ChristopheBerger
Beginner

Cisco Secure ACS 5.1 with RSA Authentication Manager 7.1 and Active Directory groups for profiles

Hi,

I'm deploying an ACS connected to an RSA Authentication Manager (which is connected to an Active Directory domain).

I'm creating multiple groups in the Active Directory server, and I'm looking to give different access rights to users according to their groups.

I tried to define an access policy "NetOp/NetAdm policy" and two authorization rules:

Rule-1 AD-AD1:ExternalGroups contains any DIR.INTRA/Groups/NETOP "Auth for net operators" 0

Rule-2 AD-AD1:ExternalGroups contains any DIR.INTRA/Groups/NETADM "Auth for net admin" 0

Default: Deny

In the Identity I configured the RSA identity source, so that users get authenticated by the RSA Authentication Manager.

But I always get an access denial: the RSA authentication succeeds, but the Active Directory group membership does not work, even with Unix attributes or a main group defined for the user.

My question: is this configuration scenario valid? Is there another way to define multiple profiles depending on the user's group from an external source?

The steps from the monitoring:

Steps
11001  Received RADIUS Access-Request
11017  RADIUS created a new session
Evaluating Service Selection Policy
15004  Matched rule
15012  Selected Access Service - NetOp/NetAdm policy
Evaluating Identity Policy
15004  Matched rule
15013  Selected Identity Store - RSA Server
24500  Authenticating user against the RSA SecurID Server.
24501  A session is established with the RSA SecurID Server.
24506  Check passcode operation succeeded
24505  User authentication has succeeded.
24553  User record was cached
24502  The session with RSA SecurID Server is closed
22037  Authentication Passed
22023  Proceed to attribute retrieval
24628  User cache not enabled in the RADIUS token identity store configuration.
22016  Identity sequence completed iterating the IDStores
Evaluating Group Mapping Policy
15006  Matched Default Rule
Evaluating Exception Authorization Policy
15042  No rule was matched
Evaluating Authorization Policy
15006  Matched Default Rule
15016  Selected Authorization Profile - DenyAccess
15039  Selected Authorization Profile is DenyAccess
11003  Returned RADIUS Access-Reject

Thank you,

Christophe

1 Accepted Solution
jrabinow
Rising star

I think what you need to do is create an identity sequence with RSA as the selection in "Authentication and Attribute Retrieval Search List" and AD in "Additional Attribute Retrieval Search List". Then select this sequence as the result in the identity policy for the service.

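To make the accepted answer concrete, here is an added illustration (not Cisco code and not anything from the thread) that models how an ACS 5.x identity sequence feeds attributes into the authorization policy. The store names, user, passcode and group memberships are constructed; the rule names, attribute name, group paths and profile names are the ones from the question. It reproduces the symptom in the posted log (RSA authenticates, no AD attributes are retrieved, the authorization policy falls through to the Default rule and DenyAccess) and the fix (AD listed as an additional attribute retrieval store), and includes a small check over the step log that flags the "authentication passed but DenyAccess" pattern.

```python
# Added illustration (not Cisco code): a small model of how an ACS 5.x identity
# sequence feeds attributes into the authorization policy, reproducing the
# failure in the original post (RSA authenticates, AD groups never retrieved,
# Default -> DenyAccess) and the fix (AD added as an additional attribute store).
from dataclasses import dataclass, field

# Constructed sample data: the RSA store only validates passcodes and returns
# no group attributes; the AD store returns the user's group memberships.
RSA_PASSCODES = {"cberger": "159246"}                      # constructed
AD_MEMBERSHIP = {"cberger": ["DIR.INTRA/Groups/NETOP"]}    # constructed

AUTHZ_RULES = [  # (name, attribute, group it must contain, authorization profile)
    ("Rule-1", "AD-AD1:ExternalGroups", "DIR.INTRA/Groups/NETOP", "Auth for net operators"),
    ("Rule-2", "AD-AD1:ExternalGroups", "DIR.INTRA/Groups/NETADM", "Auth for net admin"),
]
DEFAULT_PROFILE = "DenyAccess"


@dataclass
class IdentitySequence:
    # "Authentication and Attribute Retrieval Search List"
    auth_stores: list
    # "Additional Attribute Retrieval Search List"
    extra_attr_stores: list = field(default_factory=list)


def rsa_store(user, passcode=None):
    """Token store: answers accept/deny, contributes no attributes."""
    return RSA_PASSCODES.get(user) == passcode, {}


def ad_store(user, passcode=None):
    """Directory store used here only for attribute retrieval (no password check)."""
    groups = AD_MEMBERSHIP.get(user, [])
    return True, {"AD-AD1:ExternalGroups": list(groups)}


STORES = {"RSA Server": rsa_store, "AD-AD1": ad_store}   # constructed store names


def run_identity_sequence(seq, user, passcode):
    """Authenticate against the first store in the auth list that accepts the
    user, then merge attributes from every additional attribute store."""
    authenticated = False
    attributes = {}
    for name in seq.auth_stores:
        ok, attrs = STORES[name](user, passcode)
        if ok:
            authenticated = True
            attributes.update(attrs)
            break
    if not authenticated:
        return False, {}
    for name in seq.extra_attr_stores:
        _, attrs = STORES[name](user)
        attributes.update(attrs)
    return True, attributes


def authorize(attributes):
    """Top-down rule match; the first rule whose condition holds wins."""
    for name, attr, group, profile in AUTHZ_RULES:
        if group in attributes.get(attr, []):
            return name, profile
    return "Default", DEFAULT_PROFILE


def radius_decision(seq, user, passcode):
    """Return (RADIUS verdict, matched rule, authorization profile)."""
    ok, attrs = run_identity_sequence(seq, user, passcode)
    if not ok:
        return "Access-Reject", "Default", DEFAULT_PROFILE
    rule, profile = authorize(attrs)
    verdict = "Access-Reject" if profile == DEFAULT_PROFILE else "Access-Accept"
    return verdict, rule, profile


def diagnose_steps(step_lines):
    """Flag the symptom in the posted log: authentication passed (22037), yet
    the authorization policy selected DenyAccess (15039). That combination
    means the rule conditions had nothing to match on, i.e. the attributes the
    rules reference were never retrieved."""
    text = "\n".join(step_lines)
    if "22037" in text and "15039" in text and "DenyAccess" in text:
        return "authenticated but authorization hit Default/DenyAccess: check attribute retrieval"
    return "no issue detected"


# Constructed excerpt of the step log from the question.
SAMPLE_STEPS = [
    "22037  Authentication Passed",
    "15006  Matched Default Rule",
    "15039  Selected Authorization Profile is DenyAccess",
    "11003  Returned RADIUS Access-Reject",
]

if __name__ == "__main__":
    before = IdentitySequence(auth_stores=["RSA Server"])
    after = IdentitySequence(auth_stores=["RSA Server"], extra_attr_stores=["AD-AD1"])
    print(radius_decision(before, "cberger", "159246"))  # ('Access-Reject', 'Default', 'DenyAccess')
    print(radius_decision(after, "cberger", "159246"))   # ('Access-Accept', 'Rule-1', 'Auth for net operators')
    print(diagnose_steps(SAMPLE_STEPS))
```

The point the model makes: a token store such as RSA can only say yes or no, so a rule written against `AD-AD1:ExternalGroups` can never match unless some store in the sequence is asked to return that attribute. With AD in the additional attribute retrieval list the same user and passcode reach Rule-1 instead of the Default rule.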

3 Replies

Thanks for the advice, I'll try this solution next week and let you know the result.

Hi,

Thanks for your help, I missed this detail.

So I added Active Directory as an additional attribute search list, and the group mapping is now working fine.

Regards,

Christophe
