networking-forum.com
All times are UTC - 6 hours [ DST ]
PostPosted: Mon Dec 19, 2011 2:39 pm 
Junior Member

Joined: Wed Jan 27, 2010 2:37 pm
Posts: 59
Certs: CCNA
Hello,

Is it possible to use both RSA SecurID for authentication and Windows 2008 LDAP for authorization? Basically, what I currently have now is RSA as a RADIUS server for authentication. But I would also like to use Dynamic Access Policy ACLs based on their Active Directory group membership. Is that possible?

Thanks,
Mike


PostPosted: Mon Dec 19, 2011 3:00 pm 
Post Whore

Joined: Fri Nov 13, 2009 5:15 pm
Posts: 2050
Location: Pittsburgh
Certs: CCIE R&S,CCIP,JNCIA,VCP510
Yes, it is. I used it within the ASA for VPN authentication to put certain users within different tunnel groups depending on their AD names. It was set up for local as well. If you are used to the CLI, you are going to have to accomplish this within the ASDM. There are some documents out there on how to set up dynamic ACLs.

_________________
"I will prepare and some day my chance will come." - Abraham Lincoln
http://danielhertzberg.wordpress.com - I blog about networks!


PostPosted: Wed Dec 21, 2011 2:17 pm 
Cisco Inferno

Joined: Mon Jul 10, 2006 12:58 am
Posts: 10202
Location: Seattle
Should be possible, although I've never used that exact combination. My setup doesn't require fundamental differences between AD groups for VPN access, so I'm able to run them all within the same tunnel-group, but I use DAP in conjunction with AD and it works great.

_________________
Reasonably un-nerdy blog:
americanwerewolfinbelgrade.wordpress.com/


PostPosted: Fri Feb 17, 2012 8:17 pm 
Post Whore

Joined: Sat Oct 20, 2007 11:05 am
Posts: 1953
Location: Plano, TX
Certs: CCNA
I just searched this yesterday looking for the same answer. There is almost no documentation on this specific setup, but there is a Cisco document, "Kerberos Authentication and LDAP Authorization Server Groups" (link). Only in our case SDI is for authentication and LDAP for authorization.

Simply set up an aaa-server group for the RSA like you normally would for authentication. Then set up an aaa-server group for LDAP the same way as if you were using it for authentication, and add the appropriate LDAP attribute maps to associate the LDAP memberOf (AD groups) with a group policy.

Then on your tunnel group, select the RSA aaa-server group for authentication. Go to the authorization section and select the LDAP aaa-server group for authorization.

That's it.

