Hello Community,
We read through the manuals, checked the 9.1R11 Administrator Authentication Realms for Role Mapping... and do not see an option for "Group Membership" like we do under User Realms Role Mapping.
Also when using the Custom Expression, there is no tab for defining the groups...
So has anyone got the Administrator Authentication Realm to use "memberOf" vs. a static list of "is username"?
Figured Out:
Admin Realms > Admin RSA > General
Define Directory/Attribute Server to be LDAP
Admin Realms > Admin RSA > Role Mapping
New Rule:
Rule based on: Group Membership (option does not appear unless the above is done)
Add the Group(s) to the PCS
Then define the memberOf rules.
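Added illustration (not Pulse Connect Secure code) of what the Group Membership rule above effectively does: the account's memberOf values are matched against the group DNs added to the Server Catalog, and each match grants a role. Role names and DNs are constructed, and the DN comparison rules are an assumption modelled on Active Directory; a failed attribute lookup grants nothing, which is the lockout case this thread goes on to discuss.

```python
from typing import Dict, Iterable, Set


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN so catalog and directory spellings compare equal.

    Assumption (Active Directory behaviour): attribute types and values are
    case-insensitive and whitespace around RDN separators is insignificant.
    Escaped commas inside a value ('\\,') are kept as part of the value.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    out = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        out.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(out)


def map_admin_roles(member_of: Iterable[str], catalog: Dict[str, str],
                    lookup_ok: bool = True) -> Set[str]:
    """Admin roles granted by Group Membership rules for one account.

    catalog maps each group DN added to the Server Catalog to a role
    (hypothetical names). lookup_ok=False models the LDAP attribute server
    being unreachable: no group evidence grants no role, the lockout case
    that motivates keeping a separate local-auth admin realm.
    """
    if not lookup_ok:
        return set()
    wanted = {normalize_dn(g): role for g, role in catalog.items()}
    return {wanted[n] for n in map(normalize_dn, member_of) if n in wanted}


# Constructed sample data: one catalog group and one account's memberOf values.
CATALOG = {"CN=PCS Admins, OU=Groups, DC=example, DC=com": ".Administrators"}
MEMBER_OF = ["cn=pcs admins,ou=groups,dc=example,dc=com",
             "CN=Helpdesk,OU=Groups,DC=example,DC=com"]
```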
Just curious. If you configured your Admin Realm to use LDAP authentication (LDAPS or StartTLS) exclusively, if for whatever reasons LDAP stops working or doesn't work correctly, won't you get yourself locked out of the appliance totally?
Or does your use case consist of multiple Admin Realms:
- one Admin Realm which uses the "Administrators" (Local Authentication) Auth Server for super admin / last resort
- and another LDAP-based Admin Realm which uses LDAP Auth Server for both Authentication and Directory/Attribute and checks for membership in groups whose DN are defined in the LDAP Auth Server's Server Catalog - Groups?
Multiple Admin URLs:
One for LDAP(S) based which uses LDAP user/pass
One for backup with local account(s) which rotate passwords every 30 days and Source Based to specific subnets... so think Out-Of-Band.
The multiple admin Realms allow for a variety of back end AAA services.