SamiH
Contributor

LDAP user and RADIUS MFA

I have a working setup where the gateway uses user@domain to map the user to an external profile, which has RADIUS defined as the authentication method. After that, the RADIUS server performs MFA. The problem is that all users accessing the gateway have the same external profile and therefore the same user group, so I cannot distinguish the users by e.g. LDAP user group membership and use those group memberships in Access Roles.

I have tried to find a way to perform authentication so that the user authenticates via the LDAP account unit but performs MFA via the RADIUS server after that. That way the LDAP user group membership could be verified and access defined in a more granular way.

I noticed there is also a schema extension to the LDAP server for fw attributes, but I don't want to do that just for fun, since they cannot be removed from the schema if it doesn't work. There is an fw1authmethod attribute to define the authentication method in the user object, and an fw1authserver attribute too, which makes me imagine the gateway would read them and perform the authentication in RADIUS after LDAP.

My question is: has someone managed to create such configuration somehow?
Either via external user profile or schema extension or some other way?

1 Reply
SamiH
Contributor

Got some progress here. 

I defined the LDAP account unit so that the default authentication method is RADIUS. Now the VPN user is associated with one primary group based on the group in the RemoteAccess community, i.e. if a user has login privilege via a certain LDAP group, it also gets associated with that group. The problem is that that group is the only associated group, so only it can be used in Access Roles. What I would need is to include AD security groups in Access Roles, but Identity Awareness for remote access doesn't check or cannot see the group membership.

I can of course create LDAP groups for each and every different access role and include them all in the RemoteAccess community, but that seems kind of stupid. What I want is to have one LDAP group that defines whether the user has VPN rights, i.e. that group is a member of the RemoteAccess community, and then the Access Roles would use Security Group membership for allowing access to separate resources. If I do it by including everything in the RA community, it will become impossible if I need to associate someone with multiple roles.

Has anybody had any success using AD Security Groups in Access Roles?

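To make the difference between the two group-association behaviours discussed in this thread concrete, here is an added example (not code from the thread, and not Check Point's implementation). It builds a small constructed directory with hypothetical DNs, resolves a user's effective AD group membership transitively through nested groups (with a cycle guard), and then evaluates a set of hypothetical Access Roles twice: once against the user's full membership set, and once against only the single "primary" RemoteAccess community group that the poster reports the gateway associating with the user. The gateway behaviour is modelled as described in the thread, not verified against product documentation.

```python
from collections import deque

# Constructed sample directory (hypothetical DNs): object DN -> direct memberOf.
# It contains a nested group (Finance -> ERP-Access) and a deliberate membership
# cycle (ERP-Access -> Finance) so the resolver's cycle guard is exercised.
DIRECTORY = {
    "CN=alice,OU=Users,DC=example,DC=com": [
        "CN=VPN-Users,OU=Groups,DC=example,DC=com",
        "CN=Finance,OU=Groups,DC=example,DC=com",
    ],
    "CN=bob,OU=Users,DC=example,DC=com": [
        "CN=VPN-Users,OU=Groups,DC=example,DC=com",
    ],
    "CN=VPN-Users,OU=Groups,DC=example,DC=com": [],
    "CN=Finance,OU=Groups,DC=example,DC=com": [
        "CN=ERP-Access,OU=Groups,DC=example,DC=com",
    ],
    "CN=ERP-Access,OU=Groups,DC=example,DC=com": [
        "CN=Finance,OU=Groups,DC=example,DC=com",
    ],
}

# Hypothetical: the one LDAP group that is a member of the RemoteAccess
# community, i.e. the group that grants VPN login.
COMMUNITY_GROUPS = ["CN=VPN-Users,OU=Groups,DC=example,DC=com"]

# Hypothetical Access Roles: role name -> set of groups, any of which satisfies it.
ACCESS_ROLES = {
    "RA_Allowed": {"CN=VPN-Users,OU=Groups,DC=example,DC=com"},
    "Finance_Role": {"CN=Finance,OU=Groups,DC=example,DC=com"},
    "ERP_Role": {"CN=ERP-Access,OU=Groups,DC=example,DC=com"},
}


def effective_groups(user_dn, directory=DIRECTORY):
    """Transitive closure of memberOf, breadth-first; the visited set makes it
    terminate even when the directory contains a group-membership cycle."""
    seen = set()
    queue = deque(directory.get(user_dn, []))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(directory.get(group, []))
    return seen


def primary_group(user_dn, directory=DIRECTORY, community_groups=COMMUNITY_GROUPS):
    """Model of the behaviour described in the thread: the user ends up associated
    only with the RemoteAccess community group that granted login, not with
    every security group they belong to. Returns None if no community group matches."""
    groups = effective_groups(user_dn, directory)
    for candidate in community_groups:
        if candidate in groups:
            return candidate
    return None


def matching_roles(groups, roles=ACCESS_ROLES):
    """Names of the Access Roles whose group requirement intersects the membership set."""
    return sorted(name for name, required in roles.items() if required & groups)


def compare(user_dn):
    """Roles granted with full nested membership vs. with only the primary group."""
    full = matching_roles(effective_groups(user_dn))
    primary = primary_group(user_dn)
    primary_only = matching_roles({primary}) if primary else []
    return {"full": full, "primary_only": primary_only}


if __name__ == "__main__":
    for dn in DIRECTORY:
        if ",OU=Users," in dn:
            print(dn, compare(dn))
```

Running it shows the gap the poster describes: with full membership resolved, alice qualifies for all three roles (including ERP_Role, inherited through the nested Finance group), while with only the primary RemoteAccess group she qualifies for RA_Allowed alone, and the only way to reach the other roles would be to add each of their groups to the community as well.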