12-07-2010 02:15 PM - edited 03-10-2019 05:38 PM
Hi
We've recently set up our ASA SSL VPN to use our RSA Authentication Manager 7.1 system via the native SDI protocol. It is working great but I'm wondering if there is some way to have the ASA and the RSA server exchange 'group policy' information, i.e.:
When a user currently connects to the SSL VPN there is a dropdown box to control which group policy they connect with...is there some way to have the RSA pass back the group based on the user account and the group they belong to on the RSA server?
Thanks very much.
Jason
12-08-2010 11:48 AM
Hi Jason,
As far as I know, this is not possible with just the RSA server. However, if you have a Radius or LDAP server (which can be a Microsoft AD server) with the same users as on the RSA server, then you can do authentication against RSA and in addition authorization against Radius or LDAP. The authorization server then sends the group info (and/or other attributes) to the ASA.
Let me know if you'd like to get more details on either solution.
hth
Herbert
02-15-2011 10:29 AM
If you use RADIUS instead of SDI, you can pass the group information from RSA to ASA. In RSA, install the RADIUS server and create profiles for the groups you have in ASA. The group profiles in RSA have to match the profile names in ASA. For each RSA profile, you will have to add an attribute CLASS with the entry as follows: OU={ASA profile name}; the semicolon is needed.
Also, you need to create a RADIUS client for your ASA in RSA.
Dat
06-15-2011 08:06 AM
Thanks Dat, your post really helped me out.
As a heads up to anyone reading this post, with an RSA server and an ASA, this works for AnyConnect version 3.0.
Just make sure you name the profile with the exact same name and use the same case as your group profile and use the following as a template:
Return List Attributes
Attribute: class [M]
Value OU=ASA_Profile;
It's the brackets that caught me out!
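The three pitfalls raised in this thread (exact name and case, the trailing semicolon, and stray brackets) can be checked before rollout. The script below is an added example, not code from any poster or from Cisco or RSA: it compares class values against the group-policy names in an ASA configuration. The sample configuration and profile values are constructed, and it assumes the braces in the earlier post are placeholder notation, as the template without them suggests.

```python
import re

# Constructed sample input, not taken from the thread.
ASA_CONFIG = """\
group-policy Engineering internal
group-policy Engineering attributes
 vpn-tunnel-protocol ssl-client
group-policy Contractors internal
"""

# RADIUS profile name -> class return value as typed into the RSA profile.
RSA_CLASS_VALUES = {
    "Engineering": "OU=Engineering;",
    "Contractors": "OU=contractors;",  # wrong case
    "Sales": "OU={Sales};",            # placeholder braces left in
    "Support": "OU=Engineering",       # missing semicolon
}

def asa_group_policies(config):
    """Return the group-policy names defined in an ASA configuration."""
    pattern = r"^group-policy\s+(\S+)\s+(?:internal|external)\b"
    return set(re.findall(pattern, config, re.M))

def check_class_value(value, policies):
    """Return a list of problems with one class value; empty means it matches."""
    if not value.startswith("OU="):
        return ["value does not start with OU="]
    problems = []
    name = value[3:]
    if name.endswith(";"):
        name = name[:-1]
    else:
        problems.append("missing trailing semicolon")
    if "{" in name or "}" in name:
        problems.append("braces are part of the value")
        name = name.strip("{}")
    if name not in policies:
        folded = {p.lower(): p for p in policies}
        if name.lower() in folded:
            problems.append(f"case differs from ASA group policy {folded[name.lower()]!r}")
        else:
            problems.append(f"no ASA group policy named {name!r}")
    return problems

def audit(config, class_values):
    """Map each RADIUS profile to the problems found in its class value."""
    policies = asa_group_policies(config)
    return {p: check_class_value(v, policies) for p, v in class_values.items()}

if __name__ == "__main__":
    for profile, problems in audit(ASA_CONFIG, RSA_CLASS_VALUES).items():
        print(profile, "OK" if not problems else "; ".join(problems))
```

A profile whose class value fails any of these checks should be corrected and then confirmed with a test login that the intended group policy is applied.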