Darran,

Thanks for the reply.

I am able to get RSA to authenticate my user account, but now, can I dynamically assign users to proper groups based on AD group membership. Can I even do such a thing: check the group membership in AD and use RSA token for authentication.

Currently ACS only lets me choose one group where I can have all my RSA users in.

Unfortunately not.

This ability was being designed into ACS XA but that project got canned.

I doubt ACS v5.0 will be that flexible.

The only workaround I have found is manually mapping users to a different group once they have been cached in ACS. It does not scale to large environments, but if you have a static batch of users, it may work.

Thanks everyone for your replies.

I finally remembered how I had accomplished this in the past. The reason I had asked was once I had done this scenario at a client site, but could not remember it. Over the weekend it finally came back to me. At this client site, I did not have an appliance, I had ACS for windows, and we had made the server a member server of the domain, it was able to grab all the AD groups, and we then sent the authentication to an RSA server. Plus dynamically map them to group in ACS.

Now since we have an appliance, I can?t have the ACS grab AD groups and authenticate against RSA.

This bites.... :(

Thanks again everyone. If anyone comes up with an alternative or a solution please let me know.