I have a pair of ACS 4.0 Solution Engines that use TACACS+ for AAA with network equipment and authenticate wireless users to AD with the remote agents via Radius. I have a VPN 3030 that currently talks to a separate ACS running 3.3 which passes authentication requests to an RSA server using the API from a Windows Server. I want to migrate VPN authentication to the 4.0 SE failover set and upgrade RSA to version 6.1 that integrates the Steel Belted Radius front end.
The issue that I'm encountering is the need to send AV pairs to the 3030 based on group membership such as OU, split tunnel, ACL, etc. On the 4.0 ACS I've built a Network Access Filter based on a Device Group for the 3030. I've referenced this Filter in my Network Access Profile and set the authentication for the profile to use the Radius Token Server external database, which is the front end of RSA 6.1. This authentication works fine when I test from the 3030. Unfortunately, the user is recreated in the ACS for the RSA profile and is dynamically mapped to the default group specified in the external database mapping for the Radius Token Server. The user is unable to inherit the Radius attributes configured for the user or group because of the profile. Once I've authenticated, I can do a search for my username on the ACS and find two entries. The first entry uses the default profile (original configuration) and the second uses the RSA profile I created and is a member of the default group. I can now reassign the RSA profile user to the appropriate group, but I want all of the users authenticated with the RSA profile to use the attributes currently configured.
Is there a way to get the RSA profile to ignore the unknown user external database default group mapping and follow the user/group mappings in the configuration (known as the default profile)?