• PCI compliance requires a high level of assurance for authenticating users.
• Adaptive Authentication offers a multi-factor authentication method without the need for user certificates or fobs.
How does it work: Overview
1) User browses to the ASA login page
2) Enters username and password
3) Is redirected to the RSA AA server to answer some additional security questions.
4) RSA redirects user back to the ASA and log-in continues.
How does it work: details
1) Client visits ASA webpage and puts in username/password.
2) ASA sends the user/pass via RADIUS to the RSA AA server on its inside interface.
3) RSA AA server forwards the user/pass to MS AD for authentication (either via LDAP or RADIUS).
4) If the user/pass is correct then the MS AD authorizes the user and sends back an ‘Ok’ message to the RSA AA server. So at this point the RSA AA server has completed 1-factor authentication.
5) RSA AA server then sends a ‘Radius-Challenge’ message that contains a string value X.
6) ASA displays the message X and prompts for a response.
9) The RSA AA server sends some additional security questions to the end user. The end user replies and then the RSA AA server fully authenticates the user. The RSA AA server then sends back a value Y to the client.
11) The ASA sends Y back to the RSA AA server on the inside as a “Challenge-Response” message in RADIUS.
12) The RSA AA server then returns an “Access-Accept” RADIUS message to the ASA.
13) The ASA now allows the user access to resources.
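The RADIUS leg of the flow above (steps 2, 5, 11 and 12), as an added Python example that is not code from RSA or Cisco. It follows the RFC 2865 packet format, where the page's ‘Radius-Challenge’ is an Access-Challenge and the “Challenge-Response” is a second Access-Request carrying Y in User-Password. The user name, shared secret, State value and function names are assumptions constructed for illustration.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_CHALLENGE = 1, 2, 11  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24  # RFC 2865 attribute types

def attr(kind, value):
    return bytes([kind, len(value) + 2]) + value

def hide_password(value, secret, req_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = value + b"\x00" * (-len(value) % 16)
    blocks = [req_auth]
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + blocks[-1]).digest()
        blocks.append(bytes(a ^ b for a, b in zip(padded[i:i + 16], key)))
    return b"".join(blocks[1:])

def build_request(ident, user, credential, secret, state=b""):
    """ASA side: Access-Request carrying the password (step 2) or value Y (step 11)."""
    req_auth = os.urandom(16)
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(credential, secret, req_auth))
    attrs += attr(STATE, state) if state else b""  # echoed so the server can match Y to the login
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_reply(code, request, secret, attrs=b""):  # RSA AA server side (steps 5 and 12)
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs

def parse_reply(reply, request, secret):
    """ASA side: accept a reply only if it matches this request and the shared secret."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    want = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if length != len(reply) or ident != request[1] or not hmac.compare_digest(want, reply[4:20]):
        raise ValueError("reply is not bound to this request")
    attrs, i = {}, 20
    while i < length:
        if i + 2 > length or reply[i + 1] < 2 or i + reply[i + 1] > length:
            raise ValueError("malformed attribute")
        attrs[reply[i]] = reply[i + 2:i + reply[i + 1]]
        i += reply[i + 1]
    return code, attrs

def run_exchange(secret=b"constructed-shared-secret"):  # all values below are constructed
    req1 = build_request(1, b"alice", b"password", secret)
    chal = build_reply(ACCESS_CHALLENGE, req1, secret, attr(REPLY_MESSAGE, b"X") + attr(STATE, b"s1"))
    code1, a1 = parse_reply(chal, req1, secret)
    req2 = build_request(2, b"alice", b"Y", secret, state=a1[STATE])
    code2, _ = parse_reply(build_reply(ACCESS_ACCEPT, req2, secret), req2, secret)
    return code1, a1[REPLY_MESSAGE], code2
```

Both the password hiding and the reply check depend only on MD5 and the RADIUS shared secret, so the secret's strength and the isolation of the inside segment between the ASA and the RSA AA server carry the confidentiality of this leg.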
This document is complementary to "Adpative Authentication Integration Guide for Cisco SSL-VPN.pdf", available from RSA Security, Inc. Please contact RSA Security, Inc. for detailed installation guides.
Basic installation steps:
1) Extract the "adapters-sslvpn-products-cisco-asa.zip" file to your computer
2) Edit the aa_config.js file to point to your RSA AA server url
3) Configure the ASA to use RADIUS for authentication under the tunnel-group. Configure the ASA to use the RSA AA server as the RADIUS server.
4) Import the contents of the zip file to the ASA as 'web-content'. Make sure to select "No" for 'Require authentication to access its content?'
5) Create a customization and add the following into the "copyright panel"