10-21-2010 06:32 PM - edited 03-10-2019 05:30 PM
Current Setup:
User Token & PIN authenticates to -> ASA5510 8.2 Clientless VPN -> passes to RSA Auth manager 7.2 via SDI.
I've got authentication working great; on first login, users can sign in with their AD user names and RSA tokens and generate their PIN.
We used to use ACS express and their AD information for vpn authentication but now we need to do two factor authentication.
Is it possible to somehow maintain SSO so that when the user authenticates via his RSA token they can still browse OWA, SharePoint, CIFS (file shares) without having to enter their AD credentials?
Any help or information is much appreciated.
Thanks
10-24-2012 01:08 PM
You can enable the 'internal password' field in the customization for WebVPN and also rename it (say 'AD Password'), and then set up auto-signon entries for the internal URLs over NTLM, such that when the servers prompt, the WebVPN session will send the username used to log into the ASA but the internal password captured at login instead of the passcode used to log into WebVPN itself.
The only problem I've seen when testing this: there didn't seem to be a graceful way of fixing a bad or missing password, so NTLM would fail and fall back to basic over SSL. Eventually this would lock out the AD accounts, depending on how many URLs the user tried, when the password entered at login was bad or missing (as it's not required in order to log into the WebVPN).
10-25-2012 01:07 AM
Since the original poster mentioned 2-factor authentication as a requirement, I would like to point out that the "internal password" feature, while correctly explained by kellerja1, does not provide 2-factor auth since the internal password is not validated by the ASA, i.e. it simply caches it and uses it for SSO without checking if it is correct.
To have true 2-factor auth, you would have to use "double authentication", a feature introduced in 8.2.
This allows you to specify 2 authentication-server-groups, e.g. one SDI and one LDAP (for AD).
The user will then get 3 or 4 fields on the login screen: either 1 username and 2 password fields or 2 username and 2 password fields (configurable).
The ASA will then perform 2 authentication checks and only allow the user in if both are successful.
There is one restriction: SDI can only be used as primary protocol, not as secondary.
For SSO, by default the primary credentials will be used, but by configuring "authenticated-session-username secondary" the secondary credentials will be used.
Alternatively, if e.g. some bookmarks require the primary and others require the secondary, you can use the following macros in the bookmark definitions:
CSCO_WEBVPN_PRIMARY_USERNAME
CSCO_WEBVPN_SECONDARY_USERNAME
CSCO_WEBVPN_PRIMARY_PASSWORD
CSCO_WEBVPN_SECONDARY_PASSWORD
hth
Herbert
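The two approaches above (kellerja1's auto-signon with the internal password, and Herbert's double authentication with the secondary credentials used for SSO) can be combined. The configuration below is an added example for ASA 8.2, not taken from either post or from Cisco's documentation; the server-group names, group-policy and tunnel-group names, hostnames, 192.0.2.x addresses and the LDAP bind DN are assumed placeholders.

```cisco
! --- Added example (not from the thread). All names, addresses and hostnames
! --- are assumed placeholders; adjust them to the environment.

! Primary factor: RSA Authentication Manager over SDI
! (the sdconf.rec from the RSA server must be imported before this works)
aaa-server RSA-SDI protocol sdi
aaa-server RSA-SDI (inside) host 192.0.2.10

! Secondary factor: Active Directory over LDAP. Unlike the 'internal password'
! field, this group actually validates the AD password at login time.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.20
 ldap-base-dn dc=example,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,cn=Users,dc=example,dc=local
 ldap-login-password <bind-password-placeholder>
 server-type microsoft

! Group policy: clientless only, with auto-signon so the portal answers the
! internal servers' NTLM/basic prompts with the session credentials
group-policy CLIENTLESS-2FA-GP internal
group-policy CLIENTLESS-2FA-GP attributes
 vpn-tunnel-protocol webvpn
 webvpn
  auto-signon allow uri https://owa.example.local/* auth-type ntlm
  auto-signon allow uri https://sharepoint.example.local/* auth-type ntlm
  auto-signon allow ip 192.0.2.0 255.255.255.0 auth-type all

! Tunnel group: double authentication. SDI has to be the primary group; the
! secondary group reuses the primary username, so the login page shows one
! username field and two password fields (RSA passcode + AD password).
! 'authenticated-session-username secondary' makes the AD credentials the ones
! replayed by auto-signon and by CIFS/OWA/SharePoint bookmarks.
tunnel-group CLIENTLESS-2FA type remote-access
tunnel-group CLIENTLESS-2FA general-attributes
 authentication-server-group RSA-SDI
 secondary-authentication-server-group AD-LDAP use-primary-username
 authenticated-session-username secondary
 default-group-policy CLIENTLESS-2FA-GP
tunnel-group CLIENTLESS-2FA webvpn-attributes
 group-alias TWO-FACTOR enable

! Bookmarks that need one specific credential set can instead reference the
! macros listed in the post above (CSCO_WEBVPN_PRIMARY_USERNAME,
! CSCO_WEBVPN_SECONDARY_USERNAME, CSCO_WEBVPN_PRIMARY_PASSWORD,
! CSCO_WEBVPN_SECONDARY_PASSWORD) in the URL or POST parameters of the
! imported bookmark XML; the session default set here is the secondary pair.
```

Because the ASA checks the AD password against the LDAP group before the session is created, a mistyped AD password fails the portal login itself instead of being replayed to every internal URL, which avoids the repeated NTLM failures and account lockouts kellerja1 saw with the unvalidated internal-password field.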
10-27-2010 12:05 AM
hi,
so do I understand correctly you want to have 3 fields on the login screen:
username
ADpassword
tokencode
Then for SSO you would like to use the username and ADpassword?
What kind of SSO is it? Auto-signon, macros in a bookmark?
Would it be ok to use Radius instead of SDI towards the RSA server?
Herbert
07-22-2014 09:45 AM
Hello friends,
Please allow me to resurrect an old post!
I have webvpn and AnyConnect Remote Access VPN working on my ASA, authenticating through an ACS RADIUS server. We are thinking of integrating RSA tokens. So, the question is whether it is going to work well with webvpn?
I will appreciate your comments and/or documentation.
Regards!