RSA authentication with LDAP group mapping

scottlentz
Level 1

Greetings,

I'm trying to set up RSA authentication with LDAP group mapping with ACS Release 4.2(1) Build 15 Patch 3.

The problem I'm having is that my users are in multiple OUs on our AD tree. When I only put our base DN in for User Directory Subtree on ACS, it fails with an "External DB reports about an error condition" error. If I add an OU in front of it, then it will work fine.

As far as I know, you can only use one LDAP configuration with RSA.

Any thoughts on this?


Tarik Admani
VIP Alumni

Scott,

Have you considered this option:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2.1/User_Guide/GrpMap.html#wp961623

It looks as if the RSA can return a response that can place the user in a specific ACS group without needing LDAP mapping.

Let me know if this helps.

Tarik Admani

@Tarik

I believe your suggestion is the only way I'm going to get this to work. I ran across a similar method just this week that I have been working on.

I was hoping for dynamic mapping with the original method, but I haven't found any way to make it happen. I have resorted to creating a RADIUS profile on the RSA appliance for each access group I need. Using the Class attribute, I then pass the desired group name to the ACS, i.e. OU=Admins, and that seems to work.

Thankfully, I have a small group of users that I am attempting to map. I will only map those who need elevated privileges to narrow down how many profiles I will have to manually create. Likewise, our Account Admin will have to determine who gets assigned a particular access group.

I would still prefer to do this dynamically.

Scott
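The workaround Scott describes (the RSA appliance returns a RADIUS Class attribute such as "OU=Admins", and ACS places the user in the matching group) can be modelled in a few lines. The block below is an added example, not code from the thread, from ACS or from RSA; the group names, the mapping table and the sample replies are constructed for illustration, and the "OU=" prefix convention is taken from the post above. It shows the checks a practitioner would want around such a mapping: rejects never yield a group, repeated Class attributes are handled in order, malformed values are ignored, and an accept that carries no recognised group falls back to a least-privileged default rather than to an elevated one.

```python
"""Added example: map a RADIUS Class attribute onto a local access group.

Models the approach described in the thread (RSA returns Class="OU=<name>",
ACS assigns the user to the group named after that OU). Everything here is
constructed for illustration and is not ACS or RSA configuration.
"""

from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Agreed convention from the thread: the Class value is "OU=" + group name.
CLASS_PREFIX = "OU="

# Constructed mapping from the OU name carried in Class to the local group.
# Anything not listed here is deliberately NOT promoted to an admin group.
GROUP_MAP = {
    "Admins": "Network Admins",
    "Helpdesk": "Read-Only Operators",
}

# Least-privileged group for authenticated users without a usable Class value.
DEFAULT_GROUP = "Default Group"


@dataclass(frozen=True)
class RadiusReply:
    """Minimal stand-in for a RADIUS response: a code plus (name, value) pairs.
    Attributes may repeat, which is why a tuple of pairs is used, not a dict."""
    code: str                                   # "Access-Accept" or "Access-Reject"
    attributes: Tuple[Tuple[str, Union[str, bytes]], ...]


def extract_class_groups(reply: RadiusReply) -> List[str]:
    """Return the OU names found in Class attributes, preserving order.

    Class values that do not follow the 'OU=' convention (or decode to
    nothing after the prefix) are skipped rather than trusted."""
    groups: List[str] = []
    for name, value in reply.attributes:
        if name != "Class":
            continue
        if isinstance(value, bytes):                       # Class is opaque on the wire
            value = value.decode("utf-8", errors="replace")
        if value.startswith(CLASS_PREFIX):
            ou = value[len(CLASS_PREFIX):].strip()
            if ou:
                groups.append(ou)
    return groups


def assign_group(reply: RadiusReply) -> Optional[str]:
    """Decide which local group the authenticated user lands in.

    - Access-Reject (or anything that is not an Access-Accept) -> no group.
    - The first Class value naming a known group wins.
    - An Access-Accept with no recognised Class value -> DEFAULT_GROUP, so an
      authenticated user never silently inherits elevated rights."""
    if reply.code != "Access-Accept":
        return None
    for ou in extract_class_groups(reply):
        if ou in GROUP_MAP:
            return GROUP_MAP[ou]
    return DEFAULT_GROUP


if __name__ == "__main__":
    # Constructed sample replies, as an RSA-style RADIUS server might return them.
    samples = {
        "admin": RadiusReply("Access-Accept", (("Class", "OU=Admins"),)),
        "helpdesk_bytes": RadiusReply("Access-Accept", (("Class", b"OU=Helpdesk"),)),
        "unknown_ou": RadiusReply("Access-Accept", (("Class", "OU=Finance"),)),
        "no_class": RadiusReply("Access-Accept", (("Session-Timeout", "3600"),)),
        "rejected": RadiusReply("Access-Reject", (("Class", "OU=Admins"),)),
    }
    for label, reply in samples.items():
        print(f"{label:15} -> {assign_group(reply)}")
```

The important design choice is the fallback: when the Class attribute is missing, malformed or names an OU that is not in the mapping table, the user still authenticates (the RSA accept stands) but only receives the default group. That keeps the per-group RADIUS profiles on the RSA side as the single place where elevated access is granted, which is the property Scott is relying on when he limits the profiles to users who need elevated privileges.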
