SSO with ASA WebVPN Using RSA Tokens

jharris2006
Level 1

Current Setup:

User token & PIN authenticates to -> ASA 5510 (8.2) clientless VPN -> passes to RSA Authentication Manager 7.2 via SDI.

I've got authentication working great, on first login users can sign in with their AD user names and RSA tokens and generate their pin.

We used to use ACS express and their AD information for vpn authentication but now we need to do two factor authentication.

Is it possible to somehow maintain SSO so that when the user authenticates via his RSA token they can still browse OWA, SharePoint, CIFS (file shares) without having to enter their AD credentials?

Any help or information is much appreciated.

Thanks

2 Accepted Solutions

kellerja1
Level 1

You can enable the 'internal password' field on the customization for WebVPN and also rename it (say 'AD Password'), and then set up auto-signon entries for the internal URLs over NTLM, so that when the servers prompt, the WebVPN session sends the username used to log into the ASA but sends the internal password captured at login instead of the passcode used to log into WebVPN itself.

The only problem I've seen when testing this is that there didn't seem to be a graceful way of fixing a bad or missing password, so NTLM would fail and fall back to Basic over SSL. Eventually this would lock out the AD accounts, depending on how many URLs the user tried when the password entered at login was bad or missing (as it's not required to pass to log into the WebVPN).

Herbert Baerten
Cisco Employee

Since the original poster mentioned 2-factor authentication as a requirement, I would like to point out that the "internal password" feature, while correctly explained by kellerja1, does not provide 2-factor auth since the internal password is not validated by the ASA, i.e. it simply caches it and uses it for SSO without checking if it is correct.

To have true 2-factor auth, you would have to use "double authentication", a feature introduced in 8.2.

This allows you to specify 2 authentication-server-groups, e.g. one SDI and one LDAP (for AD).

The user will then get 3 or 4 fields on the login screen: either 1 username and 2 password fields or 2 username and 2 password fields (configurable).

The ASA will then perform 2 authentication checks and only allow the user in if both are successful.

There is one restriction: SDI can only be used as primary protocol, not as secondary.

For SSO, by default the primary credentials will be used, but by configuring "authenticated-session-username secondary" the secondary credentials will be used.

Alternatively, if e.g. some bookmarks require the primary and others require the secondary, you can use the following macros in the bookmark definitions:

CSCO_WEBVPN_PRIMARY_USERNAME

CSCO_WEBVPN_SECONDARY_USERNAME

CSCO_WEBVPN_PRIMARY_PASSWORD

CSCO_WEBVPN_SECONDARY_PASSWORD

hth

Herbert

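As an added configuration sketch (written for this page, not taken from the thread above or from Cisco documentation), the following shows how the two approaches in the accepted answers map onto ASA 8.2 CLI: kellerja1's auto-signon over NTLM for the internal URLs, and Herbert's double authentication with SDI as the primary and LDAP/AD as the secondary server group, with the secondary (AD) credentials selected for SSO. All server names, hosts, DNs, URLs and the tunnel-group/group-policy names are placeholders; the bookmark list that would carry the CSCO_WEBVPN_SECONDARY_* macros is built in ASDM or imported as a url-list and is not shown.

```cisco
! --- AAA server groups (hosts, DNs and passwords are placeholders) ---
! SDI towards RSA Authentication Manager; must be the PRIMARY group.
aaa-server RSA-SDI protocol sdi
aaa-server RSA-SDI (inside) host 10.0.0.10
 retry-interval 10

! LDAP towards Active Directory; used as the SECONDARY group.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.20
 ldap-base-dn dc=example,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,ou=service,dc=example,dc=local
 ldap-login-password <bind-password-placeholder>
 server-type microsoft

! --- Group policy: forward the session's SSO credentials to internal servers ---
group-policy CLIENTLESS-2FA internal
group-policy CLIENTLESS-2FA attributes
 vpn-tunnel-protocol webvpn
 webvpn
  ! auto-signon answers NTLM challenges from these URIs with the session's
  ! SSO username/password. With the tunnel-group below those are the AD
  ! credentials (authenticated-session-username secondary), not the passcode.
  auto-signon allow uri https://owa.example.local/* auth-type ntlm
  auto-signon allow uri https://sharepoint.example.local/* auth-type ntlm

! --- Tunnel group: double authentication, SDI primary + LDAP secondary ---
tunnel-group CLIENTLESS-2FA type remote-access
tunnel-group CLIENTLESS-2FA general-attributes
 authentication-server-group RSA-SDI
 ! use-primary-username gives the one-username / two-password login form;
 ! omit it to prompt for a separate secondary username as well.
 secondary-authentication-server-group AD-LDAP use-primary-username
 ! Use the secondary (AD) credentials for SSO (auto-signon, bookmark macros).
 authenticated-session-username secondary
 default-group-policy CLIENTLESS-2FA
tunnel-group CLIENTLESS-2FA webvpn-attributes
 group-alias 2FA enable
```

Both passwords are checked at login under this configuration, so a wrong AD password is rejected before any auto-signon attempt is made; that removes the failure path kellerja1 described, where an unvalidated internal password was replayed to every internal URL until the AD account locked. If only the internal-password customization is used instead (no secondary-authentication-server-group), the auto-signon lines are the same but the AD password is cached unverified, which is the limitation Herbert points out.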

4 Replies

Herbert Baerten
Cisco Employee

hi,

so do I understand correctly you want to have 3 fields on the login screen:

username

ADpassword

tokencode

Then for SSO you would like to use the username and AD password?

What kind of SSO is it? Auto-signon, macros in a bookmark?

Would it be ok to use Radius instead of SDI towards the RSA server?

Herbert


alexdelangel
Level 1

Hello friends,

Please allow me to resurrect an old post!

I have my ASA WebVPN and AnyConnect remote-access VPN working, authenticating through an ACS RADIUS server. We are thinking of integrating RSA tokens. So the question is whether it is going to work well with WebVPN?

I will appreciate your comments and/or documentation.

Regards!
