2902 Views, 10 Helpful, 4 Replies

[ISE] Anyconnect user authentication with RSA, authorization with ISE local groups

Bob Goal, Level 1

Hi Community,

I'm trying to configure AnyConnect 4.3 VPN access with ASA 9.6, ISE 2.1 and RSA SecurID.

Desired flow: the user establishes an AnyConnect session with the ASA. The ASA uses RADIUS to communicate with ISE. ISE uses RSA SecurID to check the passcode (authentication) and the internal user database to verify the user's group and push the appropriate attributes (authorization).

AuthC:

AuthZ:

The issue is that when I use SecurID in the authentication phase, I must also use it in authorization. So my rules that match local ISE user groups do not match in authorization and I can't push a policy to the user.

In Cisco ACS it is possible to create Identity Source Sequences that use one search list for AuthC and another for AuthZ; it works fine:

In ISE there is an option only for AuthC:

My final question: how do I configure user authentication with a SecurID passcode and use local ISE groups for authorization?
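The ASA-to-ISE leg of the flow described above, written out as an added example (this is not code from the original post or from Cisco): the ASA sends a RADIUS Access-Request carrying the username and the RSA passcode as a PAP-hidden User-Password, and ISE answers with an Access-Accept whose Class attribute ("OU=<group-policy>", the convention the ASA maps to a group-policy) and Cisco AV-pair carry the authorization result. The RSA passcode check and the internal-group lookup are stand-in callbacks, the shared secret, addresses and group names are constructed, and the reject path shows what the thread's failure looks like on the wire: authC passes but the user is missing from the authorization store, so no Accept is returned. The client side verifies the Response Authenticator before trusting any attribute; without that check a forged Access-Accept from anyone on the path would be honoured.

```python
"""Simulated RADIUS Access-Request / Access-Accept exchange (RFC 2865) between an
ASA (NAS) and ISE for an AnyConnect login with an RSA passcode. Constructed example."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CLASS, VENDOR_SPECIFIC = 1, 2, 4, 25, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1  # Vendor-Specific: vendor 9, vendor-type 1 (cisco-av-pair)


def _pap_xor(secret, authenticator, data, decrypt):
    """RFC 2865 5.2: c_i = p_i XOR MD5(secret + c_{i-1}), with c_0 = Request Authenticator.
    Only the shared secret protects the passcode here; this is MD5-XOR, not real encryption."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        xored = bytes(a ^ b for a, b in zip(block, keystream))
        out += xored
        prev = block if decrypt else xored  # always chain on the ciphertext block
    return out


def pap_encrypt(secret, authenticator, password):
    return _pap_xor(secret, authenticator, password + b"\x00" * (-len(password) % 16), False)


def pap_decrypt(secret, authenticator, ciphertext):
    return _pap_xor(secret, authenticator, ciphertext, True).rstrip(b"\x00")


def _attr(atype, value):
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def _cisco_avpair(text):
    vsa = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return _attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)


def _header(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(payload):
    """Return [(type, value), ...], rejecting truncated or zero-length TLVs."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload) or payload[i + 1] < 2 or i + payload[i + 1] > len(payload):
            raise ValueError("malformed attribute")
        attrs.append((payload[i], payload[i + 2:i + payload[i + 1]]))
        i += payload[i + 1]
    return attrs


def build_access_request(secret, ident, username, passcode, nas_ip, authenticator=None):
    """ASA side: Access-Request with User-Name and the RSA passcode as a hidden User-Password."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator, 16 random bytes
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, pap_encrypt(secret, authenticator, passcode.encode()))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return _header(ACCESS_REQUEST, ident, authenticator, attrs)


def handle_access_request(secret, packet, check_passcode, group_policy_for):
    """ISE side, simplified: check_passcode stands in for the RSA SecurID lookup (authC),
    group_policy_for stands in for the internal-user group lookup (authZ; None = user not found)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth = packet[4:20]
    attrs = dict(parse_attributes(packet[20:length]))
    username = attrs[USER_NAME].decode()
    passcode = pap_decrypt(secret, req_auth, attrs[USER_PASSWORD]).decode()
    policy = group_policy_for(username) if check_passcode(username, passcode) else None
    if policy is None:  # authC failed, or authC passed but authZ store has no such user
        resp_code, resp_attrs = ACCESS_REJECT, b""
    else:
        resp_code = ACCESS_ACCEPT
        resp_attrs = _attr(CLASS, f"OU={policy}".encode()) + _cisco_avpair("ip:inacl#1=permit ip any any")
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(struct.pack("!BBH", resp_code, ident, 20 + len(resp_attrs))
                            + req_auth + resp_attrs + secret).digest()
    return _header(resp_code, ident, resp_auth, resp_attrs)


def parse_access_response(secret, request, response):
    """ASA side: verify the Response Authenticator before using any attribute.
    Returns (accepted, group_policy, [cisco-av-pairs])."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        raise ValueError("identifier/length mismatch")
    resp_attrs = response[20:length]
    expected = hashlib.md5(response[:4] + request[4:20] + resp_attrs + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator: wrong secret or forged/tampered reply")
    group_policy, av_pairs = None, []
    for atype, value in parse_attributes(resp_attrs):
        if atype == CLASS and value.startswith(b"OU="):
            group_policy = value[3:].decode()
        elif atype == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            av_pairs.append(value[6:].decode())  # skip vendor-id, vendor-type, vendor-length
    return code == ACCESS_ACCEPT, group_policy, av_pairs


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"
    req = build_access_request(SECRET, 1, "bob", "12345678", "10.0.0.1")
    ok = handle_access_request(SECRET, req, lambda u, p: p == "12345678", {"bob": "VPN-Admins"}.get)
    print(parse_access_response(SECRET, req, ok))
```

The two callbacks are where the thread's problem lives: with the user's Password Type left on the internal store, the real ISE never reaches the second lookup for a SecurID-authenticated user, which is exactly the "user not found in identity store" reject path modelled by `group_policy_for` returning None.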

Accepted Solution

Bob Goal, Level 1

I found a solution. You need to set "Password Type" to "RSA SecurID" for the particular local user under Administration > Identity Management > Identities > user, like below:

4 Replies


Good job on finding a solution to your own problem/question! Also, thank you for taking the time to come back and post it here!

Neno

Was there a specific guide you used to set up ISE, ASA and AnyConnect? I'm working on the same thing you set up, but from scratch: AnyConnect to ASA, ASA via RADIUS to ISE, and ISE passing authentication to RSA. Any link or document you have would be appreciated.

Thanks

claudioparker, Level 1

I have the same issue: authentication is OK, but authorization fails because the user is not found in the identity store. Any workaround for this?