10-26-2010 11:09 PM - edited 03-10-2019 05:31 PM
Hi
I'd like to migrate from ACS 4.1 to ACS 5.2. I've already configured TACACS+ authentication, but now I'm stuck at configuring RADIUS authentication for WebVPN remote access. Please look at the diagram below:
I want to configure ACS to use OTP Token Server first. If authentication fails or user is not found, ACS has to use Windows IAS server. If this server also fails ACS has to use internal DB. Additional attributes like group membership or downloadable ACL have to be taken from internal ACS DB.
Is it possible to configure ACS like this? In ACS 4.1 it was very easy to configure by selecting authentication method per user.
Thanks for your help!
Accepted Solution
10-27-2010 01:35 AM
There is an option in the Advanced tab of the "RADIUS Identity Server" definition:
This Identity Store does not differentiate between 'authentication failed' and 'user not found' when an authentication attempt is rejected. From the options below, select how such an authentication reject from the Identity Store should be interpreted by ACS for Identity Policy processing and reporting.
- Treat Rejects as 'authentication failed'
- Treat Rejects as 'user not found'
In order to continue in the sequence I think you need to select the "user not found" option.
10-27-2010 12:01 AM
I think what you need to do is as follows:
- Define the RSA server: Users and Identity Stores > External Identity Stores > RSA SecurID Token Servers
- For the IAS server create a "RADIUS Identity Server": Users and Identity Stores > External Identity Stores > RADIUS Identity Servers
- Create an identity sequence: Users and Identity Stores > Identity Store Sequences
Select the password-based authentication method and in the Authentication and Attribute Retrieval Search List select the RSA, RADIUS identity server and internal users. In the Additional Attribute Retrieval Search List select the internal users.
- Select the identity sequence as the result of the identity policy of the RADIUS server.
What this should do is access each of the RSA, identity server and internal user DB until an authentication gets a deterministic response, and also in any case retrieve the attributes from the internal identity store.
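The identity store sequence described in this reply, together with the "Treat Rejects as" option from the accepted solution, can be modelled in a few lines. This is an added example, not code from the thread or from Cisco ACS; the store names, users and attributes are constructed, and it assumes (as ACS 5.x does) that a sequence only moves to the next store on "user not found" and that attributes are read from the internal store regardless of which store authenticated the user.

```python
# Added example (not from the thread or from Cisco ACS): a model of how an ACS 5.x
# identity store sequence walks its authentication search list, and why the RADIUS
# identity server's "Treat Rejects as ..." option decides whether the sequence
# continues past the token server. All store names and user data are constructed.
NOT_FOUND, FAILED, OK = "user not found", "authentication failed", "passed"

def radius_store(name, users, treat_reject_as):
    """External RADIUS identity server: it only answers Access-Accept or
    Access-Reject, so ACS has to map a reject using the Advanced-tab option.
    Caveat: with NOT_FOUND a wrong password is indistinguishable from an unknown user."""
    def check(user, pw):
        return OK if users.get(user) == pw else treat_reject_as
    return name, check

def internal_store(name, users):
    """The internal users DB can tell a missing user from a bad password."""
    def check(user, pw):
        if user not in users:
            return NOT_FOUND
        return OK if users[user]["pw"] == pw else FAILED
    return name, check

def run_sequence(auth_list, attr_store, user, pw):
    """Authentication search list: stop on the first pass or hard failure,
    move on only when a store reports 'user not found'. Attributes (dACL,
    group) always come from the additional attribute retrieval store."""
    steps, result = [], NOT_FOUND
    for name, check in auth_list:
        result = check(user, pw)
        steps.append((name, result))
        if result != NOT_FOUND:
            break
    attrs = attr_store.get(user, {}).get("attrs", {}) if result == OK else {}
    return result, steps, attrs

# Constructed sample data for the three stores in the thread.
INTERNAL = {"alice": {"pw": "int-pw", "attrs": {"dACL": "VPN-ACL", "group": "vpn-users"}}}
TOKEN_USERS = {"bob": "otp-1234"}
IAS_USERS = {"alice": "ias-pw"}

def attempt(user, pw, treat_reject_as):
    """One VPN login against Token Server -> IAS -> Internal Users."""
    seq = [radius_store("Token Server", TOKEN_USERS, treat_reject_as),
           radius_store("IAS", IAS_USERS, treat_reject_as),
           internal_store("Internal Users", INTERNAL)]
    return run_sequence(seq, INTERNAL, user, pw)
```

With the option left at 'authentication failed', an IAS-only user is rejected by the token server and the sequence stops, which is exactly the step log the original poster saw.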
10-27-2010 01:13 AM
Correct, that would be the way to achieve the authentication. Then, after the user is authenticated in whichever DB, you move to the authorization part, where you can return the ACL.
For this you can configure an Authorization Profile, and include the ACL name on it.
The ACL itself is configured on the Named Permission Objects -> Downloadable ACLs.
Then on the Service matched under the Access Policies, you have to create rules under the authorization section to return that Authorization Profile where the dACL is.
HTH,
Tiago
10-27-2010 01:24 AM
Hi Yoda
Thanks for your help!
10-27-2010 01:22 AM
Because we are not using an RSA SecurID server I have added the server as an external RADIUS server. But I think it doesn't matter if I use an RSA server or a RADIUS server.
I've already tried using store sequences, but unfortunately ACS only queries the token server. The token server sends an Access-Reject to the ACS server and then ACS stops querying the other servers in the store sequence.
Access Policy:
Access Service: VPN Remote Access
Identity Store: Token Server
Authorization Profiles:
Exception Authorization Profiles:
Active Directory Domain:
Identity Group:
Access Service Selection Matched Rule: Rule-3
Identity Policy Matched Rule: VPN Store Sequence
Selected Identity Stores: Token Server, IAS, Internal Users
Query Identity Stores:
Selected Query Identity Stores: Internal Users
Group Mapping Policy Matched Rule:
Authorization Policy Matched Rule:
Authorization Exception Policy Matched Rule:

Steps:
15004 Matched rule
15013 Selected Identity Store - Token Server
24609 RADIUS token identity store is authenticating against the primary server.
11100 RADIUS-Client about to send request
11101 RADIUS-Client received response
24613 Authentication against the RADIUS token server failed.
22057 The advanced option that is configured for a failed authentication request is used.
22061 The 'Reject' advanced option is configured in case of a failed authentication request.
11003 Returned RADIUS Access-Reject
10-27-2010 01:31 AM
Hi,
You need to select "Continue" under the Advanced Options of the Identity section.
Please take a look at the screenshot.
HTH,
Tiago
10-27-2010 02:26 AM
Hey jrabinow,
That's exactly what I was looking for!!! Thanks a lot. Now everything is working.
Have a nice day!