cancel
Showing results for 
Search instead for 
Did you mean: 

Role Mapping User Role base on Group Membership from AD

Highlighted
Contributor

Re: Role Mapping User Role base on Group Membership from AD

I would recommend to use IAS (or on Server2008 NPS) als Radius Server to authenticate users AND to map the user to a IVE Role via Radius Attributes.

Dead easy - and stable like hell - and easy to troubleshoot - and you can also use radiusproxy to authenticate users from other ad domains.

Little HowTo

On the Windows Server..

1. Install IAS on your Server2003 Memberserver or on Domaincontroller

2. Register your IAS in your AD (rightklick on the mmc on IAS to do that)

3. Add your IVE internal IP Address as Radius Client to IAS. configure Radius shared secret.

4. Configure RAS Policy on IAS

Select "Windows Group" like "Management Users" (or even "Domain Users" for testing)

5. On IAS RAS Policy, Profile.. Advanced delete all Attributes.

Add attribute Class (25) with a Value like for example "1"

6. Restart IAS Server each time you change the configuration

7. Configure additional RAS Policies, for the "Stuff Users" in this example. Give Attribute "Class" the Value "2"

On IVE..

1. Configure your userroles like "Management Users" and "Stuff Users"

2. On Realm Level, configure Rolemapping Rules

2.a. IF User attribute Class (25) is "1" then assign Role "Management Users"

2.b. IF User attribute Class (25) is "2" then assign Role "Stuff Users"

Explanation:

If a user logs in to IVE, the credentials of the user are transmitted encrypted to the IAS Radius Server.

The Radius Server proves in AD if the usercredentials are ok and if the user is in the configured windows group.

If the user is member of the group "Management Users", this RAS Policy will match, and the IAS will send a "RAdius Accept" Message back to IVE. PLUS the IAS will send Attribute "Class" with Value "1" to IVE.

Then the IVE will match the user to the role "Management Users" because of the Value of Variable Class.

Why is this the best solution?

The IVE AD integration works with winbind. This is much more complicated and "more things can go wrong".

When you use AD for Authentication and Groupmembership, you have to use Global Catalog on IVE.

With Radius you have a dead easy, stable and scalable solution.

You can also easily use your IAS as RadiusProxy and also integrate Users from other Windows Domains, according to their "prefix" on logon, for example domain1\username and domain2\username.

You can troubleshoot the process easily via Windows System Events Log.

You can also use policytracer, tcpdump and network monitor to see which attributes the IAS is returning.

I installed several SAs and tried everything out, also did AD Authentication, but my expirience is - go with Radius and it will be done fast and with much less headache.

Highlighted
Contributor

Re: Role Mapping User Role base on Group Membership from AD

Hi,

Thank you for your alternative solution, really appreciate it.

But for the existing my client is using AD, and they want to authenticate using AD.

So i think cannot change to radius.

Thank you

Highlighted
Contributor

Re: Role Mapping User Role base on Group Membership from AD

Well - then maybe THIS ONE could help?

http://www.juniperforum.com/index.php/topic,5170.0.html

Anyway, you could configure also IAS Auth, its just one click to switch between AD and Radius on IVE.

You could use a test sign-in policy and realm to test the IAS solution.

With AD Solution you need a very powerfull AD Administrator Account on your IVE with static password!

And the IVE needs to create a computeraccount in AD for itself.

Contributor

Re: Role Mapping User Role base on Group Membership from AD

Hi,

for admin username: is it has to use administrator ? or also can user other username that we create read only access?

Thanks

Highlighted
Contributor

Re: Role Mapping User Role base on Group Membership from AD

Must be very powerfull AD User. Must have right to add objects to AD.

This user must create the AD Computeraccount for the IVE in Active Directory.

Dont create manually AD Computeraccount for IVE - wont work.

Yes, should be Domain Administrator.

Highlighted
Contributor

Re: Role Mapping User Role base on Group Membership from AD

One more point...

If in the company the AD password policy enforces users to change their ad passwords on a regular basis,

the IVE will NOT present a message to the User to change his password.

The attribute "User must change his password" is not communicated to the user.

If you want to use password management, you should go for LDAP.

My solution - using Radius.

When a user can not log in cause he has to change his ad password, a error message is presented to the user (created on sign-in page, custom sign-in page) where a weblink is presented to the user so he can change his ad password via another solution for passwordchanging from outside the company.

Highlighted
Contributor

Re: Role Mapping User Role base on Group Membership from AD

Hi,

actually we use user account not administrator for auth. server SA to AD.

and if we look in AD, the computer name for SA has already added to AD.

I tested connection from SA to AD and their communication is okay and i can retrieve group membership in role mapping. The objectiive is I want to use role by group-user based on AD-group, example group-1,group-2.

the issue is when using role mapping by group, the user which belonging to those group-1 or group-2 cannot login to SA, but when using role mapping by username, those user can login to SA.

So, i'm still stuck to use role mapping based on group on AD.

Highlighted
Contributor

Re: Role Mapping User Role base on Group Membership from AD

Hi,

do you use nested groups in your AD?

If so, do you have configured the SA to use nested groups?

Highlighted
Contributor

Re: Role Mapping User Role base on Group Membership from AD

Hi,

yes, using nested group.

how to configure nested group in SA?

Highlighted
Contributor

Re: Role Mapping User Role base on Group Membership from AD

under

Authentication -> Auth. Servers you have to choose your Auth.-Server (AD)

Under

Determing group membership

you can configure the nested groups option.

You can choose to "search all nested groups" which can be very slow.

I recommend to choose the nested groups level option, which is set to 2 on my SA