Identity store sequence is not working

Hello guys,

I have found the following problem and can't solve it.

I have installed a cluster of two ACS 5.3.0.40 (Internal Build ID: B.839) hardware appliances.

I have created the Identity Store Sequence in this way:

  • Authentication Method List - Password Based
  • Authentication and Attribute Retrieval Search List:
    • First server providing SMS authentication (via RADIUS protocol)
    • Second in sequence is RSA Authentication Manager (SecurID two-factor token authentication)
  • Additional Attribute Retrieval Search List - Internal Users
  • Advanced options:
    • If access to the current identity store failed - Continue to next identity store in the sequence
    • For Attribute Retrieval only: Checked option - If internal user/host not found or disabled then exit sequence and treat as "User Not Found"

My idea is this: the user will try to authenticate and the identity sequence will be initiated; if the user doesn't exist on the SMS server, then he should be authenticated via RSA AM. In the end, additional attributes should be taken from his account in the ACS internal database (it is used for authorization).

The problem is that if authentication against the first server in the identity store sequence fails, the second server in the sequence is never contacted. If the user exists on the first auth. server, then login passes without problem.

I tried changing the sequence order, but if RSA AM is first and the SMS server is second, the situation is still the same as before: only a user on RSA AM will pass.

From the logs I see that only the first server is mentioned in the Identity Store item (Authentication Summary).

Session event saying (if SMS server is first) - Radius authentication failed for USER: breskmic  MAC:   AUTHTYPE: Radius authentication failed

Authentication details: Access Policy - Selected Identity Stores - both authentication servers are correctly mentioned.

Steps:

  • 24613  Authentication against the RADIUS token server failed.
  • 22057  The advanced option that is configured for a failed authentication request is used.
  • 22061  The 'Reject' advanced option is configured in case of a failed authentication request.
  • 11003  Returned RADIUS Access-Reject
  • This is the end of the log; if the RSA AM server is first in the sequence, the result is the same.

Can anybody help me with this issue? Am I doing anything wrong, or is it a bug in ACS?

jrabinow
Level 7

The identity sequence continues through the list of identity databases until it gets a definitive answer for authentication: either authentication passed or authentication failed. It is possible to continue to the other databases if the user is not found or if the database could not be contacted or connected to at all.

In all cases does the same user exist on both SMS and RSA stores?

I have created unique testing user accounts on both authentication servers, so unfortunately no, this is not the reason for this behavior, because the auth. server should return the response "user doesn't exist". Is it possible to find from some log the type of response from the auth. server?

From the logs you shared we see the following:

24613  Authentication against the RADIUS token server failed.

That means the user you requested exists in the RADIUS token server but with a different password, and so authentication failed. This did not return "user did not exist". In the case the user exists, the identity sequence will not proceed.

Delete the user account from the RADIUS token server and you should see things work as expected.

I am sure that this user doesn't exist on this authentication server, but maybe this RADIUS server is returning the wrong response for a non-existing user. I will try to investigate it.

There is an advanced configuration option for the RADIUS token server:

This Identity Store does not differentiate between 'authentication failed' and 'user not found' when an authentication attempt is rejected. From the options below, select how such an authentication reject from the Identity Store should be interpreted by ACS for Identity Policy processing and reporting.

Treat Rejects as 'authentication failed'

Treat Rejects as 'user not found'

You need to make sure the option to Treat Rejects as 'user not found' is selected.
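The sequence rule jrabinow describes (continue only on 'user not found' or an unreachable store, stop on a definitive pass or fail) and the effect of the 'Treat Rejects as' option, as an added Python model that is not part of this thread or of ACS itself; the store names, user tables and the `treat_rejects_as` field are constructed assumptions standing in for the real configuration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple

class Verdict(Enum):
    PASSED = "authentication passed"        # definitive: sequence stops
    FAILED = "authentication failed"        # definitive: sequence stops
    NOT_FOUND = "user not found"            # sequence continues
    UNREACHABLE = "identity store unreachable"

@dataclass
class IdentityStore:
    name: str
    users: Dict[str, str]                   # constructed credential table
    # A RADIUS token server only answers Access-Accept/Access-Reject, so a
    # Reject carries no 'user not found' signal; this field is the advanced
    # option from the answer above: how ACS should interpret that Reject.
    treat_rejects_as: Verdict = Verdict.FAILED
    reachable: bool = True

    def probe(self, user: str, password: str) -> Verdict:
        if not self.reachable:
            return Verdict.UNREACHABLE
        if self.users.get(user) == password:
            return Verdict.PASSED           # Access-Accept
        return self.treat_rejects_as        # Access-Reject, reinterpreted

def evaluate_sequence(stores: List[IdentityStore], user: str, password: str,
                      continue_if_unreachable: bool = True
                      ) -> Tuple[Verdict, List[Tuple[str, Verdict]]]:
    """Walk the stores in order and return the final verdict plus the trail
    of (store, verdict) pairs, mirroring the step list in the ACS report."""
    trail: List[Tuple[str, Verdict]] = []
    for store in stores:
        verdict = store.probe(user, password)
        trail.append((store.name, verdict))
        if verdict in (Verdict.PASSED, Verdict.FAILED):
            return verdict, trail
        if verdict is Verdict.UNREACHABLE and not continue_if_unreachable:
            return Verdict.FAILED, trail
    return Verdict.NOT_FOUND, trail        # exhausted without a definitive answer

def build_sequence(sms_rejects_as: Verdict, sms_reachable: bool = True) -> List[IdentityStore]:
    """SMS token server first, RSA second; each constructed user exists on one
    server only, as in the question."""
    sms = IdentityStore("SMS RADIUS token server", {"sms_user": "otp-111111"},
                        treat_rejects_as=sms_rejects_as, reachable=sms_reachable)
    rsa = IdentityStore("RSA Authentication Manager", {"rsa_user": "pin+tokencode"})
    return [sms, rsa]
```

With the default option the RSA user is rejected after the SMS store alone, exactly the one-step trail seen in the question's log; with 'user not found' the sequence reaches RSA.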

It was a direct shot. Thank you very much, now it is working properly :-)