How to Configure ACS 5.8 for AAA authentication to AD

N3t W0rK3r
Level 3

I am setting up a new installation of ACS v5.8 from scratch to replace our ACS4.1 solution.

I have got to the point where I have the new ACS server authenticating device admin access using an internal identity store user just fine.  I then connected it successfully to our AD domain. I have selected an AD group to query under the Directory Groups tab of the External Identity Store/Active Directory and have tried to create appropriate device admin identity and authorization policies to reference the AD group using a condition.

Login attempts from device admins are failing.  When I check the ACS logs and policy hit counts, it's clear that my AD-based device admin identity/auth policies are not being matched.  Obviously I have done something wrong or not completely, and I'm looking for some guidance.

Thanks,

John

4 Replies

John,

On the authentication report page, click on the magnifying glass for a test authentication to get the details, then scroll down to see what attributes were retrieved from AD for that user, and see if you can determine why the intended authorization policy was not matched.

Javier Henderson

Cisco Systems

Thanks Javier.

My problem right now is that AD is NOT being queried at all.  The second identity rule, which I expect to be hit to query AD, is not being hit. See attached.

Javier,

I was able to get it to work by changing the Identity source in my Rule-1 ID policy from internal users (only) to an id sequence Internal-AD.

Not exactly sure why this worked, however... I would have thought that Rule-2 would have matched.

Oh well.

Thanks for your help.

John

The list is evaluated top to bottom, and exits on the first match. In this case, it matched Rule-1 and it stopped there.

Javier Henderson

Cisco Systems
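The behaviour Javier describes (rules evaluated top to bottom, first match wins, and the identity store sequence being what actually fixed it) is easy to misread from hit counts alone, so here is a small Python model of it. This is an added example, not ACS code and not from the original post: the store name "AD1", the user names and passwords, the rule conditions and the request attributes are all constructed, and the model ignores the identity policy's default rule and its advanced "user not found" options. It shows why Rule-2 never records a hit in either configuration, and why only changing Rule-1's source to an Internal-then-AD sequence lets the AD user in.

```python
"""Added example (not ACS code): a model of first-match identity-policy
evaluation and of an identity store sequence.  Stores, users, passwords,
rule conditions and request attributes are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample stores with fake credentials.
INTERNAL_USERS: Dict[str, str] = {"localadmin": "L0cal-pass"}
AD_USERS: Dict[str, str] = {"jsmith": "AD-pass"}

# (username, password) -> "pass" | "fail" | "not_found"
AuthFn = Callable[[str, str], str]


def _store(table: Dict[str, str]) -> AuthFn:
    """Build the lookup function for one identity store."""
    def auth(user: str, password: str) -> str:
        if user not in table:
            return "not_found"
        return "pass" if table[user] == password else "fail"
    return auth


STORES: Dict[str, AuthFn] = {
    "Internal Users": _store(INTERNAL_USERS),
    "AD1": _store(AD_USERS),   # "AD1" is an assumed name for the AD store
}


def sequence(*names: str) -> AuthFn:
    """Identity store sequence: try each store in order, moving to the next
    store only when the user is not found.  A wrong password in a store that
    knows the user is a failure, not a fall-through."""
    def auth(user: str, password: str) -> str:
        for name in names:
            result = STORES[name](user, password)
            if result != "not_found":
                return result
        return "not_found"
    return auth


@dataclass
class Rule:
    name: str
    condition: Callable[[dict], bool]
    source: AuthFn
    hits: int = 0


def evaluate_identity_policy(rules: List[Rule], request: dict,
                             user: str, password: str) -> Tuple[str, str]:
    """First match wins: the first rule whose condition holds selects the
    identity source and evaluation stops.  Later rules are never consulted,
    even when the chosen source does not know the user."""
    for rule in rules:
        if rule.condition(request):
            rule.hits += 1
            return rule.name, rule.source(user, password)
    return "Default", "not_found"   # default rule elided in this model


def make_policy(rule1_source: AuthFn) -> List[Rule]:
    """Two rules as in the thread: Rule-1 catches every device-admin request;
    Rule-2, intended for AD users, sits below it.  Conditions are constructed."""
    return [
        Rule("Rule-1", lambda r: r["service"] == "Device Admin", rule1_source),
        Rule("Rule-2", lambda r: r["protocol"] == "TACACS+", STORES["AD1"]),
    ]


REQUEST = {"service": "Device Admin", "protocol": "TACACS+"}   # constructed


def run(rule1_source: AuthFn, user: str, password: str) -> Tuple[str, str, int]:
    """Evaluate one login; return (rule hit, auth result, Rule-2 hit count)."""
    policy = make_policy(rule1_source)
    rule_name, result = evaluate_identity_policy(policy, REQUEST, user, password)
    return rule_name, result, policy[1].hits


if __name__ == "__main__":
    # Before the fix: Rule-1 uses Internal Users only, so the AD user is
    # "not found" and Rule-2 (which would have matched) is never reached.
    print("internal only:", run(STORES["Internal Users"], "jsmith", "AD-pass"))
    # After the fix: Rule-1 uses an Internal-AD sequence.  The AD user passes,
    # and Rule-2 still shows zero hits because Rule-1 matched first.
    print("Internal-AD  :", run(sequence("Internal Users", "AD1"), "jsmith", "AD-pass"))
    print("Internal-AD  :", run(sequence("Internal Users", "AD1"), "localadmin", "L0cal-pass"))
```

The practical check this models: if a lower identity rule shows zero hits, look at the source of the rule above it that is matching, not at the lower rule's condition. Putting the AD store into the sequence used by the rule that actually matches is what lets the AD lookup happen.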