Showing results for 
Search instead for 
Did you mean: 

Role mapping with two-factor (RSA) and ldap (AD)

Occasional Contributor

Role mapping with two-factor (RSA) and ldap (AD)

We have successfully setup two-factor authentication with RSA and ldap (via AD). We have also successfully setup role mapping using AD groups and other attributes. At this point I would like to setup role mapping that includes whether or not a user has passed the "additional authentication server" auth. The "additional authentication server" is setup so that it will NOT end the session if auth fails. Currently ldap is our primary with RSA as our secondary.

I'm trying to setup something like this:

User logins with password only -> role 1
User logins with password + RSA + in proper AD group -> role 2

Has anyone done this? Any thoughts? I've done policy traces both with and without the 2nd authentication server and no usable attributes pop out at me.

Super Contributor

Re: Role mapping with two-factor (RSA) and ldap (AD)

I've done something like this, but never with native ACE. What I did find when using Radius for secondary authentication was that - when the secondary authentication failed - no variables of the form [email protected] were populated.

I just tried what I think you are attempting, and see a difference between the parameters when ACE authentication is successful and not successful. If authentication is successful, then the parameter [email protected] (assuming ACE is the name of the secondary auth server) is populated. If authentication is unsuccessful, then [email protected] is not populated. So, you might be able to make a decision based on that.

I would be concerned about the number of failing authentications you would have through the RSA server. If your population that has tokens uses them everytime, then all will be OK. If they sometimes log on without their token, then that would be a failed authentication to ACE. Too many of them in a row disables an ACE account.

Also, it does not appear that you can do secondary authentication and not enter a password for that authentication with the standard pages. You could do custom pages and fill in some dummy password if the user did not enter one.


Occasional Contributor

Re: Role mapping with two-factor (RSA) and ldap (AD)

I was having quite a difficult time with this setup a few years ago. Ideally I would have liked to do RSA as the primary and AD as the secondary. However, if AD is secondary I cannot pull back group memberships to do proper mapping (AD is our central book of records). Having AD as a primary would work, however putting AD up for the world to try and lock out seemed like a pretty bad idea...

In the end I came up with this solution (due to a multi-domain environment and the need for a single web site sign-in for all users):

RSA as primary sign in

RADIUS as secondary sign in, which does LDAP lookups, authentication and returns group memberships via custom scripts.