Using Ping Identity with ACS and Cut Through Proxy for 2 Factor

11-29-2016 07:56 AM - edited 03-11-2019 12:15 AM
Has anyone had luck doing this? We have a working RSA with DACL for 2 factor, but moving to new firewalls, with Anyconnect and Cut Through Proxy, and want to use PINGid to authenticate.
So far I got Cut Through working, but the RADIUS requests get to ACS and are not being forwarded to the PINGid server. I am missing something but don't know what.
Not able to find documentation, and I did not set up the RSA DACL on the ACS, but using what is configured as a template. Looks like I am missing the point that directs to the PING Radius, and can't seem to figure it out.
Anyone done this before?
Labels: AAA

11-30-2016 01:41 AM
Hi,
If you want to configure RADIUS Proxy on the ACS, please have a look at the "RADIUS Proxy Requests" section in the following document:
http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-2/user/guide/acsuserguide/common_scenarios.html#wp1153241
Regards,
Kush

11-30-2016 06:01 AM
Thanks, I had looked into that already and it doesn't have the ability to apply DACL to the user, which is the reason we are trying to do that. We have a working RSA, but trying to move away from it to PING.
I opened a case with TAC, just waiting for them to get back now.

12-27-2016 09:28 AM
Resolved for the most part. Order of the universe was the issue. Well, actually, order of the application. Found where I had the order wrong, moved it up and it started working. Have a different issue trying to get worked out, but this one is good for the most part.
Answer is, yes it works.
