08-05-2015 10:41 AM - edited 03-10-2019 10:57 PM
Hello group,
I am having trouble setting up a configuration where the customer wants to enable AnyConnect access to the network using their existing ASA, ACS and RSA. The customer wants to use the user database from their AD.
The customer wants the ASA to use the ACS 5.X via RADIUS and wants the ACS to use the RSA server. The VPN users should use their tokens to connect.
I have found several configuration examples but I just can't figure out how to make it work.
I have the ASA configured to authenticate the VPN users using the radius server.
Here is the portion of configuration on the ASA:
AAA CONFIGURATION - ACS SERVER
aaa-server RADIUS protocol radius
aaa-server RADIUS (INSIDE) host 192.168.1.1
key Thi$i$aT3sT
aaa-server RADIUS (INSIDE) host 192.168.1.2
key Thi$i$aT3sT
SSL VPN CONFIGURATION
group-policy SSL-VPN internal
group-policy SSL-VPN attributes
dns-server value 10.80.1.10 172.16.48.40
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-LIST
default-domain value example.com
webvpn
customization value DfltCustomization
tunnel-group SSL-VPN type remote-access
tunnel-group SSL-VPN general-attributes
address-pool vpnpool
authentication-server-group RADIUS LOCAL
default-group-policy SSL-VPN
tunnel-group SSL-VPN webvpn-attributes
group-alias SSL-VPN enable
For the ACS and RSA I followed the following link:
I don't seem to find the right policy on the ACS to make this work. The link doesn't show how to configure the authentication/authorization policies.
I found this other link but it shows how to setup the configuration for device administration not for network access.
https://popravak.wordpress.com/2013/02/16/using-rsa-securid-external-database-with-cisco-acs-5-x/
Any advice?
12-23-2015 07:22 PM
Paul,
Having the same issue here. Were you able to figure this out?
Can't seem to find good documentation on it.
thanks
12-28-2015 03:50 PM
Configure the ACS server to use the RSA identity source for the VPN authentications. You may need to change your authentication policies to send all VPN requests to the RSA server and set any other RADIUS request to the default identity store before you make this change. From there the integration between ACS and RSA will complete itself.
Thanks,
01-05-2016 05:22 AM
I also intend to configure this short enough. Can someone add more details on this? Like full configuration of ASA and ACS?
02-02-2016 02:54 AM
Hi team,
I'm also interested in this deployment. We have the same elements and we are looking for the same goal: the 2-factor authentication for VPN via AnyConnect.
The flow should be:
AnyConnect Client -> Cisco ASA -> Cisco ACS -> (RSA) and (AD)
or
AnyConnect Client -> Cisco ASA -> (RSA) and (Cisco ACS -> AD)
Best Regards
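As an added example (not posted by anyone in this thread), the second flow above can be expressed on the ASA with its double-authentication feature: the primary authentication-server-group points at the ACS over RADIUS for the token factor, and a secondary group points at AD over LDAP for the domain password. Server names, addresses, the base DN, the bind account and the secrets are placeholders to be replaced with your own values.

```cisco
! Added example, not from the thread: ASA double authentication for AnyConnect.
! All addresses, names and secrets below are placeholders.
!
! Primary factor: RADIUS to ACS, which forwards the passcode to its RSA identity store
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (INSIDE) host 192.0.2.10
 key <RADIUS-SHARED-SECRET>
!
! Second factor: LDAP directly against AD for the domain password
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (INSIDE) host 192.0.2.20
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <LDAP-BIND-PASSWORD>
 server-type microsoft
!
tunnel-group SSL-VPN general-attributes
 address-pool vpnpool
 ! first prompt: username + RSA passcode, checked by ACS
 authentication-server-group ACS-RADIUS
 ! second prompt: AD password, reusing the username entered at the first prompt
 secondary-authentication-server-group AD-LDAP use-primary-username
 default-group-policy SSL-VPN
```

Note that the thread's `authentication-server-group RADIUS LOCAL` falls back to the ASA's local user database whenever the RADIUS servers are unreachable, which lets a login succeed without the token factor; drop `LOCAL` if that fallback is not intended.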
02-02-2016 08:09 AM
Hi Paul,
I'm having this issue as well. Could you please let me know how you resolved it? Which protocols have you used? Is it possible to configure ACS in order to get two-factor authentication?
Thanks in advance!