ACS 4.0 Network Profiles and External Radius/RSA

Unanswered Question
Nov 14th, 2006
User Badges:

Good Afternoon,

I have a pair of ACS 4.0 Solution Engines that use TACACS+ for AAA with network equipment and authenticate wireless users to AD with the remote agents via Radius. I have a VPN 3030 that currently talks to a separate ACS running 3.3 which passes authentication requests to an RSA server using the API from a Windows Server. I want to migrate VPN authentication to the 4.0 SE failover set and upgrade RSA to version 6.1 that integrates the Steel Belted Radius front end.

The issue that I'm encountering is the need to send AV pairs to the 3030 based on group membership such as OU, split tunnel, ACL, etc. On the 4.0 ACS I've built a Network Access Filter based on a Device Group for the 3030. I've referenced this Filter in my Network Access Profile and set the authentication for the profile to use the Radius Token Server external database, which is the front end of RSA 6.1. This authentication works fine when I test from the 3030. Unfortunately, the user is recreated in the ACS for the RSA profile and is dynamically mapped to the default group specified in the external database mapping for the Radius Token Server. The user is unable to inherit the Radius attributes configured for the user or group because of the profile. Once I've authenticated, I can do a search for my username on the ACS and find two entries. Te first entry uses the default profile (original configuration) and a second which uses the RSA profile I created and is a member of the default group. I can now reassign the RSA profile user to the appropriate group, but I want all of the users authenticated with the RSA profile to use the attributes currently configured.

Is there a way to get the RSA profile to ignore the unknown user external database default group mapping and follow the user/group mappings in the configuration (known as the default profile)?



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
darpotter Tue, 11/21/2006 - 14:18
User Badges:
  • Silver, 250 points or more


As I recall you can setup group mapping for a specific NAP rather than globally. I dont have 4.0 in front of me at the moment but Im sure somewhere in the NAP pages you can do this.

Its all pretty clunky but should work.

cairnsm Wed, 11/22/2006 - 06:36
User Badges:

Thanks for everyone's assistance.

Here is the solution that I came up with:

In order to keep the global configuration of static users and groups working with the VPN 3030, I used RDBMS to change roughly 2500 users to a default external database of Radius Token server (the new one we just created and synchronized with the old database, which was accessed through the API from the 3.3 ACS). I created a NAP to point authentications from the WiSM modules against an external AD database. This database is mapped to a single default group for EAP authentication and thus works as I need without any attributes to be passed for wireless. All users are considered unknown and are thus mapped to the default group.

As for group mapping for a NAP, the Radius front end (Funk) for the new RSA database has no knowledge of our groups and is used strictly for token authentication (no class attribute for mapping), so I needed to use the static global mappings in the ACS "default profile". I also have some attributes that are specific to a user and the external authentication, when done through a NAP would map the user as "unknown", and thus create a dynamic entry that would not inherit the user specific attributes that were already configured in the ACS.

As far as I can tell from building this and reading all of the documentation, each profile works in a similar fashion to a virtual machine. User authentication within a profile is considered independent of user authentication within another profile or the default profile (configuration done before adding any profiles). If you have built a complicated base configuration on the ACS, that configuration should match your default authentication method. I don't see a way to build a new profile that references configuration of groups and users that you had before any profiles existed, because those configurations are considered the default profile and have nothing to do with the new profile you create.

Thanks again.



This Discussion