Michael_Levinso
Aug 16, 2007

Firepass Using AD for Groups and Radius (RSA)

Hello All:

We are currently using Firepass v6.0.1 fp4 and have a situation which has us up against a wall. We have a situation where we are using Active Directory and Radius (RSA). So the situation is as follows. An end user with a company laptop goes to log in to Firepass. They log in with their username, they enter their Radius information (PIN&Token) on the 2nd line and their AD password on the 3rd line (for SSO). The whole and only reason we are using Radius (RSA) is to protect the Network Connect function. No Token = No Network Connect link. The end user has the ability for less access by only entering username and domain password. The issue here is that when a user goes to log in to the Firepass and enters token information and AD, the Firepass will place the end user in the Radius Master Group instead of an AD master group. This is a large challenge and is not what we are trying to accomplish. This configuration is also causing problems when end users' AD passwords expire. In this situation the Firepass will still attempt to send password information to the Radius server to auth even when you are trying to change your password. The change password screen also creates confusion for the end user as it will display the Radius box, the domain box and then two additional boxes for the password change. If the end user is only attempting to change their domain password, they enter their OLD domain password in the Radius box, then enter the new password in the new password box. Once that is completed the end user then gets a webtop, with no SSO capabilities at that point. That also creates a bad end user experience. Further, the end user experience when a password is wrong or Radius is wrong is tough to understand. The Firepass does not tell the end user which of their credentials are incorrect and this can result in locked out accounts in both Radius and AD.


My question here is: does anyone else use both Radius or RSA and Active Directory together in end user authentication? How are you handling the situation I mention above?


Michael Levinson


CNA Insurance

1 Reply

Michael:

Can't you just set the AD group mapping in your Master group mapping table to have a higher priority than RADIUS group mapping?

The secondary AD authentication is a nice feature but it could use some work. Here are some of the gripes I have:

1) You should be able to enable it by group instead of globally. This way you could have secondary AD auth only if a user comes in on a specific virtual host or has a certain session variable (endpoint check). Right now, the user is given a second password prompt even if it is disabled in the Master Group Authentication settings. If you have a group that uses AD-only authentication the user has to enter the AD password twice - once to log into FirePass and again to be used for SSO.

2) If one of your passwords fails you have no idea which one. This has been causing some pain with our users - locked accounts, etc.

3) When your AD password expires, you have to perform RADIUS authentication before you can change your AD password.

Matt