01-11-2016 07:47 AM - edited 03-10-2019 11:22 PM
Hi all,
As far as you know, is it possible to have two-factor authentication in ACS 5.x?
What I want to achieve is:
1) If a VPN user tries to join the network, a user lookup needs to be performed against a specific group in AD, but the password needs to be verified by an external OTP server (ActiveIdentity).
2) If the user is not found in the AD group above, an internal lookup needs to be performed against the ACS database.
Do you know if it's possible?
Until now I've been able ONLY to perform external authentication (configuring ACS as a proxy), but no lookup against AD has been performed.
Many thanks
01-11-2016 09:53 PM
(1). Configure ActiveIdentity as a RADIUS server for authentication, and then configure a DAP (Dynamic Access Policy) and do an LDAP lookup to confirm the user is a member of the AD group desired. Check out this URL (search for Active Directory to get to the right bit quickly).
(2). 90% yes (haven't tried it myself but should work), with the same approach above. Create two policies, but make the above a higher priority policy.
01-12-2016 07:16 AM
Many thanks, but it doesn't work for me.
01-12-2016 09:29 AM
Which bit doesn't work? (1) will definitely work. RADIUS provides the authentication and AD provides the authorisation.
01-13-2016 08:08 AM
I'll try to explain.
I have some difficulties in configuring DAP, that's why it doesn't work for me... BTW, I found a different way to accomplish it... a bit easier.
I just created an identity store sequence with the RADIUS server (ActiveIdentity at the top) and then the internal database.
The access policy is configured as follows:
1) Identity: the new identity store sequence & protocol (in the "Rule based result selection")
2) Authorization: there are 2 rules:
a) check the AD database and protocol (for employee authentication)
b) check protocol and any optional ACLs (for external partner authentication)
This way it works for me because the user lookup is performed against the RADIUS server first and, if no user is found, it is then performed on the internal DB (identity selection);
employee authorization is performed against a specific AD group (authorization policy A) and external authorization with restrictions (authorization policy B).
Hope it helps
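The policy described in the last post (an identity store sequence that tries the RADIUS/OTP server first and falls back to the internal database only when the user is not found, followed by two authorization rules keyed on AD group membership) can be modelled in a few lines. The following is an added illustration, not Cisco ACS code or anything from the thread; the store contents, group names and profile names are constructed, and the rule that a store advances the sequence only on "user not found" (never on a rejected password) is an assumption about how the sequence should be configured, chosen so that a wrong OTP can never fall through to the weaker password-only store.

```python
"""Model of an ACS-style identity store sequence followed by authorization rules.

Added illustration for the thread above; not Cisco code. All data is constructed.
"""
from enum import Enum


class Result(Enum):
    OK = "ok"                    # store authenticated the user
    NOT_FOUND = "user_not_found"  # store does not know the user; sequence may continue
    REJECT = "reject"            # store knows the user but the credential was wrong; final


# Constructed sample data (assumed, not from the thread)
OTP_SERVER_USERS = {"alice": "123456"}          # users the external RADIUS/OTP server knows
INTERNAL_DB_USERS = {"partner1": "pw-partner"}  # ACS internal identity store
AD_GROUP_EMPLOYEES = {"alice", "bob"}           # AD group used by authorization rule A


def radius_otp_store(user: str, secret: str) -> Result:
    """External RADIUS/OTP server: the password field carries the one-time code."""
    if user not in OTP_SERVER_USERS:
        return Result.NOT_FOUND
    return Result.OK if OTP_SERVER_USERS[user] == secret else Result.REJECT


def internal_store(user: str, secret: str) -> Result:
    """ACS internal user database, used for external partners."""
    if user not in INTERNAL_DB_USERS:
        return Result.NOT_FOUND
    return Result.OK if INTERNAL_DB_USERS[user] == secret else Result.REJECT


def identity_sequence(user: str, secret: str, stores):
    """Try each store in order.

    Only NOT_FOUND advances to the next store. A REJECT from an earlier store is
    final, so a bad OTP for an employee cannot be retried against the internal DB.
    """
    for name, store in stores:
        result = store(user, secret)
        if result is Result.NOT_FOUND:
            continue
        return name, result
    return None, Result.NOT_FOUND


def authorize(user: str) -> str:
    """Authorization rules from the thread: A = AD group member, B = everyone else."""
    if user in AD_GROUP_EMPLOYEES:
        return "Employee-Profile"          # rule A: employee, full access
    return "Partner-Profile-RestrictedACL"  # rule B: external partner, restricted ACL


def access_policy(user: str, secret: str) -> dict:
    """Identity sequence first, then authorization; returns the access decision."""
    stores = [("ActiveIdentity-RADIUS", radius_otp_store),
              ("Internal-Users", internal_store)]
    store_name, result = identity_sequence(user, secret, stores)
    if result is not Result.OK:
        return {"decision": "deny", "store": store_name, "reason": result.value}
    return {"decision": "permit", "store": store_name, "profile": authorize(user)}


if __name__ == "__main__":
    for u, s in [("alice", "123456"), ("alice", "000000"),
                 ("partner1", "pw-partner"), ("nobody", "x")]:
        print(u, access_policy(u, s))
```

The second case is the one worth checking in a real deployment: an employee who exists on the OTP server but presents a wrong code must be denied by that server, not silently retried against the internal database, otherwise the sequence would weaken the OTP step for anyone who also has an internal account.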