Bob Goal
Beginner

[ISE] Anyconnect user authentication with RSA, authorization with ISE local groups

Hi Community,

I'm trying to configure AnyConnect 4.3 VPN access with ASA 9.6, ISE 2.1 and RSA SecurID.

Desired flow: the user establishes an AnyConnect session with the ASA. The ASA uses RADIUS to communicate with ISE. ISE uses RSA SecurID to check the passcode (authentication) and the internal user database to verify the user group and push appropriate attributes (authorization).

AuthC:

AuthZ:

The issue is that when I use SecurID in the authentication phase, I must also use it in authorization. So my rules to match the local ISE user group do not match in authorization and I can't push policy to the user.

In Cisco ACS it is possible to create Identity Source Sequences to use one search list for AuthC and another for AuthZ, and it works fine:

In ISE there is an option only for AuthC:

My final question: How do I configure user authentication with a SecurID passcode and use local ISE groups for authorization?


Accepted Solutions
Bob Goal
Beginner

I found a solution. You need to set "Password Type" to "RSA SecureID" for the particular local user under: Administration > Identity Management > Identities > user, like below:


3 REPLIES 3

Good job on finding a solution to your own problem/question! Also, thank you for taking the time to come back and post it here!

Neno

Was there a specific guide you used to set up ISE, ASA, and AnyConnect? I'm working on the same thing you set up, but from scratch: AnyConnect to ASA, ASA via RADIUS to ISE, and ISE passing authentication to RSA. Any link or document you have would be appreciated.

Thanks
