Solved: ACS 4.2 RSA Authentication and LDAP Group Mapping

seba · ‎05-15-2013

Hello

I have a PaloAlto firewall with Global Protect functionality enabled (VPN-SSL)

I use Cisco Secure ACS as a proxy for RSA SecurID Authentication.

After the authentication y try to map AD Groups through LDAP Query.

The issue I've found is that the user I get with user authentication has no domain:

show user ip-user-mapping all | match mbm60380

10.240.1.24 vsys1 UIA domain\mbm60380 2388 2388

10.240.1.1 vsys1 UIA domain\mbm60380 2101 2101

10.240.250.1 vsys2 GP mbm60380 2590859 2590859

But the list of users I get from the LDAP Query does include domain prefix:

show user group name domain\group1

short name: domain\group1

[1 ] domain\aag60368

[2 ] domain\ced61081

[3 ] domain\jas61669

[4 ] domain\mbm60380

[5 ] domain\pmc61693

[6 ] domain\vcm60984

I would like to create the user with domain in the ACS but it should strip the domain before querying the RSA Server, as it doesn't support domain stripping.

I've tried to fix this on the Palo Alto firewall without any success.

I'm trying to make it work changing Cisco Secure ACS 4.2 but it hasn't worked either:

The RSA Servers are configured as an external database. They are not defined in the Network Device Groups.

Can I configure domain stripping for RSA servers queries?

Thanks

Chris Illsley · ‎05-15-2013

Hi,

I think this should work, but it a bit clumsy:

Create a Proxy Distribution entry in Network Configuration.

domain\*

Strip the Prefix

Forward back to the AAA server, from there authenticate against the RSA server without the domain prefix.

Make sense?

Thanks

Chris

View solution in original post

Chris Illsley · ‎05-15-2013

Hi,

I think this should work, but it a bit clumsy:

Create a Proxy Distribution entry in Network Configuration.

domain\*

Strip the Prefix

Forward back to the AAA server, from there authenticate against the RSA server without the domain prefix.

Make sense?

Thanks

Chris

seba · ‎05-15-2013

Hello

The RSA Servers are not defined as AAA Servers.

I created an External User Database as RSA SecurID Token server with a file (C:\WINDOWS\system32\sdconf.rec)

To create a Proxy Distribution entry you need to specify the AAA server, don't you?

Thanks!

Chris Illsley · ‎05-15-2013

Absolutely, hence the reason to forward the request back to your AAA server.

Thanks

Chris

seba · ‎05-15-2013

Please, excuse me.

I don't understand what is "forware the request back to your AAA server" or how to do it.

Do you mean that the ACS sends the query to itself after stripping the domain?

Chris Illsley · ‎05-15-2013

Yes, something like below where GSTT-AAA01 is the AAA server you are configuring the distribution entry on:

Thanks

Chris

Jatin Katyal · ‎05-15-2013

Good going guys. I do agree what "mooncat76" suggested to resolve this thread.

Here is a supporting document in case you wanted to go through.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/NetCfg.html#wp342969

Jatin Katyal

- Do rate helpful posts -

~Jatin

seba · ‎05-15-2013

It has worked

Thank you!

Chris Illsley · ‎05-15-2013

No worries.

Cheers

Chris