Has anyone tried to use the ACS as a RADIUS proxy to an OTP system with an AD user database on the backend?
This is so confusing I'm not even sure how to ask the right question.
I'm trying to set up a centralised SSL VPN with multiple domains, and it works fine if I'm using pure RADIUS, but it breaks when the OTP is introduced.
The really badly written OTP system says it's RADIUS compliant, but it doesn't understand or like RADIUS class attributes except the username.
I need the AD group name returned to the VPN so I can allocate VPN groups. I'm having to find a workaround and it's driving me crazy. I know nothing about AD and LDAP, or how to set it up on ACS, or whether I even need to.
This is probably "pushing the envelope"... in fact, I'm not sure it's possible.
Parts are possible... for example, you can (in ACS) map AD groups to ACS groups. In each ACS group you can stick the AD group name into something the VPN server might look at. There's probably a VSA for it. However, this doesn't scale if you have more than a few groups.
ACS will not support authentication to an OTP server and authorisation from somewhere else (e.g. AD); it has to do both in the same place.
Not sure I can help on the RADIUS proxy part - is that ACS proxy or another product?
Using Network Access Profiles you can possibly send authentication requests to different databases for the same ACS user, however, once the authentication database is selected, choice of group mapping is limited to that database (AD or OTP).
It is also possible in network device AAA configuration to send authentication requests and authorization requests to different servers; for example, when using machine authentication in an MS AD environment, machine authentication requests can be sent to MS IAS whereas user authentication requests are sent to ACS.
It will be helpful to know if your OTP has its own RADIUS server or what OTP system you are using.
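Added example, not code from this thread or from Cisco: a small Python script showing what the reply means by "stick the AD group name into something the VPN server might look at". It builds a RADIUS Access-Accept (RFC 2865 framing) carrying a group name in the IETF Class attribute (type 25, the attribute the OTP system reportedly mishandles) and in a Vendor-Specific attribute (type 26), then parses the packet the way a VPN server's RADIUS client would: verify the Response Authenticator against the shared secret first, and only then extract the group names. The shared secret, request authenticator, identifier, vendor ID 99999 and the `group=` prefix are constructed placeholders, not values from any real product.

```python
"""Build, verify and parse a RADIUS Access-Accept that carries AD group names.

Added example for the thread above; all sample values are constructed.
"""
import hashlib
import hmac
import struct

CODE_ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_CLASS = 25          # IETF Class attribute
ATTR_VENDOR_SPECIFIC = 26
PLACEHOLDER_VENDOR_ID = 99999   # constructed; a real VPN vendor has its own IANA id


def encode_attr(attr_type, value):
    """Type(1) Length(1) Value TLV; RADIUS limits each value to 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vsa(vendor_id, vendor_type, value):
    """Vendor-Specific: 4-byte vendor id followed by a nested vendor TLV."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def build_access_accept(identifier, request_authenticator, secret, attrs):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def parse_attrs(data):
    """Walk a TLV list; reject lengths that do not fit (a classic parser bug)."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("attribute length out of bounds")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def verify_and_extract_groups(packet, identifier, request_authenticator, secret):
    """Return the group names in an Access-Accept, but only after the
    Response Authenticator checks out; otherwise raise, never trust the groups."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or ident != identifier:
        raise ValueError("length or identifier mismatch")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator (wrong secret or tampered reply)")
    if code != CODE_ACCESS_ACCEPT:
        return []
    groups = []
    for attr_type, value in parse_attrs(body):
        if attr_type == ATTR_CLASS and value.startswith(b"OU="):
            groups.append(value[3:].decode("ascii"))
        elif attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            for vtype, vvalue in parse_attrs(value[4:]):
                # constructed convention: vendor type 1, "group=<name>"
                if vendor_id == PLACEHOLDER_VENDOR_ID and vtype == 1 and vvalue.startswith(b"group="):
                    groups.append(vvalue[6:].decode("ascii"))
    return groups


def build_sample_packet():
    """Constructed sample: the reply an ACS-style server would send for 'alice'."""
    identifier = 42
    request_authenticator = bytes(range(16))      # constructed, would be random per request
    secret = b"constructed-shared-secret"
    attrs = [
        encode_attr(ATTR_USER_NAME, b"alice"),
        encode_attr(ATTR_CLASS, b"OU=VPN-Admins"),
        encode_vsa(PLACEHOLDER_VENDOR_ID, 1, b"group=VPN-Engineers"),
    ]
    packet = build_access_accept(identifier, request_authenticator, secret, attrs)
    return packet, identifier, request_authenticator, secret


if __name__ == "__main__":
    pkt, ident, req_auth, secret = build_sample_packet()
    print(verify_and_extract_groups(pkt, ident, req_auth, secret))
```

The VPN side only acts on group names from a reply whose authenticator matches; a reply with a flipped byte or the wrong secret is rejected before any attribute is read, which is the check a RADIUS client must do before the group mapping described in the reply can be trusted.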