I am not using AD/LDAP as authentication server. I have Radius server (Cisco ACS). I am using this radius server as authentication server.
When I use AD as authentication server then I can make role mapping rules based on groups name (fetched by group lookup and select group name) and give the access. But how can I do the same using radius server as authentication server?
Assuming the Radius Server returns group information as part of the return attributes, then on SA you need to create a Role mapping rule based on 'User Attribute' and from the drop-down select the attribute that will be returned by the Radius server.
See screenshot for sample config
Thank you very much for the reply. I would really appreciate it if you could tell me how I can check on the radius server what attribute it is returning. Is it the group name?
Check with your RADIUS admin. If he is not sure, you can also check what is being returned by looking at a tcpdump of a login with Wireshark (filter for radius).
The radius server is Cisco ACS. I checked the configuration on ACS. It is like:
Class OU=ALDAR
So on SSL VPN, which radius attribute should I need to use to map with role?
It's not clear if
1. your Radius return attribute is Class and the value is 'OU=ALDAR' (in that case you can select Class from the drop-down option)
2. your Radius return attribute is Class OU and the value is ALDAR (in that case you will have to create a custom expression for role mapping, similar to userAttr.Class OU = 'ALDAR')
I think it should be #1, however I can't say for sure based on the info in your post.
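To see which of the two interpretations applies, it helps to decode the Access-Accept exactly as it appears on the wire (the same thing the Wireshark check above shows). The following is an added example, not code from this thread or from the SA product: it builds a constructed Access-Accept carrying a Class attribute (RFC 2865 type 25) with the value OU=ALDAR, decodes the attribute TLVs, and evaluates a rule equivalent to userAttr.Class = 'OU=ALDAR'. The rule format and the sample packet are assumptions for illustration.

```python
import struct

ACCESS_ACCEPT = 2
# RFC 2865 attribute codes used here (others are reported as Attr-<n>)
ATTR_NAMES = {11: "Filter-Id", 25: "Class", 26: "Vendor-Specific"}


def build_access_accept(attributes):
    """Construct a sample Access-Accept from (type, value-bytes) pairs.
    The 16-byte Response Authenticator is zeroed: this is a constructed
    packet for offline inspection, not one a client would accept."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attributes)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body


def parse_attributes(packet):
    """Decode attribute TLVs of an Access-Accept into {name: [values]}.
    Returns {} for any other code or for a length field that disagrees
    with the actual packet size. The authenticator is not verified."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return {}
    attrs = {}
    pos = 20  # 4-byte header + 16-byte Response Authenticator
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            break  # malformed attribute: stop rather than misread bytes
        value = packet[pos + 2:pos + alen].decode("ascii", "replace")
        attrs.setdefault(ATTR_NAMES.get(atype, f"Attr-{atype}"), []).append(value)
        pos += alen
    return attrs


def map_roles(attrs, rules):
    """Evaluate role-mapping rules of the form (attribute, expected, role).
    ("Class", "OU=ALDAR", "ALDAR-Users") mirrors userAttr.Class = 'OU=ALDAR',
    i.e. interpretation #1 above: the attribute is Class, the value OU=ALDAR."""
    return [role for attr, expected, role in rules if expected in attrs.get(attr, [])]


# Constructed sample: Class = "OU=ALDAR" plus an unrelated Filter-Id
SAMPLE = build_access_accept([(25, b"OU=ALDAR"), (11, b"vpn-users")])
RULES = [("Class", "OU=ALDAR", "ALDAR-Users"), ("Filter-Id", "admins", "Admins")]

if __name__ == "__main__":
    decoded = parse_attributes(SAMPLE)
    print(decoded)                    # {'Class': ['OU=ALDAR'], 'Filter-Id': ['vpn-users']}
    print(map_roles(decoded, RULES))  # ['ALDAR-Users']
```

If the decoded dictionary shows the whole string OU=ALDAR under Class, the plain Class attribute rule is the right one; only if the server sent something else would a custom expression be needed.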
This should be something coming through on your policy trace as well, which you can use to determine how the rule needs to be created.
You want to specify your AD/LDAP server as your authorization server.
I do authentication against a Radius server which proxies authentications to a number of RSA ACE servers. I then use the user ID from that authentication to do a search on our AD as a LDAP server. So, in my realm definition, the Radius server is listed as the authentication server, and the LDAP as the authorization server.