RSA on the outside, AD on the inside. One URL

Hello,

I have an sa4500 with 7.0R1 installed. I'd appreciate help setting up the unit so that when a user comes in from an external IP they get a login prompting for username/SecureID/AD_Password. Internal users should only have to login with Username/AD_Password. Is this possible to do using a single URL? I can do it with a separate URL with a separate Signin Page. We are at the user documentation stage of deployment and we are trying to keep things as simple as possible for our users.

Re: RSA on the outside, AD on the inside. One URL

While I have never tried this, you could create two realms with the different password scenarios and in the "Authentication Policy/Source IP", enter in your internal IP address space and only allow users who are in the address space access to the "AD" realm, and deny users in this address space access to the "RSA" realm. You can then put both realms in the "sign-in" policy and the end users should get the one they are supposed to be allowed, based on what their IP address is... There may be other ways of doing it, but this is what comes to mind for me... We've done the same thing for "roles", but I don't see why it wouldn't work for "realms" as well.. -Stephen

Re: RSA on the outside, AD on the inside. One URL

Yes, this is doable. You can configure a custom login page, which based on source IP, sends the user to the correct page.

Here's some sample code for LoginPage.thtml:

<% USE CGI %>

<%# client address as seen by the appliance %>
<% ipaddress = CGI.remote_addr() %>
<%# true when the address starts with "10." (the internal space in this sample) %>
<% matches10 = ipaddress.match('(^10\..)') %>
<% IF matches10 %>
   <%# internal-address handling goes here %>
<% ELSE %>
   <%# external-address handling goes here %>
<% END %>

You'll need to read the custom page how to, but this is not hard to do. We've done several things just like this.

Re: RSA on the outside, AD on the inside. One URL

Thanks for the help. I had tried using the role mapping at the user realm with an expression to pick the subnets. That hadn't worked. Setting the Authentication Policy with opposed subnet allow/deny did work. One thing additional, on the external policy I had to add a 0.0.0.0/0.0.0.0 allow after the deny. Otherwise all external connections were disallowed.
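A small model of the realm source-IP policies described in the accepted answer and in this follow-up, added here as an illustration and not code from the thread or from the appliance. It assumes rules are evaluated top-down, first match wins, a non-empty list with no match denies, and an empty list allows everyone; the 10.0.0.0/8 internal range and the client addresses are constructed sample values.

```python
import ipaddress
from typing import List, Tuple

# ("network/mask" in the dotted-netmask form used in the thread, "allow" | "deny")
Rule = Tuple[str, str]


def realm_allows(rules: List[Rule], client_ip: str) -> bool:
    """Assumed model of a realm's source-IP policy: ordered rules,
    first match wins, no match on a non-empty list means deny,
    and an empty list places no restriction."""
    if not rules:
        return True
    ip = ipaddress.ip_address(client_ip)
    for net, action in rules:
        # ip_network accepts "10.0.0.0/255.0.0.0" and "0.0.0.0/0.0.0.0"
        if ip in ipaddress.ip_network(net, strict=False):
            return action == "allow"
    return False


INTERNAL = "10.0.0.0/255.0.0.0"  # constructed internal address space

# AD realm: only the internal space may use it.
AD_REALM_RULES: List[Rule] = [(INTERNAL, "allow")]

# RSA realm, first attempt: deny internal only. With no further rule,
# external clients match nothing and are denied too (what the poster saw).
RSA_REALM_RULES_BROKEN: List[Rule] = [(INTERNAL, "deny")]

# RSA realm, fixed: the deny is followed by an allow-all, so externals match it.
RSA_REALM_RULES_FIXED: List[Rule] = [(INTERNAL, "deny"), ("0.0.0.0/0.0.0.0", "allow")]


def realms_offered(client_ip: str, rsa_rules: List[Rule]) -> List[str]:
    """Realms the sign-in policy would present to this client."""
    realms = {"AD": AD_REALM_RULES, "RSA": rsa_rules}
    return [name for name, rules in realms.items() if realm_allows(rules, client_ip)]


if __name__ == "__main__":
    for ip in ("10.20.30.40", "203.0.113.5"):
        print(ip, "broken:", realms_offered(ip, RSA_REALM_RULES_BROKEN),
              "fixed:", realms_offered(ip, RSA_REALM_RULES_FIXED))
```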

Re: RSA on the outside, AD on the inside. One URL

Do a custom sign-in page.

Sign-in URL uses both realms, user picks from list.

In the custom sign-in you choose the realm without RSA when the RSA code field is blank.

Simple.

Cheers .-)