SSL VPN w/ RSA, how to control group other than 'alias' dropdown?

jasonhumes
Level 1

Hi

We've recently set up our ASA SSL VPN to use our RSA Authentication Manager 7.1 system via the native SDI protocol. It is working great but I'm wondering if there is some way to have the ASA and the RSA server exchange 'group policy' information, i.e.:

When a user currently connects to the SSL VPN there is a dropdown box to control which group policy they connect with...is there some way to have the RSA pass back the group based on the user account and the group they belong to on the RSA server?

Thanks very much.

Jason

3 Replies

Herbert Baerten
Cisco Employee

Hi Jason,

As far as I know, this is not possible with just the RSA server. However, if you have a RADIUS or LDAP server (which can be a Microsoft AD server) with the same users as on the RSA server, then you can do authentication against RSA and in addition authorization against RADIUS or LDAP. The authorization server then sends the group info (and/or other attributes) to the ASA.

Let me know if you'd like to get more details on either solution.

hth

Herbert

If you use RADIUS instead of SDI, you can pass the group information from RSA to ASA. In RSA, install RADIUS server, create profiles for the groups you have in ASA. The group profiles in RSA have to match the profile names in ASA. For each RSA profile, you will have to add an attribute CLASS with the entry as follows: OU={ASA profile name}; the semicolon is needed.

Also you need to create RADIUS client for your ASA in RSA.

Dat

Thanks Dat, your post really helped me out.

As a heads up to anyone reading this post, with an RSA server and an ASA, this works for AnyConnect version 3.0.

Just make sure you name the profile with the exact same name and use the same case as your group profile and use the following as a template:

Return List Attributes

Attribute: class [M]

Value OU=ASA_Profile;

It's the brackets that caught me out!
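
An added example, not part of any post above and not Cisco or RSA code: a small Python check that compares the Class values configured on the RSA RADIUS profiles with the group-policy names defined on the ASA, covering the exact-name, same-case and trailing-semicolon requirements the replies describe. The function names, the config excerpt and the profile values are constructed for illustration, and treating curly braces as placeholder notation typed literally is an assumption.

```python
import re

# "group-policy <name> internal|external" lines define a policy on the ASA.
GP_RE = re.compile(r"^group-policy\s+(\S+)\s+(?:internal|external)\b", re.M)
# Class value form given in the thread: OU=<name>; (semicolon required).
CLASS_RE = re.compile(r"^OU=([^;]+);$")

def asa_group_policies(running_config):
    """Return the set of group-policy names defined in an ASA config excerpt."""
    return set(GP_RE.findall(running_config))

def check_class_value(value, policies):
    """Classify one RADIUS Class value against the ASA's group-policy names."""
    if value.startswith("OU=") and not value.endswith(";"):
        return "missing trailing semicolon"
    m = CLASS_RE.match(value)
    if not m:
        return "not in OU=<name>; form"
    name = m.group(1)
    if name in policies:
        return "ok"
    if name.strip("{}") in policies:
        # Assumption: braces are placeholder notation typed literally.
        return "literal braces around name"
    by_lower = {p.lower(): p for p in policies}
    if name.lower() in by_lower:
        return "case mismatch with " + by_lower[name.lower()]
    return "no such group policy"

def audit(profiles, running_config):
    """Map each RSA RADIUS profile name to the result for its Class value."""
    policies = asa_group_policies(running_config)
    return {p: check_class_value(v, policies) for p, v in profiles.items()}

# Constructed sample data, not taken from any real device or server.
SAMPLE_CONFIG = """\
group-policy ASA_Profile internal
group-policy ASA_Profile attributes
 vpn-tunnel-protocol ssl-client
group-policy Contractors internal
"""
SAMPLE_PROFILES = {
    "ASA_Profile": "OU=ASA_Profile;",
    "Contractors": "OU=contractors;",
    "Staff": "OU={ASA_Profile};",
    "Guests": "OU=Contractors",
}

if __name__ == "__main__":
    for profile, result in audit(SAMPLE_PROFILES, SAMPLE_CONFIG).items():
        print(f"{profile}: {result}")
```

Any result other than "ok" marks a profile whose Class value will not select the intended group policy and should be corrected on the RSA side before users are assigned to it.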
