Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1834
Views
0
Helpful
2
Replies

ACS: using local users as fallback for AD

Go to solution
Wassim Aouadi
Level 4
Level 4

‎08-25-2011 12:22 AM - edited ‎03-10-2019 06:20 PM

Hi,

I have ACS 5.1 configured to authenticate users based on Active Directory. I have configured wired 802.1x too, with machine authentication enabled on ACS.

When I login with credentials that exist in AD, it works fine. Then I configured Windows Authentication to ask for credentials (popup window). But I experience network disconnection when I login with a local account even though I entered correct AD credentials.

I want to do the following: for an account that exist on the machine being authenticated (non-AD account), ACS should check its local database and reply with authentication success if it finds it, so the user is granted network connectivity.

I heard about Identity Sequence in ACS. But I still don't see the right configuration,

any help?

thanks

Labels:
112585-ACS.rar.zip
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jrabinow
Level 7
Level 7

‎08-27-2011 10:46 PM

You can configure an indentity sequence that will first access the local data base for user authentication and, if the user does not exist in the local database it can then proceed to authenticate the user against AD

Configuration can be done as follows:

1) Go to Users and Identity Stores > Identity Store Sequences and press Create

2) Enter a name for the sequence and then Password Based Authentication Method. Will see a list called "Authentication and Attribute Retrieval Search List". Include first Internal Users and then AD1 in "Selected" list. Press "submit" and sequence will be create

3) Select the Indentity sequence as the result in the idnetity policy you are using. for example if you are using "Default Network Access" access service that is created by default go to:

Access Policies > Access Services > Default Network Access > Identity and select the indentity sequence you created in step 1) as the Identity Source

View solution in original post

0 Helpful
2 Replies 2

Go to solution
jrabinow
Level 7
Level 7

‎08-27-2011 10:46 PM

You can configure an indentity sequence that will first access the local data base for user authentication and, if the user does not exist in the local database it can then proceed to authenticate the user against AD

Configuration can be done as follows:

1) Go to Users and Identity Stores > Identity Store Sequences and press Create

2) Enter a name for the sequence and then Password Based Authentication Method. Will see a list called "Authentication and Attribute Retrieval Search List". Include first Internal Users and then AD1 in "Selected" list. Press "submit" and sequence will be create

3) Select the Indentity sequence as the result in the idnetity policy you are using. for example if you are using "Default Network Access" access service that is created by default go to:

Access Policies > Access Services > Default Network Access > Identity and select the indentity sequence you created in step 1) as the Identity Source

0 Helpful

Go to solution
Wassim Aouadi
Level 4
Level 4
In response to jrabinow

‎08-29-2011 01:31 AM 

jrabinow wrote:
You can configure an indentity sequence that will first access the local data base for user authentication and, if the user does not exist in the local database it can then proceed to authenticate the user against AD

I wanted the opposite, i.e. if user does not exist in AD then proceed to local database. It worked.

Thanks for giving me these steps

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents