• PCI compliance requires a high level of assurance for authenticating users.
• Adaptive Authentication offers a multi-factor authentication method without the need for user certificates or fobs.
How does it work: Overview
1) User browses to the ASA login page
2) Enters username and password
3) Is redirected to the RSA AA server to answer some additional security questions.
4) RSA redirects user back to the ASA and log-in continues.
How does it work: details
1) Client visits ASA webpage and puts in username/password.
2) ASA sends the user/pass via RADIUS to the RSA AA server on its inside interface.
3) RSA AA server forwards the user/pass to MS AD for authentication (via either LDAP or RADIUS).
4) If the user/pass is correct then the MS AD authorizes the user and sends back an ‘Ok’ message to the RSA AA server. So at this point the RSA AA server has completed 1 factor authentication.
5) RSA AA server then sends a ‘Radius-Challenge’ message that contains a string value X.
6) ASA displays the message X and prompts for a response.
9) The RSA AA server sends some additional security questions to the end user. The end user replies and then the RSA AA server fully authenticates the user. The RSA AA server then sends back a value Y to the client.
11) The ASA sends Y back to the RSA AA server on the inside as a “Challenge-Response” message in RADIUS.
12) The RSA AA server then returns an “Access-accept” RADIUS message to the ASA.
13) The ASA now allows the user access to resources.
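The RADIUS leg of the steps above, as an added example (not part of the original document or of RSA's adapter): in RFC 2865 terms the ‘Radius-Challenge’ is an Access-Challenge carrying Reply-Message X plus a State attribute, and the “Challenge-Response” is a second Access-Request carrying Y in User-Password together with that State. The shared secret, the credentials, the X and Y values and the `aa_server` logic are constructed for illustration.

```python
import hashlib, hmac, os, struct

REQUEST, ACCEPT, REJECT, CHALLENGE = 1, 2, 3, 11  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24  # attribute types
SECRET = b"constructed-shared-secret"  # constructed RADIUS key, ASA <-> RSA AA

def hide(value, req_auth):  # RFC 2865 5.2: XOR 16-byte blocks with an MD5 chain
    value = value.ljust(-(-max(len(value), 1) // 16) * 16, b"\x00")
    blocks = [req_auth]
    for i in range(0, len(value), 16):
        pad = hashlib.md5(SECRET + blocks[-1]).digest()
        blocks.append(bytes(a ^ b for a, b in zip(value[i:i + 16], pad)))
    return b"".join(blocks[1:])

def build(code, ident, auth, attrs):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs.items())
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def parse(pkt):
    attrs, i, end = {}, 20, struct.unpack("!H", pkt[2:4])[0]
    while i < end:
        if pkt[i + 1] < 2:
            raise ValueError("malformed attribute length")
        attrs[pkt[i]] = pkt[i + 2:i + pkt[i + 1]]
        i += pkt[i + 1]
    return pkt[0], pkt[1], pkt[4:20], attrs

def sign_reply(code, ident, req_auth, attrs):  # MD5(hdr + ReqAuth + attrs + secret)
    pkt = build(code, ident, req_auth, attrs)
    return pkt[:4] + hashlib.md5(pkt + SECRET).digest() + pkt[20:]

def reply_ok(reply, req_auth):  # the check the ASA side makes on every reply
    want = hashlib.md5(reply[:4] + req_auth + reply[20:] + SECRET).digest()
    return hmac.compare_digest(want, reply[4:20])

def asa_request(ident, user, secret_value, state=None):
    auth = os.urandom(16)  # fresh Request Authenticator per request
    attrs = {USER_NAME: user, USER_PASSWORD: hide(secret_value, auth)}
    return auth, build(REQUEST, ident, auth, {**attrs, **({STATE: state} if state else {})})

def aa_server(request, sessions):  # toy stand-in for RSA AA + AD (hypothetical logic)
    _, ident, auth, a = parse(request)
    if a.get(STATE) in sessions:  # steps 11-12: Challenge-Response carrying Y
        ok = hmac.compare_digest(a[USER_PASSWORD], hide(sessions.pop(a[STATE]), auth))
        return sign_reply(ACCEPT if ok else REJECT, ident, auth, {})
    if (a[USER_NAME], a[USER_PASSWORD]) != (b"alice", hide(b"S3cret!", auth)):
        return sign_reply(REJECT, ident, auth, {})
    state = os.urandom(8)
    sessions[state] = b"Y-7f3a"  # constructed Y, released after the security questions
    return sign_reply(CHALLENGE, ident, auth, {REPLY_MESSAGE: b"X-41c9", STATE: state})
```

The State value is popped on first use, so a captured Y cannot be replayed against the same challenge, and every reply is accepted only if its Response Authenticator verifies under the shared secret.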
This document is complementary to "Adaptive Authentication Integration Guide for Cisco SSL-VPN.pdf", available from RSA Security, Inc. Please contact RSA Security, Inc. for detailed installation guides.
Basic installation steps:
1) Extract the "adapters-sslvpn-products-cisco-asa.zip" file to your computer
2) Edit the aa_config.js file to point to your RSA AA server URL
3) Configure the ASA to use RADIUS for authentication under the tunnel-group. Configure the ASA to use the RSA AA server as the RADIUS server.
4) Import the contents of the zip file to the ASA as 'web-content'. Make sure to select "No" for 'Require authentication to access its content?'
5) Create a customization and add the following into the "copyright panel"