
VPN user authentication with ACS5.6 identity sequence

jain.nitin
Level 3

Hi All, we would like to achieve VPN authentication through ACS 5.6 as below:

1) If a user called user1 is part of AD-group1, then it should authenticate through AD.

2) If a user called user2 is part of the local ACS group group2, then it should authenticate through the ACS local DB.

Note:

A) User1 is available in AD as well as in the ACS local DB, but we have pulled a specific AD group into the ACS authorization policy, of which User1 is not part, and put that rule on top. So if user1 uses his Windows AD username and password and is part of the group which we pulled from AD and mentioned in the authorization policy, he should authenticate.

B) User1 is also available in the ACS local DB, so if user1 uses the local ACS DB username and password and user1 is not part of the AD group which we pulled and mentioned in the authorization policy in point A, then it should authenticate via the ACS internal DB.

But it is not happening this way. ACS always checks AD1 for the username and password for VPN user authentication and authenticates the user with the AD username and password, even though we have configured the identity store sequence as AD first, then Internal store; it is always checking AD. If we reverse the identity sequence order, then it always checks the internal store and does not go to AD.

Any idea how to achieve this? We are using ACS 5.6.0.22.2 and have configured a separate service selection rule for VPN, under which only two authorization rules are configured: on top, Windows AD with a specific group, and second, the internal ACS DB.

Please help me get this resolved, as we have a migration tonight.

 

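The behaviour the post describes (AD first means AD always decides; Internal first means the internal store always decides) is what you get from a sequence that moves to the next store only when the username is *not found*, never when the password is wrong. The following is an added model of that semantics, written for this thread; it is not Cisco code and does not reproduce ACS internals. The store labels "AD1" and "Internal Users", the user records, passwords and the rule names are constructed for illustration. It also shows the alternative, falling through on a rejected password, which is what the requested "whichever password is right" routing would need, and why that alternative is a bad trade.

```python
"""Model of an identity-store sequence with two stores (constructed example).

A store that does not know the username lets the sequence continue.  A store
that knows the username decides the outcome: with a wrong password it rejects,
and later stores are never consulted.  That is the behaviour the question
observes for user1, who exists in both AD and the ACS internal store.
"""

# Constructed sample stores.  Plain-text passwords only to keep the model small;
# a real store would hold hashes or delegate verification to the directory.
AD_STORE = {
    "user1": {"password": "ADpass1", "groups": {"AD-group1"}},
}
INTERNAL_STORE = {
    "user1": {"password": "LocalPass1", "groups": {"group2"}},
    "user2": {"password": "LocalPass2", "groups": {"group2"}},
}

# Sequence order as described in the question (AD first) and its reverse.
SEQ_AD_FIRST = [("AD1", AD_STORE), ("Internal Users", INTERNAL_STORE)]
SEQ_INTERNAL_FIRST = list(reversed(SEQ_AD_FIRST))


def lookup(store, username, password):
    """One store's verdict: 'not_found', 'rejected' or 'passed' (+ groups)."""
    entry = store.get(username)
    if entry is None:
        return "not_found", None
    if entry["password"] != password:
        return "rejected", None
    return "passed", entry["groups"]


def authenticate(sequence, username, password, continue_on_reject=False):
    """Walk the sequence and return a dict describing the decision.

    continue_on_reject=False models the sequence behaviour described in the
    post: the first store that knows the username is the only one whose verdict
    counts.  continue_on_reject=True is the fall-through the desired routing
    would require; 'checked' records every store that verified the password,
    which is the cost of that fall-through.
    """
    checked = []
    for name, store in sequence:
        result, groups = lookup(store, username, password)
        if result == "not_found":
            continue                     # unknown here, try the next store
        checked.append(name)
        if result == "rejected" and continue_on_reject:
            continue                     # wrong here, give the next store a go
        return {"store": name, "result": result, "groups": groups, "checked": checked}
    return {"store": None, "result": "rejected" if checked else "not_found",
            "groups": None, "checked": checked}


def authorize(auth):
    """Apply the two authorization rules from the question, top to bottom.

    Rule names are assumptions; the group names come from the post.
    """
    if auth["result"] != "passed":
        return "deny"
    if auth["store"] == "AD1" and "AD-group1" in auth["groups"]:
        return "permit-ad-rule"          # rule 1: AD, specific group
    if auth["store"] == "Internal Users":
        return "permit-internal-rule"    # rule 2: internal ACS DB
    return "deny"


if __name__ == "__main__":
    # What the post observes: user1 with the internal password, AD first.
    print(authenticate(SEQ_AD_FIRST, "user1", "LocalPass1"))
    # user2 is not in AD, so the sequence does fall through to the internal store.
    print(authorize(authenticate(SEQ_AD_FIRST, "user2", "LocalPass2")))
    # Fall-through on reject: the same guess is verified against both stores.
    print(authenticate(SEQ_AD_FIRST, "user1", "LocalPass1", continue_on_reject=True))
```

Running the model reproduces the symptom: with AD first, user1 with the internal-store password is rejected by AD1 and the internal store is never asked; reversing the sequence flips which store decides, and user2, absent from AD, is the only case where the fall-through happens. The `continue_on_reject=True` variant does give the routing the post asks for, but every wrong password for a user present in both stores is then verified twice, so a guessing attacker gets two credential databases per attempt and lockout counters are split between them. Separating the two populations (distinct usernames, a different NDG or a different VPN group, as the reply below suggests) avoids that trade-off.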

hdussa
Level 1

As I don't know how the rules are configured, it is hard to say what to do. Maybe you can use NDG Location as a decision.

Example: authentication comes from SWITCH A, then use AD;

authentication comes from SWITCH B, then use the internal store.


Hi, I am asking for help on VPN user authentication, which means authentication is coming from only one firewall, on which the VPN is configured.