RSA Adaptive Authentication with ASA Clientless SSLVPN


Introduction

What is RSA AA?

PCI compliance requires a high level of assurance for authenticating users.

Adaptive Authentication offers a multi-factor authentication method without the need for user certificates or fobs.

How does it work: Overview

1) User browses to the ASA login page.
2) Enters username and password.
3) Is redirected to the RSA AA server to answer some additional security questions.
4) RSA redirects the user back to the ASA and the login continues.

How does it work: Details

RSA provides some JavaScript files that are loaded into the ASA as web content.  The ASA portal customization is then altered to call/reference those JavaScript functions.  The functions act as the glue that relays messages between the ASA and the RSA server; they do their work in steps 7, 8, 9 and 10 below.

1) Client visits the ASA web page and enters username/password.

2) ASA sends the user/pass via RADIUS to the RSA AA server on its inside interface.

3) RSA AA server forwards the user/pass to MS AD for authentication (either via LDAP or RADIUS).

(Figure 1-3.jpg: steps 1 to 3)

4) If the user/pass is correct then MS AD authorizes the user and sends back an ‘Ok’ message to the RSA AA server.  At this point the RSA AA server has completed one-factor authentication.

5) RSA AA server then sends a ‘Radius-Challenge’ message that contains a string value X.

6) ASA displays the message X and prompts for a response.

7) The JavaScript running in the client browser reads the page the ASA returned and extracts value X.

8) The JavaScript takes the value X and sends it to the public-facing RSA AA interface.

(Figure 4-8.jpg: steps 4 to 8)

9) The RSA AA server sends some additional security questions to the end user.  The end user replies, and the RSA AA server then fully authenticates the user.  The RSA AA then sends back a value Y to the client.

10) The JavaScript on the client takes that value Y and sends it back to the ASA as the response to the challenge in step 6.

11) The ASA sends Y back to the RSA AA server on the inside as a “Challenge-Response” message in RADIUS.

12) The RSA AA server then returns an “Access-Accept” RADIUS message to the ASA.

13) The ASA now allows the user access to resources.

(Figure 9-12.jpg: steps 9 to 13)

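To make steps 2, 5, 11 and 12 concrete, here is a constructed model of the RADIUS side of the exchange (an added example, not code from RSA's adapter zip or from the ASA): a minimal RADIUS packet codec, a stub standing in for the RSA AA server, and a driver playing the ASA's role.  The point it shows is that the State attribute carried in the challenge must come back unchanged with Y, and is consumed exactly once.  User-Password hiding, Message-Authenticator and the Response Authenticator of RFC 2865/2869 are omitted, and the user table and the X/Y values are made up.

```python
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24  # RFC 2865 attribute types

def encode(code, ident, authenticator, attrs):
    # RADIUS header (code, id, length, 16-byte authenticator) followed by type/length/value attributes
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def decode(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:                                      # walk the type/length/value list
        attrs[pkt[pos]] = pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]
    return code, ident, pkt[4:20], attrs

class AdaptiveAuthStub:
    # Stand-in for the RSA AA RADIUS side; the AD lookup of step 3 is a constructed user table
    def __init__(self, users):
        self.users = users    # username -> first-factor password (constructed)
        self.pending = {}     # State -> Y that the browser must return in step 10

    def handle(self, pkt):
        _, ident, auth, a = decode(pkt)
        if STATE in a:                                       # step 11: must carry the State issued in step 5
            ok = self.pending.pop(a[STATE], None) == a.get(USER_PASSWORD, b"")
            return encode(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, auth, [])
        if self.users.get(a.get(USER_NAME)) != a.get(USER_PASSWORD):   # steps 2-4: first factor
            return encode(ACCESS_REJECT, ident, auth, [])
        state = os.urandom(8)                                # one-shot value binding challenge to response
        self.pending[state] = os.urandom(6).hex().encode()   # Y, constructed; handed to the browser in step 9
        x = b"X:" + state.hex().encode()                     # the text the ASA displays in step 6
        return encode(ACCESS_CHALLENGE, ident, auth, [(REPLY_MESSAGE, x), (STATE, state)])

def honest_browser(server, x):                               # constructed stand-in for steps 7-10
    return server.pending[bytes.fromhex(x[2:].decode())]     # the real RSA AA gives Y out of band (step 9)

def run_flow(server, user, pw, browser=honest_browser):      # the ASA's side; returns the RADIUS codes seen
    auth = os.urandom(16)
    code, _, _, a = decode(server.handle(encode(ACCESS_REQUEST, 1, auth, [(USER_NAME, user), (USER_PASSWORD, pw)])))
    codes = [code]
    if code == ACCESS_CHALLENGE:
        y = browser(server, a[REPLY_MESSAGE])                # steps 7-10 run in the client browser
        second = encode(ACCESS_REQUEST, 2, auth, [(USER_NAME, user), (USER_PASSWORD, y), (STATE, a[STATE])])
        codes.append(decode(server.handle(second))[0])
    return codes
```

A wrong first factor ends at step 4 with a reject, a wrong Y is rejected in step 12, and replaying a used State is rejected because the server consumed it.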
This document complements the "Adaptive Authentication Integration Guide for Cisco SSL-VPN.pdf" available from RSA Security, Inc.  Please contact RSA Security, Inc. for detailed installation guides.

Basic installation steps:

1)  Extract the "adapters-sslvpn-products-cisco-asa.zip" file to your computer

2)  Edit the aa_config.js file to point to your RSA AA server URL.

3)  Configure the ASA to use RADIUS for authentication under the tunnel-group.  Configure the ASA to use the RSA AA server as the RADIUS server.

4)  Import the contents of the zip file to the ASA as 'web-content'.  Make sure to select "No" for 'Require authentication to access its content?'

5)  Create a customization and add the following to the "copyright panel":

     <script src="/+CSCOU+/aa_config.js"></script><script src="/+CSCOU+/challenge.js"></script>

6)  Assign the customization to the tunnel-group that you are connecting to.

Comments
Community Member

Where do you get the file:

adapters-sslvpn-products-cisco-asa.zip

Cisco Employee

lucchejj,

That file is provided by RSA when you purchase the Adaptive Authentication product.  You will need to contact RSA for further information.  This document is really just an informal guide on how to integrate these products from the ASA side.

-Jay


Beginner

Hello Jay

Is there any specific hardware or software requirement for the ASA-RSA integration as stated above? We have an ASA5540 with Ver 8.4(7) and are facing multiple issues. The client successfully authenticates but is again prompted with the Login page.

We are following the integration guide that is provided by RSA, but they tested this feature with ASA 9.3.x code.

Any reference in this regard.

Thanks

Ahad