Device authentication with Tacacs using RSA and AD

kondzio24
Level 1

Both RSA and AD are set up as external identities. RSA is also using AD as its identity store, so effectively all accounts are present in both ext. ID stores. What I'm trying to do is set my policy so that when I use an account that ends in "_a" it requires RSA 2FA. All other accounts that match a specific security group just get in with read-only.

Is there a way to match "_a" accounts so they are authenticated against a certain ext ID store, RSA in my case? I've tried "contains" and "ends with" in the policy, but it doesn't seem to make a difference and it simply doesn't want to match.

1 Accepted Solution

Accepted Solutions

hslai
Cisco Employee

Adding to what rubenvankomen suggested...

Below is an example of T+ policy sets similar to what you asked for and I tested working:

Two policy sets: One with TACACS.User endsWith 1 and the other is default.

[Screenshot: Screen Shot 2019-07-01 at 9.01.22 PM.png]

The "Username ends with 1" policy set uses MFA (e.g., DuoRADIUS).

[Screenshot: Screen Shot 2019-07-01 at 9.03.43 PM.png]

The default policy set uses AD to auth the users.

[Screenshot: Screen Shot 2019-07-01 at 9.04.07 PM.png]
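The first-match behaviour behind the accepted answer, as an added model written for this thread (my own constructed code, not Cisco ISE or the screenshots' configuration): policy sets are evaluated top to bottom, the specific "ends with" set must sit above the catch-all default, and a small check reports any set that can never be reached. The attribute name TACACS.User comes from the answer above; the identity source names and the sample usernames are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed model of ISE-style device-admin policy sets. Each set has a
# condition on the TACACS+ session attributes and names the identity source
# its authentication policy uses. Evaluation is first match, top to bottom.
Condition = Callable[[Dict[str, str]], bool]

@dataclass
class PolicySet:
    name: str
    identity_source: str
    condition: Condition

def ends_with(attr: str, suffix: str) -> Condition:
    return lambda attrs: attrs.get(attr, "").endswith(suffix)

def contains(attr: str, part: str) -> Condition:
    return lambda attrs: part in attrs.get(attr, "")

def match_policy_set(policy_sets: List[PolicySet], attrs: Dict[str, str]) -> Optional[PolicySet]:
    """Return the first policy set whose condition matches, or None."""
    for ps in policy_sets:
        if ps.condition(attrs):
            return ps
    return None

def select_identity_source(username: str, policy_sets: List[PolicySet]) -> Optional[str]:
    ps = match_policy_set(policy_sets, {"TACACS.User": username})
    return ps.identity_source if ps else None

def unreachable_sets(policy_sets: List[PolicySet], sample_users: List[str]) -> List[str]:
    """Names of policy sets that no sample username ever reaches (shadowed)."""
    hit = set()
    for user in sample_users:
        ps = match_policy_set(policy_sets, {"TACACS.User": user})
        if ps:
            hit.add(ps.name)
    return [ps.name for ps in policy_sets if ps.name not in hit]

# Ordering as in the accepted answer: specific set first, default last.
ORDERED = [
    PolicySet("Username ends with _a", "RSA_MFA", ends_with("TACACS.User", "_a")),
    PolicySet("Default", "AD", lambda attrs: True),
]
# Misordered variant: the catch-all default shadows the MFA set entirely.
SHADOWED = list(reversed(ORDERED))
SAMPLE_USERS = ["jdoe", "jdoe_a", "ops_a"]  # constructed sample usernames
```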


2 Replies

rubenvankomen
Level 1
Hello,

As you described, you can match an attribute to a value in the authentication policy to make sure that certain users use a specific Identity Store or Identity Store Sequence. Can you please confirm that you are using the Device Administration Policy set (Work Centers > Device Administration > Device Admin Policy Sets) and not the Network Access Policy set for TACACS+ Device Administration?

If you are using the correct Policy set, can you provide a screenshot of the condition?
