AD -> RSA SecurID (Two-Factor Auth) -> ACS 5.3 -> ASA SSL VPN, possible?

mauricio.parra · ‎11-15-2012

Hey guys,

I've been searching and reading a lot about this scenario (AD -> RSA SecurID -> ACS -> ASA SSL VPN), and after I thought I had it all clear I realized I was a bit confused... This is why...

I want to poll the AD from the RSA SecurID and then poll the RSA SecurID from the ACS so that I don't have to change the current policies configured on the ACS. (the production scenario right now is AD -> ACS -> ASA SSL VPN)

The idea is to have a Two-Factor authentication for the SSL VPN. Doing it that way I won't need to touch the ASA AAA configuration as will still be pointing to the ACS.

I thought that adding the RSA SecurID (after configuring it to poll the AD) using the sdconf.rec file into the ACS was enough to make work a Two-Factor Authentication for the ASA SSL VPN, using the policies already configured on the ACS, but according to what I have read apparently this is not possible.

Could you help me to determine if when the ACS polls the RSA SecurID for the Two-Factor authentication (pin+token), it will receive an "allow this user to connect" using the current policies of the ACS (AD groups/users)?

I'll be implementing this solution next week but I need to offer a design first. What would you recommend me?

My client is using ACS 5.3.

Thanks in advance.

Mauricio.

hamza.ahmed · ‎06-18-2013

Did you figure it out. I want to use the same setup. Cisco ASA VPN to point to Cisco ACS 5.3 and use the secure ID authentication as well. I need to know how to configure this.