topic ACS 4.2 RSA Authentication and LDAP Group Mapping in Network Access Control

ACS 4.2 RSA Authentication and LDAP Group Mapping

seba — Mon, 11 Mar 2019 03:26:04 GMT

Hello

I have a PaloAlto firewall with Global Protect functionality enabled (VPN-SSL)

I use Cisco Secure ACS as a proxy for RSA SecurID Authentication.

After the authentication y try to map AD Groups through LDAP Query.

The issue I've found is that the user I get with user authentication has no domain:

show user ip-user-mapping all | match mbm60380

10.240.1.24 vsys1 UIA domain\mbm60380 2388 2388

10.240.1.1 vsys1 UIA domain\mbm60380 2101 2101

10.240.250.1 vsys2 GP mbm60380 2590859 2590859

But the list of users I get from the LDAP Query does include domain prefix:

show user group name domain\group1

short name: domain\group1

[1 ] domain\aag60368

[2 ] domain\ced61081

[3 ] domain\jas61669

[4 ] domain\mbm60380

[5 ] domain\pmc61693

[6 ] domain\vcm60984

I would like to create the user with domain in the ACS but it should strip the domain before querying the RSA Server, as it doesn't support domain stripping.

I've tried to fix this on the Palo Alto firewall without any success.

I'm trying to make it work changing Cisco Secure ACS 4.2 but it hasn't worked either:

The RSA Servers are configured as an external database. They are not defined in the Network Device Groups.

Can I configure domain stripping for RSA servers queries?

Thanks

ACS 4.2 RSA Authentication and LDAP Group Mapping

Chris Illsley — Wed, 15 May 2013 07:30:35 GMT

Hi,

I think this should work, but it a bit clumsy:

Create a Proxy Distribution entry in Network Configuration.

domain\*

Strip the Prefix

Forward back to the AAA server, from there authenticate against the RSA server without the domain prefix.

Make sense?

Thanks

Chris

ACS 4.2 RSA Authentication and LDAP Group Mapping

seba — Wed, 15 May 2013 08:05:00 GMT

Hello

The RSA Servers are not defined as AAA Servers.

I created an External User Database as RSA SecurID Token server with a file (C:\WINDOWS\system32\sdconf.rec)

To create a Proxy Distribution entry you need to specify the AAA server, don't you?

Thanks!

ACS 4.2 RSA Authentication and LDAP Group Mapping

Chris Illsley — Wed, 15 May 2013 08:07:09 GMT

Absolutely, hence the reason to forward the request back to your AAA server.

Thanks

Chris

ACS 4.2 RSA Authentication and LDAP Group Mapping

seba — Wed, 15 May 2013 08:15:43 GMT

Please, excuse me.

I don't understand what is "forware the request back to your AAA server" or how to do it.

Do you mean that the ACS sends the query to itself after stripping the domain?

Re: ACS 4.2 RSA Authentication and LDAP Group Mapping

Chris Illsley — Wed, 15 May 2013 08:18:39 GMT

Yes, something like below where GSTT-AAA01 is the AAA server you are configuring the distribution entry on:

Thanks

Chris

Re: ACS 4.2 RSA Authentication and LDAP Group Mapping

Jatin Katyal — Wed, 15 May 2013 08:49:59 GMT

Good going guys. I do agree what "mooncat76" suggested to resolve this thread.

Here is a supporting document in case you wanted to go through.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/NetCfg.html#wp342969

Jatin Katyal

- Do rate helpful posts -

ACS 4.2 RSA Authentication and LDAP Group Mapping

seba — Wed, 15 May 2013 09:36:46 GMT

It has worked

Thank you!

ACS 4.2 RSA Authentication and LDAP Group Mapping

Chris Illsley — Wed, 15 May 2013 09:39:10 GMT

No worries.

Cheers

Chris