
ACS5.1 and OTP

Si
Level 1

Does anyone have a quick overview of how to set up communication with ACS5.1 using an OTP server?

I want the user to be authenticated in AD, then send out the OTP if the credentials are correct.

Thanks

Si

7 Replies

Si
Level 1

Thanks in advance

What is your OTP server? Does it act as a RADIUS server?

If so, you can configure an external RADIUS store in ACS.

I would then advise configuring an identity sequence in ACS that would check the OTP server for authentication and then put AD in the "extra attribute retrieval store" to retrieve user groups and properties.

The OTP is the Nordic Edge Server, which I believe is RADIUS.

I think I'm just struggling to put the Access Service and Rule selection together properly.

Thanks

S

What you want to achieve changes nothing about the access service and rule selection.

Just create an identity store sequence that authenticates against OTP but fetches the attributes found in AD.

Is it possible to check the AD first, then check the OTP if in that group?

At the minute the OTP will get sent to anyone, then get denied by the AD afterwards.

Thanks

S

There is an authenticating server and an attribute retrieval server.

You can't retrieve AD attributes first because the guy is not authenticated yet.

And you can't store attributes on the OTP server either, right?

The problem is that your password is on OTP only, so it's OTP authenticating and not AD, so OTP has to be first.

OK thanks for clearing that up. We'd like to stop the OTP being sent out to invalid users.

S