
ACS: using local users as fallback for AD

Wassim Aouadi
Enthusiast

Hi,

I have ACS 5.1 configured to authenticate users based on Active Directory. I have configured wired 802.1x too, with machine authentication enabled on ACS.

When I log in with credentials that exist in AD, it works fine. Then I configured Windows Authentication to ask for credentials (popup window). But I experience network disconnection when I log in with a local account even though I entered correct AD credentials.

I want to do the following: for an account that exists on the machine being authenticated (non-AD account), ACS should check its local database and reply with authentication success if it finds it, so the user is granted network connectivity.

I heard about Identity Sequence in ACS, but I still don't see the right configuration.

Any help?

Thanks

Accepted Solutions

jrabinow
Rising star

You can configure an identity sequence that will first access the local database for user authentication and, if the user does not exist in the local database, it can then proceed to authenticate the user against AD.

Configuration can be done as follows:

1) Go to Users and Identity Stores > Identity Store Sequences and press Create

2) Enter a name for the sequence and then Password Based Authentication Method. You will see a list called "Authentication and Attribute Retrieval Search List". Include first Internal Users and then AD1 in the "Selected" list. Press "Submit" and the sequence will be created.

3) Select the identity sequence as the result in the identity policy you are using. For example, if you are using the "Default Network Access" access service that is created by default, go to:

Access Policies > Access Services > Default Network Access > Identity and select the identity sequence you created in step 1) as the Identity Source.
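The following Python model is an added illustration, not code from this thread or from Cisco ACS. It walks a search list of identity stores in the order the reply describes (Internal Users first, then AD1) and also in the reverse order, so the effect of store ordering can be seen. The model assumes what the reply states: the sequence moves on to the next store only when the user is not found in the current one; a wrong password in a store that does know the user is a final failure and does not fall through to the next store. Store names and all user data are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Outcomes a single identity store can return for one attempt.
SUCCESS = "success"
BAD_PASSWORD = "bad_password"
NOT_FOUND = "not_found"


@dataclass
class IdentityStore:
    """A minimal stand-in for one ACS identity store (constructed model)."""
    name: str
    users: Dict[str, str]  # username -> password; constructed sample data only

    def authenticate(self, username: str, password: str) -> str:
        if username not in self.users:
            return NOT_FOUND
        return SUCCESS if self.users[username] == password else BAD_PASSWORD


def authenticate_via_sequence(
    search_list: List[IdentityStore], username: str, password: str
) -> Tuple[str, Optional[str]]:
    """Walk the 'Authentication and Attribute Retrieval Search List' in order.

    The first store that knows the user decides the outcome. Only NOT_FOUND
    advances to the next store (assumption taken from the reply above), so a
    bad password in an earlier store never gets a second try in a later one.
    Returns (outcome, name of the deciding store or None).
    """
    for store in search_list:
        outcome = store.authenticate(username, password)
        if outcome != NOT_FOUND:
            return outcome, store.name
    return NOT_FOUND, None


# Constructed stores: a local (non-AD) machine account in Internal Users,
# a domain user in AD1, and one username that exists in both with different
# passwords, to show why store order matters.
INTERNAL_USERS = IdentityStore(
    "Internal Users",
    {"lab-pc-admin": "local-pass", "shared": "internal-pw"},
)
AD1 = IdentityStore(
    "AD1",
    {"alice": "ad-pass", "shared": "ad-pw"},
)

# Order from the accepted answer: Internal Users first, then AD1.
INTERNAL_FIRST = [INTERNAL_USERS, AD1]
# Order the original poster ended up using: AD1 first, then Internal Users.
AD_FIRST = [AD1, INTERNAL_USERS]


def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """Run representative attempts against both orderings."""
    return {
        "local account, internal first": authenticate_via_sequence(
            INTERNAL_FIRST, "lab-pc-admin", "local-pass"),
        "AD account, internal first": authenticate_via_sequence(
            INTERNAL_FIRST, "alice", "ad-pass"),
        "AD account, wrong password": authenticate_via_sequence(
            INTERNAL_FIRST, "alice", "wrong"),
        # 'shared' is in both stores; with Internal Users first the AD
        # password is rejected there and the sequence does NOT try AD1.
        "shared user with AD password, internal first": authenticate_via_sequence(
            INTERNAL_FIRST, "shared", "ad-pw"),
        "shared user with AD password, AD first": authenticate_via_sequence(
            AD_FIRST, "shared", "ad-pw"),
        "unknown user": authenticate_via_sequence(
            AD_FIRST, "nobody", "anything"),
    }


if __name__ == "__main__":
    for label, (outcome, store) in demo().items():
        print(f"{label}: {outcome} (decided by {store})")
```

The "shared" user case is the one worth checking in a real deployment: when a username exists in more than one store, the first store in the list owns that name, and its verdict is final. That is why swapping the order, as the original poster did, changes which credentials are accepted for such a user.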


jrabinow wrote:

You can configure an identity sequence that will first access the local database for user authentication and, if the user does not exist in the local database, it can then proceed to authenticate the user against AD.

I wanted the opposite, i.e. if the user does not exist in AD then proceed to the local database. It worked.

Thanks for giving me these steps.
