RSA (SDI) for Authentication and LDAP (AD) for Authorization for ASA VPN

Brent Catoe
Level 1

We currently use RSA for VPN authentication. I have configured and tested LDAP on the ASA. I would like the ASA to query AD via LDAP for the group membership of the user trying to log in and give them a specific Access Policy based on that group. Is there a way to do this when the user is authenticating solely through RSA?


4 Replies

Jagdeep Gambhir
Level 10

You can do authentication with the RSA RADIUS server and then do authorization with the LDAP server.

Refer to the table details that shows what methods are available for VPN users:

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008060f261.shtml

Regards,

~JG

Do rate helpful posts

Thanks for the link. However, it does not explain how to accomplish this. I have successfully gotten it to work using AD for authentication and LDAP for authorization, however not using RSA for authentication and LDAP for authorization. The DAP I set up looks to see if the user is a member of an LDAP group, but the user ID it is looking for I am assuming is the RSA user ID, which it will not find on the LDAP server. Is there a way to link an RSA user ID with a Windows user ID?

Accepted Solution

The same user ID should exist in both databases. However, the password can be different, as for authorization no password check is performed.

For example, the user name "brentcatoe" should be there in both databases.

If the user name is not the same, this is not going to work, and I don't think there is any way to link or map user IDs.

Regards,

~JG

Do rate helpful posts
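As an added example (not configuration posted in this thread), here is the ASA CLI that puts the two replies above together: RSA reached over RADIUS as the authentication-server-group, AD over LDAP as the authorization-server-group, and an LDAP attribute map that turns memberOf into a group-policy. The line that makes the "same user name in both databases" requirement concrete is ldap-naming-attribute: the ASA searches AD for the user name the client sent to RSA, matched against that attribute, so the RSA user name must equal the AD sAMAccountName. Server names, IP addresses, DNs, group-policy names and secrets are placeholders I have assumed; replace them with your own.

```cisco
! Added example, not from the original post. All hosts, DNs, names and
! secrets below are assumed placeholders.

! --- RSA SecurID reached over RADIUS: authentication only ---
aaa-server RSA-RADIUS protocol radius
aaa-server RSA-RADIUS (inside) host 10.0.0.5
 key RsaSharedSecretPlaceholder
 authentication-port 1812
 accounting-port 1813

! --- Active Directory over LDAP: authorization only (no password check) ---
! The ASA looks up the user name the client sent to RSA, matched against
! the attribute named in ldap-naming-attribute. A user known to RSA as
! "brentcatoe" but to AD as "bcatoe" will not be found, and authorization
! (and with authorization-required below, the whole login) fails.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-ldap,OU=Service Accounts,DC=example,DC=com
 ldap-login-password BindPasswordPlaceholder
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP

! --- Map AD group membership (memberOf) to an ASA group-policy ---
ldap attribute-map AD-GROUP-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Admins,OU=Groups,DC=example,DC=com" GP-ADMINS
 map-value memberOf "CN=VPN-Users,OU=Groups,DC=example,DC=com" GP-USERS

! Users in neither group fall back to the tunnel-group default, which
! denies the session by allowing zero simultaneous logins.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
group-policy GP-USERS internal
group-policy GP-ADMINS internal

! --- Tie both servers to the remote-access tunnel-group ---
tunnel-group VPN-USERS type remote-access
tunnel-group VPN-USERS general-attributes
 authentication-server-group RSA-RADIUS
 authorization-server-group AD-LDAP
 authorization-required
 default-group-policy NOACCESS
```

To check the LDAP half without a VPN client, run `test aaa-server authorization AD-LDAP username brentcatoe` on the ASA and, if it fails, `debug ldap 255` shows the search filter the ASA built (which contains the user name it is looking for) and which attributes came back. If you prefer DAP over an attribute map, the same server setup applies; the DAP record then matches on the ldap.memberOf AAA attribute instead. With an attribute map, a user who is a member of several mapped groups gets whichever mapped value the ASA processes first, so keep group-to-policy mappings unambiguous or use DAP for multi-group users.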

OK, that helps a lot, so I just need to make sure that AD and RSA have the same user names.

Thanks for your help
