11-24-2019 06:51 AM - edited 02-21-2020 09:43 AM
Hello everybody,
I have a question regarding multi-factor authentication on a Firepower device. The appliance is a 2110, managed via FDM. The FTD version is 6.4. The request is to use a client certificate and an RSA server token. Is that combination possible?
From what I have read so far, I saw two ways to configure two-factor authentication: one is with RSA configured as a RADIUS server, and the other is with a non-RSA or AD server that has been integrated with the RSA server. In that scenario you provide password,token, and for authentication use a RADIUS group with the AD or RADIUS server in it. I guess we would use authentication with AAA + client certificate along with AD defined as the authentication server (that is the request - AD for user authentication), counting on the RSA integration having already been set up.
Thanks in advance,
Ivan
11-24-2019 10:12 PM
RSA server token authentication is only possible with FDM-managed FTD devices indirectly. That is, when RSA is integrated with some other identity source like AD.
You can use that approach in conjunction with multi-factor authentication, including client certificates as one factor.
6.4 FDM reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/640/fdm/fptd-fdm-config-guide-640/fptd-fdm-ravpn.html#concept_7C94823B46BF477CB04FF41485E71694
6.5 FDM reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/650/fdm/fptd-fdm-config-guide-650/fptd-fdm-ravpn.html#concept_7C94823B46BF477CB04FF41485E71694
11-24-2019 11:40 PM
Hello Marvin,
Thank you for the reply. I have already read the explanation and configuration on the links you provided, but I am still not sure: if I use client certificate + RSA, do I only need to provide the RSA token? How will the AnyConnect client respond?
Because, as I previously said, in the configuration guide the way to send credentials is password,token. And if I use certificates without AAA, how would I send credentials - only the token?
11-25-2019 06:50 PM
I don't have first-hand experience to confirm.
However, when using client certificates alone (where the certificate doesn't serve to map the client using CN or OU etc.), there's the option to have no user prompt for the password. So adding a second factor in that setup should mean that your clients provide only the RSA tokencode, with the certificate authentication happening quietly without user interaction.
The setup should be labbed to confirm the options you want are available - I was not able to find any lab guides detailing this exact scenario.
11-29-2019 06:28 AM
Thank you for the answer. I will mark this as a solution.
Other comments are welcomed.