08-11-2013 07:12 PM - edited 02-21-2020 10:28 AM
Hi,
Is it possible for the Cisco ASA to support RSA second-factor authentication for server access?
i.e., the servers will be accessed from certain network segments; after the first-level
username-password prompt, and upon user input of these credentials, the ASA should
prompt again for a second authentication.
Will the ASA prompt for this second authentication?
Thanks
08-11-2013 11:24 PM
Yes the ASA supports two factor (or more accurately in this case, dual method) authentication. Assuming this is for a remote access VPN, when editing your AnyConnect Connection profile, there is an option under the advanced menu to enable a secondary authentication method.
I believe RSA might insist on being the first method according to one other post I have seen but it can definitely be one of the two methods.
See screenshot below (click to enlarge):
08-11-2013 11:53 PM
Appreciate your reply Marvin, thanks.
This is not exactly for remote VPN, but this is more for server access.
A few servers are connected behind the firewall; admins access these servers for terminal services like SSH, etc.
We want the ASA to prompt for second authentication (RSA) when admins access these servers from network portion.
Please help with inputs.
08-12-2013 12:11 AM
For non-VPN through traffic the ASA supports something known as "aaa authentication match" method. I've not used it personally, only learned about it in CCNP Security material but there is a nice TAC tech note on it here:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080ba6110.shtml
You should be able to use that with the authentication source (aaa server) being RSA.
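A sketch of the "aaa authentication match" (cut-through proxy) setup described in the answer above, added here as an example and not taken from the thread or the linked tech note. The group name, ACL name, interface name and all addresses are assumptions (documentation ranges), and the commands should be checked against the ASA release in use.

```cisco
! Added example: all names and addresses below are placeholders.
! RSA Authentication Manager reached over the native SDI protocol.
aaa-server RSA_SDI protocol sdi
aaa-server RSA_SDI (inside) host 192.0.2.10

! The ASA only prompts directly for HTTP, HTTPS, FTP and Telnet.
! For SSH, admins first authenticate to a virtual Telnet address,
! after which their SSH sessions are allowed through.
virtual telnet 198.51.100.250

! Traffic that must be authenticated: admin segment -> servers (SSH),
! plus Telnet to the virtual address so the ASA can present the prompt.
access-list SERVER_AUTH extended permit tcp 203.0.113.0 255.255.255.0 198.51.100.0 255.255.255.0 eq ssh
access-list SERVER_AUTH extended permit tcp 203.0.113.0 255.255.255.0 host 198.51.100.250 eq telnet

! Require authentication against the RSA group for matching traffic
! entering the interface the admins arrive on.
aaa authentication match SERVER_AUTH inside RSA_SDI

! Limit how long a cached authentication stays valid per source IP.
timeout uauth 0:05:00 absolute
```

With this layout the ASA prompt comes before the connection reaches the server, and the server's own login follows it. The authentication is cached per source IP address, so hosts shared by several users (jump hosts, NAT) weaken the control.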