RADIUS Clients / More Than One Group
I have several RADIUS clients configured within the Security Console. I also have different RADIUS profiles created to access those devices. Device-specific attributes have been created which distinguish between admin and operators for the device in question. However, I'm unable to assign more than one group / profile to a client / RSA agent. This is forcing me to treat all users as though they are part of the same group, which I do not want. How do I assign or enable multiple groups to authenticate against a single RSA agent / RADIUS client?
I believe that since the RADIUS embedded in Authentication Manager (Funk/Juniper Steel Belted RADIUS) is not a fully licensed RADIUS server, this is a limit. Some might have some ideas on workarounds, but I think you would need to put something in front of Authentication Manager such as a Cisco ASA in order to control access with RADIUS attributes and profiles to that degree, where the user can be in different groups based on different RADIUS profiles for different RADIUS clients.
Maybe you can glean something out of the attached PDF, which Frank 'The RADIUS Guy' Miller wrote years ago, to return AD group information as a RADIUS attribute. Often we found that when multiple groups were returned for a user, many RADIUS clients could not pick out the needed group to grant access so gave the lowest access.