Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

Larry Smith

ISE using Active Directory/RSA dual authentication VPN help


I need to incorporate two factor authentication to our current VPN AnyConnect/ASA/ISE environment. Currently, users are able to authenticate using AD or RSA credentials, however, I need to force certain users based on AD groups to ONLY authenticate using RSA, and be denied service if they try to use their AD passwords... Without needing to add another internet facing ASA.

I am trying to use ISE with two external identity sources (Active Directory and RSA SecurID servers) for VPN AnyConnect access through an ASA. If users are members of specific AD groups they need to be forced to authenticate using their tokens to the RSA server through ISE. However, in every configuration I try the users are also able to enter their AD passwords and still authenticate. I need an authorization rule that says, "if users in AD group XYZ authenticate with AD credentials, then deny access, but allow access if they authenticate to RSA". But that does not seem to be an option with external identity sources, only local identity groups.

Is there a way to do this with ISE? I can't seem to find it.


Thank you in advance for any help.

Rodrigo Gurriti

I have the same issue have you found a solution?

We worked out a way to do this.  The thing that makes it hard is that AD has to be in the picture.  We have it in a separate policy set - it may take a bit of work to separate it from other ASA users.

Authentication Policy

   if (VPN user of some kind) Allow Protocols : Default Network Access and

     Default  :use RSA

!! set "if user not found" to "reject". 

  Default Rule (if no match) Allow Protocols: Default Network Access and use: Deny Access

Authorization Policy

  if (AD:ExternalGroups EQUALS /Groups/UseRSAforVPN) AND

    (Network Access:AuthenticationIdentityStore EQUALS RSA)       then VPN_RSA

  if (AD:ExternalGroups EQUALS /Groups/UseADforVPN)                 then VPN_AD

Obviously use your own names to replace the ones I used.  Good luck!

Recognize Your Peers
Content for Community-Ad

ISE Webinars

Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube