Multi MFA providers with ASA and ISE

Hi 

I currently have the following:

An ASA 5515 configured for RADIUS pointing at an external RSA server (radius_group1), this provides MFA for AnyConnect users and has a dedicated group-policy and tunnel group. Users can authenticate using just the RSA passcode and gain access to the network.

I then have another RADIUS group configured (radius_group2) for DUO MFA, the ASA has a separate group-policy and tunnel group configured specifically for DUO. The radius_group2 points to ISE in the first instance and then ISE points to the DUO proxy RADIUS server. ISE is configured with a policy for authentication (DUO proxy - this is what initiates the DUO push to the mobiles), then authorisation is configured to check AD group membership and then the DACLs are applied. This part works perfectly.

What I need to do is configure the RSA solution in the same way with DACLs per AD group membership. Unfortunately the RSA is not SecurID, only external RADIUS. How would I configure the ASA to firstly authenticate the user using the external RSA RADIUS server and then ask ISE for authorisation using a new or the existing policy? The current policy for DUO uses the following conditions - Device:Device type and Radius:NAS-port-type.

Thanks in advance