topic many thx but doesn't work for in Network Access Control

ACS: two factor authentication using AD group/internal user, external proxy

Dikkia — Mon, 11 Mar 2019 06:22:58 GMT

Hi all,

as far as you know, it could be possible to have two factor authentication in acs 5.x?

What i want to achieve is:

1) if a VPN user try joint the network, a user lookup needs to be performed against a specific Group in AD, but the password needs to be verified by an external OTP server ( ActiveIdentity).

2) if the user is not found in the AD Group ABOVE, an internal lookup needs to be performed against ACS database.

Do you know if it's possible?

Untill now i've been able ONLY to peform External autentication using ( configuring ACS as a proxy) but no lookup against AD as been performed.

many thx

(1). Configure ActiveIdentity

Philip D'Ath — Tue, 12 Jan 2016 05:53:16 GMT

(1). Configure ActiveIdentity as a RADIUS server for authentication, and then configure a DAP (Dynamic Access Policy) and do an LDAP lookup to confirm the user is a member of the AD group desired. Check out this URL (search for Active Directory to get to the right bit quickly).

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/108000-dap-deploy-guide.html

(2). 90% yes (haven't tried it myself but should work), with the same approach above. Create two policies, but make the above a higher priority policy.

many thx but doesn't work for

Dikkia — Tue, 12 Jan 2016 15:16:54 GMT

many thx but doesn't work for me.

Which bit doesn't work? (1)

Philip D'Ath — Tue, 12 Jan 2016 17:29:17 GMT

Which bit doesn't work? (1) will definitely work. RADIUS provides the authentication and AD provides the authorisation.

i'll try to explain.

Dikkia — Wed, 13 Jan 2016 16:08:38 GMT

i'll try to explain.

i have some difficulties in configuring DAP that's why doesn't work for me...btw i found a different way to accomplish it...a bit easiser

i just created an identity store sequences with the radius server ( acitveidentity in the top ) and than the internal database.

the access policy is configured as follow:

1) identity: the new identity sequence store & protocol (in the "Rule based result selection"

2) authorizaion there are 2 rules:

a) check the AD database and protocol ( for employee authentication )

b) check protocol and any optional ACL's ( for external partner authentication )

This way it works for me cause users lookup is performed against Radius server first and ,if no user is found, is performed then on the internal DB ( identity selection)

empoyee authorization is performed against specific AD Group ( authorization policy A ) and external authorization with restiction ( authorization policy B )

Hope it helps