ACS 4.2 unknown user database search order

ROBERTO GIANA
Level 4

Hi

I have multiple user databases in the search order for the unknown user policy. Disregarding the manual (http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UnknUsr.html#wp277530), which states that after failing the authentication against the first database (Windows) the ACS does not continue to search the second database, a RADIUS server, I can see that with the fail in the first user database the ACS stops searching and fails the authentication of the user with an "External DB password invalid" authentication failure code.

Is the documentation wrong or is it a bug in the ACS v4.2.1? How can I make the ACS continue to search the second user database?



Federico Ziliotto
Cisco Employee

Hello,

ACS should be able to proceed and check the next database defined in the list, if the authentication protocol in use is supported with such a database.

Could you please attach a few screenshots of the following settings in your ACS?
External User Databases > Unknown User Policy
System Configuration > Global Authentication Setup

Also, is the access-request hitting any NAP in ACS? This may override the global database usage list.

Regards,

Fede

--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Hi Fede

I think that the problem is that the Windows Database always gives a reject back and not an "I don't know that user, go ahead, look elsewhere". Therefore there is never an authentication afterwards to check for the ACS.

Here the current unknown user policy:

Actually I don't know what the enabled authentication methods have to do with the order of authentication. Especially as a Windows environment by default only supports PAP authentication, as the passwords are not stored reversibly, which is necessary for all CHAP versions. And PAP cannot be controlled in the global auth. ;-)

But anyway. Here the global authentication setup:

Bastien Migette
Cisco Employee

Hello

Did you configure the unknown user policy as described in your link? See http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UnknUsr.html#wp277502

"For authentication requests, ACS applies the Unknown User Policy to unknown users only. ACS does not support fallback to unknown user authentication when known or discovered users fail authentication."

It means that it will look into the next database if the user is not found in the first, if it is found and the authentication doesn't succeed, it will fail.

HTH,

Bastien.

Hi Bastien

The user account used for testing doesn't exist in the entire Windows environment. Definitely not.

What I'm missing in the Unknown User Policy stuff of the ACS is the same possibility as there is for LDAP authentications: a possibility to say "Only process usernames that are domain qualified" and a possibility to define the corresponding domain. It would also be a great help regarding performance to direct authentications by domain identifiers directly to the right user database. Why hasn't this been made available generally to all user databases and globally at the unknown user policy? Why is it only available to the LDAP user DB?

Kind regards

Roberto

Hi Roberto,

What you are trying to achieve may actually be done with NAPs.

Based on the user name string (so starting with the FQDN for a specific domain, like "CISCO\"), you could select a specific database for the credentials.

Regards,

Fede


Ciao Fede

The problem is that NAP only supports RADIUS requests and not TACACS. :-(

I need to authenticate the user either against the windows domain or against an external RADIUS server. Authentication and authorization between the network devices and the ACS is done by using TACACS.

Kind regards

Roberto

Ciao Roberto,

In the ACS Windows external database configuration, we also have the following option:

Use the next sequential External Database in the Selected Databases list in case of an "External DB user invalid or bad password" error

This should allow you to use the next external database in the list of the Unknown User Policy, even if this database returned an invalid user/password response.

Also, for checking only selected domains against a Windows external database, there is a further option under "Enable Domain Access Control".

Regards,

Fede


Ciao Fede

That's exactly what I'm trying to do. But the ACS never sends out an authentication request to the external RADIUS server, when the first database is the Windows database and the RADIUS server is at the second place. Instead the authentication fails with an "External DB user invalid or bad password" authentication failure code.

Does this behaviour, checking the next user database, have to be enabled explicitly? And where? The manual says that this is the default behaviour.

Kind regards

Roberto

Ciao Roberto,

If the external database returns a user/password invalid response, then it is expected for ACS not to check the next database in the sequence and to fail the authentication:

http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UnknUsr.html#wp277502

"For authentication requests, ACS applies the Unknown User Policy to unknown users only. ACS does not support fallback to unknown user authentication when known or discovered users fail authentication."

If you'd like ACS to check the next database, even if an invalid user/password response was received, you'd need to explicitly configure this under the Windows external database configuration page, in the section called "Unknown User Policy" (but under the specific Windows database configuration page, not under the general Unknown User Policy):

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2.1/User_Guide/UsrDb.html#wp354338

Also, from the previous screenshots, I could see that you configured the two following databases:

Windows Database

RADIUS Token Server

So we may be running into a situation where the authentication method in use is not supported by Radius token servers, and so the second database in the list cannot be checked:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2.1/User_Guide/UsrDb.html#wpxref36799

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2.1/User_Guide/Overvw.html#wpxref846

Regards,

Fede

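To make the decision rule in the posts above concrete, here is an added toy model of the Unknown User Policy walk; it is constructed for this thread and is not ACS code. The Windows database is modelled as Roberto observed it (a bad-password reject even for unknown users), the per-database "use the next sequential External Database" option is a flag, and the protocol sets per database type plus the sample credentials are assumptions.

```python
from dataclasses import dataclass

ACCEPT, UNKNOWN_USER, BAD_PASSWORD = "accept", "unknown_user", "bad_password"
FAIL_CODE = "External DB user invalid or bad password"   # failure code quoted in the thread


@dataclass
class ExternalDb:
    """One entry in the Unknown User Policy 'Selected Databases' list (constructed model)."""
    name: str
    users: dict                       # username -> password, constructed sample data
    protocols: frozenset              # auth protocols this DB type can handle (assumed)
    rejects_unknown: bool = False     # True: answers 'bad password' even for unknown
                                      # users, as Roberto observed for the Windows DB
    continue_on_bad_password: bool = False   # the per-database Windows option Fede names

    def check(self, user: str, password: str) -> str:
        if user not in self.users:
            return BAD_PASSWORD if self.rejects_unknown else UNKNOWN_USER
        return ACCEPT if self.users[user] == password else BAD_PASSWORD


def unknown_user_policy(dbs, user, password, protocol):
    """Walk the list in order and return (outcome, database that decided it)."""
    for db in dbs:
        if protocol not in db.protocols:
            continue              # ACS cannot forward this protocol to that DB type; skip it
        result = db.check(user, password)
        if result == ACCEPT:
            return ACCEPT, db.name
        if result == BAD_PASSWORD and not db.continue_on_bad_password:
            return FAIL_CODE, db.name          # known-user failure: no fallback, by design
        # UNKNOWN_USER, or BAD_PASSWORD with the option set: try the next database
    return "unknown user", None


def demo(continue_on_bad_password: bool, protocol: str = "PAP"):
    """Roberto's layout: Windows first, RADIUS token server second (constructed data)."""
    windows = ExternalDb("Windows", {}, frozenset({"PAP", "MS-CHAP"}),
                         rejects_unknown=True,
                         continue_on_bad_password=continue_on_bad_password)
    token = ExternalDb("RADIUS Token Server", {"roberto": "otp-482913"}, frozenset({"PAP"}))
    return unknown_user_policy([windows, token], "roberto", "otp-482913", protocol)


if __name__ == "__main__":
    print(demo(False))         # option off: fails at the Windows database
    print(demo(True))          # option on: the token server is consulted and accepts
    print(demo(True, "CHAP"))  # protocol neither DB handles: no database is consulted
```

The third case mirrors Fede's second point: when the protocol in use is unsupported by a database type, that entry is never consulted, so enabling the fallback option alone would not help.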

Ciao Fede

You were right. The Windows Database was not configured to allow subsequent authentication tests! That was the trick!

Thank you very much!

Kind regards

Roberto

Grazie Roberto ;-)

Glad that this fixed your issue.

Feel free to ping us back at any time in the future, in case further help would be needed with ACS.

Regards,

Fede
