06-17-2008 11:46 AM
I'm trying to set up RSA Tokens. I'm going to use RADIUS for authentication, but then I want role mapping to be done by Active Directory. I have heard this is possible, but I'm not quite sure how to set it up. I'm running an SA 2000 on version 6.0R3.1 (build 12507). I'm currently set up for Active Directory authentication, and Active Directory is doing the role mapping as well.
Any help would be nice.
06-17-2008 01:52 PM
We currently have this configured. You would configure your RSA with the ACE option and your AD with the LDAP option. Both of these are configured under "Auth Servers". Upon completion, you would add these to your Realm: RSA for Authentication and AD for Directory. This will result in your RSA server providing authentication and your AD mapping roles based on group membership.
06-17-2008 02:24 PM
The part I'm missing is the LDAP group. I have configured the LDAP authentication server. After authenticating I get no roles. I don't get what part I'm missing in the LDAP authentication server.
Thanks for your Help.
06-17-2008 06:04 PM
Your original message indicated you were trying to use RSA. Are you authenticating via RSA or AD? Once your LDAP server is defined as a Directory Server, you will be able to configure the groups for role mapping. Let me know.
06-17-2008 06:46 PM
I'm currently authenticating via Active Directory. I just purchased an RSA system that I'm trying to implement. So when I switch it to RSA authenticating via ACE or RADIUS, and I add the directory service with LDAP to my Active Directory server, that's when I get the no roles problem. Of course I only have this one SA 2000 to do my configuring, so I have to break it for general users while I check my configuration changes.
I guess, do I have to redo my role mapping after I break it? Or can I use the current configuration of role mapping and have it still work? I'll try to add a screenshot, but last time it was too big. I'll see if I can do that again.
Thanks again for your help.
06-18-2008 03:57 AM
If this is a production box, I would create a new realm and sign-in URL to test. That way your users can still use the box. I was unable to open your snapshot, but I'm guessing you're having issues with Auth servers and role mapping. Try the following:
1. Create host agent on RSA and export the sdconf.rec.
2. Create an ACE auth server and import sdconf.rec.
3. Create an LDAP server and point to your AD.
4. Create a sign-in policy URL for testing
5. Create a Realm and specify your ACE (auth) and LDAP (Directory)
6. Create a group in AD for Role mapping
7. Add the proper role mapping for the realm and build the server catalogue (map using groups)
8. Configure the remaining SSL settings (bookmarks, policies, etc) and test
Let me know which steps you get stuck on and I will try to provide more information.
06-18-2008 07:19 AM
Where I'm having the issue is when it goes to look up the groups, I guess. I'm not sure what to put in the filter: DC or CN. I have tried both and they won't bring anything back from the server. I'm not sure if I'm putting in the correct string. I have done CN=<DomainName> and DC=<DomainName>. The authentication part kinda threw me for a loop as well. I think I might have to authenticate for LDAP to work properly, but I'm not sure how to format that line either...
Sorry for all the stupid questions.
Thanks for the help.
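The base DN question in the post above, as an added example that is not part of this thread or of the SA 2000 product: the AD base DN is built from the DNS domain's labels as DC= components (not CN=), and a group-membership lookup filter is assembled with RFC 4515 escaping so a supplied user name cannot change the filter's structure. The domain, OU, group and user names are constructed placeholders.

```python
# Added example (not from the thread): derive the AD base DN from a DNS
# domain name and build an escaped membership filter for role mapping.
# Domain, OU, group and user names below are constructed placeholders.


def base_dn_from_domain(domain: str) -> str:
    """Map a DNS domain to the AD default naming context, e.g.
    'corp.example.com' -> 'DC=corp,DC=example,DC=com'.
    A CN= component is never part of this base; CN= names objects
    (users, groups) that live underneath it."""
    labels = [label for label in domain.strip().lower().split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={label}" for label in labels)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter:
    '*', '(', ')', '\\' and NUL become \\xx hex escapes so the value cannot
    inject extra filter clauses."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def member_lookup_filter(username: str, group_dn: str) -> str:
    """Filter matching one user object only if it is a member of group_dn.
    Run it against base_dn_from_domain(...) with subtree scope; an empty
    result means the user is not in the group, so no role is mapped."""
    return (
        "(&(objectClass=user)"
        f"(sAMAccountName={escape_filter_value(username)})"
        f"(memberOf={escape_filter_value(group_dn)}))"
    )


def group_members_filter(group_name: str) -> str:
    """Alternative lookup from the group side: fetch the group object whose
    'member' attribute lists the user DNs, for catalogues built by group."""
    return f"(&(objectClass=group)(cn={escape_filter_value(group_name)}))"


if __name__ == "__main__":
    base = base_dn_from_domain("corp.example.com")
    group = "CN=VPN Users,OU=Groups," + base
    print(base)
    print(member_lookup_filter("jdoe", group))
    print(group_members_filter("VPN Users"))
```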
06-18-2008 09:23 AM
Excellent, I'm glad you got it working.