New Member

RSA (SDI) for Authentication and LDAP (AD) for Authorization for ASA VPN

We currently use RSA for VPN authentication. I have configured and tested LDAP on the ASA. I would like the ASA to query AD via LDAP for the group membership of the user trying to log in and give them a specific Access Policy based on that group. Is there a way to do this when the user is authenticating solely through RSA?

  • AAA Identity and NAC
1 ACCEPTED SOLUTION

4 REPLIES

Re: RSA (SDI) for Authentication and LDAP (AD) for Authorization

You can do authentication with the RSA Radius server and then do authorization with the LDAP server.

Refer to the table details that shows what methods are available for VPN users:

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008060f261.shtml

Regards,

~JG

Do rate helpful posts

New Member

Re: RSA (SDI) for Authentication and LDAP (AD) for Authorization

Thanks for the link. However, it does not explain how to accomplish this. I have successfully gotten it to work using AD for authentication and LDAP for authorization, however not using RSA for authentication and LDAP for authorization. The DAP I set up looks to see if the user is a member of an LDAP group, but the user ID it is looking for, I am assuming, is the RSA user ID, which it will not find on the LDAP server. Is there a way to link an RSA user ID with a Windows user ID?

Re: RSA (SDI) for Authentication and LDAP (AD) for Authorization

The same user ID should exist in both databases. However, the password can be different, as no password check is performed for authorization.

For example, the user name "brentcatoe" should be present in both databases.

If the user name is not the same, this is not going to work, and I don't think there is any way to link or map user IDs.

Regards,

~JG

Do rate helpful posts

New Member

Re: RSA (SDI) for Authentication and LDAP (AD) for Authorization

Ok, that helps a lot, so I need to just make sure that AD and RSA have the same usernames.

Thanks for your help
