ACS 4.2 RSA Authentication and LDAP Group Mapping

seba

Hello

I have a PaloAlto firewall with Global Protect functionality enabled (VPN-SSL)

I use Cisco Secure ACS as a proxy for RSA SecurID Authentication.

After the authentication I try to map AD Groups through an LDAP Query.

The issue I've found is that the user I get with user authentication has no domain:

show user ip-user-mapping all | match mbm60380

10.240.1.24     vsys1  UIA     domain\mbm60380                 2388           2388        

10.240.1.1      vsys1  UIA     domain\mbm60380                 2101           2101        

10.240.250.1    vsys2  GP      mbm60380                         2590859        2590859   

But the list of users I get from the LDAP Query does include domain prefix:

show user group name domain\group1

short name:  domain\group1

[1     ] domain\aag60368

[2     ] domain\ced61081

[3     ] domain\jas61669

[4     ] domain\mbm60380

[5     ] domain\pmc61693

[6     ] domain\vcm60984

I would like to create the user with domain in the ACS but it should strip the domain before querying the RSA Server, as it doesn't support domain stripping.

I've tried to fix this on the Palo Alto firewall without any success.

I'm trying to make it work by changing Cisco Secure ACS 4.2, but it hasn't worked either:

The RSA Servers are configured as an external database.  They are not defined in the Network Device Groups.

Can I configure domain stripping for RSA servers queries?

Thanks

1 Accepted Solution

Accepted Solutions

Chris Illsley

Hi,

I think this should work, but it is a bit clumsy:

Create a Proxy Distribution entry in Network Configuration.

domain\*

Strip the Prefix

Forward back to the AAA server, from there authenticate against the RSA server without the domain prefix.

Make sense?

Thanks

Chris

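The distribution-table mechanism Chris describes, modelled as an added Python example so the matching, stripping and forward-to-self steps can be traced on realistic names. This is not ACS code and not from anyone in the thread; the table-row fields, the local server name LOCAL-ACS and the default domain name "domain" are assumptions chosen for illustration, while the user IDs and group membership are the ones shown in the original post. The group check at the end is the firewall-side counterpart: the bare name RSA authenticates has to be re-qualified with the domain from the original login before it can be compared with the domain\user entries the LDAP query returns.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class DistributionEntry:
    """One row of a Proxy Distribution Table (constructed model, not ACS code)."""
    character_string: str  # e.g. "domain\\*" (prefix) or "*@example.com" (suffix)
    position: str          # "prefix" or "suffix"
    delimiter: str         # character separating the domain part from the user name
    strip: bool            # remove the matched domain part before forwarding
    forward_to: str        # AAA server the request is sent to


DEFAULT = "(Default)"

# Constructed table: the "domain\*" row strips the prefix and forwards the request
# back to this same ACS (assumed name LOCAL-ACS); the default row handles the
# request locally, i.e. against the external RSA SecurID database.
TABLE = [
    DistributionEntry("domain\\*", "prefix", "\\", True, "LOCAL-ACS"),
    DistributionEntry(DEFAULT, "prefix", "", False, "LOCAL-ACS"),
]

# Constructed from the group listing in the original post.
GROUP1 = ["domain\\aag60368", "domain\\ced61081", "domain\\jas61669",
          "domain\\mbm60380", "domain\\pmc61693", "domain\\vcm60984"]


def matches(entry: DistributionEntry, username: str) -> bool:
    """Case-insensitive match of the character string against the user name."""
    if entry.character_string == DEFAULT:
        return True
    cs = entry.character_string.lower()
    name = username.lower()
    if entry.position == "prefix":
        return cs.endswith("*") and name.startswith(cs[:-1])
    return cs.startswith("*") and name.endswith(cs[1:])


def strip_name(entry: DistributionEntry, username: str) -> str:
    """Apply the row's strip option: drop the domain part up to/from the delimiter."""
    if not entry.strip or not entry.delimiter:
        return username
    if entry.position == "prefix":
        _, sep, tail = username.partition(entry.delimiter)
        return tail if sep else username
    head, sep, _ = username.rpartition(entry.delimiter)
    return head if sep else username


def route(username: str, table: List[DistributionEntry] = TABLE,
          max_hops: int = 5) -> Tuple[List[Tuple[str, str, str]], str]:
    """Follow the table hop by hop; return (hops, name finally authenticated)."""
    hops = []
    name = username
    for _ in range(max_hops):
        entry = next(e for e in table if matches(e, name))
        name = strip_name(entry, name)
        hops.append((entry.character_string, entry.forward_to, name))
        if entry.character_string == DEFAULT:
            return hops, name
    # Only reached if a forwarded name keeps matching a forwarding row, e.g. a
    # prefix row that forwards to itself without stripping.
    raise RuntimeError("proxy loop: %s never reaches the default entry" % username)


def causes_loop(username: str, table: List[DistributionEntry]) -> bool:
    """True if the table would bounce this name between rows forever."""
    try:
        route(username, table)
        return False
    except RuntimeError:
        return True


def in_group(login_name: str, group_members: List[str],
             default_domain: str = "domain") -> bool:
    """Match a (possibly bare) authenticated name against domain-qualified
    LDAP group members, using the domain from the original login when present."""
    domain, sep, user = login_name.partition("\\")
    if not sep:
        domain, user = default_domain, login_name
    wanted = "%s\\%s" % (domain, user)
    return any(m.lower() == wanted.lower() for m in group_members)


if __name__ == "__main__":
    for login in ("domain\\mbm60380", "mbm60380"):
        hops, final = route(login)
        print(login, "->", hops, "| RSA sees:", final,
              "| in group1:", in_group(login, GROUP1))
```

The point worth checking before enabling this on a real ACS is the second pass: because the stripped name no longer contains the "\" delimiter, it falls through the "domain\*" row to the default entry, so forwarding to yourself terminates. A row that forwards to itself without stripping would loop, which is what the `causes_loop` check exercises.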


Hello

The RSA Servers are not defined as AAA Servers.

I created an External User Database as RSA SecurID Token server with a file (C:\WINDOWS\system32\sdconf.rec)

To create a Proxy Distribution entry you need to specify the AAA server, don't you?

Thanks!

Absolutely, hence the reason to forward the request back to your AAA server.

Thanks

Chris

Please, excuse me.

I don't understand what "forward the request back to your AAA server" means or how to do it.

Do you mean that the ACS sends the query to itself after stripping the domain?

Yes, something like below where GSTT-AAA01 is the AAA server you are configuring the distribution entry on:

Thanks

Chris

Good going guys. I do agree with what "mooncat76" suggested to resolve this thread.

Here is a supporting document in case you wanted to go through.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/NetCfg.html#wp342969

Jatin Katyal


seba

It has worked

Thank you!

No worries.

Cheers

Chris