I have a need to authenticate and authorize users on a NAS via RADIUS against both SecurID and Active Directory using a Cisco ACS 5.1 appliance, but I need to ensure that the AD-authenticated users are in a particular AD group before authorizing. The problem is that the SecurID users' usernames are identical to their AD usernames, and I don't want SecurID users to be able to log in with their AD credentials (bypassing SecurID) unless they're in that particular AD group.
I was able to set up SecurID and AD external Identity Stores and put them in an Identity Store Sequence with SecurID first and AD second. I configured the SecurID store to treat authentication rejects as "user not found" rather than "authentication failed," so the fall-through from SecurID to AD works for non-SecurID users, but I can't figure out how to enforce the AD group requirement for users with a SecurID account.
I can design a Network Access Service Authorization Policy to require that an authenticated user be a member of a specific group (either a mapped Identity Group or an AD group) in order to be permitted access, but SecurID-authenticated users aren't assigned to any groups. I can't seem to map authenticated SecurID users to internal Identity Groups, because there doesn't seem to be a SecurID dictionary on the ACS by which to accomplish the mapping with a Network Access Service Group Mapping Policy.
Anyone have any idea how I can accomplish this?
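The Identity Store Sequence and authorization rule described in the question, written out as a small Python model (an added illustration, not Cisco ACS code and not from the original post). It walks a SecurID store and then an AD store, honours the "treat reject as user not found" setting that makes the fall-through happen, and applies the rule the poster is after: an AD-authenticated user must hold a specific AD group, while a token-authenticated user needs no group. All usernames, secrets and the group name `VPN-AD-Allowed` are constructed sample data; whether ACS 5.1 exposes "which store authenticated this user" as a policy condition is an assumption of the model, not something the question settles.

```python
"""Model of a SecurID-then-AD identity store sequence with a group-gated
authorization rule.  Illustration only; all data below is constructed."""
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed sample data (hypothetical users, tokens, passwords, groups).
SECURID_TOKENS = {"alice": "123456"}                     # alice holds a token
AD_PASSWORDS = {"alice": "ad-pw-a", "bob": "ad-pw-b"}    # both have AD accounts
AD_GROUPS = {
    "alice": {"Domain Users"},
    "bob": {"Domain Users", "VPN-AD-Allowed"},
}
REQUIRED_AD_GROUP = "VPN-AD-Allowed"   # hypothetical name of the gating group


@dataclass
class StoreResult:
    store: Optional[str]          # store that authenticated the user, or None
    outcome: str                  # "pass", "fail" or "not_found"
    groups: Set[str] = field(default_factory=set)


def securid_store(user: str, secret: str, reject_as_not_found: bool = True) -> StoreResult:
    """First store in the sequence.  With reject_as_not_found=True a wrong
    token is reported as 'not_found', so the sequence continues to AD."""
    if user not in SECURID_TOKENS:
        return StoreResult(None, "not_found")
    if SECURID_TOKENS[user] == secret:
        return StoreResult("SecurID", "pass")
    return StoreResult(None, "not_found" if reject_as_not_found else "fail")


def ad_store(user: str, secret: str) -> StoreResult:
    """Second store in the sequence; returns the user's AD groups on success."""
    if user not in AD_PASSWORDS:
        return StoreResult(None, "not_found")
    if AD_PASSWORDS[user] == secret:
        return StoreResult("AD", "pass", set(AD_GROUPS.get(user, set())))
    return StoreResult(None, "fail")


def identity_sequence(user: str, secret: str, reject_as_not_found: bool = True) -> StoreResult:
    """Try SecurID, then AD.  Only 'not_found' advances to the next store;
    'pass' and 'fail' are final, as in an Identity Store Sequence."""
    result = securid_store(user, secret, reject_as_not_found)
    if result.outcome != "not_found":
        return result
    return ad_store(user, secret)


def authorize(user: str, secret: str, reject_as_not_found: bool = True) -> str:
    """Authorization rule: token users are permitted; AD-authenticated users
    are permitted only if they are in REQUIRED_AD_GROUP.  Returns 'permit'
    or 'deny'."""
    result = identity_sequence(user, secret, reject_as_not_found)
    if result.outcome != "pass":
        return "deny"
    if result.store == "SecurID":
        return "permit"
    return "permit" if REQUIRED_AD_GROUP in result.groups else "deny"


if __name__ == "__main__":
    for who, what in [("alice", "123456"), ("alice", "ad-pw-a"), ("bob", "ad-pw-b"), ("bob", "wrong")]:
        print(who, "->", authorize(who, what))
```

With the sample data, `alice` is permitted with her token, denied when she falls through to AD (she is not in the gating group), and `bob`, who has no token, is permitted through AD because he is in the group; with `reject_as_not_found=False` the fall-through never happens and a token holder's AD password is simply a failed SecurID attempt. The model exists to make the two settings visible side by side, which is the part of the question that is hard to see from the GUI alone.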