Secure Mobile Access 12.4 Administration Guide

Defining Multiple Authentication Servers

The SMA appliance supports the definition and use of multiple authentication servers. A realm references one or two authentication servers and determines which access agents are provisioned to your users and what End Point Control restrictions (if any) are imposed. See Users, Groups, Communities, and Realms for more about realms.

The following are examples of realms that reference multiple authentication servers:

  • Chained authentication (two authentication servers)

    Example: RADIUS with Token/SecurID and LDAP with username/password

    Users logging in to a realm are authenticated against two servers. You can configure AMC so that users see only one prompt. See Configuring Chained Authentication for details.

  • Use different servers to handle authentication and authorization

    Example: RADIUS with Token/SecurID and Active Directory (for group information)

    The user authenticates against one repository, and the user’s group information is then supplied by a second one. For more information, see Enabling Group Affinity Checking in a Realm.

  • Multiple credential types and a single authentication server

    Example: RADIUS with username/password and RADIUS with Token/SecurID

    Suppose your company's employees log in with a username and password, but the employees of your call center log in with SecurID tokens. You could create an employee realm and a callcenter realm, each referencing the appropriate credential type and RADIUS server.

  • Multiple instances of the same directory/authentication method using different back-end servers

    Example: Two RADIUS/password instances using different RADIUS servers

    In this case you would define two authentication servers, each with the appropriate server information.

  • Multiple instances of the same directory/authentication method on the same server, configured differently

    Example: Two instances of LDAP with username/password on the same server but using different search bases

    In this case each realm would search a different subtree within the directory. For example, suppose Partner A is in one LDAP subtree and Partner B is in another. You could define a partnerA realm and a partnerB realm, each configured with the appropriate search base.
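The search-base scoping in the last scenario can be modelled as follows. This is an added example, not code from the SMA appliance or this guide. The `dc=example,dc=com` suffix, the OU names, the sample DNs and the helper names are assumptions, as are case-insensitive matching and single-valued RDNs.

```python
# Added illustration of LDAP search-base scoping; not SMA appliance code.
# Realm names come from the guide; every DN below is a constructed sample.

def normalize_rdn(rdn):
    """Lower-case and trim one RDN (assumes case-insensitive attributes)."""
    attr, _, value = rdn.partition("=")
    return (attr.strip().lower(), value.strip().lower())

def split_dn(dn):
    """Split a DN into RDNs; a backslash-escaped comma stays inside the value."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])      # keep the escape pair intact
            i += 2
            continue
        if ch == ",":                    # unescaped comma separates RDNs
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    return [normalize_rdn(r) for r in rdns]

def in_search_base(user_dn, base_dn):
    """True when user_dn sits in the subtree rooted at base_dn."""
    user, base = split_dn(user_dn), split_dn(base_dn)
    # Compare whole RDNs from the right, never raw string suffixes.
    return len(user) >= len(base) and user[-len(base):] == base

# Hypothetical search bases for the two partner realms.
REALM_SEARCH_BASE = {
    "partnerA": "ou=PartnerA,dc=example,dc=com",
    "partnerB": "ou=PartnerB,dc=example,dc=com",
}

def realms_for(user_dn):
    """Realms whose search base would find this entry."""
    return sorted(realm for realm, base in REALM_SEARCH_BASE.items()
                  if in_search_base(user_dn, base))

if __name__ == "__main__":
    for dn in ("uid=alice,ou=PartnerA,dc=example,dc=com",
               "uid=carol,ou=Staff,dc=example,dc=com"):
        print(dn, "->", realms_for(dn))
```

An entry outside both subtrees matches no realm, which is the isolation the two search bases are meant to provide.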
