Dazed and confused!

j.siganto
Level 1

Has anyone tried to use the ACS as a RADIUS proxy to a OTP system with an AD user database on backend?

This is so confusing I'm not even sure how to ask the right question.

I'm trying to set up a centralised SSL VPN with multiple domains and it works fine if I'm using pure RADIUS, but it breaks when the OTP is introduced.

The really badly written OTP system says it's RADIUS compliant but it doesn't understand or like RADIUS class attributes except the username.

I need the AD group name returned to the VPN so I can allocate VPN groups. I'm having to find a workaround and it's driving me crazy. I know nothing about AD and LDAP or how to set it up on ACS or that I even need to.

Anyone have a clue?

2 Replies

darpotter
Level 5

This is probably "pushing the envelope". In fact I'm not sure it's possible.

Parts are possible. For example you can (in ACS) map AD groups to ACS groups. In each ACS group you can stick the AD group name into something the VPN server might look at. There's probably a VSA for it. However, this doesn't scale if you have more than a few groups.

ACS will not support authentication to an OTP server and authorisation from somewhere else (e.g. AD); it has to do both in the same place.

Not sure I can help on the RADIUS proxy part - is that ACS proxy or another product?

Darran

Using Network Access Profiles you can possibly send authentication requests to different databases for the same ACS user, however, once the authentication database is selected, choice of group mapping is limited to that database (AD or OTP).

It is also possible in network device AAA configuration to send authentication requests and authorization requests to different servers. For example, when using machine authentication in an MS AD environment, machine authentication requests can be sent to MS IAS whereas user authentication requests are sent to ACS.

It will be helpful to know if your OTP has its own RADIUS server or what OTP system you are using.
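The split the reply above describes (authenticate against the OTP product's RADIUS server, take the group decision from AD) written out as an added example for an ASA SSL VPN. This is not configuration from the thread or from any poster, and it assumes an ASA as the VPN head end; every host address, server-group name, DN, password and group-policy name below is a placeholder I made up.

```cisco
! Added example (not from the thread): ASA tunnel-group that authenticates
! users against an OTP RADIUS server but pulls group membership from AD
! over LDAP, so the OTP server never has to return Class or any VSA.
! All hosts, names, DNs, secrets and group-policy names are placeholders.

! 1. Authentication server group: the OTP product's RADIUS front end.
!    Only its Access-Accept / Access-Reject matters here; whatever
!    attributes it returns (or fails to return) play no part in
!    choosing the group-policy.
aaa-server OTP-RADIUS protocol radius
aaa-server OTP-RADIUS (inside) host 10.0.0.5
 key OtpSharedSecret
 authentication-port 1812
 accounting-port 1813

! 2. Map AD memberOf values to ASA group-policies. Unmapped groups
!    produce no Group-Policy attribute, so the user falls through to
!    the tunnel-group default set in step 5.
ldap attribute-map AD-GROUP-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Admins,OU=Groups,DC=example,DC=com" GP-ADMINS
 map-value memberOf "CN=VPN-Users,OU=Groups,DC=example,DC=com" GP-USERS

! 3. Authorization server group: AD queried directly over LDAP with a
!    read-only bind account. The user's login name is looked up as
!    sAMAccountName, so it must match what the OTP server accepted.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.6
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-vpn-ldap,OU=Service,DC=example,DC=com
 ldap-login-password SvcAccountPassword
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP

! 4. Group policies the map can select, plus a fail-closed default
!    (zero simultaneous logins) for anyone who authenticates but is in
!    none of the mapped AD groups.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0
group-policy GP-USERS internal
group-policy GP-ADMINS internal

! 5. Tie it together: OTP for authentication, AD for authorization, and
!    reject the session if the authorization lookup itself fails.
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 authentication-server-group OTP-RADIUS
 authorization-server-group AD-LDAP
 authorization-required
 default-group-policy GP-NOACCESS
```

Two things to check before trusting this in production. First, run `test aaa-server authorization AD-LDAP host 10.0.0.6 username jdoe` (with `debug ldap 255` on) and confirm the response carries a mapped Group-Policy value; if the OTP server only accepts logins in a form that differs from sAMAccountName (for instance a PIN-prefixed or domain-qualified name), the LDAP lookup will not find the user and `authorization-required` will reject the session. Second, `default-group-policy GP-NOACCESS` together with `authorization-required` is what keeps this fail-closed: without them an authenticated user with no matching AD group would silently land in whatever the tunnel-group default allows.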
