I have an sa4500 with 7.0R1 installed. I'd appreciate help setting up the unit so that when a user comes in from an external IP they get a login prompting for username/SecureID/AD_Password. Internal users should only have to log in with Username/AD_Password. Is this possible to do using a single URL? I can do it with a separate URL with a separate Signin Page. We are at the user documentation stage of deployment and we are trying to keep things as simple as possible for our users.
Yes, this is doable. You can configure a custom login page which, based on source IP, sends the user to the correct page.
Here's some sample code for LoginPage.thtml:
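<% USE CGI %>
<%# Source IP address of the connecting client %>
<% ipaddress = CGI.remote_addr() %>
<%# True when the address starts with "10." (internal range) %>
<% matches10 = ipaddress.match('(^10\..)') %>
<% IF matches10 %>
<%# markup for clients in the 10.x range goes here %>
<% END %>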
You'll need to read the custom page how-to, but this is not hard to do. We've done several things just like this.
Thanks for the help. I had tried using the role mapping at the user realm with an expression to pick the subnets. That hadn't worked. Setting the Authentication Policy with opposed subnet allow/deny did work. One thing additional, on the external policy I had to add a 0.0.0.0/0.0.0.0 allow after the deny. Otherwise all external connections were disallowed.
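The ordering issue described in the reply above, as an added example that is not part of the original thread: a small model of two realms with opposed source-IP rules. It assumes first-match evaluation with an implicit deny when nothing matches, which is consistent with the behaviour reported; the realm names, the 10.0.0.0/8 range and the sample addresses are constructed.

```python
import ipaddress

# Constructed policies: the thread names no subnets apart from the 10.x match
# in the sample template, so 10.0.0.0/8 stands in for "internal".
INTERNAL = [("allow", "10.0.0.0/8")]
EXTERNAL_BROKEN = [("deny", "10.0.0.0/8")]  # no catch-all allow
EXTERNAL_FIXED = [("deny", "10.0.0.0/8"), ("allow", "0.0.0.0/0.0.0.0")]


def evaluate(rules, source_ip):
    """Return the action of the first rule whose network contains source_ip."""
    addr = ipaddress.ip_address(source_ip)
    for action, network in rules:
        if addr in ipaddress.ip_network(network):
            return action
    return "deny"  # assumption: nothing matched, so the realm is refused


def realms_for(source_ip, external_rules):
    """List the (hypothetical) realms whose source-IP policy admits this client."""
    realms = {"internal": INTERNAL, "external": external_rules}
    return [name for name, rules in realms.items()
            if evaluate(rules, source_ip) == "allow"]


if __name__ == "__main__":
    for ip in ("10.1.2.3", "203.0.113.7"):
        print(ip, "without catch-all:", realms_for(ip, EXTERNAL_BROKEN))
        print(ip, "with catch-all:   ", realms_for(ip, EXTERNAL_FIXED))
```

With the catch-all in place each client is admitted to exactly one realm, so a single URL can serve both groups; without it an outside address matches no rule in either realm.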
Do a custom sign-in page.
Sign-in URL uses both realms, user picks from list.
In the custom sign-in you choose the realm without RSA when the RSA code field is blank.