Solved: Authenticate against AD then Internal Store with same username?

ghuey · ‎09-06-2012

I know this sounds easy at first glance but I am having a nightmare of a time finding a way to get this to work. Our engineers were used to OUR old ACS 3.2 method where an account was either authenticated against the internal user store or Wwindows AD and would like to duplicate this functionality with the our new ACS 5.3 setup. I fully realize that the two models are not even close to being similar between those two versions but I am being asked anyway.

Here is the crux of the issue. If you have a jsmith account in the internal user store with one password, and also a jsmith in AD with a different password then the system cannot seem to handle different accounts with same name when it comes to passwords.

I have an internal store sequence setup to authenticate against AD then the local data store. The problem is that if the user puts the password of the internal store user the ACS server sees that the user exists in AD but that password was incorrect and authentication fails.

Bottom line is that I need some kind of logic that says try to authenticate against AD first with this username and password, and if that fails instead of ending there try to authenticate to the internal store using the given username and password.

Appreciate any help on this.

Jagdeep Gambhir · ‎09-06-2012

Hi,

There is a problem having the same username in both database, as ACS will never try to search the user in the second database because it will always find it in the first database whatever that is.

You can create some rules based on the Device IP, NDG Location, Type indicating that if the authentication comes from a specific device use specific database.

Incase of RSA database we have to option to consider invalid password as user not found but it is not available for AD database.

Regards,

~JG

Do rate helpful posts

View solution in original post

Tarik Admani · ‎09-06-2012

This feature was added in ACS 5.3 where you can set the user password type:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/release/notes/acs_53_rn.html#wp230601

User Password Type

Allows you to set the password type of users in internal identity stores. You can select any one of the external identity store names along with internal users, to indicate against which identity store, this user needs to be authenticated.

For more information on User Password Type, see

User Guide for Cisco Secure Access Control System 5.3.

Let me know if this helps!

Tarik Admani
*Please rate helpful posts*

Jagdeep Gambhir · ‎09-06-2012

Hi,

There is a problem having the same username in both database, as ACS will never try to search the user in the second database because it will always find it in the first database whatever that is.

You can create some rules based on the Device IP, NDG Location, Type indicating that if the authentication comes from a specific device use specific database.

Incase of RSA database we have to option to consider invalid password as user not found but it is not available for AD database.

Regards,

~JG

Do rate helpful posts

Tarik Admani · ‎09-06-2012

Jagdeep,

I thought ACS 5.3 allowed you to use the internal database but point the password authentication to AD? However if the user isnt found then we can point to AD by using a identity sequence store?

Thanks,

Tarik Admani
*Please rate helpful posts*

ghuey · ‎09-07-2012

This is an interesting setting that I did not even know about so thanks for that Tarik, but I believe that it still does not resolve my problem.

Since my user accounts would have the same name in AD and in the internal store the user would be found. The ACS system just assumes that the user is typing an incorrect password, when in fact they are typing in the password for thier internal store account.

Thank you for confirmation Jagdeep.