08-22-2011 12:23 AM - edited 03-10-2019 06:20 PM
Hi,
I need to configure the ACS 5.1 to meet the following requirement:
1. ACS 5.1 will point to an RSA SecurID as the first authentication mechanism for the validation of user credentials.
2. In the event that RSA SecurID is not reachable, the ACS 5.1 shall point to its local user database.
I had no problem configuring Point (1), but I am not able to let it fail over to the local user database.
Can any expert out there advise on the configuration portion?
regards
08-22-2011 02:36 AM
In the users and identity menu, click on "identity store sequence".
Create a new sequence that will be composed of your RSA and then the internal store.
In your service policy, instead of pointing the identity store to the RSA server, point it to the sequence you created.
Regards,
Nicolas
08-25-2011 05:42 AM
Hi Nicolas,
Thanks for the help.
I tried out your method, but I am still encountering the "same" problem.
When I bring down the RSA server, my internal account is still not able to login successfully.
From the logging, the failure is due to the "invalid account" in my RSA server (so apparently it did not roll over to the internal store for the next authentication sequence).
This is what I configured:
I defined "Authentication_Sequence" under the "identity store sequence".
> RSA
> Internal Hosts
Then under Access Policy (Default Network Access),
I selected "Authentication_Sequence" under the identity field.
Not too sure where I missed out.
regards
08-25-2011 05:50 AM
The configuration seems correct. However, it would seem that ACS doesn't realize that the RSA is down. How did you turn the RSA down? Off completely?
08-25-2011 06:29 AM
I just simply disconnected the RSA server from the network so that ACS will not be able to reach the RSA.
08-25-2011 10:59 PM
Hi,
To add on, the error is saying that the authentication failure is due to "ACS is not able to establish a connection to the RSA server".
08-26-2011 12:52 AM
Strange ...
I didn't play much with RSA server failover. It should fail over, in my opinion, but ...
08-26-2011 08:58 AM
It is indeed quite strange.
I found one old thread that was quite similar to my problem:
https://supportforums.cisco.com/thread/2052480
I tried out the setting, but the problem still persists.
Besides the sequence setting, is there any setting that indicates the timeout value for an authentication store to declare "failure" and fail over to the second store?
09-09-2011 04:50 AM
Hi,
Are you aware of this bug:
which could be related to my problem?
regards
09-09-2011 05:06 AM
That bug is not related. It's about Active Directory. Your problem is RSA ...
09-09-2011 05:15 AM
This is the reply from the TAC engineer:
"
> I believe that you are hitting this bug:
>
> http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtl05416
> While the notes for this bug talk about problems with AD, the same
> problem applies to _any_ identity sequence that you create.
> For example, if you create an Identity Store Sequence with the Identity
> Stores A and B, the ACS will _not_ go to Identity B if Identity Store A
> is not available. It does not matter what the order of identity stores
> is in the sequence. This is a known issue with ACS 5.2 and there is no
> work around.
>
> This problem will be resolved in the next release of ACS, which will be
> ACS 5.3. The 5.3 release will allow you to select what action is to take
> place if an Identity Store becomes unavailable.
> "
So I would like to seek your opinion. In addition, I also found this article.
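Added example (not code from the thread, from Cisco, or from ACS itself): a Python model of the identity store sequence behaviour the TAC engineer describes, with the 5.2-style "stop when a store is unreachable" rule beside the 5.3-style "continue to the next store" action. The store names, the sample user and the rule that a verdict from a reachable store is final are assumptions of this model.

```python
# Added illustration, not code from the thread or from Cisco ACS: a small model
# of an identity store sequence that separates "store unreachable" from
# "store reachable but credentials rejected", the distinction behind the bug.
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Store:
    name: str
    reachable: bool
    users: Dict[str, str]  # constructed sample credentials (user -> password)

class Unreachable(Exception):
    """Raised when the sequence cannot open a connection to a store."""

def authenticate(store: Store, user: str, password: str) -> bool:
    """Verdict from one store; raises Unreachable instead of returning a verdict."""
    if not store.reachable:
        raise Unreachable(store.name)
    return store.users.get(user) == password

def run_sequence(stores: List[Store], user: str, password: str,
                 on_unavailable: str = "fail") -> str:
    """Walk the sequence in order.
    on_unavailable="fail":     an unreachable store ends the sequence with a
                               failure (the behaviour reported for 5.2 above).
    on_unavailable="continue": skip an unreachable store and try the next one
                               (the selectable action described for 5.3).
    Assumption of this model: a verdict from a reachable store is final."""
    for store in stores:
        try:
            ok = authenticate(store, user, password)
        except Unreachable as exc:
            if on_unavailable == "fail":
                return f"FAIL: cannot connect to {exc}"
            continue  # try the next store in the sequence
        return f"PASS: {store.name}" if ok else f"FAIL: rejected by {store.name}"
    return "FAIL: no reachable store in sequence"

def demo() -> Dict[str, str]:
    """Constructed sample: RSA disconnected from the network, one internal user."""
    rsa = Store("RSA SecurID", reachable=False, users={})
    internal = Store("Internal Users", reachable=True, users={"alice": "sample-pw"})
    seq = [rsa, internal]
    return {"5.2": run_sequence(seq, "alice", "sample-pw"),
            "5.3": run_sequence(seq, "alice", "sample-pw", "continue")}
```

Running demo() shows the same sequence producing a connection failure under the first rule and a successful internal-store login under the second, which is the difference the thread is chasing.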
09-09-2011 05:21 AM
Well if you have a TAC case ...
He logically spent time working on it and possibly checked cases affected by that bug.
As this is a forum, I'm rarely working more than a few minutes for each reply I give, so I would trust that answer over mine.
However, the bug is still Assigned and not marked as resolved yet. It was marked to be fixed for 5.3, but if it's not resolved yet, it won't be fixed in the 5.3 release that comes out in 2 months ;-)