Dikkia
Beginner

acs 5.8 vpn authentication using AD and External OTP server

Hi,

Is it possible to authenticate a user using Active Directory, the internal database and an OTP server for the password?

what i want to achieve is:

- If the VPN user belongs to a specific group of our AD, perform the user lookup on that group and, if the user exists, then ask an external server (ActivIdentity) for the OTP password.

- If the user belongs to an internal ACS group, authenticate it internally.

Till now I've been able to authenticate users just with the EXTERNAL server (ActivIdentity), but the AD lookup is not performed.

Thank you.

Accepted Solution
Jatin Katyal
Cisco Employee

Yes !!

Go to Access Policies > Default Network Access > Identity > select the radio button "Rule based result selection". Over here you can use more than one identity store based on the condition you have.

Hope it helps. - Jatin

~Jatin


Thanks... even if I'm not sure how to accomplish it.

How can I set up a rule that checks if a user belongs to an AD group and (if the user exists) asks the external RADIUS server for the password?

At the same time, if the above checks fail, it should check the internal database.

Could you please give me an additional suggestion?

Many thanks

maybe some printscreen could help.

As you can see, I've created the "rule based selection" under "Identity" of the "Default Network Access". Same thing for "Authorization"... but it still doesn't work.

It seems that it checks if the user is local, but after that nothing happens.

any idea?

many thx

it worked for me thx

For people who may encounter the same problem, here is what I did:

I just created an "identity store sequence" with the RADIUS server (ActivIdentity at the top) and then the internal database.

The access policy is configured as follows:

1) Identity: the new identity store sequence & protocol (in the "Rule based result selection")

2) Authorization: 2 rules

a) check the AD database and protocol (for employee authentication)

b) check protocol and any optional ACLs (for external partner authentication)

This config worked for me because the user lookup is performed against the RADIUS server first and, if no user is found, it is then performed on the internal DB (identity selection).

Employee authorization is performed against a specific AD group (authorization policy A) and external authorization with restrictions (authorization policy B).

Hope it helps
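The flow described in the post above, modelled in Python as an added example (not ACS code and not the poster's configuration): an identity store sequence that only falls through to the next store when the user is not found, followed by the two authorization rules. All user, group and store names are constructed sample data, and the "credential failure stops the sequence" behaviour is an assumption about ACS 5.x.

```python
"""Toy model of the ACS 5.x access-policy flow from this thread (constructed data)."""
from dataclasses import dataclass

NOT_FOUND, PASS, FAIL = "user-not-found", "pass", "fail"


@dataclass
class Store:
    name: str
    users: dict  # username -> expected credential (constructed sample data)

    def check(self, user, cred):
        if user not in self.users:
            return NOT_FOUND
        return PASS if self.users[user] == cred else FAIL


# Identity store sequence: external RADIUS (OTP) first, then the ACS internal DB.
OTP_SERVER = Store("ActivIdentity-RADIUS", {"alice": "otp-123456"})  # constructed
INTERNAL_DB = Store("Internal Users", {"partner1": "P@rtnerPass"})    # constructed
SEQUENCE = [OTP_SERVER, INTERNAL_DB]

# AD group membership consulted by authorization rule (a): constructed sample.
AD_GROUPS = {"alice": {"VPN-Employees"}}


def identity_lookup(user, cred, sequence=SEQUENCE):
    """Walk the sequence; move on only when the store does not know the user.
    Assumption: a wrong credential at a store that knows the user stops here."""
    for store in sequence:
        result = store.check(user, cred)
        if result != NOT_FOUND:
            return store.name, result
    return None, NOT_FOUND


def authorize(user, store, protocol):
    """Rule (a): employee in the AD group. Rule (b): internal (partner) user."""
    if protocol != "RADIUS":
        return "Deny"
    if "VPN-Employees" in AD_GROUPS.get(user, set()):
        return "Policy-A-Employee"
    if store == INTERNAL_DB.name:
        return "Policy-B-Partner-Restricted-ACL"
    return "Deny"


def vpn_login(user, cred, protocol="RADIUS"):
    """Identity selection first; authorization only runs for a passed user."""
    store, result = identity_lookup(user, cred)
    if result != PASS:
        return f"REJECT ({result})"
    return authorize(user, store, protocol)
```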
