
Using Ping Identity with ACS and Cut Through Proxy for 2 Factor

tahscolony
Level 1

Has anyone had luck doing this? We have a working RSA with DACL for 2 factor, but are moving to new firewalls, with AnyConnect and Cut Through Proxy, and want to use PINGid to authenticate.

So far I got Cut Through working, but the RADIUS requests get to ACS and are not being forwarded to the PINGid server. I am missing something but don't know what.

Not able to find documentation, and I did not set up the RSA DACL on the ACS, but am using what is configured as a template. Looks like I am missing the point that directs to the PING RADIUS, and can't seem to figure it out.

Anyone done this before?


kushsriva
Level 1

Hi,

If you want to configure RADIUS Proxy on the ACS, please have a look at the "RADIUS Proxy Requests" section in the following document:


http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-2/user/guide/acsuserguide/common_scenarios.html#wp1153241

Regards,

Kush

Thanks, I had looked into that already and it doesn't have the ability to apply DACL to the user, which is the reason we are trying to do that. We have a working RSA, but are trying to move away from it to PING.

I opened a case with TAC, just waiting for them to get back now.

tahscolony
Level 1

Resolved for the most part. Order of the universe was the issue. Well, actually order of the application. Found where I had the order wrong, moved it up and it started working. Have a different issue trying to get worked out, but this one is good for the most part.

Answer is, yes it works.