ACS 5 Identity Store Sequence

jain.nitin
Level 3

Hi,

Can anyone tell me the difference and use of Identity Store Sequence? Actually, I had an issue while configuring these rules. I will explain the scenario and the problem which I faced.

I had almost all users on AD and a few users locally on ACS. Now, to direct the authentication request to the correct store, I configured an Identity Store Sequence under Identity Stores and also created an Identity rule under Device Admin.

Under the Identity Store Sequence I selected Internal Users under the Authentication and Attribute Retrieval list, and under Additional Attribute Retrieval Search I selected AD.

And under Access Policy -> Identity I created a rule-based result selection policy: the first rule said any NDG, any Location, result Internal Users, and the second rule said any NDG, any Location, result AD.

Now everything works fine, but the problem is that any Active Directory user can log in with any password. I mean, if user1 is in AD and his password is cisco123, and he logs in to any network device with the password 123456 or any other wrong password, he gets access ...

Then I modified the first rule and specified the specific user names which are created on ACS, and then everything works well. AD users cannot log in with wrong passwords and they get authentication failure messages ... No clue why it is happening ...

Now if I swap the first rule without modifying it (meaning Location ANY and NDG ANY == result Internal stores) with the second rule (Location ANY, NDG ANY == result AD), then my internal users do not get authenticated.

So would anyone explain how it works if you have to use both identity stores for device admin? What should be configured and what not?

Thanks

1 Reply

Cam Le
Cisco Employee

Hi Jain,

If you have users in AD and in Internal Users on the ACS, you only need to create an Identity Store Sequence and select AD and then Internal Users next under "Authentication Method List" - "Authentication and Attribute Retrieval Search List". Thus, when a user authenticates, his username will be searched for first in AD and, if it's not present there, it'll be searched for in the Internal Users on the ACS.

If you don't care to retrieve any additional attributes from the user, then you don't need to configure "Additional Attribute Retrieval Search List".

Under Access Policies, Default Device Admin, Identity, use "Single result selection" and select the Identity Store Sequence that you just created above.

I don't understand why you need to use "Rule-based" here. Maybe you can elaborate on that. The way I understand your question, the above should simply work for you. Thanks.

Regards,

Cam.
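The reply above describes the sequence semantics in one sentence: the username is looked up in AD first and only falls through to Internal Users when AD does not know it. The following is an added Python model of that behaviour, not ACS code and not from the original thread. The store names, the accounts (user1, localadmin, shadow) and their passwords are constructed for illustration; it also covers a case the reply does not mention, a username that exists in both stores.

```python
# Added example (not ACS code): a small model of how an ACS 5 Identity Store
# Sequence walks its stores, as described in the reply. Store names, accounts
# and passwords below are constructed for illustration.
import hmac
from typing import Dict, List, Optional, Tuple


class IdentityStore:
    """One identity store (e.g. AD or ACS Internal Users).

    Passwords are kept in plain text only because this is a simulation;
    a real store verifies against a directory or a password hash.
    """

    def __init__(self, name: str, accounts: Dict[str, str]) -> None:
        self.name = name
        self._accounts = accounts

    def has_user(self, username: str) -> bool:
        return username in self._accounts

    def check_password(self, username: str, password: str) -> bool:
        stored = self._accounts.get(username)
        if stored is None:
            return False
        # constant-time compare so the simulation does not leak length/prefix
        return hmac.compare_digest(stored.encode(), password.encode())


def authenticate(username: str, password: str,
                 sequence: List[IdentityStore]) -> Tuple[str, Optional[str]]:
    """Walk the sequence in order; the first store that knows the user decides.

    Returns (result, store_name): result is "pass" or "fail", store_name is
    the store that made the decision (None when no store knew the user).
    A store that does not know the user is skipped; a wrong password in a
    store that does know the user is a hard failure and never falls through.
    """
    for store in sequence:
        if not store.has_user(username):
            continue  # "user not found" here: try the next store in the sequence
        if store.check_password(username, password):
            return "pass", store.name
        return "fail", store.name  # known user, bad password: stop here
    return "fail", None  # user exists in no store


# Constructed sample data: user1 lives in AD, localadmin only on the ACS, and
# shadow exists in both stores with different passwords.
AD = IdentityStore("AD", {"user1": "cisco123", "shadow": "ad-secret"})
INTERNAL = IdentityStore("Internal Users",
                         {"localadmin": "L0cal!pw", "shadow": "int-secret"})

# The order the reply recommends: AD first, then Internal Users.
SEQUENCE = [AD, INTERNAL]


def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """Run the cases from the thread through the recommended sequence."""
    return {
        "ad user, right password": authenticate("user1", "cisco123", SEQUENCE),
        "ad user, wrong password": authenticate("user1", "123456", SEQUENCE),
        "internal user": authenticate("localadmin", "L0cal!pw", SEQUENCE),
        "unknown user": authenticate("nobody", "anything", SEQUENCE),
        # shadow: AD is first, so the Internal Users password is never consulted
        "duplicate name, internal pw": authenticate("shadow", "int-secret", SEQUENCE),
        "duplicate name, ad pw": authenticate("shadow", "ad-secret", SEQUENCE),
    }


if __name__ == "__main__":
    for case, (result, store) in demo().items():
        print(f"{case:30s} -> {result} ({store})")
```

The model does not try to explain the symptom in the original post; it only shows what the single sequence the reply recommends is meant to do. Two points worth checking in a real deployment follow from it: fall-through must happen only on "user not found", never on a wrong password, and when the same username exists in both stores the store listed first decides, so the Internal Users credentials for such an account are unreachable while AD is first in the sequence.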