Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3089
Views
0
Helpful
4
Replies

ASA VPN with ISE and diffrent OTP backends

Mattias Andersson
Level 1
Level 1

‎05-28-2012 01:51 AM

Hi,

I have an AAA-problem I hope to get some help solving.

The problem in short is: How to make the ASA via ISE send Radius Access Requests to diffrent given OTP backends given a connection to a certain Tunnel Group.

BACKGROUND:

I will try to give you a brief picture of the scenario this is what I currently have.

A VPN system ( ASA 8.4(4) ) where I allow my users to choose from 3 different authentication methods being

1) Certificate (on smart-card)

2) Pledge - OTP token (One-Time-Password delivered via application in smartphone: using pledge from Nordic Edge OTP-Server)

3) SMS - OTP token (OTP via SMS from Nordic Edge OTP-Server)

The choice corresponds to different Connection Profiles/Tunnel Groups.

All authorization is currently done via LDAP to AD.

This is since it seams rare in Radius-servers to support only radius authorization requests without first doing authentication, think use case certificates.

(Would love to see the ISE support that as well, might already do with proper configuration?)

Today both OTP-services are address direct from the ASA and being run on the same server but with different profiles(behavior) being distinguished by incoming UDP port. That is since as far as I know the ASA does not send any useful attributes I can look at in the Access-Request.

THE PROBLEM:

The problem arises when I try to put in the ISE into the mix.

What I obviously(?) would like to do is to have all network authentications go thru my ISE platform to take advantage of centralized administration, monitoring etc.

Still I would need to use the different backend databases such as AD and Nordic Edge OTP-Server, but then proxied via ISE.

For me to be able to know to which backend AAA system to proxy I must somehow be able to distinguish the incoming Radius Access-Requests.

The ISE does not, as far as I have been told, support listening on multiple ports or IP-addresses(which could be one way of differentiating the requests). Ideally the ASA would give me information about the Connection Profile/Tunnel Group being used in one of the available attributes in the Access-Request, but currently that is not the case as far as I know.

So, this gives me for the moment a problem which I hope you could be able to help me solve.

One solution that has been suggested is to have user login using username such as user@domain or domain\user and use username strip options to extract the username before submitting to a external Token server using RADIUS proxy. The prefix/suffix cold be used to make proxy selection.

Domain would i this case be something bogus to indicate diffrent tunnel-groups.

From a technical perspectiv that will probalbly work, but from a administrativ perspective I will have a hard time instructing my users to change the behaviour. Could this in any way be done without having the users actually type domain info, i.e. have it automatically inserted?

I also heard roumors, not committed in roadmap, that there should be investigations in options to send specific ASA attributes in RADIUS request based on criteria such as Tunnel Group. That would be wonderfull.

Best regards

/Mattias

Labels:
0 Helpful
4 Replies 4

aallani
Level 4
Level 4

‎05-28-2012 10:43 AM

I have the same problem with Gemalto Protiva SA.

But googling sms otp request I found this. it should help you:

http://support.nordicedge.com/step-by-step-guide-to-implement-sms-authentication-to-cisco-asa-5500-%E2%80%93-clientless-ssl-vpn-and-cisco-vpn/#Important_information_regardin

Akram

0 Helpful

Mattias Andersson
Level 1
Level 1
In response to aallani

‎05-28-2012 11:42 PM

Hi Akram,

Thank you very much for your reply.

The documentation you are refeering to am I familiar with, we are actually using just that software.

What the documentation sugests is pretty much what we do today, just that we are using multiple variations of diffrent OTP-methods/Connection Profiles(Tunnel Groups).

The problem as I see it arises when I try to proxy all those authentication methods via a single ISE installation. I then have no way to know to which OTP backend to proxy/forward the request to since there is no attribute to distinguish one methods requests from the other.

/Mattias

0 Helpful

Mikael Gustafsson
Level 5
Level 5
In response to Mattias Andersson

‎10-16-2012 01:51 AM

Hi Mattias,

Did you get this to work or did you go for another solution?

Mikael

0 Helpful

Mattias Andersson
Level 1
Level 1
In response to Mikael Gustafsson

‎12-06-2012 05:44 AM

Hi Mikael,

I'm sorry for the very un-timly reply. I guess the answer might not be of use for you anymore, but hopefully it could help someone else any how.

Yes, I did get it to work.

I acctualy asked the same question in an diffrent thread on the forum and got help there.

I will cross-reference that thread here:

https://supportforums.cisco.com/thread/2152196

Best regards

/M

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents