01-04-2011 04:20 AM - edited 03-10-2019 05:41 PM
Hi
I have multiple user databases in the search order for the unknown user policy. Disregarding the manual (http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UnknUsr.html#wp277530), which states that after failing the authentication against the first database (Windows) the ACS does not continue to search the second database (a RADIUS server), I can see that with the failure in the first user database the ACS stops searching and fails the authentication of the user with an "External DB password invalid" authentication failure code.
Is the documentation wrong, or is it a bug in ACS v4.2.1? How can I make the ACS continue to search the second user database?
01-04-2011 04:51 AM
Hello,
ACS should be able to proceed and check the next database defined in the list, if the authentication protocol in use is supported with such a database.
Could you please attach a few screenshots of the following settings in your ACS?
External User Databases > Unknown User Policy
System Configuration > Global Authentication Setup
Also, is the access-request hitting any NAP in ACS? This may override the global database usage list.
Regards,
Fede
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
01-04-2011 05:15 AM
Hi Fede
I think that the problem is that the Windows Database always gives a reject back and not an "I don't know that user, go ahead, look elsewhere". Therefore there is never an authentication afterwards for the ACS to check.
Here is the current unknown user policy:
Actually I don't know what the enabled authentication methods have to do with the order of authentication. Especially as a Windows environment by default only supports PAP authentication, as the passwords are not stored reversibly, which is necessary for all CHAP versions. And PAP cannot be controlled in the global auth. ;-)
But anyway. Here is the global authentication setup:
01-04-2011 05:01 AM
Hello
Did you configure the unknown user policy as described in your link? See http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UnknUsr.html#wp277502
"For authentication requests, ACS applies the Unknown User Policy to unknown users only. ACS does not support fallback to unknown user authentication when known or discovered users fail authentication."
It means that it will look into the next database if the user is not found in the first, if it is found and the authentication doesn't succeed, it will fail.
HTH,
Bastien.
01-04-2011 05:20 AM
Hi Bastien
The user account used for testing doesn't exist in the entire Windows environment. Definitely not.
What I'm missing in the unknown User Policy stuff of the ACS is the same possibility as there is for LDAP authentications: a possibility to say "Only process usernames that are domain qualified" and a possibility to define the corresponding domain. It would also be a great help regarding performance to direct authentications by domain identifiers directly to the right user database. Why hasn't this been made available generally to all user databases and globally at the unknown user policy? Why is it only available to the LDAP user DB?
Kind regards
Roberto
01-04-2011 05:24 AM
Hi Roberto,
What you are trying to achieve may actually be done with NAPs.
Based on the user name string (so starting with the FQDN for a specific domain, like "CISCO\"), you could select a specific database for the credentials.
Regards,
Fede
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
01-04-2011 05:29 AM
Ciao Fede
The problem is that NAP only supports RADIUS requests and not TACACS. :-(
I need to authenticate the user either against the windows domain or against an external RADIUS server. Authentication and authorization between the network devices and the ACS is done by using TACACS.
Kind regards
Roberto
01-04-2011 05:34 AM
Ciao Roberto,
In the ACS Windows external database configuration, we also have the following option:
Use the next sequential External Database in the Selected Databases list in case of an "External DB user invalid or bad password" error
This should allow you to use the next external database in the list of the Unknown User Policy, even if this database returned an invalid user/password response.
Also, for checking only selected domains against a Windows external database, there is a further option under "Enable Domain Access Control".
Regards,
Fede
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
01-04-2011 05:41 AM
Ciao Fede
That's exactly what I'm trying to do. But the ACS never sends out an authentication request to the external RADIUS server, when the first database is the Windows database and the RADIUS server is at the second place. Instead the authentication fails with an "External DB user invalid or bad password" authentication failure code.
Does this behaviour, to check the next user database, have to be enabled specifically? And where? The manual says that this is the default behaviour.
Kind regards
Roberto
01-04-2011 05:55 AM
Ciao Roberto,
If the external database returns a user/password invalid, then it is expected for ACS not to check the next database in the sequence and to fail the authentication:
"For authentication requests, ACS applies the Unknown User Policy to unknown users only. ACS does not support fallback to unknown user authentication when known or discovered users fail authentication."
If you'd like ACS to check the next database, even if an invalid user/password response was received, you'd need to explicitly configure this under the Windows external database configuration page, in the section called "Unknown User Policy" (but under the specific Windows database configuration page, not under the general Unknown User Policy):
Also, from the previous screenshots, I could see that you configured the following two databases:
Windows Database
RADIUS Token Server
So we may be running into a situation where the authentication method in use is not supported by Radius token servers, and so the second database in the list cannot be checked:
Regards,
Fede
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
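As an added illustration (this is not ACS code and not something either participant posted), the following Python model walks the Unknown User Policy search order the way the answer above describes it: an "unknown user" or "protocol not supported" answer lets ACS try the next database, while an "External DB user invalid or bad password" answer stops the search unless the per-database "Use the next sequential External Database ..." option is set. The database names, the sample accounts, the assumption that the token server only speaks PAP, and the domain-access-control behaviour are all assumptions made for the example.

```python
from dataclasses import dataclass, replace
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Tuple


class Result(Enum):
    OK = "authenticated"
    UNKNOWN = "user unknown"                      # DB reports the user does not exist
    BAD_PASSWORD = "External DB user invalid or bad password"
    UNSUPPORTED = "protocol not supported by this DB"


@dataclass
class ExternalDB:
    name: str
    users: Dict[str, str]                 # constructed sample accounts: "DOMAIN\\user" -> password
    protocols: FrozenSet[str]             # auth protocols this DB can verify (assumed per DB)
    # The thread reports that the Windows DB answers "invalid user or bad password" even for
    # users it has never heard of; reports_unknown=False models exactly that.
    reports_unknown: bool = True
    # Models the per-database checkbox "Use the next sequential External Database in the
    # Selected Databases list in case of an 'External DB user invalid or bad password' error".
    continue_on_bad_password: bool = False
    # Models "Enable Domain Access Control": when set, only these domains are handled here
    # (assumed behaviour: a request for another domain is treated as an unknown user).
    allowed_domains: Optional[FrozenSet[str]] = None

    def authenticate(self, username: str, password: str, protocol: str) -> Result:
        if protocol not in self.protocols:
            return Result.UNSUPPORTED
        domain, _, _ = username.rpartition("\\")
        if self.allowed_domains is not None and domain.upper() not in self.allowed_domains:
            return Result.UNKNOWN
        stored = self.users.get(username)
        if stored is None:
            return Result.UNKNOWN if self.reports_unknown else Result.BAD_PASSWORD
        return Result.OK if stored == password else Result.BAD_PASSWORD


Trail = List[Tuple[str, Result]]


def unknown_user_policy(dbs: List[ExternalDB], username: str, password: str,
                        protocol: str) -> Tuple[bool, Trail]:
    """Walk the selected databases in order; return (authenticated?, per-DB answers)."""
    trail: Trail = []
    for db in dbs:
        r = db.authenticate(username, password, protocol)
        trail.append((db.name, r))
        if r is Result.OK:
            return True, trail
        if r in (Result.UNKNOWN, Result.UNSUPPORTED):
            continue                      # not discovered here / cannot be checked here: keep going
        if db.continue_on_bad_password:   # known-user failure, but this DB is set to fall through
            continue
        return False, trail               # known-user failure: no fallback (ACS default)
    return False, trail


def scenarios() -> Dict[str, Tuple[bool, Trail]]:
    """Constructed cases matching the thread: symptom, the fix, and the protocol caveat."""
    token = ExternalDB("RADIUS Token Server", {"bob": "482913"}, frozenset({"PAP"}))
    win_stop = ExternalDB("Windows Database", {"CORP\\alice": "Winter2011!"},
                          frozenset({"PAP", "MS-CHAPv2"}), reports_unknown=False)
    win_go = replace(win_stop, continue_on_bad_password=True)
    win_dac = replace(win_go, allowed_domains=frozenset({"CORP"}))
    return {
        # bob is a token user; Windows rejects him and the search stops there
        "symptom": unknown_user_policy([win_stop, token], "bob", "482913", "PAP"),
        # same, with the "next sequential External Database" option enabled on the Windows DB
        "fixed": unknown_user_policy([win_go, token], "bob", "482913", "PAP"),
        # option enabled, but the token server cannot verify MS-CHAPv2, so it is skipped
        "unsupported": unknown_user_policy([win_go, token], "bob", "482913", "MS-CHAPv2"),
        # domain access control: a non-CORP request is not even checked against Windows
        "domain_routed": unknown_user_policy([win_dac, token], "bob", "482913", "PAP"),
        "known_user": unknown_user_policy([win_stop, token], "CORP\\alice", "Winter2011!", "PAP"),
    }


if __name__ == "__main__":
    for label, (ok, trail) in scenarios().items():
        print(f"{label:14s} ok={ok}  " + " -> ".join(f"{n}: {r.value}" for n, r in trail))
```

The "symptom" case reproduces what Roberto observed (a single "External DB user invalid or bad password" answer and no request ever reaching the token server); "fixed" shows the per-database option changing the outcome, and "unsupported" shows why the protocol enabled in Global Authentication Setup still matters even after the option is set.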
01-04-2011 06:17 AM
Ciao Fede
You were right. The Windows Database was not configured to allow subsequent authentication tests! That was the trick!
Thank you very much!
Kind regards
Roberto
01-04-2011 06:20 AM
Grazie Roberto ;-)
Glad that this fixed your issue.
Feel free to ping us back at any time in the future, in case further help would be needed with ACS.
Regards,
Fede
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.