Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1829
Views
10
Helpful
4
Replies

Configuring multiple Identity Sources in the Identity Policy (ACS 5.3)

Go to solution
Sami Abunasser
Level 1
Level 1

‎08-29-2012 07:29 AM - edited ‎03-12-2019 05:40 PM

Hi,

I have an ACS 5.3 cluster, that is configured to use AD. There are a few wireless devices, and monitoring tools that do not have AD accounts. I would like to configure ACS to first check AD for the user authentication, and if that fails to roll over to the local (Internal Users) identity source where I can define these user accounts.

It seems that when the authentication hits the initial Identity Policy rule, it never moves onto the next one if the first fails.

Attached are screen shots that show how i'm configured for the test, i have a local user defined and I'm trying to log into the firewalls.

- Identity Definition : Screen shot of the main ACS definition for the rule i'm testing that's not working

- Identity Rule 1 : The configuration of rule 1 that if it fails i need it to move onto rule 2.

- Log Output : Screen shot for one of the failed attempts from the ACS View Log server.

Reason I need to configure it this way is:

- Wireless users authenticate to wireless using AD user accounts. Some hand held scanners do not support that and will need to authenticate using the      MAC address.

- Authentication to Network devices for managment uses AD accounts. We have some monitoring tools that do not have AD accounts, and will need to    be able to log into Network devices to issue some commands (Examples: Cisco Prime LMS and NCS, Infoblox NetMRI).

Any suggestions on how to get this configured?

Thank you,

Sami Abunasser

Labels:
Preview file
54 KB
Preview file
43 KB
Preview file
64 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jrabinow
Level 7
Level 7
In response to Jagdeep Gambhir

‎08-29-2012 09:40 PM

The reason why the current definition is not working is because there is the same condition in both rules in the policy. Once a condition is matched in a policy it will not move to any subsequent rules in the policy. It is a first match policy.

The way to resolve this is to use an identity sequence.

An identity sequence can hunt through a series of databases until the username is found and authentication can be performed

To do this for the scenario above do the following:

- Users and Identity Stores > Identity Store Sequences

- Create an identity sequence. Select "Password Based" option and then in "Authentication and Attribute Retrieval Search List" out first AD1 and then "Internal Users"

This identity sequence can now be selected as the result in the identity policy rule

View solution in original post

4 Replies 4

Go to solution
Jagdeep Gambhir
Level 10
Level 10

‎08-29-2012 02:30 PM

Hi Sami,

Have you configured Mac-address in Internal user or Internal hosts? If it is host then we need to choose internal host in the identity policy.

Regards,

~JG

Do rate helpful posts!

0 Helpful

Go to solution
jrabinow
Level 7
Level 7
In response to Jagdeep Gambhir

‎08-29-2012 09:40 PM

The reason why the current definition is not working is because there is the same condition in both rules in the policy. Once a condition is matched in a policy it will not move to any subsequent rules in the policy. It is a first match policy.

The way to resolve this is to use an identity sequence.

An identity sequence can hunt through a series of databases until the username is found and authentication can be performed

To do this for the scenario above do the following:

- Users and Identity Stores > Identity Store Sequences

- Create an identity sequence. Select "Password Based" option and then in "Authentication and Attribute Retrieval Search List" out first AD1 and then "Internal Users"

This identity sequence can now be selected as the result in the identity policy rule

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni
In response to jrabinow

‎08-29-2012 10:47 PM

Thanks for clearing this up Jonny!

Tarik Admani
*Please rate helpful posts*

0 Helpful

Go to solution
Sami Abunasser
Level 1
Level 1
In response to Jagdeep Gambhir

‎08-31-2012 06:42 AM

Thanks, that was exactly what I was looking for and it worked perfectly.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents