Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4883
Views
5
Helpful
3
Replies

Cisco Secure ACS 5.1 with RSA Authentication Manager 7.1 and Active Directory groups for profiles

Go to solution
ChristopheBerger
Level 1
Level 1

‎10-06-2010 08:34 AM - edited ‎03-10-2019 05:28 PM

Hi,

I'm deploying an ACS connected to a RSA AuthManager (which is connected to an Active Directory domain)

I'm creating multiple groups inside the Active Directory server, I'm looking to give different access rights to users regarding to their groups.

I tried to define an access policy "NetOp/NetAdm policy" and two authorization rules :

Rule-1 AD-AD1:ExternalGroups contains any DIR.INTRA/Groups/NETOP "Auth for net operators" 0

Rule-2 AD-AD1:ExternalGroups contains any DIR.INTRA/Groups/NETADM "Auth for net admin" 0

Default : Deny

In the Identity I configured the RSA identity source, so that users get authenticated by the RSA Authentication Manager.

But I always get an access deny, the RSA authentication succeeds but the active directory group belonging does not work, even with unix attributes or main group defined for the user.

My question, is this configuration scenario valid ? Is there another way to define multiple profiles depending on the user group from external source ?

The steps from the monitoring :

Steps

11001  Received RADIUS Access-Request

11017  RADIUS created a new session

Evaluating Service Selection Policy

15004  Matched rule

15012  Selected Access Service - NetOp/NetAdm policy

Evaluating Identity Policy

15004  Matched rule

15013  Selected Identity Store - RSA Server

24500  Authenticating user against the RSA SecurID Server.

24501  A session is established with the RSA SecurID Server.

24506  Check passcode operation succeeded

24505  User authentication has succeeded.

24553  User record was cached

24502  The session with RSA SecurID Server is closed

22037  Authentication Passed

22023  Proceed to attribute retrieval

24628  User cache not enabled in the RADIUS token identity store configuration.

22016  Identity sequence completed iterating the IDStores

Evaluating Group Mapping Policy

15006  Matched Default Rule

Evaluating Exception Authorization Policy

15042  No rule was matched

Evaluating Authorization Policy

15006  Matched Default Rule

15016  Selected Authorization Profile - DenyAccess

15039  Selected Authorization Profile is DenyAccess

11003  Returned RADIUS Access-Reject

Thank you,

Christophe

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jrabinow
Level 7
Level 7

‎10-06-2010 10:30 AM

I think what you need to do is create an identity sequence with RSA as the selection in

Authentication and Attribute Retrieval Search List and AD in Additional Attribute Retrieval Search List. Then select this sequence as the result in the identity policy for the service

View solution in original post

3 Replies 3

Go to solution
jrabinow
Level 7
Level 7

‎10-06-2010 10:30 AM

I think what you need to do is create an identity sequence with RSA as the selection in

Authentication and Attribute Retrieval Search List and AD in Additional Attribute Retrieval Search List. Then select this sequence as the result in the identity policy for the service

Go to solution
ChristopheBerger
Level 1
Level 1
In response to jrabinow

‎10-07-2010 02:44 AM

Thanks for the advice, I'll try this solution next week and let you know the result

0 Helpful

Go to solution
ChristopheBerger
Level 1
Level 1
In response to jrabinow

‎10-12-2010 01:05 AM

Hi,

Thanks for your help, I missed this detail.

So I added Active Directory as an additionnal attribute search list and the group mapping is now working fine.

Regards,

Christophe

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents