I have the following SA setup: a set of resources protected with AD credentials and with a second RADIUS auth server (OTP).
I must add that one OTP token is shared by multiple users (so we do not have a one-to-one mapping of users and tokens).
I need to control which users authenticate with some tokens (in the sense that a group of users must use only a few tokens to log in). I thought about using custom expressions in order to achieve this, but I have some difficulties in handling multi-valued LDAP attributes, specifically with the separator syntax (as can be read in the Admin guide): <variable sep='str'>. Where must this be defined: in the server catalog or in the mapping rule?
How can I use this to simply take an LDAP multi-valued attribute, build a string like 'string1' or 'string2' or 'string3', and compare it with [email protected] auth server?
I don't think you will be able to do this as there is no checking during authentication/authorization of the token other than making sure it is valid on the IVE. If the backend server can monitor, that would work. Otherwise, on the SA I don't think it will be possible.
The attribute string goes in the server definition.
I found an easy way to implement this. All you must do is extend the AD schema with some multi-valued attribute, let's say AuthToken, and populate the user entries in AD with the corresponding OTP users. Then change (if not already) the AD authentication in JSA to an LDAP-based auth server and add this attribute (AuthToken) to the LDAP Server Catalog attributes.
All you must do now is change the default custom expression on the Role mapping tab to:
[email protected]{RadiusAuth} [email protected]{LDAPAuth}.AuthToken
where RadiusAuth is the OTP auth server and LDAPAuth is the AD auth server.
Quite simple, isn't it?
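To make the mechanism in the solution above concrete, here is an added illustration (not Juniper SA/IVE code and not the poster's own) that simulates the role-mapping check offline: a multi-valued LDAP attribute, the hypothetical AuthToken attribute from the post, is parsed from a constructed LDIF export and matched against the username presented to the RADIUS (OTP) auth server. The LDIF entries, the `example.com` names and the OTP usernames are constructed sample data, and two practical assumptions are made that the page does not state: values are compared case-insensitively, and the RADIUS username may arrive as `user`, `user@realm` or `DOMAIN\user` and is normalized before matching. Unknown users and users with no AuthToken values are denied, so a failed lookup never grants a role.

```python
"""Added illustration (not Juniper SA/IVE code) of the role-mapping check the
solution describes: a multi-valued LDAP attribute (hypothetical AuthToken) is
matched against the username presented to the RADIUS (OTP) auth server.

Assumptions: attribute values are compared case-insensitively, and the RADIUS
username may arrive as 'user', 'user@realm' or 'DOMAIN\\user'.
"""
from typing import Dict, List

# Constructed LDIF export of three AD users. A multi-valued attribute is
# written as repeated attribute lines; carol has no AuthToken at all.
SAMPLE_LDIF = """\
dn: CN=alice,OU=Users,DC=example,DC=com
sAMAccountName: alice
AuthToken: otp-team-a
AuthToken: OTP-Shared-1

dn: CN=bob,OU=Users,DC=example,DC=com
sAMAccountName: bob
AuthToken: otp-team-b

dn: CN=carol,OU=Users,DC=example,DC=com
sAMAccountName: carol
"""

Directory = Dict[str, Dict[str, List[str]]]


def parse_ldif(text: str) -> Directory:
    """Parse a minimal LDIF (no line folding, no base64 values) into
    {sAMAccountName (lower-case): {attribute: [values]}}. Every attribute is
    kept as a list, so multi-valued attributes need no special handling."""
    entries: Directory = {}
    current: Dict[str, List[str]] = {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                key = current.get("sAMAccountName", [""])[0].lower()
                entries[key] = current
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def normalize_radius_user(radius_user: str) -> str:
    """Reduce 'DOMAIN\\user' or 'user@realm' to a bare lower-case name
    (assumed normalization, not something the page specifies)."""
    name = radius_user.rsplit("\\", 1)[-1]
    name = name.split("@", 1)[0]
    return name.strip().lower()


def join_multivalued(values: List[str], sep: str = " or ") -> str:
    """Render a multi-valued attribute as one string such as
    'otp-team-a' or 'OTP-Shared-1', the form the question asked about."""
    return sep.join(f"'{v}'" for v in values)


def otp_user_allowed(directory: Directory, ad_user: str, radius_user: str) -> bool:
    """True only when the normalized RADIUS username is one of the AD user's
    AuthToken values. An unknown user or a missing attribute is a deny."""
    entry = directory.get(ad_user.lower())
    if entry is None:
        return False
    allowed = {v.lower() for v in entry.get("AuthToken", [])}
    return normalize_radius_user(radius_user) in allowed


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    print("alice may use:", join_multivalued(directory["alice"]["AuthToken"]))
    checks = [("alice", "EXAMPLE\\otp-shared-1"), ("bob", "otp-team-a"),
              ("carol", "otp-team-a"), ("dave", "otp-team-a")]
    for ad_user, otp_user in checks:
        verdict = "allow" if otp_user_allowed(directory, ad_user, otp_user) else "deny"
        print(f"{ad_user} with OTP account {otp_user}: {verdict}")
```

Running the block prints the joined AuthToken string for alice and an allow/deny verdict for each constructed pair; only alice's check succeeds, because bob presents a token not in his attribute, carol has none, and dave is not in the directory.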
Thank you for sharing the information; I apologize for not realizing this could be done.