topic Re: Double authentication using LDAP and RSA in Network Access Control

Double authentication using LDAP and RSA

Matt Lang — Fri, 21 Feb 2020 18:25:17 GMT

I would like to use LDAP and RSA (double authentication) for my SSL VPN clients. I can successfully authenticate users if my login page forces the users to enter a second username. If I have the configuration set so they only have to enter their username once, no authentication attempts are being passed to the authentication servers. I am running debug on LDAP and RADIUS (for RSA) which is how I know that authentication is never being passed if they only have to enter their username once on the login page.

If I do not specify 'use-primary-username' at the end of the 'secondary-authentication-server-group' command, the users must enter their username twice and authentication is successful.

Does anyone know how to configure the ASA so they only have to enter their username one time while utilizing both LDAP (as primary) and RSA (RADIUS) (as secondary)?

Thanks in advance.

Matt

Re: Double authentication using LDAP and RSA

Herbert Baerten — Sat, 16 Oct 2010 21:18:48 GMT

Hi Matt,

I just tried it on 8.3(2) and it works as expected. I suspect you're running into this bug:

CSCte66568 Double authentication broken in 8.2.2 when use-primary-username is conf.

If you're running 8.2, upgrade to 8.2(3) and you shoud be fine.

hth

Herbert

Re: Double authentication using LDAP and RSA

Matt Lang — Mon, 08 Nov 2010 22:21:21 GMT

Herbert,

Thanks for the reply. I was finally able to get this scheduled and upgrading to 8.2.3 resolved the issue.

Matt