Showing results for 
Search instead for 
Did you mean: 
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


ASA VPN + AD + SecurID


Is there a doc or such that points to a configuration for having VPN users coming into the ASA with authentication against AD in addition to a SecurID for two-factor auth?

so for example, when a user VPNs in, they are prompted for AD credentials, then for a PIN of the SecurID. Thanks!


Everyone's tags (4)

Re: ASA VPN + AD + SecurID


This might help you, though it is neither Cisco nor SecurID, but the principals are the same.  You basically want the Cisco to use Radius to talk to the MS radius plugin NPS, formerly known as IAS. Then you want NPS/IAS to proxy the request to the two-factor authentication server.  Radius can handle all of this.

However, this is slightly different than what you asked. The user enters their AD username and the one-time passcode NOT their AD password.  I'm not sure if the latter can be done with NPS/IAS and Cisco.  I would argue that using the password outside of the LAN is not necessary and, in fact, that security is increased if the LAN password is not used outside the LAN. The PIN is the "thing you know" so knowing the password is redundant. 


Re: ASA VPN + AD + SecurID

I think in ASA 8.2.1 this is it -

The double authentication feature implements two-factor authentication for remote access to the network, in accordance with the Payment Card Industry Standards Council Data Security Standard. This feature requires that the user enter two separate sets of login credentials at the login page. For example, the primary authentication might be a one-time password, and the secondary authentication might be a domain (Active Directory) credential. If either authentication fails, the connection is denied.

Both the AnyConnect VPN client and Clientless SSL VPN support double authentication. The AnyConnect client supports double authentication on Windows computers (including supported Windows Mobile devices and Start Before Logon), Mac computers, and Linux computers. The IPsec VPN client, SVC client, cut-through-proxy authentication, hardware client authentication, and management authentication do not support double authentication.

Double authentication requires the following new tunnel-group general-attributes configuration mode commands:

secondary-authentication-server-group—Specifies the secondary AAA server group, which cannot be an SDI server group.

secondary-username-from-certificate—Allows for extraction of a few standard DN fields from a certificate for use as a username.

secondary-pre-fill-username—Enables username extraction for Clientless or AnyConnect client connection.

authentication-attr-from-server—Specifies which authentication server authorization attributes are applied to the connection.

authenticated-session-username—Specifies which authentication username is associated with the session.

Note The RSA/SDI authentication server type cannot be used as the secondary username/password credential. It can only be used for primary authentication.