
Dynamic Access Policies with RSA Authentication

Brent Catoe
Level 1

What is the best way to use DAP when using RSA for user authentication? I really do not want to have the users have to authenticate twice, once for tunnel authentication through RSA and then again for AD authentication. Is there a way to add users to groups on the RSA server and apply policies based on those groups?


Thanks

2 Replies

Erick Delgado
Level 1

Hi,

You want to do group mapping with RSA? If yes, please see the following documentation.

You can authenticate against RSA and authorize using LDAP.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMap.html

Regards,

I have a similar request ... I'm trying to set up DAP for two different AAA groups.  The first group (vendors) is authenticated to Windows Active Directory using LDAP and I check for a "member of" AAA attribute to define which DAP to apply.  This works correctly.

However, the second group (employees) is passed off to RSA using the SDI protocol, because our employees use tokens.  The DAP check for "member of" doesn't work.  It seems like RSA doesn't return the "member of" attribute ... or if it does, the ASA doesn't receive it.  Is it possible to use DAP for RSA authentication?  If so, how do you set up the AAA attributes?
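The approach named in the first reply (authenticate against RSA, authorize using LDAP), applied to the employee group described in the last post, as an added example that is not part of the original thread or taken from Cisco documentation. All server names, addresses, DNs and the tunnel-group name are constructed placeholders, and it assumes the SDI username matches the user's sAMAccountName in Active Directory.

```cisco
! Added example: ASA configuration fragment, all names and addresses are placeholders.
! Users enter only the RSA passcode; the ASA then looks the same username up in
! AD over LDAP (using its own bind account) to retrieve memberOf for DAP.

! RSA Authentication Manager reached over SDI: used for authentication only
aaa-server RSA-SDI protocol sdi
aaa-server RSA-SDI (inside) host 192.0.2.10

! Active Directory reached over LDAP: used for authorization (attribute lookup) only
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.20
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,cn=Users,dc=example,dc=com
 ldap-login-password <BIND-PASSWORD-PLACEHOLDER>
 server-type microsoft

! Employee connection profile: SDI authenticates, LDAP authorizes
tunnel-group EMPLOYEES general-attributes
 authentication-server-group RSA-SDI
 authorization-server-group AD-LDAP
 ! Reject the session if the LDAP lookup finds no matching user,
 ! so a valid token without an AD account cannot fall through to a default policy
 authorization-required

! DAP selection criteria are defined in ASDM, not in this fragment.
! For this profile, match on the LDAP attribute (AAA attribute type "LDAP"):
!   ldap.memberOf = <employee group name placeholder>
! SDI itself returns no group attributes, so a memberOf check has nothing
! to match unless the LDAP authorization step above is configured.
```

The bind account in `ldap-login-dn` needs only read access to user objects and group membership, and LDAP over SSL should be enabled on the server entry if the directory supports it so the bind password and attributes do not cross the network in clear text.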
