• PCI compliance requires a high level of assurance for authenticating users.
• Adaptive Authentication offers a multi-factor authentication method without the need for user certificates or fobs.
How does it work: Overview
1) User browses to the ASA login page
2) Enters username and password
3) Is redirected to the RSA AA server to answer some additional security questions
4) RSA redirects the user back to the ASA and the log-in continues
How does it work: details
1) Client visits ASA webpage and puts in username/password.
2) ASA sends the user/pass via RADIUS to the RSA AA server on its inside interface.
3) RSA AA server forwards the user/pass to MS AD for authentication (either via LDAP or RADIUS).
4) If the user/pass is correct then MS AD authorizes the user and sends back an ‘Ok’ message to the RSA AA server. So at this point the RSA AA server has completed one-factor authentication.
5) RSA AA server then sends a ‘Radius-Challenge’ (RADIUS Access-Challenge) message that contains a string value X.
6) ASA displays the message X and prompts for a response.
9) The RSA AA server sends some additional security questions to the end user. The end user replies and then the RSA AA server fully authenticates the user. The RSA AA then sends back a value Y to the client.
11) The ASA sends Y back to the RSA AA server on the inside as a “Challenge-Response” message in RADIUS.
12) The RSA AA server then returns an “Access-accept” RADIUS message to the ASA.
13)The ASA now allows the user access to resources.
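The RADIUS leg of steps 2 to 12, as an added example that is not from this document, RSA or Cisco: a minimal RFC 2865 packet encoder plus a constructed stand-in for the RSA AA server that answers the first Access-Request with an Access-Challenge carrying message X and a State attribute, and issues Access-Accept only when the ASA echoes that State together with Y. The shared secret, directory contents and Y value are made up; the ASA side is reduced to the one function that builds its requests.

```python
import hashlib, os, struct
# RADIUS codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
def pack(code, ident, auth, attrs, secret=None):
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    if secret is not None:  # reply: Response Authenticator = MD5(hdr + RequestAuth + attrs + secret)
        auth = hashlib.md5(hdr + auth + body + secret).digest()
    return hdr + auth + body

def unpack(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, i = {}, 20
    while i < length:  # attribute TLV: type, length (header included), value
        attrs[pkt[i]] = pkt[i + 2:i + pkt[i + 1]]
        i += pkt[i + 1]
    return code, ident, pkt[4:20], attrs

def xor_password(data, secret, req_auth, hide):
    # RFC 2865 section 5.2 User-Password hiding; decoding chains on the ciphertext chunk instead
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        chunk = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + chunk, (chunk if hide else data[i:i + 16])
    return out

def asa_request(ident, user, pw, secret, state=None):
    # what the ASA sends: hidden User-Password, plus the server's State cookie on the second leg
    req_auth = os.urandom(16)
    hidden = xor_password(pw + b"\0" * (-len(pw) % 16), secret, req_auth, True)
    attrs = [(USER_NAME, user), (USER_PASSWORD, hidden)] + ([(STATE, state)] if state else [])
    return pack(ACCESS_REQUEST, ident, req_auth, attrs)
class AdaptiveAuthServer:
    # constructed stand-in for the RSA AA RADIUS side: factor 1 = directory password, factor 2 = Y
    def __init__(self, secret, directory, expected_y):
        self.secret, self.directory, self.expected_y, self.pending = secret, directory, expected_y, {}
    def handle(self, pkt):
        _, ident, req_auth, attrs = unpack(pkt)
        user = attrs.get(USER_NAME, b"").decode()
        pw = xor_password(attrs[USER_PASSWORD], self.secret, req_auth, False).rstrip(b"\0")
        reply = lambda c, extra=(): pack(c, ident, req_auth, list(extra), self.secret)
        if STATE not in attrs:  # steps 2-5: verify factor 1, then challenge with X plus a State cookie
            if self.directory.get(user) != pw:
                return reply(ACCESS_REJECT)
            self.pending[(state := os.urandom(8))] = user
            return reply(ACCESS_CHALLENGE, [(REPLY_MESSAGE, b"X"), (STATE, state)])
        if self.pending.pop(attrs[STATE], None) == user and pw == self.expected_y:  # steps 11-12
            return reply(ACCESS_ACCEPT)
        return reply(ACCESS_REJECT)
```

The State cookie is single-use, so a replayed second leg is rejected, and a wrong first factor never reaches the challenge.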
This document complements the "Adpative Authentication Integration Guide for Cisco SSL-VPN.pdf" available from RSA Security, Inc. Please contact RSA Security, Inc. for detailed installation guides.
Basic installation steps:
1) Extract the "adapters-sslvpn-products-cisco-asa.zip" file to your computer
2) Edit the aa_config.js file to point to your RSA AA server URL
3) Configure the ASA to use RADIUS for authentication under the tunnel-group. Configure the ASA to use the RSA AA server as the RADIUS server.
4) Import the contents of the zip file to the ASA as 'web-content'. Make sure to select "No" for 'Require authentication to access its content?'
5) Create a customization and add the following into the "copyright panel"