
AD -> RSA SecurID (Two-Factor Auth) -> ACS 5.3 -> ASA SSL VPN, possible?


Hey guys,

I've been searching and reading a lot about this scenario (AD -> RSA SecurID -> ACS -> ASA SSL VPN), and after I thought I had it all clear I realized I was a bit confused... This is why...

I want to poll the AD from the RSA SecurID and then poll the RSA SecurID from the ACS so that I don't have to change the current policies configured on the ACS (the production scenario right now is AD -> ACS -> ASA SSL VPN).

The idea is to have Two-Factor authentication for the SSL VPN. Doing it that way, I won't need to touch the ASA AAA configuration, as it will still be pointing to the ACS.

I thought that adding the RSA SecurID (after configuring it to poll the AD) to the ACS using the sdconf.rec file was enough to make Two-Factor Authentication work for the ASA SSL VPN, using the policies already configured on the ACS, but according to what I have read, apparently this is not possible.

Could you help me determine whether, when the ACS polls the RSA SecurID for the Two-Factor authentication (pin+token), it will receive an "allow this user to connect" using the current policies of the ACS (AD groups/users)?

I'll be implementing this solution next week, but I need to offer a design first. What would you recommend?

My client is using ACS 5.3.

Thanks in advance.


1 Reply


Did you figure it out? I want to use the same setup: Cisco ASA VPN pointing to Cisco ACS 5.3, using SecurID authentication as well. I need to know how to configure this.
