cancel
Showing results for 
Search instead for 
Did you mean: 

How to define "Role Mapping" based on RSA-ACE user group?

Highlighted
New Contributor

How to define "Role Mapping" based on RSA-ACE user group?

RADIUS Attribute from RSA server works well but each user belongs to only one radius profile thus lack of granularity. We need to get few groups for each user corresponding with IVE roles.
Custom expression like << groups = 'VPNSSL' >> does not work.
The user session monitoring does not indicate a transmitted variable.
So we're stuck. Any idea?
4 REPLIES 4
Highlighted
Frequent Contributor

Re: How to define "Role Mapping" based on RSA-ACE user group?

If the "integrated" Radiusserver coming with the ACE-Server does not have the feature to forward a user's groupmemberships of ACE Server groups you won't be able to do a rolemapping based on that.
For my undestanding the ACE groups shall be primarily used for grouping agent hosts to a user. And since you do not use the ACE API directly to access userdata, you won't even see the groupmemberships on an authentication agent.
Due to the ACE server is just an auhentication machine for use, we use it directly (with no radius in between) for the authentication on the IVE and do the rolemapping based on directory attributes, based on the fact that the user/groulogin for the IVE-Agent can be found in our LDAP as well.

hth
Highlighted
New Contributor

Re: How to define "Role Mapping" based on RSA-ACE user group?

Thank you Ben, it works. Here's what i did.
In auth. Server, i declared our corporate ldap directory, where CN are consistent with ACE usernames. I set the base DN and the filter to get the user entry and also the base DN, the filter and the name of the member attribute to get the group membership of the user. My java LDAP Browser was very helpful.
In the target user-realm general tab, i declared my ace server as authentication and my ldap server as Directory/attribute server. Then in the role mapping tab when i was able to select Group membership in the "rule based on" combo-box. Then by pressing the "Groups..." button then the "Search..." button in the popup, i was able to select the ad-hoc ldap group that my ldap admin created. Then i selected the role for that role-mapping rule.
The test with the ad-hoc user worked as expected (well). The policy tracing confirmed that the group membership is determined by querying the ldap server.
Highlighted
Frequent Contributor

Re: How to define "Role Mapping" based on RSA-ACE user group?

Yes, that's the same way we do that here, even if we use the specific ldap attribute to "split" our different customers, that are authenticated to the ace server...
Highlighted
Contributor

Re: How to define "Role Mapping" based on RSA-ACE user group?

I think the best way to be:

1. Install RSA Radius Server on ACE Server

2. configure different Radius Profiles. Use Radius "Class" Attribute with a value like "Management", "Teleworkers", "Stuff" and so on

3. Assign on ACE Server the proper Radius Profile to the RSA Users on "Edit User" Tab

4. Configure your IVE system as Agent Host on Radius Server and Radius Client

5. On IVE configure on Realm Level as Auth-Server a new Radius Server - your ACE Radius Server

6. On Realm Role mapping, use Rolemap Rulez based on Attributes. If attribute is "Management", then apply Role "Managemt".

7. On Ressource Policy ... Network Connect ... Profiles configure IP Pool for "Management"

Then if a user from the management logs in, the RSA Radius Server will send the class attribute with value "Management" to your IVE System, and the user will be mapped to management role, and get an IP in the tunnel which is used for Management people.