cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
384
Views
0
Helpful
0
Replies

ACS 5.X Identity Sequence Store

Roger Base
Level 1
Level 1

Hi.

I have a ACS 5.3 installation. Where I have my own identity store sequence store. It look first for AD and secondly for  local users. My users can login successfully if user existing on AD. But if a user is not exists on AD it should look for local users, and this part dosent work for me.  I am using Rule based result selection in my identity.

The log shows me that ACS are only using AD and not the localusers. I have changed my advanced option to continue to next store if user are not found. But it dosent work.

 

What can be the problem?

 

 

This is the authentication log:

 

Status:    Failed
Failure Reason:    22056 Subject not found in the applicable identity store(s).

Logged At:    May 02, 2015 3:41 PM
ACS Time:    May 02, 2015 3:41 PM
ACS Instance:    MYACS

Authentication Method:    PAP_ASCII
Authentication Type:    ASCII
Privilege Level:    1
User
Username:    test-username

Remote Address:    22.50.189.20
Network Device
Network Device:    mydevice

Network Device IP Address:    172.116.118.10
Network Device Groups:    Device Type:All Device Types:Switche-intra, Location:All Locations:Data-
Access Policy
Access Service:    Default Device Admin

Identity Store:    
Selected Shell Profile:    
Active Directory Domain:    mypc.mydomain.local
Identity Group:    
Access Service Selection Matched Rule :    Rule-2
Identity Policy Matched Rule:    Rule-1
Selected Identity Stores:    AD1, AD1
Query Identity Stores:    
Selected Query Identity Stores:    
Group Mapping Policy Matched Rule:    
Authorization Policy Matched Rule:    
Authorization Exception Policy Matched Rule:    
Other
ACS Session ID:    s8897886
Service:    Login
AV Pairs:    
Response Time:    9
Other Attributes:    ACSVersion=acs-5.3.0.40-B.839
ConfigVersionId=112
Device Port=18417
Protocol=Tacacs
Type=Authentication
Action=Login
Port=tty3
Action=Login
Port=tty3

 

Received TACACS+ Authentication START Request
Evaluating Service Selection Policy
Matched rule
Selected Access Service - Default Device Admin
Evaluating Identity Policy
Matched rule
Selected Identity Store -
TACACS+ will use the password prompt from global TACACS+ configuration.
Returned TACACS+ Authentication Reply
Received TACACS+ Authentication CONTINUE Request
Using previously selected Access Service
Evaluating Identity Policy
Matched rule
Selected Identity Store -
Authenticating user against Active Directory
User not found in Active Directory
Authenticating user against Active Directory
User not found in Active Directory
Identity sequence completed iterating the IDStores
Subject not found in the applicable identity store(s).
The advanced option that is configured for an unknown user is used. ??
The 'Reject' advanced option is configured in case of a failed authentication request. ??
Returned TACACS+ Authentication Reply

 

 

0 Replies 0