ACS two factor authentication from Same End Device

rroulhac
Cisco Employee

Hello All,

This question is a question based on configuration between the ASA and the ACS in a deployment.

I have a customer that would like to accomplish one of two scenarios:

Scenario 1:

The desire is that if we have two factor authentication we need for the first authentication to be processed by ACS based on AD user credentials.

The second authentication we would like to source from a different interface/IP address of the ASA so that we can filter that authentication attempt based on NAD IP in ACS to apply a completely different authorization profile that checks for users from the helpdesk group only.

We need for the auth to fail if we don't have the second helpdesk user login credentials.

Second Scenario:

The desire is that if we have two factor authentication we need for the first authentication to be processed by ACS based on AD user credentials.

The second authentication we would like to send to a different interface/IP address of the ACS so that we can filter that authentication attempt based on called-station-ip in ACS to apply a completely different authorization profile that checks for users from the helpdesk group only.

We need for the auth to fail if we don't have the second helpdesk user login credentials.

Between these two scenarios, which one is possible and more plausible?

We are using the ASA and AnyConnect to prompt for both usernames and passwords simultaneously.

--

Grace and Peace,

Robert E Roulhac Jr

Virtual Systems Engineer II

Cisco TSN (Technical Solutions Network)

rroulhac@cisco.com

Office: 919.5745455

1 Reply

kthiruve
Cisco Employee

Hi Robert,

Not sure if you actually need two factor authentication for this, unless you are really verifying two factors, what you know and what you have.

ACS allows flexibility to create Service Selection rules. The compound conditions in the service selection rules allow you to separate incoming requests based on different things, including attributes, NDG location, and device type. Once the users are authenticated based on the underlying access service authentication policy selected in the service selection policy, you can authorize based on several conditions in the authorization policy.

Hope this helps.

Thanks

Krishnan
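As an added illustration (not configuration from either poster), the ASA side of the second scenario above: AnyConnect double authentication where the first username/password goes to one ACS address and the second to a different ACS address, so that ACS can key its service selection on the NAD or called-station IP and apply a helpdesk-only authorization policy. Server group names, tunnel-group name, interface names, IP addresses and keys are constructed placeholders.

```cisco
! Added example, not from the original thread.
! First factor: the user's own AD credentials, sent to the ACS primary address.
aaa-server ACS-AD protocol radius
aaa-server ACS-AD (inside) host 10.0.0.5
 key <SHARED-SECRET-1>

! Second factor: helpdesk credentials, sent to a second ACS address so ACS
! can match on called-station-ip (scenario 2). For scenario 1, point this
! group at the same ACS host but name a different ASA interface in the
! parentheses, e.g. "(mgmt)", so the request is sourced from that interface
! and ACS can match on the NAD IP instead.
aaa-server ACS-HELPDESK protocol radius
aaa-server ACS-HELPDESK (inside) host 10.0.0.6
 key <SHARED-SECRET-2>

tunnel-group REMOTE-VPN type remote-access
tunnel-group REMOTE-VPN general-attributes
 authentication-server-group ACS-AD
tunnel-group REMOTE-VPN webvpn-attributes
 ! AnyConnect prompts for both credential pairs; the session is rejected
 ! unless BOTH the AD authentication and the helpdesk authentication succeed.
 secondary-authentication-server-group ACS-HELPDESK
 group-alias REMOTE-VPN enable
```

On the ACS side, a service selection rule matching the second group's NAD IP (or called-station-ip) selects an access service whose authorization policy permits only members of the helpdesk AD group; any other identity on that path is denied, which makes the overall login fail.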
