https://community.cisco.com/t5/network-access-control/ise-using-active-directory-rsa-dual-authentication-vpn-help/m-p/2635345#M56046 <P>I have the same issue have you found a solution?</P> Fri, 14 Aug 2015 21:26:30 GMT Rodrigo Gurriti 2015-08-14T21:26:30Z https://community.cisco.com/t5/network-access-control/ise-using-active-directory-rsa-dual-authentication-vpn-help/m-p/2635344#M56044 <P>Hello,</P><P>I need to incorporate two factor authentication to our current VPN AnyConnect/ASA/ISE environment. Currently, users are able to authenticate using AD or RSA credentials, however, I need to force certain users based on AD groups to ONLY authenticate using RSA, and be denied service if they try to use their AD passwords... Without needing to add another internet facing ASA.</P><P>I am trying to use ISE with two external identity sources (Active Directory&nbsp;and RSA SecurID servers) for VPN AnyConnect access through an ASA. If users are members of specific AD groups they need to be forced to authenticate using their tokens&nbsp;to the RSA server through ISE. However, in every configuration I try the users are also able to enter their AD passwords and still authenticate. I need an authorization rule that says, "if users in AD group XYZ authenticate with AD credentials, then deny access, but allow access if they authenticate to RSA".&nbsp;But that does not seem to be an option with external identity sources, only local identity groups.</P><P>Is there a way to do this with ISE? I can't seem to find it.</P><P>&nbsp;</P><P>Thank you in advance for any help.</P> Mon, 11 Mar 2019 05:37:52 GMT https://community.cisco.com/t5/network-access-control/ise-using-active-directory-rsa-dual-authentication-vpn-help/m-p/2635344#M56044 Larry Smith 2019-03-11T05:37:52Z https://community.cisco.com/t5/network-access-control/ise-using-active-directory-rsa-dual-authentication-vpn-help/m-p/2635345#M56046 <P>I have the same issue have you found a solution?</P> Fri, 14 Aug 2015 21:26:30 GMT https://community.cisco.com/t5/network-access-control/ise-using-active-directory-rsa-dual-authentication-vpn-help/m-p/2635345#M56046 Rodrigo Gurriti 2015-08-14T21:26:30Z https://community.cisco.com/t5/network-access-control/ise-using-active-directory-rsa-dual-authentication-vpn-help/m-p/2635346#M56051 <P>We worked out a way to do this.&nbsp; The thing that makes it hard is that AD has to be in the picture.&nbsp; We have it in a separate policy set - it may take a bit of work to separate it from other ASA users.</P> <P>Authentication Policy</P> <P>&nbsp;&nbsp; if (VPN user of some kind) Allow Protocols : Default Network Access and</P> <P>&nbsp;&nbsp;&nbsp;&nbsp; Default&nbsp; :use RSA</P> <P>!! set "if user not found" to "reject".&nbsp;</P> <P>&nbsp; Default Rule (if no match) Allow Protocols: Default Network Access and use: Deny Access</P> <P></P> <P>Authorization Policy</P> <P>&nbsp; if (AD:ExternalGroups EQUALS /Groups/UseRSAforVPN) AND</P> <P>&nbsp;&nbsp;&nbsp; (Network Access:AuthenticationIdentityStore EQUALS RSA)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; then VPN_RSA</P> <P>&nbsp; if (AD:ExternalGroups EQUALS /Groups/UseADforVPN)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; then VPN_AD</P> <P></P> <P>Obviously use your own names to replace the ones I used.&nbsp; Good luck!</P> Wed, 11 Nov 2015 12:40:31 GMT https://community.cisco.com/t5/network-access-control/ise-using-active-directory-rsa-dual-authentication-vpn-help/m-p/2635346#M56051 rob.drye 2015-11-11T12:40:31Z