I've been searching and reading a lot about this scenario (AD -> RSA SecurID -> ACS -> ASA SSL VPN), and after I thought I had it all clear I realized I was a bit confused... This is why...
I want to poll the AD from the RSA SecurID and then poll the RSA SecurID from the ACS so that I don't have to change the current policies configured on the ACS. (the production scenario right now is AD -> ACS -> ASA SSL VPN)
The idea is to have a Two-Factor authentication for the SSL VPN. Doing it that way I won't need to touch the ASA AAA configuration as will still be pointing to the ACS.
I thought that adding the RSA SecurID (after configuring it to poll the AD) using the sdconf.rec file into the ACS was enough to make work a Two-Factor Authentication for the ASA SSL VPN, using the policies already configured on the ACS, but according to what I have read apparently this is not possible.
Could you help me to determine if when the ACS polls the RSA SecurID for the Two-Factor authentication (pin+token), it will receive an "allow this user to connect" using the current policies of the ACS (AD groups/users)?
I'll be implementing this solution next week but I need to offer a design first. What would you recommend me?