Tacacs+ Backup identity store

Palazsto
Level 1

Hi Guys,

 

I need to configure a backup identity store (actually the local database of the ISE), but it should be used only in case the primary (in this case Active Directory) fails. The users in the local database should not be usable if the AD is reachable. Is this possible?

1 Accepted Solution

Accepted Solutions

Hi Stoyan,

There is another option in the Identity Source Sequence, at the end, to deal with the situation when the ID store is not accessible.

Have you tried this?

-Krishnan


7 Replies

afahmy
Cisco Employee

Yes, put all identity sources in an identity source sequence.

Assign the source sequence to your flow


ldanny
Cisco Employee

When an Identity Source Sequence is created, ISE will go through the chosen identity stores in the order they are placed until it hits a match, much like ACL behavior. When that match is hit, it will stop the sequence of lookups.

e.g.

In the above snapshot, if you were to choose AD1 as the first identity store and then Internal Users as the second, ISE would search for the user under AD1 and, if not found, would move on to Internal Users.

Hope that's clear.
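As an added illustration (not code from this thread and not ISE's own logic), here is a small Python model of the lookup order described in the reply above: the stores are walked in sequence, a store that answers "user not found" is skipped, and the walk stops at the first store that knows the user. It also models the two ways of handling an unreachable store (skip it, or abort with a process error), and, for contrast, the policy the original poster is asking for, where the local store is consulted only when AD cannot be contacted at all. Store names, account names and passwords are constructed sample data; the `on_unreachable` parameter and the policy function are this model's own names, not ISE settings.

```python
# Constructed model of an ordered identity source sequence. Not ISE code.
import hmac
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    PASSED = "passed"              # user found and credentials correct
    FAILED = "failed"              # user found, credentials wrong
    NOT_FOUND = "user_not_found"   # store answered, user is not in it
    UNREACHABLE = "unreachable"    # store could not be contacted at all
    PROCESS_ERROR = "process_error"


@dataclass
class IdentityStore:
    name: str
    users: dict            # username -> password; constructed sample data only
    reachable: bool = True

    def lookup(self, user: str, password: str) -> Status:
        if not self.reachable:
            return Status.UNREACHABLE
        if user not in self.users:
            return Status.NOT_FOUND
        ok = hmac.compare_digest(self.users[user].encode(), password.encode())
        return Status.PASSED if ok else Status.FAILED


def sequence_auth(stores, user, password, on_unreachable="next"):
    """Walk the stores in order and stop at the first one that knows the user.

    on_unreachable="next":  an unreachable store is skipped like 'user not found'
    on_unreachable="error": an unreachable store aborts with PROCESS_ERROR
    (both names are this model's, not ISE option labels).
    Returns (status, name of the store that decided, or None).
    """
    for store in stores:
        result = store.lookup(user, password)
        if result is Status.UNREACHABLE:
            if on_unreachable == "error":
                return Status.PROCESS_ERROR, store.name
            continue
        if result is Status.NOT_FOUND:
            continue          # this store does not know the user: try the next one
        return result, store.name
    return Status.NOT_FOUND, None


def ad_then_local_only_if_ad_down(ad, local, user, password):
    """The policy the original poster asks for: the local store is consulted
    only when AD cannot be contacted. An AD answer of 'user not found' is final.
    This is a decision placed in front of the stores, not a sequence setting."""
    result = ad.lookup(user, password)
    if result is not Status.UNREACHABLE:
        return result, ad.name
    return local.lookup(user, password), local.name


def scenarios():
    """Run both policies over the same sample stores; returns a dict of outcomes."""
    ad = IdentityStore("AD1", {"alice": "Corp-Pw-1"})
    local = IdentityStore("Internal Users", {"breakglass": "Local-Pw-1"})
    out = {}
    # AD reachable: the sequence still accepts the local-only account,
    # which is exactly the behaviour the poster wants to avoid.
    out["seq_ad_up_local_user"] = sequence_auth([ad, local], "breakglass", "Local-Pw-1")
    out["pol_ad_up_local_user"] = ad_then_local_only_if_ad_down(ad, local, "breakglass", "Local-Pw-1")
    # AD unreachable: both policies fall back to the local account.
    ad.reachable = False
    out["seq_ad_down_local_user"] = sequence_auth([ad, local], "breakglass", "Local-Pw-1")
    out["pol_ad_down_local_user"] = ad_then_local_only_if_ad_down(ad, local, "breakglass", "Local-Pw-1")
    # AD unreachable with 'abort on error': no fallback at all.
    out["seq_ad_down_stop"] = sequence_auth([ad, local], "breakglass", "Local-Pw-1", on_unreachable="error")
    return out


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome[0].value} (decided by {outcome[1]})")
```

The point the model makes explicit: with the order [AD1, Internal Users], a username that exists only in Internal Users authenticates whenever AD1 answers "not found", regardless of whether AD1 is up. Only the separate policy function treats "AD reachable but user not found" as final, and that distinction is what the poster's requirement hinges on.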

Thanks for the quick response, guys, but that doesn't solve my case, because I want the ISE to use the local database only in the situation when the AD is not reachable (fails). The Identity Source Sequence is configured just as you have suggested, of course, but in this situation there will be users in the local database that will always have access, even if the AD is up, and I don't want that.

Sounds like you have the same accounts in both the internal and the AD database.

In that case ISE does not support this option.

No, the accounts are different, but I want the accounts from the local store to be usable only if the primary ID store fails (in my case the AD and the ISE are not in the same location and sometimes there are connectivity issues). There are options in the authentication policies (continue, reject and drop), but when I tried to configure it with them, they didn't work as I expected.

ISE does not support this. If you feel this is a feature that is needed, I recommend you contact your Cisco representative with your use case.
