Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
902
Views
0
Helpful
4
Replies

acs 5.8 vpn authentication using AD and External OTP server

Go to solution
Dikkia
Level 1
Level 1

‎01-11-2016 06:42 AM - edited ‎03-10-2019 11:22 PM

Hi,

is it possible to authenticate an user using Active Directory, internal database and OTP server for password?

what i want to achieve is:

- if the VPN user belongs to a specific group of our AD....perform the user lookup on that Group and if user exists than  ask to an external sever ( activeidentity ) for OTP password

- If the user belong to internal ACS Group, authenticate it internally.

till now i've been able to authenticate users just with the EXTERNAL server (active identity) but AD lookup is not performed.

Thank you.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee

‎01-12-2016 02:08 AM

Yes !!

Go to access policies > Default network Access > identity > Select a radio button " Rule based result selection. Over here you can use more than identity store based on the condition you have.

Hope it helps. - Jatin

~Jatin

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee

‎01-12-2016 02:08 AM

Yes !!

Go to access policies > Default network Access > identity > Select a radio button " Rule based result selection. Over here you can use more than identity store based on the condition you have.

Hope it helps. - Jatin

~Jatin
0 Helpful

Go to solution
Dikkia
Level 1
Level 1
In response to Jatin Katyal

‎01-12-2016 02:29 AM

thx.... even if i'm not sure how to accomplish it.

how can i setup a rule that checks if a user belong to an AD group, and  (if user exist) ask the password to External radius server?

at the same time,  if the above checks fail, it should check the internal  database.

could you pls me give additional suggestion ?

many thx

0 Helpful

Go to solution
Dikkia
Level 1
Level 1
In response to Dikkia

‎01-12-2016 04:32 AM

maybe some printscreen could help.

as you  can see , i've created the "rule base selection" under "identity" of the "default network access".  Same thing for "authorization"....but still doesn't work.

it seems that it checks if the user is local but after that nothing happen.

any idea?

many thx

printscreens.zip
0 Helpful

Go to solution
Dikkia
Level 1
Level 1
In response to Jatin Katyal

‎01-13-2016 08:13 AM

it worked for me thx

for people who may encunter same problem here is what i did:

i just created an "identity store sequences" with the radius server ( acitveidentity at the top ) and than the internal database.

the access policy is configured as follow:

1)  identity: the new identity sequence store & protocol (in the "Rule based result selection"

2)  authorizaion : 2 rules

a) check the AD database  and protocol  ( for employee  authentication )

b) check protocol and any optional ACL's ( for external partner authentication )

This conf worked for me because users lookup is performed against Radius server first and ,if no user is found, is performed then  on the internal DB ( identity selection)

empoyee authorization is performed against specific AD Group ( authorization policy A ) and external authorization with restictions ( authorization policy B )

Hope it helps

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents