Forum Discussion
APM Selection of Authentication Methods
Hi,
In APM I have to authenticate several users with different methods: some users authenticate against RADIUS, other users against AD, others, etc. In the VPE I know that I can use the landing URI of each authentication method. Is there another way to do this authentication method selection if I only want to use one URI?
Regards, MC
8 Replies
- nathe
Cirrocumulus
Marco,
New to APM but here are my thoughts. Could you use a Decision Box for the user to select what auth type they require? If they know, of course!
Or, is there any way of determining which clients will need to authenticate in different ways? For example, if a user has a company client-side cert you could check for that and then point them to AD auth. If they haven't, then the fallback could be RADIUS auth.
May, or may not, help.
N
- Marco_Castro_11
Nimbostratus
Hi Nathan,
Thank you for your thoughts! I have already thought of the Decision Box but it is not an option. This is a migration from FirePass to APM, and in FirePass you can configure FirePass local users to authenticate against RADIUS, LDAP, etc., but in APM I can't... So I am looking for an alternative.
Regards, MC
- nathe
Cirrocumulus
Fair enough. Hopefully someone who knows more about APM will advise.
- Kevin_Stewart
Employee
As Nathan alludes, you need some way to know which method to choose. FirePass required some pre-configuration of the local users to do the same. And interestingly enough, APM now has support for local users in 11.4, so you could potentially store the user name in the local user database, and a reference to what auth method they need to use.
- Kevin_Stewart
Employee
It really just boils down to HOW to attribute a particular authentication type to a specific user, so you have to have this information somewhere. If you could add an entry to one of your directory services for all of the users and then indicate appropriate auth method there, then you could query that first and then do the auth. You could also technically try all of the auth methods in order until one of them worked. It'd produce a lot of "failed" log messages, but it's an option nonetheless.
Won't different entry points work? Like different virtual servers? Or do the users not know they have different groups?
It will be different from FirePass for sure, but they are different devices.
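One way to wire up the "query first, then pick the auth method" approach Kevin describes, as an added example that is not part of the thread: an iRule Event agent in the access policy reads the attribute returned by an earlier LDAP Query agent and copies a normalized value into a custom session variable that the following branch rules test. The attribute name `authMethod`, the agent ID `select_auth`, and the session variable `session.custom.authmethod` are assumed names for illustration; `ACCESS::policy agent_id`, `ACCESS::session data get/set` and the `session.ldap.last.attr.<name>` variables are standard APM iRule/session names.

```tcl
# Added example (not from the thread). Assumptions:
#  - an LDAP Query agent has already run for the logged-on user and returned
#    an attribute named "authMethod" (hypothetical attribute name), which APM
#    exposes as session.ldap.last.attr.authMethod
#  - the iRule Event agent in the VPE is configured with the agent ID
#    "select_auth" (hypothetical)
#  - the branch rules after that agent test session.custom.authmethod, e.g.
#      expr { [mcget {session.custom.authmethod}] == "radius" }
#      expr { [mcget {session.custom.authmethod}] == "ad" }
#    with the fallback branch leading to the LDAP auth agent
when ACCESS_POLICY_AGENT_EVENT {
    # Only act for our own agent; other iRule Event agents may share the iRule.
    if { [ACCESS::policy agent_id] ne "select_auth" } { return }

    set user   [ACCESS::session data get "session.logon.last.username"]
    set method [string tolower [ACCESS::session data get "session.ldap.last.attr.authMethod"]]

    switch -- $method {
        "radius" -
        "ad" -
        "ldap" {
            # Known value: expose it to the branch rules as-is.
            ACCESS::session data set "session.custom.authmethod" $method
        }
        default {
            # Missing or unknown attribute: choose one explicit default rather
            # than leaving the variable unset, and log the decision so an
            # unexpected directory value is visible in the APM logs.
            log local0. "select_auth: no usable authMethod for '$user' (got '$method'), defaulting to ad"
            ACCESS::session data set "session.custom.authmethod" "ad"
        }
    }
}
```

Because the directory attribute decides which authentication server sees the user's credentials, treat write access to that attribute as security-sensitive: whoever can change it can redirect a user's password to a different backend. The default branch should be the strictest method you operate, not the most permissive one.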
- amolari
Cirrostratus
I suppose you were doing the following on FirePass: have the users defined in the local FP DB but with external auth. Each user was configured with a MasterGroup and each MasterGroup has its auth method. This scenario doesn't work with APM I think, as the local DB with an external auth mechanism isn't implemented (yet? hopefully!). I have performed FP->APM migrations where there was a dynamic mapping LandingURI<>MasterGroup. I've advised those customers to migrate away from the LandingURI concept (a VS does not match the MasterGroup concept) to "VirtualHost" and then use the external auth directly with one of APM's AAA methods.
- amolari
Cirrostratus
FP has the limitation that you cannot mix LandingURI dynamic mapping with VirtualHost dynamic mapping; many of my customers went for LandingURI dynamic mapping (to MasterGroup). A MasterGroup has one auth method, and then resources could be dynamically associated. You can have multiple auth methods per VS (per Access Policy), but bear in mind that some settings (timeouts and customization, for example) are set at the Access Policy level and you have one Access Policy per VS. The easiest way for an FP->APM migration IMHO is to think AccessPolicy=MasterGroup.
