
AD and ACS/RSA two factors authentication

Eric Turenne
Level 1

Hello,

I would like to integrate RSA SecurID into our current setup as a second authentication factor. I can authenticate with AD and RSA individually but not in the same authentication sequence.

The scenario includes the AnyConnect VPN, where the user is prompted to enter both AD credentials and the RSA token key. These credentials are then sent to ACS 5.3.

AnyConnect VPN > ACS > AD + RSA > Group policy based access

I did configure an ID store sequence for password-based authentication for both AD and RSA, but it will always select the first ID store listed. How can I define in the Identity policy to wrap two processes for one user authentication?

Thanks,

Olivier

2 Replies

Hi Olivier,

You can select to use the secondary, to inherit the attributes from that server, and also use the primary username for both.

Though I have had an issue like this before, could you please provide me with the following information so I can analyze this:


- show version

- show run aaa-server

- show run tunnel-group <NAME>

- show run group-policy <Policy under the tunnel group>

- Which is the OS of the end users?

- show run all webvpn

 

------------------------------------------------------------------------------------------------------------------------

Recommendations:

* Upgrade the PKG client uploaded in the ASA, try to use the latest one for the end users as well, then test the authentication

* If it does not work, run debugs:

   debug radius <255>

   debug aaa common 255

   debug aaa authentication

 

Please don't forget to rate and mark as correct the helpful Post!

 

David Castro,

Regards,
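
An added example, not part of either post: one way the reply's suggestion (secondary server, attributes taken from it, primary username reused) looks as ASA double authentication on the tunnel group. The server-group names `ACS_AD` and `ACS_RSA`, the `inside` interface, and the `<ACS-IP>` and `<shared-secret>` placeholders are assumptions; the ACS-side policy that sends the first request to AD and the second to RSA is not shown.

```cisco
! Added illustration (ASA CLI). Group names, interface and bracketed
! values are placeholders, not values from the thread.
!
! Two RADIUS server groups, both pointing at ACS
aaa-server ACS_AD protocol radius
aaa-server ACS_AD (inside) host <ACS-IP>
 key <shared-secret>
aaa-server ACS_RSA protocol radius
aaa-server ACS_RSA (inside) host <ACS-IP>
 key <shared-secret>
!
tunnel-group <NAME> general-attributes
! First factor: AD password, checked through the primary server group
 authentication-server-group ACS_AD
! Second factor: RSA passcode, reusing the username entered for the first
 secondary-authentication-server-group ACS_RSA use-primary-username
! Take the returned attributes from the secondary server
 authentication-attr-from-server secondary
```

With this in place the ASA sends two separate requests per login, so `debug radius` output should show one exchange per server group.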

 

Hello David,

I added the requested output in the attachment. I don't know where to look, as I see two requests going to ACS but they request AD authentication only.

Thanks,

Olivier