Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1608
Views
0
Helpful
2
Replies

ACS 5.1: Group mapping for RSA SecurID Token Server store in an Identity Store Sequence

gglynn
Level 1
Level 1

‎08-26-2010 09:34 AM - last edited on ‎03-25-2019 05:27 PM by Community Manager

I have a need to authenticate and authorize users on a NAS via RADIUS against both SecurID and Active Directory using a Cisco ACS 5.1 appliance, but I need to ensure that the AD-authenticated users are in a particular AD group before authorizing.  The problem is that the SecurID users usernames are identical to their AD usernames, and I don't want SecurID users to be able to login with their AD credentials (bypassing SecurID) unless they're in that particular AD group.

I was able to setup SecurID and AD external Identity Stores and put them in an Identity Store Sequence with SecurID first and AD second. I configured the SecurID store to treat authentication rejects as "user not found" rather than "authentication failed," so the fall-through from SecurID to AD works for non-SecurID users, but I can't figure out how to enforce the AD group requirement for users with a SecurID account.

I can design a Network Access Service Authorization Policy to require that an authenticated user be a member of a specific group--either a mapped Identity Group or an AD group--in order to be permitted access, but SecurID-authenticated users aren't assigned to any groups. I can't seem to map authenticated SecurID users to internal Identity Groups, because there doesn't seem to be a SecurID dictionary on the ACS by which to accomplish the mapping with a Network Access Service Group Mapping Policy.

Anyone have any idea how I can accomplish this?

Labels:
0 Helpful
2 Replies 2

jrabinow
Level 7
Level 7

‎08-26-2010 11:11 AM

You can try and put the Active Directory in the list of databases for "Additional Attribute Retrieval Search List"

Then in cases where authentication against securID succeeds active directory will be accessed to retrieve attributes

Therefore in both use cases attribute directory attributes will be available for the authorization policy

0 Helpful

gglynn
Level 1
Level 1
In response to jrabinow

‎08-26-2010 11:21 AM

Good to know, but that actually won't help in this case, because I want the user to be able to login if he's in the NonSecurIDVPNAccess group *or* he uses a SecurID to login. If I just do the AD attribute lookup, a user not in that group who successfully authenticates with a SecurID would still be denied access.  What I really need is to be able to map all SecurID authenticated users to a single internal Identity Group and filter on that in the Authorization Policy.  Is this at all possible?

0 Helpful
Customers Also Viewed These Support Documents