02-04-2011 01:01 AM - edited 03-10-2019 05:47 PM
Hello,
I'm curious if the following scenario is possible:
I have 2 x ACS 5+, located on different subnets. I have one NCM configured to authenticate against the 1st of the two ACS systems. One user tries to log in to NCM. If the 1st ACS cannot find this specific user in its database (internal or external), is there a possibility that the 1st ACS forwards a request to the 2nd ACS, so this one can check its database?
Each ACS has a different user database (e.g. users on the first ACS will not be configured on the second one, and vice versa).
Did anyone hear about such a strange thing? Is it possible (at least in theory)?
I'm still searching here and on the Internet, but until now I could not find anything related to this kind of concept.
Thank you!
02-04-2011 06:47 AM
Hi Calin,
Never saw it being used, but if you want to do it for RADIUS authentications I guess it would be possible by:
1. Configuring ACS 2 as a RADIUS Identity Server on ACS 1
2. Configuring an identity store sequence, password based, and selecting Internal Users and the RADIUS ID Server defined earlier as the authentication servers. They will be checked in a top-down approach until the first authentication succeeds. Please refer to the screenshot:
Not sure which ACS version you're using, so I'm including 5.2 documentation links.
Radius ID stores:
ID store sequences:
I hope this helps!
Best regards,
Bernardo
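To make the two steps above concrete, here is an added Python model (not code from this thread, from ACS, or from Cisco) of what the identity store sequence with a RADIUS identity server does: ACS 1 consults Internal Users first and, for a user it does not know, proxies the request to ACS 2 over RADIUS. The User-Password hiding is the RFC 2865 section 5.2 scheme, so on the ACS 1 to ACS 2 hop the password is protected only by the shared secret configured on both sides; the fall-through semantics (unknown user continues, known user ends the sequence) and all names and secrets are assumptions.

```python
"""Added model (not code from the thread) of the fallback described above: ACS 1 tries
Internal Users, then proxies unknown users to ACS 2 as a RADIUS identity server."""
import hashlib
import os

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 User-Password: XOR 16-byte chunks with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

class InternalUsers:
    """Local user database: NOT_FOUND lets an identity store sequence continue."""
    def __init__(self, users):
        self.users = users
    def authenticate(self, user: str, password: bytes) -> str:
        if user not in self.users:
            return "NOT_FOUND"
        return "PASS" if self.users[user] == password else "FAIL"

class RadiusIdServer:
    """ACS 2 as seen from ACS 1; a shared-secret mismatch decodes the password to garbage."""
    def __init__(self, peer, secret: bytes, peer_secret: bytes = b""):
        self.peer, self.secret, self.peer_secret = peer, secret, peer_secret or secret
    def authenticate(self, user: str, password: bytes) -> str:
        authenticator = os.urandom(16)  # Request Authenticator of the proxied Access-Request
        on_the_wire = hide_password(password, self.secret, authenticator)
        return self.peer.authenticate(user, reveal_password(on_the_wire, self.peer_secret, authenticator))

def sequence_authenticate(stores, user: str, password: bytes) -> str:
    """Top-down (assumed ACS semantics): NOT_FOUND hands off to the next store, PASS/FAIL is final."""
    for store in stores:
        result = store.authenticate(user, password)
        if result != "NOT_FOUND":
            return result
    return "NOT_FOUND"
```

A user known only to ACS 2 authenticates through the proxy, while a wrong shared secret on the ACS 1 to ACS 2 link shows up as a password failure for that user rather than as "user not found", which is worth knowing when the setup behaves erratically.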
02-07-2011 12:29 PM
Hello Bernardo,
Thanks for your help and sorry for my late reply, but I was busy with day-by-day work.
I did setup a test environment, and I'll come back in a few days with a result on this. Maybe somebody else will need a solution.
I'll let you know if it's working!
Cheers,
Calin
02-28-2011 12:33 AM
Hello Bernardo,
Your solution works indeed, but it was unstable in my environment and there were some things to tweak there. If this is the only solution, then it works, but if there is another one, go for it.
Luckily my customer understood this and now we have a clean topology with ACS and Active Directory (one common AD for all users) integration. This one works perfectly.
Since your solution works, and I thank you for this, your suggestion, Bernardo, is the solution to my question.
Cheers,
Calin