
ACS 5.1 Authentication Problem

barryfowles
Level 1

Hi,

I am having an issue trying to devise a selection policy to differentiate between different types of remote access users. We currently have a working setup using ACS 3.3 to authenticate the remote users but are currently in the process of migrating to 5.1. There are two types of remote users, RSA SecurID authenticated users and Windows AD authenticated users, both connecting to the same ASA VPN concentrator. On ACS 3.3 the two external databases (RSA and AD) are mapped to two different ACS Groups and all works fine. However, on ACS 5.1 I can only get each of these two types of user to successfully authenticate by creating two separate service selection rules. However, because the conditions being matched are the same for both service types, and only the Identity source is different, only the first rule works in each case and the second rule is never matched. Does anyone have a suggestion as to how I can make it so that either type of user can connect and be authenticated? I know that this should be reasonably simple to achieve but I have tried everything I can think of and cannot make it work.

Thanks

Barry

I've managed to sort this now.

Message was edited by: barryfowles


seaguirr
Level 1

Hello,

It is complicated to explain this rule but hopefully you will understand.

I suggest you do an identity store sequence that will point to the AD and RSA. This is like the unknown user policy in ACS 4.x.

Once this is done you can create 2 authorization policies: 1 based on RSA authentication and another based on AD authentication.

To give you a clearer example, is there any difference between AD and RSA authentication? Do they have the same rights? Please detail what you need to configure besides AD and RSA simultaneous authentication.

Regards,

Sebastian Aguirre
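The rule shadowing described in the question and the identity store sequence suggested in the reply, as a simplified Python model. This is an added example, not ACS configuration or code from either poster. The rule names, the `nas` attribute, the profile names and the sample users are all constructed, and the model assumes the sequence moves on to the next store after any failed attempt.

```python
from dataclasses import dataclass

# Constructed stand-ins for the two external identity stores (user -> secret).
STORES = {"AD": {"alice": "ad-password"}, "RSA": {"bob": "123456"}}
# Hypothetical authorization results, keyed on the store that authenticated.
AUTHZ = {"AD": "ad-vpn-profile", "RSA": "rsa-vpn-profile"}

@dataclass
class ServiceRule:
    name: str
    condition: dict         # request attributes the rule matches on
    identity_sources: list  # one store, or an ordered sequence of stores

def select_service(rules, request):
    """First-match evaluation: the first rule whose condition matches wins."""
    for rule in rules:
        if all(request.get(k) == v for k, v in rule.condition.items()):
            return rule
    return None

def process(rules, request, user, secret):
    """Return (result, matched rule name, authorization profile)."""
    rule = select_service(rules, request)
    if rule is None:
        return ("reject", None, None)
    for store in rule.identity_sources:
        if STORES[store].get(user) == secret:
            return ("accept", rule.name, AUTHZ[store])
    return ("reject", rule.name, None)

REQUEST = {"nas": "asa-vpn"}  # both user types arrive from the same ASA

# Two rules with identical conditions: the second is never reached.
TWO_RULES = [
    ServiceRule("vpn-rsa", {"nas": "asa-vpn"}, ["RSA"]),
    ServiceRule("vpn-ad", {"nas": "asa-vpn"}, ["AD"]),
]
# One rule whose identity source is a sequence over both stores.
ONE_RULE = [ServiceRule("vpn", {"nas": "asa-vpn"}, ["AD", "RSA"])]

if __name__ == "__main__":
    for label, rules in (("two rules", TWO_RULES), ("sequence", ONE_RULE)):
        for user, secret in (("alice", "ad-password"), ("bob", "123456")):
            print(label, user, process(rules, REQUEST, user, secret))
```

With two rules the AD user is rejected by `vpn-rsa` and `vpn-ad` is never evaluated; with the sequence both users are accepted and each receives the profile tied to the store that authenticated them.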