06-25-2013 12:04 AM - edited 03-10-2019 08:35 PM
Morning,
At the moment we have set up SSL VPNs that pass security to ACS. This is accomplished using strong authentication. On ACS the Identity Sources Sequence is OTP then AD.
We would like to set up on the same firewall a select few users that just abide by AD authentication; these will have a different tunnel group name etc. when making the connection.
On ACS I'm not sure how I would set up two Identity Sources Sequences to this effect using the same Service Selection Rule. At the moment I have: IF RADIUS and IP is XXX then use XXX policy.
We are currently installing ISE, so in the not too distant future, if ACS cannot do this, can ISE?
If this is confusing I can expand where necessary.
Thanks
S
06-25-2013 06:15 AM
hi,
I don't remember how it looked on ACS, but on ISE it's quite flexible,
so the rule is simple:
if the RADIUS request comes from an ASA device type, then check the tunnel-group-name attribute (146) and, according to the string value, choose the LOCAL or AD store.
hope this helps
regards
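The decision the answer above describes, sketched as an added example (not part of the original thread and not ISE or ACS code): it reads the Tunnel-Group-Name VSA (vendor ID 3076, attribute 146) from an Access-Request and picks the identity source sequence. The tunnel-group names, the sequence names and the `build_request` helper are hypothetical, and an unknown or missing tunnel group maps to no sequence so the request can be rejected rather than falling through to the weaker AD-only path.

```python
import struct

VENDOR_SPECIFIC = 26            # standard RADIUS Vendor-Specific attribute
CISCO_VPN3000_VENDOR_ID = 3076  # vendor ID the ASA uses for its VPN VSAs
TUNNEL_GROUP_NAME = 146         # attribute number named in the answer above

# Hypothetical tunnel-group names mapped to identity source sequences.
IDENTITY_SEQUENCES = {"SSL-OTP": ["OTP", "AD"], "SSL-AD-ONLY": ["AD"]}

def tlvs(buf):
    """Yield (type, value) pairs from a run of type/length/value attributes."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("malformed attribute")
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]

def tunnel_group(packet):
    """Return the Tunnel-Group-Name carried in a RADIUS packet, or None."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    for atype, value in tlvs(packet[20:length]):
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VPN3000_VENDOR_ID:
            continue
        for vtype, vvalue in tlvs(value[4:]):
            if vtype == TUNNEL_GROUP_NAME:
                return vvalue.decode("utf-8", "replace")
    return None

def select_identity_sequence(packet):
    """Return the identity sequence for the request, or None to reject it."""
    return IDENTITY_SEQUENCES.get(tunnel_group(packet))

def build_request(user, group=None):
    """Build a constructed Access-Request (zeroed authenticator) for testing."""
    attrs = bytes([1, 2 + len(user)]) + user.encode()
    if group is not None:
        sub = bytes([TUNNEL_GROUP_NAME, 2 + len(group)]) + group.encode()
        vsa = struct.pack("!I", CISCO_VPN3000_VENDOR_ID) + sub
        attrs += bytes([VENDOR_SPECIFIC, 2 + len(vsa)]) + vsa
    return struct.pack("!BBH", 1, 1, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    for group in ("SSL-OTP", "SSL-AD-ONLY", "UNKNOWN", None):
        print(group, "->", select_identity_sequence(build_request("user1", group)))
```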
06-25-2013 06:31 AM
Retracted the previous statement. Yes that makes sense now.
Thanks for that
Si