SSL VPN
Visitor
csmith1329

Role Mapping

I'm trying to set up RSA tokens. I'm going to use RADIUS for authentication, but then I want role mapping to be done by Active Directory. I have heard this is possible, but I'm not quite sure how to set it up. I'm running an SA 2000 on version 6.0R3.1 (build 12507). I'm currently set up for Active Directory authentication and Active Directory is doing the role mapping as well.

Any help would be nice.

Thanks,

Corey

Distinguished Expert
firewall72

Re: Role Mapping

Hi Corey,

We currently have this configured. You would configure your RSA with the ACE option and your AD with the LDAP option. Both of these are configured under "Auth Servers". Upon completion, you would add these to your Realm: RSA for Authentication and AD for Directory. This will result in your RSA server providing authentication and your AD mapping roles based on group membership.

Rgds,

John

John Judge
JNCIS-SEC, JNCIS-ENT

If this solves your problem, please mark this post as "Accepted Solution". Kudos are appreciated.
Visitor
csmith1329

Re: Role Mapping

John,

The part I'm missing is the LDAP group. I have configured an LDAP authentication server. After authenticating I get no roles. I don't get what part I'm missing in the LDAP authentication server.

Thanks for your help.

Regards,

Corey

Distinguished Expert
firewall72

Re: Role Mapping

Hi,

Your original message indicated you were trying to use RSA. Are you authenticating via RSA or AD? Once your LDAP server is defined as a Directory Server, you will be able to configure the groups for role mapping. Let me know.

Rgds,

John

Visitor
csmith1329

Re: Role Mapping

John,

I'm currently authenticating via Active Directory. I just purchased an RSA system that I'm trying to implement. So when I switch it to RSA authenticating via ACE or RADIUS and add the directory service with LDAP to my Active Directory server, that's when I get the no roles problem. Of course I only have this one SA 2000 to do my configuring, so I have to break it for general users while I check my configuration changes.

I guess, do I have to re-do my role mapping after I break it?? Or can I use the current configuration of role mapping and have it still work? I'll try to add a screenshot, but last time it was too big. I'll see if I can do that again.

Thanks again for your help.

Regards,

Corey

Distinguished Expert
firewall72

Re: Role Mapping

Hi,

If this is a production box, I would create a new realm and sign-in URL to test. That way your users can still use the box. I was unable to open your snapshot, but I'm guessing you're having issues with Auth servers and role mapping. Try the following:

1. Create a host agent on RSA and export the sdconf.rec.
2. Create an ACE auth server and import sdconf.rec.
3. Create an LDAP server and point it to your AD.
4. Create a sign-in policy URL for testing.
5. Create a Realm and specify your ACE (auth) and LDAP (Directory).
6. Create a group in AD for role mapping.
7. Add the proper role mapping for the realm and build the server catalogue (map using groups).
8. Configure the remaining SSL settings (bookmarks, policies, etc.) and test.

Let me know which steps you get stuck on and I will try to provide more information.

John

Visitor
csmith1329

Re: Role Mapping

John,

Where I'm having the issue is when it goes to look up the groups, I guess. I'm not sure what to put in the filter: DC or CN? I have tried both and they won't bring anything back from the server. I'm not sure if I'm putting in the correct string. I have done CN=<DomainName> and DC=<DomainName>. The authentication part kinda threw me for a loop as well. I think I might have to authenticate for LDAP to work properly but not sure how to format that line either...

Sorry for all the stupid questions.

Thanks for the help.

Regards,

Corey
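As an added example (not code from this thread, from Juniper or from RSA), the Python below works out the values the LDAP directory server entry needs when the backend is Active Directory, which is where this post gets stuck: the Base DN derived from the AD domain name (one DC= component per DNS label, not CN=<DomainName>), an escaped search filter on sAMAccountName, the DN of the group used for role mapping, and the membership check that turns groups into roles. The domain, OU, user and group names are constructed placeholders.

```python
# Added example (not from the thread): derive the LDAP values an SA-series
# LDAP directory-server entry needs when the backend is Active Directory,
# and show how group membership turns into role mapping. Domain, OU, user
# and group names below are constructed placeholders.

_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
_DN_SPECIALS = set(',+"\\<>;')


def domain_to_base_dn(domain: str) -> str:
    """Base DN for AD is one DC= component per DNS label, so
    corp.example.com -> DC=corp,DC=example,DC=com (never CN=<DomainName>)."""
    labels = [lbl for lbl in domain.strip().lower().split(".") if lbl]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={lbl}" for lbl in labels)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a login name cannot alter the filter structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping of the special characters in a single RDN value."""
    return "".join("\\" + ch if ch in _DN_SPECIALS else ch for ch in value)


def user_filter(login: str) -> str:
    """AD keeps the login name in sAMAccountName, not in CN."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(login)}))"


def group_dn(cn: str, ou_path: list, domain: str) -> str:
    """CN=<group>,OU=...,DC=... for the AD group used in role mapping."""
    ous = ",".join(f"OU={escape_dn_value(ou)}" for ou in ou_path)
    parts = [f"CN={escape_dn_value(cn)}", ous, domain_to_base_dn(domain)]
    return ",".join(p for p in parts if p)


def roles_for(member_of: list, mapping: dict) -> list:
    """Role mapping by group membership: each group DN in the user's memberOf
    that appears in the mapping yields a role; no mapped group, no roles."""
    normalized = {dn.lower() for dn in member_of}
    return sorted({role for dn, role in mapping.items() if dn.lower() in normalized})
```

A user who authenticates fine but lands in no mapped group is exactly the "no roles" symptom described in this thread, so checking the group DN against the user's memberOf values is the first thing to verify.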

Visitor
csmith1329

Re: Role Mapping

John,

I finally got the correct syntax. Thanks for all your help!!

Best Regards,

Corey

Distinguished Expert
firewall72

Re: Role Mapping

Excellent, I'm glad you got it working.

John

Contributor
keith

Re: Role Mapping

Have you tried using the (Softerra) LDAP Browser? It's a fantastic, free, little tool for working out A/D schemas.

Keith

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.