Hi all, I'm working on a project where I'm trying to support Active Directory based auth as well as SecurID based auth. I'm running into some RSA issues but I expect I'll have that addressed shortly.

The part I'm having a hard time wrapping my head around is how Check Point will enumerate group membership. The idea we're testing out is default auth will be Active Directory except when a user's login is bob@rsa, which in theory will kick in the external user profile which is set to SecurID for auth. What I'm not understanding is how will RSA figure out group membership? I'm being told RSA will communicate the group name the user is a member of. I'm not sure I agree but I'm basing that purely on Check Point experience with RSA. Normally what I would see is generic* used and what I've seen is the Check Point will look up group membership via LDAP. This of course means the default auth is now SecurID as well.

My concern is Check Point will only look up group membership via LDAP for the default auth and not external. I don't know this is true; I'm just basing this on some testing I was doing with RADIUS, which is very apples to oranges, I know. Maybe no matter what, when SecurID is used Check Point will look up group membership via LDAP and there is nothing to worry about.

Anyway, thanks for any input.