Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1662
Views
0
Helpful
2
Replies

ACS 5.1 and RSA 5.2.x Identity Store Sequence

Go to solution
hogoqo
Level 1
Level 1

‎11-13-2010 09:41 PM - edited ‎03-10-2019 05:34 PM

Hello,

I have Question in the operation of RSA Authentication Manager in regards to unknown users. I have three identity stores to check for VPN Access. ACS Internal Users, RSA users and AD users. Not all my AD users have RSA tokens. So i have created an Identity store sequence order, the order is Internal-->RSAToken Server-->AD. I can login just fine with Internal users and RSA defined users. But when a user does not existing in RSA, instead of rolling to check in the AD, the user authentication fails. When i check in the Monitoring and Report console, i notice that the reject message is coming from RSA identity store, it does not even get to the AD.

Does anyone have any ideas on how i can fix this or get RSA not to fail the authentication. If there is another way i can do this i would appreciate ideas.

Thanks,

Qobi

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Nicolas Darchis
Cisco Employee
Cisco Employee

‎11-14-2010 10:36 PM

Hi Qobi,

In the RSA identity store properties you have the following option :

This Identity Store does not differentiate between 'authentication failed' and 'user not found' when an authentication attempt is rejected. From the options below, select how such an authentication reject from the Identity Store should be interpreted by ACS for Identity Policy processing and reporting .

Treat Rejects as 'authentication failed'
Treat Rejects as 'user not found'

And also, under your access service policy, if you click on "identity" you will be able to select "continue if user not found". Screenshot attached.

Hope this helps.

Nicolas

===

Don't forget to rate answers that you find useful

View solution in original post

Preview file
58 KB
0 Helpful
2 Replies 2

Go to solution
Nicolas Darchis
Cisco Employee
Cisco Employee

‎11-14-2010 10:36 PM

Hi Qobi,

In the RSA identity store properties you have the following option :

This Identity Store does not differentiate between 'authentication failed' and 'user not found' when an authentication attempt is rejected. From the options below, select how such an authentication reject from the Identity Store should be interpreted by ACS for Identity Policy processing and reporting .

Treat Rejects as 'authentication failed'
Treat Rejects as 'user not found'

And also, under your access service policy, if you click on "identity" you will be able to select "continue if user not found". Screenshot attached.

Hope this helps.

Nicolas

===

Don't forget to rate answers that you find useful

Preview file
58 KB
0 Helpful

Go to solution
hogoqo
Level 1
Level 1
In response to Nicolas Darchis

‎11-15-2010 05:39 PM

Thanks Nicolas, this was helpful and it worked perfectly fine. I appreciate your help.

Thanks,

Qobi

0 Helpful
Customers Also Viewed These Support Documents