Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


ACS: two factor authentication using AD group/internal user, external proxy

Hi all,

as far as you know, it could be possible to have two factor authentication in acs 5.x?

What i want to achieve is:

1) if a VPN user try joint the network, a user lookup needs to be performed against a specific Group in AD, but the password needs to be verified by an external OTP server ( ActiveIdentity).

2) if the user is not found in the AD Group ABOVE, an internal lookup needs to be performed against  ACS database.

Do you know if it's possible?

Untill now i've been able ONLY to peform External autentication using ( configuring ACS as a proxy) but no lookup against AD as been performed.

many thx

Philip D'Ath

(1). Configure ActiveIdentity as a RADIUS server for authentication, and then configure a DAP (Dynamic Access Policy) and do an LDAP lookup to confirm the user is a member of the AD group desired.  Check out this URL (search for Active Directory to get to the right bit quickly).

(2).  90% yes (haven't tried it myself but should work), with the same approach above.  Create two policies, but make the above a higher priority policy.

many thx but doesn't work for me.

Which bit doesn't work?  (1) will definitely work.  RADIUS provides the authentication and AD provides the authorisation.

i'll try to explain.

i have some difficulties in configuring DAP that's why doesn't work for me...btw i found a different way to accomplish it...a bit easiser

i just created an identity store sequences with the radius server ( acitveidentity in the top ) and than the internal database.

the access policy is configured as follow:

1)  identity: the new identity sequence store & protocol (in the "Rule based result selection"

2)  authorizaion there are 2 rules:

a) check the AD database  and protocol  ( for employee  authentication )

b) check protocol and any optional ACL's ( for external partner authentication )

This way it works for me cause users lookup is performed against Radius server first and ,if no user is found, is performed then  on the internal DB ( identity selection)

empoyee authorization is performed against specific AD Group ( authorization policy A ) and external authorization with restiction ( authorization policy B )

Hope it helps

Content for Community-Ad