Assuming your Active Directory domain is called testad.local and you've named the appliance "rsaappliance.testad.local" in DNS...
1. You'll need to do the base configuration and set up the initial license file. It's important that the following is configured correctly:
2. The next work requires use of the operations-console:
Under the admin console -> deployment configuration -> Identity sources -> add new ->
(you'll probably be required to provide administrative credentials to get in)
Of course, you might have OUs set up for these sorts of things. If you had an OU in your domain called "utilityusers," the entry would be:
(for those of you unfamiliar with LDAP, cn should be the full name of the user.)
2b. click on the "map" tab and set your User Base DN and User Group base DN. If you're not using any OUs, you'll default to the standard cn=users,dc=testad,dc=local... otherwise, put in the appropriate OU. You can fine tune the LDAP search filters and mappings below, but all you need to get started is the User Base DN and User Group DN.
By the way, if you check "Directory is an Active Directory Global Catalog," you'll likely get an error in a later step:
"Cannot link the runtime identity source because no administrative identity sources reference this runtime source"
The easiest way to fix this is to uncheck "Directory is an Active Directory Global Catalog" - or do additional configuration.
3. You'll want to enable the Radius Server, if you're going to authenticate against this appliance from, say, a Cisco ASA:
Deployment Configuration -> RAIDUS -> Configure Server -> go ahead and create your RADIUS server... the defaults should be fine.
4. You'll need to link the newly created Identity Source to a realm (newly created or the default SystemDomain realm.)
Go to the security console:
5. From there, go to Administration -> REALMS -> Manage Existing (you can create a new realm, if you have the appropriate licensing)
select the "SystemDomain" realm (or the realm you created if you chose to create your own.)
Under Link Identity Source, select the active directory Identity source you created in step one and click the arrow pointing to the right to put it in the linked field. Now, save your entry.
If you get the dreaded "Cannot link the runtime identity source because no administrative identity sources reference this runtime source," this probably means you set the Active Directory Identity Source in step 1 to be a Global catalog.
You should be ready to add tokens. To do so under the security console:
Authentication -> Manage existing -> New Import SecurID Tokens Job ->
Provided the tokens import correctly, you should be able to start assigning them to users.
6. Finally, you'll probably need to add a Radius client if you you enabled the Radius server in step 3. From the Security console ( https://rsaappliance.testad.local:7004/console-am): RADIUS -> RADIUS clients -> add new: