As far as you know, is it possible to have two-factor authentication in ACS 5.x?
What I want to achieve is:
1) If a VPN user tries to join the network, a user lookup needs to be performed against a specific group in AD, but the password needs to be verified by an external OTP server (ActiveIdentity).
2) If the user is not found in the AD group above, an internal lookup needs to be performed against the ACS database.
Do you know if it's possible?
Until now I've ONLY been able to perform external authentication (configuring ACS as a proxy), but no lookup against AD has been performed.
(1). Configure ActiveIdentity as a RADIUS server for authentication, and then configure a DAP (Dynamic Access Policy) and do an LDAP lookup to confirm the user is a member of the AD group desired. Check out this URL (search for Active Directory to get to the right bit quickly).
(2). 90% yes (haven't tried it myself but should work), with the same approach above. Create two policies, but make the above a higher priority policy.
I'll try to explain.
I have some difficulties in configuring DAP, that's why it doesn't work for me... BTW, I found a different way to accomplish it... a bit easier.
I just created an identity store sequence with the RADIUS server (ActiveIdentity at the top) and then the internal database.
The access policy is configured as follows:
1) Identity: the new identity store sequence & protocol (in the "Rule based result selection")
2) Authorization: there are 2 rules:
a) check the AD database and protocol (for employee authentication)
b) check protocol and any optional ACLs (for external partner authentication)
This way it works for me because the user lookup is performed against the RADIUS server first and, if no user is found, it is then performed on the internal DB (identity selection).
Employee authorization is performed against a specific AD group (authorization policy A) and external authorization with restriction (authorization policy B).
Hope it helps