Static IP for AnyConnect user from LDAP/RADIUS

marco.kobek
Level 1

Hi.

We have the situation that we built an AnyConnect RAS solution for a lot of users, which are stored in LDAP or RADIUS - we can choose what we like.

Now we have the problem that some of the users (around 1,000) need the same static IP address out of a pool all the time, so they can pass firewalls behind the RAS connection.

I haven't found a possibility to add a static IP via DAP by LDAP or RADIUS attributes and values.

Does anybody know a solution for how we can assign a static IP to our RAS users? Any experience?

Accepted Solution

Herbert Baerten
Cisco Employee

Hi Marco,

on the Radius server, configure the Framed-IP-Address (IETF attribute 8) for each user, with the desired IP address as value.

hth

Herbert

5 Replies

Herbert or others.

Is there any way to have the ASA authenticate against an RSA Authentication Manager but retrieve an IP address from a Radius (perhaps ACS) or LDAP source?

I am aware that I could 'chain' the Radius request through the ACS and provide the IP address in this manner, but I think I would then lose the advantages of the SDI integration between the ASA and the RSA server.

So my question, I presume, is... is it possible to provide the IP address as part of an 'authorisation' rather than an 'authentication' request/response?

Yes, you can use SDI authentication and Radius or LDAP authorization.

However, for Radius it's a bit tricky, because the Radius protocol only supports authentication and accounting, not authorization. Or rather, the authentication and authorization are done in one go. Hence, to do authorization the ASA needs to send an Access-Request, which needs to include the user's password. Obviously this would not work because the password is an OTP (or, in a similar case, when using certificate authentication and Radius authorization, there is no password at all).

The solution the ASA developers have implemented to overcome this, is to always send a fixed password in the Access-Request. This password is the same as the username by default, or you can configure it to be a certain string of your choice (but then it is the same for all users).

Hence, this solution will only work if you can configure your Radius server accordingly.

Alternatively, LDAP authorization does not have this limitation since we can do an LDAP query without providing the user's password. You'll just need an LDAP attribute map to map LDAP attributes/values to ASA attributes/values.

hth

Herbert
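The exchange Herbert describes above, as an added example that is not part of the original thread and is not Cisco ASA or FreeRADIUS code: the NAS (the ASA) sends an Access-Request whose User-Password is the username itself, the server checks that fixed password and answers with an Access-Accept carrying Framed-IP-Address (IETF attribute 8), and the NAS verifies the Response Authenticator before trusting the address. It also shows the RFC 2865 User-Password hiding that makes the "password" visible only to holders of the shared secret. The shared secret, the user table and the addresses are constructed lab values, and the in-memory `USER_DB` stands in for whatever user store the real server uses.

```python
# Added example modelling the ASA <-> RADIUS authorization-only exchange.
# Shared secret, users and addresses below are constructed, not real values.
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FRAMED_IP_ADDRESS = 1, 2, 8  # IETF attribute types (RFC 2865)

SHARED_SECRET = b"constructed-lab-secret"  # assumption: lab value, never reuse

# Constructed per-user table standing in for the RADIUS server's user store.
# Password equals username, matching the ASA's default for authorization requests.
USER_DB = {
    "alice": {"password": "alice", "framed_ip": "10.10.10.5"},
    "bob": {"password": "bob", "framed_ip": "10.10.10.6"},
}


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, XOR each block with
    MD5(secret + previous ciphertext block); first block keyed by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; the key chain is driven by the ciphertext blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # padding is NUL, so trailing NULs in a password are lost


def encode_attrs(attrs) -> bytes:
    """Attributes are Type(1) Length(1, header included) Value TLVs."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = struct.unpack_from("!BB", data, pos)
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[pos + 2:pos + length]))
        pos += length
    return attrs


def build_access_request(username: str, password: str, secret: bytes,
                         ident: int = 1, authenticator: bytes = None) -> bytes:
    """NAS side. Header: Code(1) Identifier(1) Length(2) Request Authenticator(16)."""
    authenticator = authenticator or os.urandom(16)
    attrs = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def server_handle(request: bytes, secret: bytes) -> bytes:
    """Server side: check the (fixed) password, answer with Framed-IP-Address or reject."""
    code, ident, length = struct.unpack_from("!BBH", request, 0)
    if code != ACCESS_REQUEST or length != len(request) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    req_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:length]))
    user = USER_DB.get(attrs.get(USER_NAME, b"").decode(errors="replace"))
    supplied = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    if user is None or not hmac.compare_digest(supplied, user["password"].encode()):
        resp_code, resp_attrs = ACCESS_REJECT, b""
    else:
        resp_code = ACCESS_ACCEPT
        resp_attrs = encode_attrs([(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(user["framed_ip"]).packed)])
    header = struct.pack("!BBH", resp_code, ident, 20 + len(resp_attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865 section 3
    resp_auth = hashlib.md5(header + req_auth + resp_attrs + secret).digest()
    return header + resp_auth + resp_attrs


def client_parse_response(response: bytes, request: bytes, secret: bytes):
    """NAS side: verify the Response Authenticator, then extract the assigned address."""
    code, ident, length = struct.unpack_from("!BBH", response, 0)
    if length != len(response) or ident != request[1]:
        raise ValueError("response length or identifier mismatch")
    body = response[20:]
    expected = hashlib.md5(response[:4] + request[4:20] + body + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or tampered reply")
    if code != ACCESS_ACCEPT:
        return None
    for t, v in decode_attrs(body):
        if t == FRAMED_IP_ADDRESS and len(v) == 4:
            return str(ipaddress.IPv4Address(v))
    return None  # Access-Accept without a static address: the NAS falls back to its pool


def authorize(username: str, secret: bytes = SHARED_SECRET):
    """ASA-style authorization-only lookup: the password sent is the username."""
    request = build_access_request(username, username, secret)
    return client_parse_response(server_handle(request, secret), request, secret)


if __name__ == "__main__":
    for name in ("alice", "bob", "mallory"):
        print(name, "->", authorize(name))
```

On a FreeRADIUS server the equivalent of one `USER_DB` row is a `users` file entry with the fixed password as the check item and the address as the reply item, e.g. `alice Cleartext-Password := "alice"` followed by an indented `Framed-IP-Address = 10.10.10.5` (names and address constructed). Because those entries are trivially guessable, the RADIUS `client` definition for them should be restricted to the ASA's address and shared secret, and the ASA-side password string should not be reused anywhere else.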

Excellent pointers, thanks.

If we use ACS to store the IP addresses then we should be able to set the password to the same as the username with no issue.

If we decide to use LDAP then as you say it should be straightforward enough.

I'll look into the username/fixed-password method you describe, thanks for the hint.

marco.kobek
Level 1

We tried it out - Framed-IP-Address was correct and is working fine.

Now we're searching for a possibility to assign a Group Policy by an attribute. ACS has that feature, but how to build that with FreeRADIUS? Maybe somebody knows that too.

Thanks a lot to everybody.