Re: Add RSA SecurID to existing ASA/ACS remote VPN

ajjohnson501 · ‎10-14-2010

Currently have this setup. SSL and IPSEC VPN client's to ASA authenticating to ACS. We also have some groups which have downloadable ACL's from the ACS. The ACS server is also handling TACACS auth/author for devices.

We want to add in RSA SecurID with software tokens. My question is do we integrate ACS to the RSA server and can we still have downloadable ACL's to groups? Or do we have to point the VPN ASA to the RSA Server and map to AD and loose the downloadable ACL features?

Thanks.

Jonatan Jonasson · ‎10-19-2010

You can integrate the RSA solution with ACS and keep on using all the features of ACS.

RSA will just be an "external database" in regards to the ACS.

So the ASA will send a radius request to the ACS. ACS will contact the RSA to complete the authentication.

And if success, the ACS will send an accept message to the ASA, with all radius attributes that are configured for that particular user or group.

ajjohnson501 · ‎10-19-2010

So today the only external database we have is a Windows database. We use this ACS for wireless authentication as well. If I add in the RSA external database how will this affect the TACACS and wireless authentication?

tprendergast · ‎10-19-2010

It will have no effect.

Basically, you can set up which users authenticate against which database.

In ACS4.x, you have to have a separate user for Wireless authentication via AD/ACS versus another user who logs in via VPN using RSA.

Example:

I login as "Tim" for Wireless (my AD account). I login as Tim2 for VPN, because if I log in as Tim it will try to authenticate against AD. If I log in as Tim2, that user is configured to authenticate against the RSA External Database.

ACS5.x solves this by giving you policy-based authentication. I can configure it so "Tim", when authenticating to VPN, goes to the RSA Server. "Tim" authenticating via wireless goes to the AD server.

Hope that helps. We used to do authentication for Wireless as domain\user, so we had to create duplicates of all the users. Everyone had a "domain\user" and a "user" account in ACS4.2, and each one authenticated against different databases.

Regards,

Tim

Jonatan Jonasson · ‎10-19-2010

You can also do the same thing with ACS 4.x using Network Access Profiles.

You can configure the ACS so all authentication requests that come from the ASA and are VPN authentication requests are sent to the RSA external database. So you can use the same username and different authentication methods based on from where the request is coming from.

I have configured a scenario like this with ACS 4.2, so that user "Tim" connecting via VPN was authenticating against the RSA database, and the user "Tim" connecting via wireless was authenticated against Active Directory, and user "Tim" ssh-ing into a router was authenticated against ACS local database.

tprendergast · ‎10-19-2010

Interesting, I was told by TAC that this wasn't possible in 4.2 but was in 5.x. You learn something new every day. Thanks!

hamza.ahmed · ‎06-18-2013

Folks Can I get a configuration guide on how to set up this scenario. I want to have specific users when connectig via VPN using RSA 2 factor get specific ACLs?

Users are all defined in AD.