Firepower FTD 6.4 two-factor authentication with AD and RSA

ivan.kusturic
Level 1

Hello everybody,

I have a question regarding multi-factor authentication on a Firepower device. The appliance is a 2110, managed via FDM. The FTD version is 6.4. The request is to use a client certificate and an RSA server token. Is that combination possible?

From what I have read so far, I saw two ways to configure two-factor authentication: one is with RSA configured as a RADIUS server, and the other is with a non-RSA or AD server that has been integrated with the RSA server. In that scenario you provide password,token, and for authentication use a RADIUS group with the AD or RADIUS server in it. I guess we would use authentication with AAA + client certificate along with AD defined as the authentication server (that is the request - AD for user authentication), counting on the RSA integration having already been set up.

Thanks in advance,

Ivan


Marvin Rhoads
Hall of Fame

RSA server token authentication is only possible with FDM-managed FTD devices indirectly. That is, when RSA is integrated with some other identity source like AD.

You can use that approach in conjunction with multi-factor authentication, including client certificates as one factor.

6.4 FDM reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/640/fdm/fptd-fdm-config-guide-640/fptd-fdm-ravpn.html#concept_7C94823B46BF477CB04FF41485E71694

6.5 FDM reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/650/fdm/fptd-fdm-config-guide-650/fptd-fdm-ravpn.html#concept_7C94823B46BF477CB04FF41485E71694


Hello Marvin,

Thank you for the reply. I have already read the explanation and configuration on the links you provided, but I am still not sure: if I use client certificate + RSA, do I only need to provide the RSA token? How will the AnyConnect client respond?

Because, as I previously said, in the configuration guide the way to send credentials is password,token. And if I use certificates without AAA, how would I send credentials - only the token?

I don't have first-hand experience to confirm.

However, when using client certificates alone (where the certificate doesn't serve to map the client using CN or OU etc.), there's the option to have no user prompt for the password. So adding a second factor in that setup should mean that your clients provide only the RSA tokencode, with the certificate authentication happening quietly without user interaction.

The setup should be labbed to confirm the options you want are available - I was not able to find any lab guides detailing this exact scenario.

Thank you for the answer. I will mark this as a solution.

Other comments are welcome.
