10-24-2011 07:36 AM - last edited on 03-25-2019 05:28 PM by ciscomoderator
Hello guys,
I have found the following problem and can't solve it.
I have installed cluster from two ACS 5.3.0.40 (Internal Build ID : B.839) hardware appliances.
I have created Identity Store Sequence in this way:
Additional Attribute Retrieval Search List - Internal Users
If access to the current identity store failed - Continue to next identity store in the sequence
For Attribute Retrieval only: Checked option - If internal user/host not found or disabled then exit sequence and treat as "User Not Found"
My idea is this: the user will try to authenticate and the identity sequence will be initiated; if the user doesn't exist on the SMS server then he should be authenticated via RSA AM. In the end, additional attributes should be taken from his account in the ACS internal database (it is used for authorization).
The problem is that if authentication against the first server in the identity store sequence fails, the second server in the sequence is never contacted. If the user exists on the first auth. server then login passes without problem.
I have tried changing the sequence order, but if RSA AM is first and the SMS server is second the situation is still the same as before: only a user on RSA AM will pass.
From the logs I see that only the first server is mentioned in the Identity Store item (Authentication Summary).
The session event says (if the SMS server is first): Radius authentication failed for USER: breskmic MAC: AUTHTYPE: Radius authentication failed
Authentication details: Access Policy - Selected Identity Stores - both authentication servers are correctly mentioned
Can anybody help me with this issue? Am I doing anything wrong, or is it a bug in ACS?
10-25-2011 02:12 AM
There is an advanced configuration option for the RADIUS token server:
This Identity Store does not differentiate between 'authentication failed' and 'user not found' when an authentication attempt is rejected. From the options below, select how such an authentication reject from the Identity Store should be interpreted by ACS for Identity Policy processing and reporting.
Treat Rejects as 'authentication failed'
Treat Rejects as 'user not found'
You need to make sure the option to Treat Rejects as 'user not found' is selected.
10-24-2011 09:36 AM
The identity sequence continues through the list of identity databases until it gets a definitive answer for authentication: either authentication passed or authentication failed. It is possible to continue to the other databases if the user is not found or if ACS could not contact or connect to the database at all.
In all cases does the same user exist on both SMS and RSA stores?
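The sequence rule stated in the reply above, together with the per-store "Treat Rejects as" option from the accepted answer, can be walked through in code. This is an added model written for this page, not Cisco ACS code; the store names, the sample user records and the `reject_means_not_found` flag are constructed for the illustration, and only the flow (stop on a definitive pass or fail, continue on "user not found" or an unreachable store) follows what the thread describes.

```python
"""Model of an ACS 5.3 identity store sequence (added example, not Cisco code).

A RADIUS token server answers a bad login with a plain Access-Reject, so the
ACS cannot tell "wrong password" from "no such user".  The advanced option on
the store decides which of the two a reject is mapped to, and that mapping
is what decides whether the sequence moves on to the next store.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class Result(Enum):
    PASSED = "authentication passed"
    FAILED = "authentication failed"
    NOT_FOUND = "user not found"
    UNREACHABLE = "store unreachable"


@dataclass
class Store:
    name: str
    users: Dict[str, str]          # username -> password (constructed sample data)
    distinguishes_not_found: bool  # True for the ACS internal store, False for RADIUS token
    reject_means_not_found: bool = False  # the "Treat Rejects as 'user not found'" option
    reachable: bool = True

    def authenticate(self, user: str, password: str) -> Result:
        if not self.reachable:
            return Result.UNREACHABLE
        if self.users.get(user) == password:
            return Result.PASSED
        if self.distinguishes_not_found:
            return Result.FAILED if user in self.users else Result.NOT_FOUND
        # Opaque reject from a RADIUS token server: apply the advanced option.
        return Result.NOT_FOUND if self.reject_means_not_found else Result.FAILED


def run_sequence(stores: List[Store], user: str, password: str,
                 continue_on_unreachable: bool = True) -> Tuple[Result, List[str]]:
    """Walk the sequence; return the final result and the stores actually contacted."""
    contacted: List[str] = []
    for store in stores:
        contacted.append(store.name)
        result = store.authenticate(user, password)
        if result in (Result.PASSED, Result.FAILED):
            return result, contacted        # definitive answer: the sequence stops here
        if result is Result.UNREACHABLE and not continue_on_unreachable:
            return Result.FAILED, contacted
        # NOT_FOUND (or UNREACHABLE with "continue") -> try the next store
    return Result.NOT_FOUND, contacted


def build_stores(sms_rejects_as_not_found: bool) -> List[Store]:
    """Two RADIUS token stores as in the thread; test accounts are constructed."""
    sms = Store("SMS", {"alice": "pw-alice"}, distinguishes_not_found=False,
                reject_means_not_found=sms_rejects_as_not_found)
    rsa = Store("RSA AM", {"breskmic": "token-123"}, distinguishes_not_found=False)
    return [sms, rsa]


if __name__ == "__main__":
    # Default option: SMS rejects the unknown user, ACS treats that as a hard
    # failure and RSA AM is never asked (the behaviour reported in the thread).
    print(run_sequence(build_stores(False), "breskmic", "token-123"))
    # With rejects treated as 'user not found' the sequence continues to RSA AM.
    print(run_sequence(build_stores(True), "breskmic", "token-123"))
    # Cost of the option: a wrong password for an SMS user is now also tried
    # against RSA AM instead of stopping at SMS.
    print(run_sequence(build_stores(True), "alice", "wrong"))
```

Two things the model makes visible that are worth keeping in mind when applying the fix: a store that treats every reject as "user not found" can never produce a definitive "authentication failed" on its own, so a bad password for a user who does exist there is replayed against every later store in the sequence, and if the last store is configured the same way the session is reported as "user not found" rather than "authentication failed", which changes what the ACS logs show for password-guessing attempts.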
10-25-2011 01:26 AM
I have created unique testing user accounts on both authentication servers, so unfortunately no, this is not the reason for this behavior, because the auth. server should return the response "user doesn't exist". Is it possible to find the type of response from the auth. server in some log?
10-25-2011 01:38 AM
From the logs you shared we see the following:
24613 Authentication against the RADIUS token server failed.
That means the user you requested exists in the RADIUS token server but with a different password, and so authentication failed. This did not return "user did not exist". In the case where the user exists, the identity sequence will not proceed.
Delete the user account from the RADIUS token server and you should see things work as expected.
10-25-2011 02:09 AM
I am sure that this user doesn't exist on this authentication server, but maybe this RADIUS server is returning the wrong response for a non-existing user. I will try to investigate it.
10-25-2011 02:20 AM
It was a direct shot. Thank you very much, now it is working properly :-)