AD Groups integration with ASA SSL VPN RSA 2-factor Authentication

Lovleen Arora
Level 1

ASA5520 (v9.0.4)
- We are running an RSA 2FA.
- We would like to establish different VPN access profiles that enable us to segregate the traffic that we're passing on to our internal FW based on which VPN profile the user chooses.
- We would like to control the above with AD accounts and AD group memberships (LDAP).

Accepted Solution

pjain2
Cisco Employee

Hi Lovleen,

The feature allowing this has been introduced on the ASA as of Cisco ASA 5500 version 8.2(1).

Please read the description found in "Table 12 New Features for ASA Version 8.2(1)", third row, "Double Authentication"; it briefly explains what the feature can do, what the configuration commands are, and the restrictions.

URL: http://www.cisco.com/en/US/docs/security/asa/asa82/release/notes/asarn82.html

To summarize: the feature you are looking for is only available when using the AnyConnect Client on a Windows platform, and if RSA (2-factor authentication) is set as the primary authentication method while an additional AAA authentication method, such as AD, is set as secondary. The RSA/SDI authentication method cannot be set as secondary. I would recommend using the latest AC v3 release.


Please also find included below an example which I'm hoping will be helpful:

(1) Assuming that currently the configuration only uses AD as the authentication method, the tunnel group configuration will look like this:

tunnel-group Employees type remote-access
tunnel-group Employees general-attributes
authentication-server-group LDAP-AD11
default-group-policy Employees
tunnel-group Employees webvpn-attributes
group-url https://vpn.com/Employees enable

(2) Then, once you have configured your SDI server, you need to configure it as the primary authentication method and the old method as secondary.


Commands:

tunnel-group XXXX general-attributes
     secondary-authentication-server-group "Server Name"

Note: Native RSA/SDI is not supported as the secondary authentication server. It must be configured as the primary authentication server.

aaa-server SdiServers protocol sdi
aaa-server SdiServers host 1.1.1.1 SharedSecret
aaa-server SdiServers host 1.1.1.2 SharedSecret

Example:

tunnel-group Employees general-attributes
authentication-server-group SdiServers          <--- RSA/SDI
secondary-authentication-server-group LDAP-AD11 <--- LDAP


Let me know if this helps.

Regards



Just a quick comment:

I just used this method and it worked great. The only thing I ran into is that mine didn't work if I made the RSA server the primary authentication and LDAP the secondary. So I tried LDAP as the primary and RSA as the secondary and it's working great.

I am, however, using radius as the protocol for the RSA server, not SDI.

Ben
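The ordering rule from the accepted answer (native SDI may only be the primary server group) and the follow-up observation that an RSA server fronted by RADIUS works as secondary can be checked mechanically before a config is pushed. The script below is an added example written for this thread, not Cisco code or anything posted above; the config fragment is constructed (hypothetical hosts and group names) and the checker only flags a secondary group whose aaa-server protocol is sdi.

```python
import re

# Constructed ASA running-config fragment modelled on the thread's example
# (hypothetical addresses, keys and group names; not a real device).
SAMPLE_CONFIG = """
aaa-server SdiServers protocol sdi
aaa-server SdiServers host 1.1.1.1 SharedSecret
aaa-server LDAP-AD11 protocol ldap
aaa-server LDAP-AD11 host 10.0.0.5
aaa-server RsaRadius protocol radius
aaa-server RsaRadius host 10.0.0.6 RadiusKey
tunnel-group Employees type remote-access
tunnel-group Employees general-attributes
 authentication-server-group SdiServers
 secondary-authentication-server-group LDAP-AD11
tunnel-group Contractors general-attributes
 authentication-server-group LDAP-AD11
 secondary-authentication-server-group SdiServers
tunnel-group Vendors general-attributes
 authentication-server-group LDAP-AD11
 secondary-authentication-server-group RsaRadius
"""

AAA_PROTO = re.compile(r"^aaa-server (\S+) protocol (\S+)")
TG_ATTRS = re.compile(r"^tunnel-group (\S+) general-attributes")
PRIMARY = re.compile(r"^authentication-server-group (\S+)")
SECONDARY = re.compile(r"^secondary-authentication-server-group (\S+)")


def parse_config(text):
    """Return ({aaa_group: protocol}, {tunnel_group: (primary, secondary)})."""
    protocols, tunnels, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()  # sub-commands are indented under general-attributes
        if m := AAA_PROTO.match(line):
            protocols[m.group(1)] = m.group(2)
        elif m := TG_ATTRS.match(line):
            current = m.group(1)
            tunnels.setdefault(current, [None, None])
        elif current and (m := PRIMARY.match(line)):
            tunnels[current][0] = m.group(1)
        elif current and (m := SECONDARY.match(line)):
            tunnels[current][1] = m.group(1)
    return protocols, {k: tuple(v) for k, v in tunnels.items()}


def check_double_auth(text):
    """Flag tunnel-groups whose secondary server group is native SDI (unsupported)."""
    protocols, tunnels = parse_config(text)
    return [f"{name}: secondary group {sec} is native SDI; move it to primary"
            for name, (_, sec) in tunnels.items() if sec and protocols.get(sec) == "sdi"]


if __name__ == "__main__":
    print("\n".join(check_double_auth(SAMPLE_CONFIG)) or "no findings")
```

Only the Contractors group is reported; Vendors, which mirrors Ben's LDAP-primary/RADIUS-secondary setup, passes.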