Cisco Secure ACS 5.1 with RSA Authentication Manager 7.1 and Active Directory groups for profiles

ChristopheBerger — Mon, 11 Mar 2019 00:28:22 GMT

Hi,

I'm deploying an ACS connected to a RSA AuthManager (which is connected to an Active Directory domain)

I'm creating multiple groups inside the Active Directory server, I'm looking to give different access rights to users regarding to their groups.

I tried to define an access policy "NetOp/NetAdm policy" and two authorization rules :

Rule-1 AD-AD1:ExternalGroups contains any DIR.INTRA/Groups/NETOP "Auth for net operators" 0

Rule-2 AD-AD1:ExternalGroups contains any DIR.INTRA/Groups/NETADM "Auth for net admin" 0

Default : Deny

In the Identity I configured the RSA identity source, so that users get authenticated by the RSA Authentication Manager.

But I always get an access deny, the RSA authentication succeeds but the active directory group belonging does not work, even with unix attributes or main group defined for the user.

My question, is this configuration scenario valid ? Is there another way to define multiple profiles depending on the user group from external source ?

The steps from the monitoring :

Steps

11001 Received RADIUS Access-Request

11017 RADIUS created a new session

Evaluating Service Selection Policy

15004 Matched rule

15012 Selected Access Service - NetOp/NetAdm policy

Evaluating Identity Policy

15004 Matched rule

15013 Selected Identity Store - RSA Server

24500 Authenticating user against the RSA SecurID Server.

24501 A session is established with the RSA SecurID Server.

24506 Check passcode operation succeeded

24505 User authentication has succeeded.

24553 User record was cached

24502 The session with RSA SecurID Server is closed

22037 Authentication Passed

22023 Proceed to attribute retrieval

24628 User cache not enabled in the RADIUS token identity store configuration.

22016 Identity sequence completed iterating the IDStores

Evaluating Group Mapping Policy

15006 Matched Default Rule

Evaluating Exception Authorization Policy

15042 No rule was matched

Evaluating Authorization Policy

15006 Matched Default Rule

15016 Selected Authorization Profile - DenyAccess

15039 Selected Authorization Profile is DenyAccess

11003 Returned RADIUS Access-Reject

Thank you,

Christophe

Re: Cisco Secure ACS 5.1 with RSA Authentication Manager 7.1 and

jrabinow — Wed, 06 Oct 2010 17:30:21 GMT

I think what you need to do is create an identity sequence with RSA as the selection in

Authentication and Attribute Retrieval Search List and AD in Additional Attribute Retrieval Search List. Then select this sequence as the result in the identity policy for the service

Re: Cisco Secure ACS 5.1 with RSA Authentication Manager 7.1 and

ChristopheBerger — Thu, 07 Oct 2010 09:44:29 GMT

Thanks for the advice, I'll try this solution next week and let you know the result

Re: Cisco Secure ACS 5.1 with RSA Authentication Manager 7.1 and

ChristopheBerger — Tue, 12 Oct 2010 08:05:24 GMT

Hi,

Thanks for your help, I missed this detail.

So I added Active Directory as an additionnal attribute search list and the group mapping is now working fine.

Regards,

Christophe

topic Re: Cisco Secure ACS 5.1 with RSA Authentication Manager 7.1 and in Network Access Control

Cisco Secure ACS 5.1 with RSA Authentication Manager 7.1 and Active Directory groups for profiles

Re: Cisco Secure ACS 5.1 with RSA Authentication Manager 7.1 and

Re: Cisco Secure ACS 5.1 with RSA Authentication Manager 7.1 and

Re: Cisco Secure ACS 5.1 with RSA Authentication Manager 7.1 and