Double Authentication on ASA using ISE

umahar (Cisco Employee)

Our customer uses double authentication for ASA VPN with ACS as primary authentication using AD and ISE as secondary authentication using Safenet and RSA (both in one single identity source).

They now want to move both primary and secondary authentications to ISE as they are getting rid of ACS.

I am reading the link below:

https://community.cisco.com/t5/identity-services-engine-ise/anyconnect-vpn-with-2-factor-authentication-on-ise/td-p/3464708


Was anyone able to find any attribute to distinguish between the two RADIUS requests?


We have two datacenters with 4 PSNs. The idea of sending the different requests to different PSNs and checking on that also sounds feasible.


If none of the above works, we will send the AD authentication requests directly to AD from the ASA.


Is there any other option anyone can think of? Maybe some kind of chaining?

3 Replies

hslai (Cisco Employee), Accepted Solution

I think it is simpler to send the AD auth directly from the ASA. If the 2 requests are sent to different sets of PSNs, then you may use "Network Access:ISE Host Name" as a condition.

Hsing,

This is more of a product request, but one thing that would help in cases like this is if we were able to use the DestPort field in our rule set. If you look at the RADIUS authentication details you can see the destination port of the RADIUS call (1645 or 1812). If there were a Network Access:Destination Port value we could use it for several use cases:

  1. This use case, where I want different RADIUS calls from the same host and same scenario to be treated differently.
  2. The RADIUS callback trick for portals in ISE. We could do callbacks on different ports to differentiate which portal is making the call and allow different AD groups to authenticate to the portal.

The data is already there. It doesn't seem like it would be that hard to expose that data in the conditions.

hslai (Cisco Employee)

Many thanks for your input. However, it might not be as simple as that. If both requests for one RA-VPN session go into the same PSN, anything sensitive to the state of the session might get messed up. If the requests go into different PSNs, then it's unclear which PSN is the true owner of the session, as the whole deployment shares one session directory.
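The following is an added example and not code from the thread or from Cisco ISE. It models the decision the accepted answer and the last reply are discussing: the two Access-Requests the ASA sends for one AnyConnect logon (primary = AD password, secondary = token) carry identical identifying attributes, so a PSN cannot tell them apart from the packet itself and has to rely on something outside it, such as which PSN received the request (the "Network Access:ISE Host Name" condition). The PSN host names, the mapping of data centres to identity stores, and the assumption that the ASA points its primary and secondary AAA server groups at different PSN sets are all hypothetical; the sample packets are constructed inline.

```python
"""Two RADIUS legs of one VPN logon and a PSN-based store selection.
Added illustration, not ISE code. RFC 2865 packet layout is real; the
PSN names, store mapping and ASA server-group split are assumptions."""
import os
import struct

# RADIUS attribute type codes (RFC 2865) used in this example
USER_NAME = 1
NAS_IP_ADDRESS = 4
CALLING_STATION_ID = 31
ACCESS_REQUEST = 1


def build_access_request(identifier, attrs):
    """Serialise a minimal Access-Request:
    code(1) | identifier(1) | length(2) | authenticator(16) | attribute TLVs.
    The User-Password attribute is deliberately left out; the point is the
    identifying attributes, which are the same on both legs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + os.urandom(16) + body


def parse_attributes(packet):
    """Walk the attribute TLV list and return {type: value}. Rejects the
    length inconsistencies a malformed packet can carry (header length not
    matching the datagram, zero-length TLV, TLV running past the end)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def session_key(packet):
    """Fields a server would use to correlate a request with a session:
    NAS address, endpoint (Calling-Station-Id) and user name."""
    a = parse_attributes(packet)
    nas_ip = ".".join(str(b) for b in a[NAS_IP_ADDRESS])
    return (nas_ip, a[CALLING_STATION_ID].decode(), a[USER_NAME].decode())


# Hypothetical deployment: two data centres, two PSNs each. The ASA is
# assumed to aim its primary AAA server group at DC1 and its secondary
# group at DC2, so the receiving PSN's host name selects the store.
PSN_TO_STORE = {
    "psn-dc1-a.example.com": "AD",
    "psn-dc1-b.example.com": "AD",
    "psn-dc2-a.example.com": "TOKEN",   # SafeNet / RSA token store
    "psn-dc2-b.example.com": "TOKEN",
}


def choose_identity_store(packet, receiving_psn):
    """Policy decision: the packet is validated, but the store is chosen by
    which PSN received it, not by anything inside the packet."""
    parse_attributes(packet)
    if receiving_psn not in PSN_TO_STORE:
        raise ValueError(f"no policy for PSN {receiving_psn}")
    return PSN_TO_STORE[receiving_psn]


def route_both_legs(primary, secondary, psn_primary, psn_secondary):
    """Return (store for primary leg, store for secondary leg). Raise when
    the split cannot work: two requests with the same session fields
    landing on PSNs that map to the same store are indistinguishable,
    which is the situation the accepted answer sidesteps by sending the
    AD leg straight to AD from the ASA."""
    s1 = choose_identity_store(primary, psn_primary)
    s2 = choose_identity_store(secondary, psn_secondary)
    if s1 == s2 and session_key(primary) == session_key(secondary):
        raise RuntimeError("legs indistinguishable: same session fields, same store")
    return s1, s2


# Constructed sample: both legs of one logon from ASA 10.0.0.1 for user
# jdoe on endpoint 192.0.2.10. Only the RADIUS identifier differs.
COMMON_ATTRS = [
    (USER_NAME, b"jdoe"),
    (NAS_IP_ADDRESS, bytes([10, 0, 0, 1])),
    (CALLING_STATION_ID, b"192.0.2.10"),
]
PRIMARY_LEG = build_access_request(1, COMMON_ATTRS)
SECONDARY_LEG = build_access_request(2, COMMON_ATTRS)

if __name__ == "__main__":
    print(session_key(PRIMARY_LEG) == session_key(SECONDARY_LEG))
    print(route_both_legs(PRIMARY_LEG, SECONDARY_LEG,
                          "psn-dc1-a.example.com", "psn-dc2-a.example.com"))
```

Run as-is it prints `True` and `('AD', 'TOKEN')`; changing the second PSN to another DC1 node raises, which is the same failure the thread anticipates when both legs reach the same PSN set.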