Is there a detailed explanation of advanced options?

Alex Pfeil
Level 7

ACS-advanced-options.JPG

I was wondering if there is a document that further details the advanced options. The defaults are selected Reject, Reject, Drop. However, if the user is not found and you select continue instead of reject, what is the next step in authentication?

Here is my exact question:

If you select continue, where does the ACS look next?

Does it look for the next rule in that access-policy or does it go to the next access-policy?

Accepted Solutions

jrabinow
Level 7

Do not have a document but can try explaining in this post.

There are three cases to which this configuration can apply, and for each case three options to control the behavior.

The three behavior options are:

- Reject: send a reject response for the request

- Drop: send no response to the request

- Continue: continue to evaluate the authorization policy conditions

The three cases for which the options can be configured are:

- Authentication failed: User name was found in ID store but either password is incorrect or user is disabled

- User not found: User name was not found in any of the ID stores that were evaluated

- Process failed: Could not get a response from ID store

As I mentioned, if continue is selected the processing continues to evaluate the authorization policy for the access service that was previously selected. No other access services are evaluated.

Note that within the authorization policy there is an additional attribute that can be used to determine the specific case that occurred during authentication. The attribute is "Authentication Status" and can take values of "AuthenticationPassed", "AuthenticationFailed", "ProcessError", "UnknownUser".

So within the authorization policy you can define different results depending on the "Authentication Status" result; e.g. to put in default VLAN.
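
The flow described in this answer, as an added example that is not part of the original post and is not Cisco ACS code: a simplified Python model of how Reject, Drop and Continue lead into the authorization policy of the already-selected access service. The result names (PermitAccess, DefaultVLAN, DenyAccess), the rule sets and first-match rule ordering are assumptions made for illustration.

```python
# Simplified model of the flow described above; not Cisco ACS code.
# Rule sets and result names are hypothetical.

# Advanced-option defaults quoted in the question: Reject, Reject, Drop.
DEFAULTS = {"AuthenticationFailed": "Reject",
            "UnknownUser": "Reject",
            "ProcessError": "Drop"}

def evaluate(auth_status, options, authz_rules, default_result="DenyAccess"):
    """Return the outcome for one request inside the selected access service.

    authz_rules is an ordered list of (condition, result); the first rule whose
    condition accepts the request context wins (first-match is an assumption).
    """
    if auth_status != "AuthenticationPassed":
        action = options[auth_status]
        if action == "Reject":
            return "Access-Reject"
        if action == "Drop":
            return None  # no response is sent
        # "Continue": fall through to the same service's authorization policy.
    ctx = {"Authentication Status": auth_status}
    for condition, result in authz_rules:
        if condition(ctx):
            return result
    return default_result

def status_is(value):
    """Build a rule condition that tests the Authentication Status attribute."""
    return lambda ctx: ctx["Authentication Status"] == value

# Rules that branch on Authentication Status, as the answer suggests.
STATUS_AWARE = [(status_is("AuthenticationPassed"), "PermitAccess"),
                (status_is("UnknownUser"), "DefaultVLAN")]

# A rule that ignores the status also matches failed authentications.
STATUS_BLIND = [(lambda ctx: True, "PermitAccess")]

CONTINUE_ALL = {case: "Continue" for case in DEFAULTS}

if __name__ == "__main__":
    for status in ("AuthenticationPassed", "AuthenticationFailed",
                   "UnknownUser", "ProcessError"):
        print(status,
              "| defaults:", evaluate(status, DEFAULTS, STATUS_AWARE),
              "| continue:", evaluate(status, CONTINUE_ALL, STATUS_AWARE),
              "| continue, status-blind:", evaluate(status, CONTINUE_ALL, STATUS_BLIND))
```

With Continue selected, the status-blind rule set returns the permit result for a failed authentication, which is why authorization rules in that service should test "Authentication Status" explicitly.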

jrabinow wrote:

As I mentioned, if continue is selected the processing continues to evaluate the authorization policy for the access service that was previously selected. No other access services are evaluated.

This is the info I was specifically looking for.

Thanks,

I appreciate your time,

Alex Pfeil