03-28-2016 03:22 PM
Hello All,
This question is a question based on configuration between the ASA and the ACS in a deployment.
I have a customer that would like to accomplish one of two scenarios:
Scenario 1:
The desire is that if we have two factor authentication we need for the first authentication to be processed by ACS based on AD user credentials.
The second authentication we would like to source from a different interface/IP address of the ASA so that we can filter that authentication attempt based on NAD IP in ACS to apply a completely different authorization profile that checks for users from the helpdesk group only.
We need for the auth to fail if we don't have the second helpdesk user login credentials.
Second Scenario:
The desire is that if we have two factor authentication we need for the first authentication to be processed by ACS based on AD user credentials.
The second authentication we would like to send to a different interface/IP address of the ACS so that we can filter that authentication attempt based on called-station-ip in ACS to apply a completely different authorization profile that checks for users from the helpdesk group only.
We need for the auth to fail if we don't have the second helpdesk user login credentials.
Between these two scenarios, which one is possible and more plausible?
We are using the ASA and AnyConnect to prompt for both usernames and passwords simultaneously.
--
Grace and Peace,
Robert E Roulhac Jr
Virtual Systems Engineer II
Cisco TSN (Technical Solutions Network)
Office: 919.5745455
04-07-2016 03:52 PM
Hi Robert,
Not sure if you actually need two factor authentication for this, unless you are really verifying two factors, what you know and what you have.
ACS allows flexibility to create Service Selection rules. The compound conditions in the service selection rules allow you to separate incoming requests based on different things, including attributes, NDG location, and device type. Once the users are authenticated based on the underlying access service authentication policy selected in the service selection policy, you can authorize based on several conditions in the authorization policy.
Hope this helps.
Thanks
Krishnan
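To show how Scenario 1 from the question maps onto the ASA side, here is an added configuration example (it is not Robert's or Krishnan's config and is not taken from Cisco documentation): two RADIUS server groups that both point at ACS, with the second one bound to a different ASA interface so that its requests leave with a different source address (and therefore a different NAD IP as seen by ACS), plus a tunnel group that uses the second group for the secondary authentication. The interface names, addresses, group names, tunnel-group name, group-policy name and shared keys are placeholders I made up.

```cisco
! Primary authentication: ACS validates the AD user credentials.
! 192.0.2.10 and the keys are placeholder values.
aaa-server ACS-AD protocol radius
aaa-server ACS-AD (inside) host 192.0.2.10
 key PLACEHOLDER-KEY-1
!
! Secondary authentication: the same ACS, but reached through a different
! ASA interface (here "dmz"), so the RADIUS request is sourced from that
! interface's IP. ACS can match this NAD IP in a Service Selection rule
! and send the request to an access service whose authorization policy
! only permits members of the helpdesk AD group.
aaa-server ACS-HELPDESK protocol radius
aaa-server ACS-HELPDESK (dmz) host 192.0.2.10
 key PLACEHOLDER-KEY-2
!
! Remote-access tunnel group: AnyConnect prompts for both credential sets.
! The session is only established if BOTH authentications succeed, so a
! missing or rejected helpdesk login fails the connection as required.
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group ACS-AD
 secondary-authentication-server-group ACS-HELPDESK
 default-group-policy RA-VPN-POLICY
tunnel-group RA-VPN webvpn-attributes
 group-alias RA-VPN enable
```

On the ACS side this pairs with what Krishnan describes: a Service Selection rule whose compound condition matches the device IP (or the NDG the dmz-facing address is registered under) steers the second request into a separate access service, and that service's authorization policy checks AD group membership for helpdesk and rejects everyone else. Register both ASA source addresses as network devices in ACS with their respective shared secrets, otherwise the request from the second interface is dropped as coming from an unknown NAD before any rule is evaluated.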