• PCI compliance requires a high level of assurance for authenticating users.
• Adaptive Authentication offers a multi-factor authentication method without the need for user certificates or fobs.
How does it work: Overview
1) User browses to the ASA login page
2) Enters username and password
3) Is redirected to the RSA AA server to answer some additional security questions.
4) RSA redirects user back to the ASA and log-in continues.
How does it work: details
1) Client visits ASA webpage and puts in username/password.
2) ASA sends the user/pass via RADIUS to the RSA AA server on its inside interface.
3) RSA AA server forwards the user/pass to MS AD for authentication (either via LDAP or RADIUS).
4) If the user/pass is correct then the MS AD authorizes the user and sends back an ‘Ok’ message to the RSA AA server. So at this point the RSA AA server has completed 1-factor authentication.
5) RSA AA server then sends a ‘Radius-Challenge’ message that contains a string value X.
6) ASA displays the message X and prompts for a response.
9) The RSA AA server sends some additional security questions to the end user. The end user replies and then the RSA AA server fully authenticates the user. The RSA AA server then sends back a value Y to the client.
11) The ASA sends Y back to the RSA AA server on the inside as a “Challenge-Response” message in RADIUS.
12) The RSA AA server then returns an “Access-accept” RADIUS message to the ASA.
13) The ASA now allows the user access to resources.
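The RADIUS legs of steps 5 to 12, as an added example (not code from RSA, Cisco or this document): it encodes the challenge and the follow-up request per RFC 2865 and shows the Response Authenticator check the RADIUS client side performs before trusting a challenge or accept. The function names, the sample user, secret, X and Y values, and the use of a State attribute to tie the second request to the challenge are assumptions made for illustration.

```python
import hashlib, hmac, os, struct
REQUEST, ACCEPT, CHALLENGE = 1, 2, 11  # RADIUS packet codes (RFC 2865)
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24  # attribute types

def pack_attrs(attrs):
    # Attribute = Type(1) Length(1) Value; Length counts the 2-byte header.
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def hide(value, secret, req_auth):
    # RFC 2865 5.2 User-Password hiding: XOR 16-byte blocks with MD5(secret + previous block).
    padded = value.ljust(max(16, -(-len(value) // 16) * 16), b"\0")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def build_request(ident, secret, user, value, state=None):  # RADIUS client (the ASA's role)
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, user), (USER_PASSWORD, hide(value, secret, req_auth))]
    attrs += [(STATE, state)] if state is not None else []
    body = pack_attrs(attrs)
    return struct.pack("!BBH", REQUEST, ident, 20 + len(body)) + req_auth + body

def build_reply(code, request, secret, attrs):  # RADIUS server (the RSA AA server's role)
    body = pack_attrs(attrs)
    head = struct.pack("!BBH", code, request[1], 20 + len(body))
    return head + hashlib.md5(head + request[4:20] + body + secret).digest() + body

def parse_reply(reply, request, secret):  # client-side validation of a server reply
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply) or reply[1] != request[1]:
        raise ValueError("bad length or identifier")
    want = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(want, reply[4:20]):
        raise ValueError("bad Response Authenticator")
    attrs, i = {}, 20
    while i < len(reply):
        n = reply[i + 1] if i + 1 < len(reply) else 0
        if n < 2 or i + n > len(reply):
            raise ValueError("malformed attribute")
        attrs[reply[i]], i = reply[i + 2:i + n], i + n
    return reply[0], attrs

def run_exchange(secret=b"constructed-secret"):  # all values below are constructed samples
    r1 = build_request(1, secret, b"alice", b"ad-password")
    challenge = build_reply(CHALLENGE, r1, secret, [(REPLY_MESSAGE, b"X"), (STATE, b"sess-42")])
    c1, a1 = parse_reply(challenge, r1, secret)
    r2 = build_request(2, secret, b"alice", b"Y", a1[STATE])
    c2, _ = parse_reply(build_reply(ACCEPT, r2, secret, []), r2, secret)
    return c1, a1[REPLY_MESSAGE], c2
```

The reply authenticator is MD5 over the packet, the request authenticator and the shared secret, so the RADIUS shared secret between the ASA and the RSA AA server is what keeps a forged challenge or accept from being honoured.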
This document is complementary to "Adaptive Authentication Integration Guide for Cisco SSL-VPN.pdf", available from RSA Security, Inc. Please contact RSA Security, Inc. for detailed installation guides.
Basic installation steps:
1) Extract the "adapters-sslvpn-products-cisco-asa.zip" file to your computer
2) Edit the aa_config.js file to point to your RSA AA server URL
3) Configure the ASA to use RADIUS for authentication under the tunnel-group. Configure the ASA to use the RSA AA server as the RADIUS server.
4) Import the contents of the zip file to the ASA as 'web-content'. Make sure to select "No" for 'Require authentication to access its content?'
5) Create a customization and add the following into the "copyright panel"