Assigning a user group using RSA SecurID RADIUS Server

Unanswered Question

We have several ASA 5510 firewalls which are being used as VPN gateways.

RSA SecurID is the authentication mechanism using native SDI connectivity.

No ACS server is being used.

Is it possible to assign user Group and other attributes (such as ACL), using the SecurID RADIUS server? I know this is what the Cisco ACS is for, but is it possible using the RSA RADIUS server itself?

Thanks in advance for replies.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.5 (3 ratings)
Loading.
darpotter Mon, 02/05/2007 - 00:43

Hi

I assume this is using RSA's comms protocol rather than RADIUS? Actually not sure it makes any difference - last time I looked (about 18months ago) you couldnt do group assignment from RSA.

chris-gibbs Sun, 07/08/2007 - 19:02

We are currently looking at implementing this as well. While we have been able to get our IAS asigning tunnelgroups for Web SSL VPN we have not been able to get the same functionality working with the SDI protocol.

Any tips / hints on what else we can try??

We are using the RSA SecurID with the RSA SecurID Appliances. We are also using a Cisco 5510 as the VPN endpoint.

wong.jason Wed, 11/21/2007 - 07:19

Hi Chris,

Did you ever managed to resolve this ? I hit into the same problem as well. Thanks.

chris-gibbs Wed, 11/21/2007 - 13:29

Hi Jason,

Yes I eventually got this sorted so we could automatically assign group membership.

To give a bit of background, we use a windows AD environment here and created a number of different groups that would belong to different profiles.

We have RSA Auth Manager Automatically sync through LDAP and then assign a profile to the user that is imported, I'm still yet to find a way to assign a profile based on a SecurID group but working on it - so the profile assignment is manually ATM.

The profile in Auth Manager is linked to the identically named Funk RADIUS profile running on our RSA appliances. In the Funk RADIUS server, the profiles can be configured with the typical OU reply.

Then the ASA can be configured to talk RADIUS instead of RSA.

Hopefully my response was not to confusing.

Cheers

Chris

wong.jason Wed, 11/21/2007 - 17:22

Hi Chris,

Let me get this right, so the ASA is talking radius rather than SDI ?

I guess I could do that although I would rather not if it could talk SDI and still have the group. I guess it would be simplied if I use Cisco ACS and integrates that with RSA . Will have to look at that.

Have you tried the integrated radius that comes with RSA Authentication Manager 6.1 ?

chris-gibbs Wed, 11/21/2007 - 17:44

Hi Jason,

The only way I could get it to work is with the inbuilt Radius software in Auth Manager (Made by Funk software i think) and then have the ASA communicate via RADIUS.

I spent a while trying to get the SDI working as introducing RADIUS into the Authentication process creates another point of failure. In the end we ended up buying 2 RSA Applicances and running a master/replica setup.

I did not have the chance to investigate ACS.

Chris

chris-gibbs Thu, 11/22/2007 - 13:54

Hi Jason,

While we have internal documentation for ongoing maintainence purposes, i'm not able to release it. However I will briefly try to outline the steps I took to get it working.

1. We upgraded to version 8.0 ASA from 7.2, this had nothing to do with the RSA but gave us access to more features for the SSL deployment. This was existing production equipment setup for ipsec vpn.

2. Installed 2 x RSA hardware Appliances configured with Master/Replica failover.

3. Installed bundled Radius server on the RSA Appliances. Configured a secret key for pairing with ASA.

4. Setup profile(s) in the Radius server. These should be setup with the 'Group Policies' that the will be mapped through the AAA process. This can be done by assigning Attribute/Value Pair under the profile. The attribute should be "class" and the Value should be "OU=group_policy_name;" Please note that the group_policy_name is case sensitive.

5. Setup matching profile in the RSA Auth Manager. Radius -> Add Profile. This should be the same name as the profile setup in the Radius Server.

6. Add users in the RSA Auth manager. We achieve this automatically by scheduled LDAP sync's every 15mins during the day.

7. Assign token to user and assign profile to user in RSA Auth Manager.

8. Setup AAA server (& group) on the ASA, pairing using Radius as the protocol.

9. Make sure the connection profile that is linked to the Group Policy in step 4 uses the the AAA group in step 8.

I found the RSA Secured site helpful for the integration. http://www.rsa.com/rsasecured/product.asp?id=1487

I also found some cisco doco for the ASA, specifically for configuring the return attribute passed from the radius server. This link is specific for ACS but will work with a few mods for most Radius servers.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808cf897.shtml

Searching the forums gave some good ideas away as well.

Let me know how you go.

Cheers

Chris

wong.jason Thu, 11/22/2007 - 16:51

Thanks. Actually I'm familiar with the general steps, just concern about the part for the return attributes and configuration from the RSA Radius as it's not well documented and I'm more familiar with ACS. In any case, thanks for the help, the information has been helpful. I'll explore it further.

kirkpad01 Sat, 12/01/2007 - 00:11

Hi,

I have a similar issue but Im trying to do network authorization not webssl or VPN using RADIUS. It appears that network authorization for groups only works with TACACS+. I think with PIX you were able to use Cisco AV-pairs in RADIUS to create per-user ACL's. i used to link this in with Safeword tokens which worked well. They have taken this away now on the ASA, which means you need to spend extra on a ACS server. not great if your're a small business. Did you manage to get network authorization working with RADIUS?

Thanks,

Dave

alig.norbert Thu, 04/14/2011 - 01:57

Hi,

Could you post the setting (IAS & ASA) for the asigning tunnelgroups for Web SSL VPN?

Thanks a lot,

Norbert

Actions

This Discussion