07-21-2010 12:27 PM - edited 03-10-2019 05:16 PM
Hello!
Is there a doc or such that points to a configuration for having VPN users coming into the ASA with authentication against AD in addition to a SecurID for two-factor auth?
so for example, when a user VPNs in, they are prompted for AD credentials, then for a PIN of the SecurID. Thanks!
ben
07-22-2010 07:41 AM
Ben:
This might help you, though it is neither Cisco nor SecurID, but the principals are the same. You basically want the Cisco to use Radius to talk to the MS radius plugin NPS, formerly known as IAS. Then you want NPS/IAS to proxy the request to the two-factor authentication server. Radius can handle all of this.
However, this is slightly different than what you asked. The user enters their AD username and the one-time passcode NOT their AD password. I'm not sure if the latter can be done with NPS/IAS and Cisco. I would argue that using the password outside of the LAN is not necessary and, in fact, that security is increased if the LAN password is not used outside the LAN. The PIN is the "thing you know" so knowing the password is redundant.
07-22-2010 01:00 PM
I think in ASA 8.2.1 this is it -
The double authentication feature implements two-factor authentication for remote access to the network, in accordance with the Payment Card Industry Standards Council Data Security Standard. This feature requires that the user enter two separate sets of login credentials at the login page. For example, the primary authentication might be a one-time password, and the secondary authentication might be a domain (Active Directory) credential. If either authentication fails, the connection is denied.
Both the AnyConnect VPN client and Clientless SSL VPN support double authentication. The AnyConnect client supports double authentication on Windows computers (including supported Windows Mobile devices and Start Before Logon), Mac computers, and Linux computers. The IPsec VPN client, SVC client, cut-through-proxy authentication, hardware client authentication, and management authentication do not support double authentication.
Double authentication requires the following new tunnel-group general-attributes configuration mode commands:
•secondary-authentication-server-group—Specifies the secondary AAA server group, which cannot be an SDI server group.
•secondary-username-from-certificate—Allows for extraction of a few standard DN fields from a certificate for use as a username.
•secondary-pre-fill-username—Enables username extraction for Clientless or AnyConnect client connection.
•authentication-attr-from-server—Specifies which authentication server authorization attributes are applied to the connection.
•authenticated-session-username—Specifies which authentication username is associated with the session.
Note The RSA/SDI authentication server type cannot be used as the secondary username/password credential. It can only be used for primary authentication.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide