cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1116
Views
5
Helpful
3
Replies

rsa authentication

suthomas1
Level 6
Level 6

Hi,

Is it possible for cisco ASA to support rsa second factor authentication for server access.

i.e the servers will be accessed from certain network segments, after the first level

username-password prompt , and upon user input of these credentials, the ASA should

prompt again for a second authentication.

Will the ASA prompt for this second authentication?

Thanks

1 Accepted Solution

Accepted Solutions

For non-VPN through traffic the ASA supports something known as "aaa authentication match" method. I've not used it personally, only learned about it in CCNP Security material but there is a nice TAC tech note on it here:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080ba6110.shtml

You should be able to use that with the authentication source (aaa server) being RSA.

View solution in original post

3 Replies 3

Marvin Rhoads
Hall of Fame
Hall of Fame

Yes the ASA supports two factor (or more accurately in this case, dual method) authentication. Assuming this is for a remote access VPN, when editing your AnyConnect Connection profile, there is an option under the advanced menu to enable a secondary authentication method.

I believe RSA might insist on being the first method according to one other post I have seen but it can definitely be one of the two methods.

See screenshot below (click to enlarge):

Appreciate your reply Marvin, thanks.

This is not exactly for remote VPN , but this is more for server access.

Few servers are connected behind the firewall, admins access these servers for terminal services like ssh etc.

We want the asa to prompt for second authentication ( RSA ) when admins access these servers from network portion.

Please help with inputs.

For non-VPN through traffic the ASA supports something known as "aaa authentication match" method. I've not used it personally, only learned about it in CCNP Security material but there is a nice TAC tech note on it here:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080ba6110.shtml

You should be able to use that with the authentication source (aaa server) being RSA.