Authenticate against AD then Internal Store with same username?

ghuey
Level 1

I know this sounds easy at first glance but I am having a nightmare of a time finding a way to get this to work. Our engineers were used to OUR old ACS 3.2 method where an account was either authenticated against the internal user store or Windows AD and would like to duplicate this functionality with our new ACS 5.3 setup. I fully realize that the two models are not even close to being similar between those two versions but I am being asked anyway.

Here is the crux of the issue. If you have a jsmith account in the internal user store with one password, and also a jsmith in AD with a different password, then the system cannot seem to handle different accounts with the same name when it comes to passwords.

I have an identity store sequence set up to authenticate against AD then the local data store. The problem is that if the user puts in the password of the internal store user, the ACS server sees that the user exists in AD but that password was incorrect, and authentication fails.

Bottom line is that I need some kind of logic that says try to authenticate against AD first with this username and password, and if that fails instead of ending there try to authenticate to the internal store using the given username and password.

Appreciate any help on this.

Accepted Solution

Jagdeep Gambhir
Level 10

Hi,

There is a problem having the same username in both databases, as ACS will never try to search for the user in the second database because it will always find it in the first database, whatever that is.

You can create some rules based on the Device IP, NDG Location, or Type indicating that if the authentication comes from a specific device, use a specific database.

In case of the RSA database we have the option to consider an invalid password as user not found, but it is not available for the AD database.

Regards,

~JG

Do rate helpful posts



4 Replies

Tarik Admani
VIP Alumni

This feature was added in ACS 5.3 where you can set the user password type:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/release/notes/acs_53_rn.html#wp230601

User Password Type

Allows you to set the password type of users in internal identity stores. You can select any one of the external identity store names along with internal users, to indicate against which identity store this user needs to be authenticated.

For more information on User Password Type, see the User Guide for Cisco Secure Access Control System 5.3.

Let me know if this helps!

Tarik Admani
*Please rate helpful posts*


Jagdeep,

I thought ACS 5.3 allowed you to use the internal database but point the password authentication to AD? However, if the user isn't found then we can point to AD by using an identity store sequence?

Thanks,

Tarik Admani
*Please rate helpful posts*

This is an interesting setting that I did not even know about so thanks for that Tarik, but I believe that it still does not resolve my problem.

Since my user accounts would have the same name in AD and in the internal store, the user would be found. The ACS system just assumes that the user is typing an incorrect password, when in fact they are typing in the password for their internal store account.

Thank you for confirmation Jagdeep.
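The following Python is an added illustration, not Cisco code and not posted by anyone in this thread. It models the identity store sequence behaviour Jagdeep describes in the accepted answer (only "user not found" moves the sequence to the next store, and a wrong password stops it), the "invalid password as user not found" option that the answer says exists for RSA but not for AD, the device-based rule that routes a NAD to a particular store, and the User Password Type setting from Tarik's reply. The store names, usernames, passwords and the 10.20.x.x device rule are all constructed for the example; the plaintext password comparison is a stand-in for the real protocol exchange.

```python
"""Toy model of an ACS-style identity store sequence (constructed example)."""
from dataclasses import dataclass, field

# Outcomes an identity store can return for a credential check
USER_NOT_FOUND = "user_not_found"
AUTH_FAILED = "auth_failed"
SUCCESS = "success"


@dataclass
class IdentityStore:
    name: str
    users: dict  # username -> password (None when the password lives elsewhere)
    # If True, a wrong password is reported as "user not found" so the sequence
    # falls through; the accepted answer says AD has no such option.
    invalid_password_as_not_found: bool = False
    # User Password Type: internal users whose password is checked by another store
    password_type: dict = field(default_factory=dict)

    def authenticate(self, username, password, stores):
        if username not in self.users:
            return USER_NOT_FOUND
        target = self.password_type.get(username)
        if target is not None:  # delegate the password check to the named store
            return stores[target].authenticate(username, password, stores)
        if self.users[username] == password:
            return SUCCESS
        return USER_NOT_FOUND if self.invalid_password_as_not_found else AUTH_FAILED


def run_sequence(sequence, username, password, stores):
    """Walk the stores in order; only USER_NOT_FOUND moves on to the next store."""
    trail = []
    for store_name in sequence:
        result = stores[store_name].authenticate(username, password, stores)
        trail.append((store_name, result))
        if result != USER_NOT_FOUND:
            return result, trail
    return USER_NOT_FOUND, trail


def select_sequence(device_ip, rules, default):
    """Identity-policy rule on Device IP: first matching prefix picks the sequence."""
    for prefix, sequence in rules:
        if device_ip.startswith(prefix):
            return sequence
    return default


# Constructed sample data: jsmith exists in every store with a different password.
STORES = {
    "AD1": IdentityStore("AD1", {"jsmith": "ad-secret", "tadmin": "ad-pw"}),
    "Internal": IdentityStore(
        "Internal",
        {"jsmith": "local-secret", "svc-backup": "backup-pw", "tadmin": None},
        password_type={"tadmin": "AD1"},  # internal user, password checked against AD1
    ),
    "RSA": IdentityStore("RSA", {"jsmith": "123456"}, invalid_password_as_not_found=True),
}
AD_THEN_INTERNAL = ["AD1", "Internal"]
RSA_THEN_INTERNAL = ["RSA", "Internal"]
# Constructed rule: devices in 10.20.x.x authenticate only against the internal store.
DEVICE_RULES = [("10.20.", ["Internal"])]


def jsmith_with_internal_password_via_ad():
    """The thread's failure: AD finds jsmith, rejects the password, sequence stops."""
    return run_sequence(AD_THEN_INTERNAL, "jsmith", "local-secret", STORES)


def jsmith_with_internal_password_via_rsa():
    """With the RSA option the wrong password reads as not found, so Internal is tried."""
    return run_sequence(RSA_THEN_INTERNAL, "jsmith", "local-secret", STORES)


def jsmith_from_internal_only_device():
    """Device IP rule routes the NAD straight to the internal store."""
    sequence = select_sequence("10.20.1.5", DEVICE_RULES, AD_THEN_INTERNAL)
    return run_sequence(sequence, "jsmith", "local-secret", STORES)


if __name__ == "__main__":
    for label, fn in [
        ("AD then Internal", jsmith_with_internal_password_via_ad),
        ("RSA then Internal", jsmith_with_internal_password_via_rsa),
        ("Device rule -> Internal", jsmith_from_internal_only_device),
    ]:
        result, trail = fn()
        print(f"{label}: {result} via {trail}")
```

Running it shows the three outcomes side by side: the AD-first sequence ends at AD1 with auth_failed and never consults the internal store, the RSA-first sequence falls through and succeeds, and the device rule sidesteps the conflict for the NADs it matches, which is the workaround the accepted answer offers.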