Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2168
Views
0
Helpful
2
Replies

ISE using Active Directory/RSA dual authentication VPN help

Larry Smith
Level 1
Level 1

‎04-12-2015 11:55 PM - edited ‎03-10-2019 10:37 PM

Hello,

I need to incorporate two factor authentication to our current VPN AnyConnect/ASA/ISE environment. Currently, users are able to authenticate using AD or RSA credentials, however, I need to force certain users based on AD groups to ONLY authenticate using RSA, and be denied service if they try to use their AD passwords... Without needing to add another internet facing ASA.

I am trying to use ISE with two external identity sources (Active Directory and RSA SecurID servers) for VPN AnyConnect access through an ASA. If users are members of specific AD groups they need to be forced to authenticate using their tokens to the RSA server through ISE. However, in every configuration I try the users are also able to enter their AD passwords and still authenticate. I need an authorization rule that says, "if users in AD group XYZ authenticate with AD credentials, then deny access, but allow access if they authenticate to RSA". But that does not seem to be an option with external identity sources, only local identity groups.

Is there a way to do this with ISE? I can't seem to find it.

 

Thank you in advance for any help.

Labels:
0 Helpful
2 Replies 2

Rodrigo Gurriti
Level 3
Level 3

‎08-14-2015 02:26 PM

I have the same issue have you found a solution?

0 Helpful

rob.drye
Level 1
Level 1
In response to Rodrigo Gurriti

‎11-11-2015 04:40 AM

We worked out a way to do this.  The thing that makes it hard is that AD has to be in the picture.  We have it in a separate policy set - it may take a bit of work to separate it from other ASA users.

Authentication Policy

   if (VPN user of some kind) Allow Protocols : Default Network Access and

     Default  :use RSA

!! set "if user not found" to "reject". 

  Default Rule (if no match) Allow Protocols: Default Network Access and use: Deny Access

Authorization Policy

  if (AD:ExternalGroups EQUALS /Groups/UseRSAforVPN) AND

    (Network Access:AuthenticationIdentityStore EQUALS RSA)       then VPN_RSA

  if (AD:ExternalGroups EQUALS /Groups/UseADforVPN)                 then VPN_AD

Obviously use your own names to replace the ones I used.  Good luck!

0 Helpful
Customers Also Viewed These Support Documents