco.com/t5/network-access-control/tacacs-backup-identity-store/m-p/3547290#M511725 <HTML><HEAD></HEAD><BODY><P>Yes out all identify sources in an identity source sequence</P><P></P><P>Assign the source sequence to your flow</P><P></P><P>Sent from my iPhone</P></BODY></HTML> Thu, 08 Mar 2018 06:52:31 GMT https://community.cisco.com/t5/network-access-control/tacacs-backup-identity-store/m-p/3547290#M511725 afahmy 2018-03-08T06:52:31Z https://community.cisco.com/t5/network-access-control/tacacs-backup-identity-store/m-p/3547291#M511727 <HTML><HEAD></HEAD><BODY><P>when Identity Source Sequence is created ,&nbsp; ISE will go through the chosen Identity stores in the order they are placed until it hits a match , much like an ACL behavior . When that match is hit it will stop the sequence of&nbsp; lookups</P><P></P><P>e.g<IMG __jive_id="115812" alt="" class="image-1 jive-image" src="https://community.cisco.com/legacyfs/online/fusion/115812_pastedImage_0.png" style="max-width: 1200px; max-height: 900px;" /></P><P>In above snap shot , if you were to chose AD1 as first identity store and then Internal Users as your second , then ISE would search for the user under AD1 and if not found would move on to Internal Users.</P><P></P><P>Hope thats clear.</P></BODY></HTML> Thu, 08 Mar 2018 07:37:13 GMT https://community.cisco.com/t5/network-access-control/tacacs-backup-identity-store/m-p/3547291#M511727 ldanny 2018-03-08T07:37:13Z https://community.cisco.com/t5/network-access-control/tacacs-backup-identity-store/m-p/3547292#M511728 <HTML><HEAD></HEAD><BODY><P>Thanks for the quick response guys ,but that's doesn't solve my case ... because I want the ISE to use the local database <SPAN style="font-size: 10pt;"><STRONG>only in situation when the AD is not reachable(fail)</STRONG></SPAN><SPAN style="font-size: 10pt;"> . The Identity Source Sequence is configured just like you have suggested , of course ,but in this situation there will be users in the local database that will always have an access , even if the AD&nbsp; is up, and I don't wont that.</SPAN></P></BODY></HTML> Thu, 08 Mar 2018 08:09:44 GMT https://community.cisco.com/t5/network-access-control/tacacs-backup-identity-store/m-p/3547292#M511728 Palazsto 2018-03-08T08:09:44Z https://community.cisco.com/t5/network-access-control/tacacs-backup-identity-store/m-p/3547293#M511730 <HTML><HEAD></HEAD><BODY><P>sounds like you have same accounts on both internal and AD data base .</P><P>In that case ISE does not support this option.</P></BODY></HTML> Thu, 08 Mar 2018 09:43:35 GMT https://community.cisco.com/t5/network-access-control/tacacs-backup-identity-store/m-p/3547293#M511730 ldanny 2018-03-08T09:43:35Z https://community.cisco.com/t5/network-access-control/tacacs-backup-identity-store/m-p/3547294#M511731 <HTML><HEAD></HEAD><BODY><P>No , the accounts are different , but I want the accounts from local store to be usable only if the primary id store fail(in my case the AD and the ISE are not in the same location and sometimes there are connectivity issues ). There are options in the authentication policies ( continue ,reject and drop ) , but when I tried to configure it with&nbsp; them , they doesn't work like I expected . </P></BODY></HTML> Thu, 08 Mar 2018 09:51:24 GMT https://community.cisco.com/t5/network-access-control/tacacs-backup-identity-store/m-p/3547294#M511731 Palazsto 2018-03-08T09:51:24Z https://community.cisco.com/t5/network-access-control/tacacs-backup-identity-store/m-p/3547295#M511732 <HTML><HEAD></HEAD><BODY><P>ISE does not support this , if you feel this is a feature that is need I recommend you contact your Cisco representative with your use case.</P></BODY></HTML> Thu, 08 Mar 2018 11:47:58 GMT https://community.cisco.com/t5/network-access-control/tacacs-backup-identity-store/m-p/3547295#M511732 ldanny 2018-03-08T11:47:58Z https://community.cisco.com/t5/network-access-control/tacacs-backup-identity-store/m-p/3547296#M511733 <HTML><HEAD></HEAD><BODY><P>Hi Stoyan,</P><P></P><P>There is another option in Identity store sequence at the end to deal with the situation when ID store is not accessible.</P><P><IMG alt="" class="image-1 jive-image" height="96" src="https://community.cisco.com/legacyfs/online/fusion/115830_pastedImage_0.png" style="width: 415px; height: 96.3871px;" width="415" /></P><P></P><P>Have you tried this?</P><P></P><P>-Krishnan</P></BODY></HTML> Thu, 08 Mar 2018 19:38:45 GMT https://community.cisco.com/t5/network-access-control/tacacs-backup-identity-store/m-p/3547296#M511733 kthiruve 2018-03-08T19:38:45Z