ACS5: different external authentication method for each user account

Roman Rodichev
Level 7

In ACS4 I could specify a different external authentication method for each user account. I'm trying to figure out how to do the same in ACS 5? When I go under Identity in Access Services, I see the System:UserName condition that I can use to identify the user that's logging in, so that I can direct him to a different identity source, but configuring a separate policy for each user is very inconvenient and would require hundreds of policies in our case.

I was hoping we can create some kind of attribute for each user. SysAdmin > Configuration > Dictionaries > Identity > Internal Users. I created a new attribute called "Identity Store" with Enumeration type, that has 4 values: Internal, Entrust Token, RSA Token, AD account, and checked the box "Add Policy Condition". I can then go under each user and select the identity store for each user. But now I can't find where I can use it under the Identity portion of an access policy. I can use it under "Group Mapping", but that maps it to a group, and not to an identity store. I need to use it somehow under Identity, but I can't find how.

Accepted Solution

Bastien Migette
Cisco Employee

Hello Roman,

The attribute you have created will be available when the user is authenticated through the internal ID store, so you can't use it to select the ID store.

The best way to do that would be to use other attributes that you have to differentiate the identity store.
You can as well create an identity store sequence so that for each user, ACS will try to authenticate using several identity stores.

You can, for example, use these:

Network Condition

>End Station filter

>Device filter

>Device Ports filter

Here you can import the filters from a file, so it would be more scalable.

Hope this helps.

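As an added illustration of the answer above (this is not Cisco code, not the ACS engine, and not part of the original thread), the model below shows why the approach Roman tried cannot work and why the suggested one does: identity-policy rule conditions are evaluated on what is in the request (username, device IP from a device filter, end-station MAC from an end-station filter) before any store has been consulted, while an internal-user attribute such as "Identity Store" only exists in the result after the internal store has authenticated the user. It also models an identity store sequence that moves on when a store does not know the user but stops on a bad password. The store names, accounts, filter file format and sequence semantics are all assumptions for the example.

```python
"""Conceptual model of ACS 5 identity selection: rule-based identity policy,
network-condition filters, and an identity store sequence.
Added example only; the real ACS 5 engine, dictionaries and import
file formats differ from this simplification."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple, Union

Attrs = Dict[str, str]


@dataclass
class Request:
    username: str
    password: str
    device_ip: str    # NAS-IP-Address of the network device (assumed field)
    end_station: str  # Calling-Station-Id (MAC) of the end station (assumed field)


class IdentityStore:
    """lookup() returns None when the user is unknown here (a sequence then
    moves on), (False, {}) for a known user with bad credentials, or
    (True, attrs) on success. Attributes exist only in that success result."""

    def __init__(self, name: str, accounts: Dict[str, Tuple[str, Attrs]]):
        self.name = name
        self.accounts = accounts  # constructed sample accounts, not real data

    def lookup(self, req: Request) -> Optional[Tuple[bool, Attrs]]:
        entry = self.accounts.get(req.username)
        if entry is None:
            return None
        password, attrs = entry
        return (True, dict(attrs)) if password == req.password else (False, {})


class IdentityStoreSequence:
    """Try stores in order; stop at the first store that knows the user.
    Assumed semantics: 'user not found' continues, wrong password rejects."""

    def __init__(self, name: str, stores: List[IdentityStore]):
        self.name = name
        self.stores = stores

    def lookup(self, req: Request) -> Optional[Tuple[bool, Attrs]]:
        for store in self.stores:
            outcome = store.lookup(req)
            if outcome is not None:
                return outcome
        return None


Source = Union[IdentityStore, IdentityStoreSequence]


@dataclass
class IdentityRule:
    name: str
    condition: Callable[[Request], bool]  # sees the request only, no store attributes
    source: Source


# Constructed sample filter files; the line format is assumed for this example.
END_STATION_FILTER_FILE = "# MAC prefixes of AD-joined workstations\n00:1A:2B\n00:1A:2C\n"
DEVICE_FILTER_FILE = "# VPN concentrators\n10.1.0.0/16\n"


def parse_filter_file(text: str) -> List[str]:
    """Return the non-comment, non-empty entries of an imported filter file."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def end_station_matches(prefixes: List[str], req: Request) -> bool:
    mac = req.end_station.upper()
    return any(mac.startswith(p.upper()) for p in prefixes)


def device_matches(networks: List[str], req: Request) -> bool:
    ip = ipaddress.ip_address(req.device_ip)
    return any(ip in ipaddress.ip_network(n) for n in networks)


# Hypothetical stores. "Identity Store" is the custom internal-user attribute
# from the question; note it lives inside the internal account record.
INTERNAL = IdentityStore("Internal Users",
                         {"alice": ("s3cret-pw", {"Identity Store": "Entrust Token"})})
RSA = IdentityStore("RSA Token", {"carol": ("12345678", {})})
AD = IdentityStore("AD1", {"bob": ("hunter2", {"memberOf": "Domain Users"})})


def build_policy() -> Tuple[List[IdentityRule], Source]:
    """Rules are ordered; the first match wins, else the default store."""
    vpn_nets = parse_filter_file(DEVICE_FILTER_FILE)
    ws_macs = parse_filter_file(END_STATION_FILTER_FILE)
    rules = [
        IdentityRule("Token users on VPN concentrators",
                     lambda r: device_matches(vpn_nets, r),
                     IdentityStoreSequence("RSA then Internal", [RSA, INTERNAL])),
        IdentityRule("AD-joined workstations",
                     lambda r: end_station_matches(ws_macs, r), AD),
    ]
    return rules, INTERNAL


def evaluate(rules: List[IdentityRule], default: Source, req: Request) -> dict:
    """Select the identity source from request data, then authenticate there."""
    for rule in rules:
        if rule.condition(req):
            chosen, rule_name = rule.source, rule.name
            break
    else:
        chosen, rule_name = default, "Default"
    outcome = chosen.lookup(req)
    ok, attrs = outcome if outcome is not None else (False, {})
    return {"rule": rule_name, "source": chosen.name, "pass": ok, "attrs": attrs}


if __name__ == "__main__":
    rules, default = build_policy()
    for req in (Request("alice", "s3cret-pw", "10.1.5.5", "00:50:56:AA:BB:CC"),
                Request("bob", "hunter2", "192.0.2.10", "00:1a:2b:33:44:55"),
                Request("bob", "hunter2", "192.0.2.10", "00:50:56:AA:BB:CC")):
        print(req.username, evaluate(rules, default, req))
```

The second request shows what the "End Station filter" suggestion buys: bob never touches the internal store, so no per-user policy is needed. The first shows the point of the accepted answer in code: alice's "Identity Store" attribute is returned by `INTERNAL.lookup()` only after the sequence has already picked and queried the internal store, so nothing in `evaluate()` could have read it to choose the store.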



That makes sense, thank you.