Beginner

ACS 4.2 RSA Authentication and LDAP Group Mapping

Hello

I have a Palo Alto firewall with GlobalProtect functionality enabled (SSL VPN).

I use Cisco Secure ACS as a proxy for RSA SecurID Authentication.

After the authentication I try to map AD groups through an LDAP query.

The issue I've found is that the user I get with user authentication has no domain:

show user ip-user-mapping all | match mbm60380

10.240.1.24     vsys1  UIA     domain\mbm60380                 2388           2388
10.240.1.1      vsys1  UIA     domain\mbm60380                 2101           2101
10.240.250.1    vsys2  GP      mbm60380                         2590859        2590859

But the list of users I get from the LDAP query does include the domain prefix:

show user group name domain\group1

short name:  domain\group1
[1     ] domain\aag60368
[2     ] domain\ced61081
[3     ] domain\jas61669
[4     ] domain\mbm60380
[5     ] domain\pmc61693
[6     ] domain\vcm60984

I would like to create the user with domain in the ACS but it should strip the domain before querying the RSA Server, as it doesn't support domain stripping.

I've tried to fix this on the Palo Alto firewall without any success.

I'm trying to make it work changing Cisco Secure ACS 4.2 but it hasn't worked either:

The RSA Servers are configured as an external database.  They are not defined in the Network Device Groups.

Can I configure domain stripping for RSA servers queries?

Thanks

ACCEPTED SOLUTION

Participant

ACS 4.2 RSA Authentication and LDAP Group Mapping

Hi,

I think this should work, but it's a bit clumsy:

Create a Proxy Distribution entry in Network Configuration.

domain\*

Strip the Prefix

Forward back to the AAA server, from there authenticate against the RSA server without the domain prefix.

Make sense?

Thanks

Chris


8 REPLIES
Beginner

ACS 4.2 RSA Authentication and LDAP Group Mapping

Hello

The RSA Servers are not defined as AAA Servers.

I created an External User Database as RSA SecurID Token server with a file (C:\WINDOWS\system32\sdconf.rec)

To create a Proxy Distribution entry you need to specify the AAA server, don't you?

Thanks!

Participant

ACS 4.2 RSA Authentication and LDAP Group Mapping

Absolutely, hence the reason to forward the request back to your AAA server.

Thanks

Chris

Beginner

ACS 4.2 RSA Authentication and LDAP Group Mapping

Please, excuse me.

I don't understand what "forward the request back to your AAA server" means or how to do it.

Do you mean that the ACS sends the query to itself after stripping the domain?

Participant

Re: ACS 4.2 RSA Authentication and LDAP Group Mapping

Yes, something like below where GSTT-AAA01 is the AAA server you are configuring the distribution entry on:

Thanks

Chris
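The strip-and-forward flow described in the replies above, as an added illustration that is not part of this thread and not Cisco ACS code: a small Python model of a Proxy Distribution Table with a `domain\*` entry (Strip: Yes, Forward To: the local ACS) placed above the `(Default)` entry, run against a constructed stand-in for the RSA SecurID external database, where users exist only by their bare name. The server name GSTT-AAA01 is taken from the reply; the usernames, passcodes and the reduced table semantics (top-down first match, trailing `*` treated as a wildcard, forwarding to the local server meaning local processing) are assumptions made for the model.

```python
"""
Model of an ACS 4.2 Proxy Distribution Table entry that strips a 'domain\\'
prefix before the local RSA SecurID external database sees the username.

Illustration written for this thread; it is not Cisco ACS code. The table
is reduced to what the thread uses: ordered entries with a character string
(a prefix, optionally ending in '*'), a Strip flag and a Forward To target.
"""
from dataclasses import dataclass
from typing import List, Tuple

LOCAL_AAA = "GSTT-AAA01"  # the ACS the entry lives on (server name from the reply)

# Constructed stand-in for the RSA SecurID external database: SecurID knows
# the bare username only and does no domain stripping of its own.
RSA_USERS = {"mbm60380": "159753", "aag60368": "246810"}


def rsa_authenticate(username: str, passcode: str) -> bool:
    """SecurID lookup as the thread describes it: exact match on the bare name."""
    return RSA_USERS.get(username) == passcode


@dataclass
class Entry:
    char_string: str  # '(Default)', or a prefix such as 'domain\\*'
    strip: bool       # "Strip: Yes/No" in the ACS entry
    forward_to: str   # AAA server name; LOCAL_AAA means process on this ACS

    @property
    def prefix(self) -> str:
        # A trailing '*' is the wildcard written in the reply; the match is
        # on everything before it.
        return self.char_string.rstrip("*")

    def matches(self, username: str) -> bool:
        return self.char_string == "(Default)" or username.startswith(self.prefix)

    def rewrite(self, username: str) -> str:
        """Username as it is handed on: prefix removed only when Strip is set."""
        if self.strip and self.char_string != "(Default)":
            return username[len(self.prefix):]
        return username


class ProxyDistributionTable:
    def __init__(self, entries: List[Entry]) -> None:
        self.entries = entries

    def route(self, username: str) -> Tuple[str, str]:
        """First matching entry wins (top-down), so '(Default)' must be last."""
        for entry in self.entries:
            if entry.matches(username):
                return entry.rewrite(username), entry.forward_to
        raise LookupError("no entry matched and no (Default) entry present")

    def authenticate(self, username: str, passcode: str) -> Tuple[bool, str]:
        forwarded_user, target = self.route(username)
        if target != LOCAL_AAA:
            # Would be proxied to another AAA server; not modelled here.
            return False, f"proxied to {target} as {forwarded_user!r}"
        ok = rsa_authenticate(forwarded_user, passcode)
        return ok, f"local RSA SecurID lookup as {forwarded_user!r}"


# Before: only the (Default) entry, so 'domain\\user' reaches SecurID unchanged.
BEFORE = ProxyDistributionTable([Entry("(Default)", False, LOCAL_AAA)])

# After: the entry from the accepted answer, placed above (Default).
AFTER = ProxyDistributionTable([
    Entry("domain\\*", strip=True, forward_to=LOCAL_AAA),
    Entry("(Default)", strip=False, forward_to=LOCAL_AAA),
])

# Same two entries in the wrong order: (Default) matches first, nothing is stripped.
MISORDERED = ProxyDistributionTable(list(reversed(AFTER.entries)))


if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("after", AFTER), ("misordered", MISORDERED)):
        ok, how = table.authenticate("domain\\mbm60380", "159753")
        print(f"{name:10s} domain\\mbm60380 -> {'OK' if ok else 'FAIL'} ({how})")
```

Two things the model makes visible that the GUI does not: the `(Default)` entry matches every username, so the `domain\*` entry only takes effect if it sits above it in the table, and a user from a different domain (for example `other\mbm60380`) passes through untouched and still fails against SecurID, so each domain prefix that should be stripped needs its own entry.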

Cisco Employee

Re: ACS 4.2 RSA Authentication and LDAP Group Mapping

Good going, guys. I agree with what "mooncat76" suggested to resolve this thread.

Here is a supporting document in case you wanted to go through.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/NetCfg.html#wp342969

Jatin Katyal
Beginner

ACS 4.2 RSA Authentication and LDAP Group Mapping

It has worked

Thank you!

Participant

ACS 4.2 RSA Authentication and LDAP Group Mapping

No worries.

Cheers

Chris