Enthusiast

Anyconnect VPN with 2 Factor Authentication on ISE

Hello,

Using ISE to authenticate VPN Clients on Anyconnect is supported using external identity sources such as RSA Token Server.

However, what happens if I want 2 factor authentication:

1. User Connects to Anyconnect

2. User provides AD Credentials

3. User is then prompted to provide RSA code

4. Access is granted

I've seen this in production many times before but not sure if a separate product is required.

Is this achievable solely using ISE? I cannot find where you can do this in ISE. I thought it may have been identity source sequences, but this just specifies alternative sources in case of auth failure.

How is this achieved? Does ISE "chain" or "cache" the credentials from AD, then go to RSA to check the 2nd stage?

Accepted Solutions
Cisco Employee

Re: Anyconnect VPN with 2 Factor Authentication on ISE

I think you may be looking for double authentication feature on ASA. See the following ASA RN:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/release/notes/asarn82.html#pgfId-424773

If using ISE as both primary and secondary authentication, then you will need to make sure the ASA is configured to send a 'hint' to the ISE that one is the primary and the other is the secondary authentication request, so ISE can process them properly to the appropriate identity store in the back end. I suspect the ASA DAP feature can be leveraged to populate a RADIUS attribute to provide differentiation, though I have not tried it myself. If not using ISE posture, then you could point each of the authentications to a different ISE PSN node in the back end and use that to differentiate between the primary and secondary authentication. Another easier way is to simply use ISE for one of the authentications and use LDAP or another auth method for the other authentication on the ASA itself.

Hosuk

8 Replies
VIP Engager

Re: Anyconnect VPN with 2 Factor Authentication on ISE

Josh,

I know this isn't the answer, but I just want to make sure you are aware that you can do RSA, which is two-factor authentication, with AD authorization. So during the authentication phase the username and RSA code are provided and authenticated via the RSA integrated with ISE. During the authorization section the username is checked against AD for group membership requirements, account locked, etc.

Contributor

Re: Anyconnect VPN with 2 Factor Authentication on ISE

I think the RSA token authentication itself is two factor auth. You want to do double authentication I think. This may help:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/cli/vpn/asa-94-vpn-config/vpn-groups.html#ID-2439-00000208

You could have one of the authentications go to ISE (AD?) and the other to RSA directly. The other option is to do authentication using just RSA but do authorization against AD checking for AD group membership.

George

Enthusiast

Re: Anyconnect VPN with 2 Factor Authentication on ISE

Thanks all, I think the idea is we want to use ISE as the central authentication for wired, wireless and VPN, with ISE pointing to AD and RSA, rather than have part of the authentication handled by the ASA or RSA.

VIP Engager

Re: Anyconnect VPN with 2 Factor Authentication on ISE

Josh,

This is the norm, but requiring AD authentication along with RSA is not the norm in my experience. As we have already said, RSA is two-factor authentication; adding AD authentication doesn't make much sense to me. Adding AD authorization to the RSA authentication sequence as I and George have laid out is quite common.

What is the customer's use case for adding AD authentication to a two-factor authentication scheme?

Paul Haferman


VIP Advocate

Re: Anyconnect VPN with 2 Factor Authentication on ISE

Sorry for waking up this thread.

I have a similar request and I'm currently looking at this secondary authentication, which will probably solve my issue.

In my case it's currently like this: the user logs in and gets authenticated on my Windows RADIUS servers, which are connected to our DC. The RADIUS server then provides some attributes, including the group-lock attribute.

This way my users aren't required to select a group profile in the AnyConnect and will always be enforced into the correct group.

I'd now like to add 2FA for all users. I already have a 2FA solution. The problem with this solution is the lack of RADIUS attributes for AD-synced users. It's not possible to add any RADIUS attributes to AD-synced users. In other words, I would lose the group-lock feature if I only used the 2FA solution for the first and second authentication. This is something I clearly don't want to lose.

So my idea is now to send the RADIUS authentication for username+password+attributes to the Windows RADIUS and username+token (the username is the same in both cases) to the 2FA RADIUS. This should be possible, right?

[edit]

After some more testing I managed to get this working perfectly!
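As an added example (not configuration posted by anyone in this thread), this is what the split described in the post above, and the "easier way" Hosuk suggests in the accepted answer, looks like on the ASA: primary authentication and authorization go to the AD-backed Windows RADIUS server (which returns the group-lock attribute), and the secondary authentication goes to the 2FA RADIUS server with `use-primary-username` so the user is prompted only for the token. Server-group names, addresses, the address pool, the tunnel-group name and the shared secrets are placeholders.

```cisco
! Added example, not the thread's own config. All names, addresses and keys are placeholders.
! Primary AAA server: Windows RADIUS bound to AD; also the source of the group-lock attribute.
aaa-server WIN-RADIUS protocol radius
aaa-server WIN-RADIUS (inside) host 192.0.2.10
 key <shared-secret-placeholder>
 authentication-port 1812
 accounting-port 1813
!
! Secondary AAA server: the 2FA RADIUS server that validates username + token.
aaa-server TWOFA-RADIUS protocol radius
aaa-server TWOFA-RADIUS (inside) host 192.0.2.20
 key <shared-secret-placeholder>
 authentication-port 1812
!
tunnel-group EMPLOYEE-VPN type remote-access
tunnel-group EMPLOYEE-VPN general-attributes
 address-pool VPN-POOL
 ! First prompt: AD username + password, validated by the Windows RADIUS server.
 authentication-server-group WIN-RADIUS
 ! Second prompt: token only, because the primary username is reused for the 2FA server.
 secondary-authentication-server-group TWOFA-RADIUS use-primary-username
 ! Authorization (group-lock and other attributes) still comes from the AD-backed server.
 authorization-server-group WIN-RADIUS
tunnel-group EMPLOYEE-VPN webvpn-attributes
 group-alias employee enable
```

With this layout the session is only established when both servers return Access-Accept, and the group-lock attribute from the Windows RADIUS server is still applied to the authorized session.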

Beginner

Re: Anyconnect VPN with 2 Factor Authentication on ISE

Hi.

I have the same requirement from a customer. How did you get it to work?

I already have working AD authentication through ISE with the RADIUS group-lock attribute and need to add token authentication now. Besides, some users don't have a token, so only the AD username is used for those that don't have a token...

Can you share the AnyConnect part of the ASA configuration?

Regards.

Cisco Employee

Re: Anyconnect VPN with 2 Factor Authentication on ISE