Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
635
Views
0
Helpful
1
Replies

Cisco ACS 5.1.0.44 Identity Store Sequence Question

JohnTylerPearce
Level 7
Level 7

‎07-06-2011 06:12 AM - edited ‎03-10-2019 06:12 PM

We have two single domain forests with a forest trust between them in our Windows Server infrasturcture.

Currently we have Cisco ACS 5.1.0.44 and use RADIUS for VPN, and TACACS+ for Switch/Router authentication.

Some users from DomainB cannot authentication against their LDAP server for some reason. If I go to the

Identity Store Sequence -> Edit: "VPN_DataBase" and then go under "Authentication and Attribute and Retrieval

Search List" and put DomainB to the top of the list these users can successfully log on via VPN, but now my

account in DomainA cannot log on. Anyone have any ideas what might be going on? I tried running a debug

through the console port but I didn't see any acitvity when I tried to authenticate..... Not really sure why. I do

know for a fact that the Cisco ACS does in fact authentication users from both domains because I can see it

under Monitoring and Reports. Anyone have any ideas?

Labels:
0 Helpful
1 Reply 1

Nicolas Darchis
Cisco Employee
Cisco Employee

‎07-21-2011 12:16 AM

"Additional attribute retrieval" list is only for ... as it says "additional attribute retrieval". So it's not what will be used for authentication.

Above normally you have another list with the stores that will be used for authentication, that's what you need to play with in this case.

I'm confused by the fact that you mention LDAP and AD. It's best to integrate to AD with the AD feature on ACS, not to add AD as an LDAP server because you then don't benefit of the trust system.

0 Helpful
Customers Also Viewed These Support Documents