Native AD/NT - see attached
The setup items under my defined AD/NT auth servers
In the realm setting are you checking the box for "" or are you trying to use AD as an authorization server on the primary auth (RSA)? Like I said, you can't use native AD as an authorization server; native AD requires the user's UN/PW in order to function, but you should be able to configure it as an additional authentication server.
See message 4 attachment in this thread.
Modeling this same setup should allow the OP to get RSA authentication going. Same setup I'm using except we are using Mi-Token over RSA (way better IMHO).
@filbert: What I want is AD as an authentication server (first spot in the realm's auth server selection), and RSA as a secondary (authorization - second spot). I seem to be unable to do this, probably because AD is configured in native mode, not LDAP, like you said. What I don't understand here is why native does not work while LDAP does. And no, I am not selecting the "additional authentication server" option.
@NateK: Your solution looks interesting; however, the "additional authentication server" option that you used is usually not for token stuff, it's meant to be for SSO. So I am not sure I want to use this. Does anyone have any thoughts on this?
I will probably just end up defining AD through LDAP and be done with it, but I still would like to understand.
Thanks
RSA cannot be used for authorization; only LDAP and RADIUS have this potential
The secondary authentication server is not only for SSO; it is for if an additional verification is desired, such as what you are doing.
@zanyterp wrote:
RSA cannot be used for authorization; only LDAP and RADIUS have this potential
The secondary authentication server is not only for SSO; it is for if an additional verification is desired, such as what you are doing.
Thanks. That's odd though, because I can definitely select RSA as an authorization server when I put an LDAP server in the first spot.
Is there some documentation about this somewhere that goes into the details?
You have probably already seen this:
http://www.juniper.net/techpubs/en_US/sa/topics/task/configuration/secure-access-cluster-authenticat... has some details.
There is also a PDF if you Google 'Juniper Secure Access RSA'.
Our Mi-Token setup does use RADIUS at its core.
Might have to pop open a JTAC ticket to get specifics for what you are after.
@zanyterp wrote:
As NateK indicated: are you using RSA-as-RADIUS or the RSA (SecurID) server type?
I am using the native RSA SecurID server type.