23504 Views, 12 Helpful, 9 Replies

Anyconnect VPN with 2 Factor Authentication on ISE

joshhunter
Level 4

Hello,

Using ISE to authenticate VPN Clients on Anyconnect is supported using external identity sources such as RSA Token Server.

However, what happens if I want 2 factor authentication:

1. User Connects to Anyconnect

2. User provides AD Credentials

3. User is then prompted to provide RSA code

4. Access is granted

I've seen this in production many times before but not sure if a separate product is required.

Is this achievable solely using ISE? I cannot find where you can do this in ISE; I thought it may have been identity source sequences, but those just specify alternative sources in case of auth failure.

How is this achieved? Does ISE "chain" or "cache" the credentials from AD, then go to RSA to check the 2nd stage?

Accepted Solution

howon
Cisco Employee

I think you may be looking for double authentication feature on ASA. See the following ASA RN:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/release/notes/asarn82.html#pgfId-424773

If using ISE as both primary and secondary authentication, then you will need to make sure the ASA is configured to send a 'hint' to the ISE that one is the primary and the other is the secondary authentication request, so ISE can process them properly against the appropriate identity store in the back end. I suspect the ASA DAP feature can be leveraged to populate a RADIUS attribute to provide differentiation, though I have not tried it myself. If not using ISE posture, then you could point each of the authentications to a different ISE PSN node in the back end and use that to differentiate between the primary and secondary authentication. Another, easier way is to simply use ISE for one of the authentications and use LDAP or another auth method for the other authentication on the ASA itself.

Hosuk

9 Replies

paul
Level 10

Josh,

I know this isn't the answer, but I just want to make sure you are aware that you can do RSA, which is two-factor authentication, with AD authorization. So during the authentication phase the username and RSA code are provided and authenticated via the RSA integrated with ISE. During the authorization section the username is checked against AD for group membership requirements, account locked, etc.

gbekmezi-DD
Level 5

I think the RSA token authentication itself is two factor auth. You want to do double authentication I think. This may help:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/cli/vpn/asa-94-vpn-config/vpn-groups.html#ID-2439-00000208

You could have one of the authentications go to ISE (AD?) and the other to RSA directly. The other option is to do authentication using just RSA but do authorization against AD checking for AD group membership.

George

Thanks all. I think the idea is we want to use ISE as the central authentication for wired, wireless and VPN, with ISE pointing to AD and RSA.

Rather than having part of the authentication handled by the ASA or RSA.

Josh,

This is the norm, but requiring AD authentication along with RSA is not the norm in my experience. As we have already said RSA is two-factor authentication, adding AD authentication doesn’t make much sense to me. Adding AD authorization to the RSA authentication sequence as I and George have laid out is quite common.

What is the customers use case for adding AD authentication to a two-factor authentication scheme?

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

Sorry for waking up this thread.

I have a similar request and I'm currently looking at this secondary authentication, which will probably solve my issue.

In my case it's currently like this: the user logs in and gets authenticated on my Windows RADIUS servers, which are connected to our DC. The RADIUS server then provides some attributes, including the group-lock attribute.

This way my users aren't required to select a group profile in AnyConnect and will always be enforced into the correct group.

I'd like to add 2FA for all users now. I already have a 2FA solution. The problem with this solution is the lack of RADIUS attributes for AD-synced users. It's not possible to add any RADIUS attributes to AD-synced users. In other words, I would lose the group-lock feature if I only used the 2FA solution for the first and second authentication. This is something I clearly don't want to lose.

So my idea is now to send the RADIUS authentication for username+password+attributes to the Windows RADIUS and username+token (the username is the same in both cases) to the 2FA RADIUS. This should be possible, right?

[edit]

After some more testing I managed to get this working perfectly!
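As an added example (not configuration posted by anyone in this thread), here is what the ASA double-authentication setup described in howon's accepted answer and in the post above looks like on the CLI: the primary authentication goes to the RADIUS server group that fronts AD and returns the group-lock attribute, and the secondary goes to the token server, reusing the same username so AnyConnect only prompts for the token code. Server group names, IP addresses, pool and policy names are placeholders; replace the shared secrets with your own.

```text
! --- Added example; names and addresses are assumed, not from the thread ---

! Primary authentication: RADIUS server that fronts AD (Windows NPS in the
! post above, or an ISE PSN) and returns the group-lock attribute.
aaa-server AD-RADIUS protocol radius
aaa-server AD-RADIUS (inside) host 10.10.10.11
 key <shared-secret-1>
 authentication-port 1812
 accounting-port 1813

! Secondary authentication: the 2FA/token RADIUS server (RSA Authentication
! Manager or similar). If both legs go to ISE instead, put a different PSN
! address here so ISE can tell the two requests apart, as howon suggests.
aaa-server TOKEN-RADIUS protocol radius
aaa-server TOKEN-RADIUS (inside) host 10.10.10.22
 key <shared-secret-2>
 authentication-port 1812

ip local pool VPN-POOL 10.20.0.10-10.20.0.250 mask 255.255.255.0

group-policy GP-VPN-USERS internal
group-policy GP-VPN-USERS attributes
 vpn-tunnel-protocol ssl-client

tunnel-group VPN-USERS type remote-access
tunnel-group VPN-USERS general-attributes
 address-pool VPN-POOL
 default-group-policy GP-VPN-USERS
 ! First prompt: AD username + password, answered by AD-RADIUS.
 authentication-server-group AD-RADIUS
 ! Second prompt: token code only; the primary username is reused, so the
 ! 2FA server sees the same account name the poster above relies on.
 secondary-authentication-server-group TOKEN-RADIUS use-primary-username
tunnel-group VPN-USERS webvpn-attributes
 group-alias VPN-USERS enable
```

The thread only reports that group-lock survived this arrangement, not on which ASA release; after applying it, confirm with `debug radius` that the group-lock attribute arrives in the Access-Accept from the primary server and with `show vpn-sessiondb anyconnect` that the session lands in the expected tunnel group. Users without a token (the follow-up question below) cannot be served by this single tunnel-group, since the secondary prompt is mandatory once `secondary-authentication-server-group` is set; a separate tunnel-group without it is the usual way to carry them.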

Hi.

I have the same requirement from a customer. How did you get it to work?

I already have working AD authentication through ISE with the RADIUS group-lock attribute and need to add token authentication now. Besides, some users don't have a token, so only the AD username is used for those that don't have a token...

Can you share the ASA configuration for the AnyConnect part?

Regards.

hslai
Cisco Employee

Just to clarify, an RSA token on its own is not 2FA as incorrectly stated above. It becomes a second factor when provided along with another form of authentication e.g. something you know - username/password or something you are - biometric.

Providing AD credentials along with a TOTP is very normal, and it's weird that ISE seemingly cannot do this, whereas an ASA can.
