12-15-2010 02:50 PM - edited 03-10-2019 05:39 PM
Greetings,
I'm trying to set up RSA authentication with LDAP group mapping with ACS Release 4.2(1) Build 15 Patch 3.
The problem I'm having is that my users are in multiple OU's on our AD tree. When I only put our base DN in for User Directory Subtree on ACS, it fails with a "External DB reports about an error condition" error. If I add an OU in front of it, then it will work fine.
As far as I know, you can only use one LDAP configuration with RSA.
Any thoughts on this?
12-21-2010 09:38 PM
Scott,
Have you considered this option:
It looks as if the RSA can return a response that can place the user in a specific ACS group without needing LDAP mapping.
Let me know if this helps.
Tarik Admani
12-22-2010 06:38 AM
@Tarik
I believe your suggestion is the only way I'm going to get this to work. I ran across a similar method just this week that I have been working on.
I was hoping for dynamic mapping with the original method, but I haven't found any way to make it happen. I have resorted to creating a RADIUS profile on the RSA appliance for each access group I need. Using the Class attribute, I then pass the desired group name to the ACS, i.e. OU=Admins, and that seems to work.
Thankfully, I have a small group of users that I am attempting to map. I will only map those who need elevated privileges to narrow down how many profiles I will have to manually create. Likewise, our Account Admin will have to determine who gets assigned a particular access group.
I would still prefer to do this dynamically.
Scott
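The workaround Scott describes relies on the RSA appliance returning a RADIUS Class attribute (type 25, RFC 2865) whose value names the ACS group, e.g. OU=Admins. The following is an added example, not code from this thread or from Cisco ACS or RSA, showing how a receiving side would frame an Access-Accept, walk its type/length/value attributes, and map the Class value to a group. The packet bytes are constructed, and the group names in GROUP_MAP are hypothetical. An unknown or absent Class value falls through to a default group rather than to an elevated one, which is the behaviour a defender wants when a profile is misconfigured.

```python
"""Parse the Class attribute from a RADIUS Access-Accept and map it to a group.

Added illustration for the thread above; the packet is constructed and the
group names are hypothetical, not values from ACS or RSA.
"""
import struct

ACCESS_ACCEPT = 2          # RADIUS packet code (RFC 2865, section 3)
ATTR_REPLY_MESSAGE = 18    # Reply-Message attribute type (RFC 2865, 5.18)
ATTR_CLASS = 25            # Class attribute type (RFC 2865, section 5.25)

# Hypothetical mapping: Class value sent by a per-group RADIUS profile -> group name.
GROUP_MAP = {
    b"OU=Admins": "Network Admins",
    b"OU=Helpdesk": "Helpdesk",
}


def build_attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type (1 byte), Length (1 byte, header included), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_accept(identifier: int, attributes: bytes,
                        authenticator: bytes = b"\x00" * 16) -> bytes:
    """Frame a RADIUS packet: Code, Identifier, Length, 16-byte Authenticator, Attributes.

    The authenticator is zeroed here because this example does not model the
    shared secret; a real client must verify it before trusting any attribute.
    """
    length = 20 + len(attributes)
    return struct.pack("!BBH", ACCESS_ACCEPT, identifier, length) + authenticator + attributes


def parse_attributes(packet: bytes) -> list:
    """Return [(type, value), ...] from a RADIUS packet, rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the fixed RADIUS header")
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("bad packet length")
    attrs = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        # Length covers the two header bytes, so anything under 2 would loop forever.
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length out of range")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def group_from_class(packet: bytes, group_map=GROUP_MAP,
                     default: str = "Default Group") -> str:
    """Map the first recognised Class value to a group; unknown or missing -> default."""
    for attr_type, value in parse_attributes(packet):
        if attr_type == ATTR_CLASS and value in group_map:
            return group_map[value]
    return default


if __name__ == "__main__":
    # Constructed Access-Accept carrying a Reply-Message and a Class attribute.
    pkt = build_access_accept(
        7,
        build_attribute(ATTR_REPLY_MESSAGE, b"welcome")
        + build_attribute(ATTR_CLASS, b"OU=Admins"),
    )
    print(parse_attributes(pkt))
    print(group_from_class(pkt))
```

The exact-match lookup is deliberate: a Class value such as OU=Admins2 or a value with trailing bytes does not get a prefix match onto the Admins group. Whatever group mapping the ACS side actually applies, the RSA profile for each group still has to be created by hand, which is the limitation Scott notes above.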