03-15-2016 05:23 PM
ASA5520 (v9.0.4)
- We are running an RSA 2FA
- We would like to establish different VPN access profiles that enable us to segregate the traffic that we’re passing on to our internal FW based on which VPN profile the user chooses.
- We would like to control the above with AD accounts and AD group memberships. (LDAP)
03-16-2016 06:42 PM
Hi Lovleen,
The feature allowing this has been introduced on the ASA as of Cisco ASA 5500 Version 8.2(1). Please read the description found in "Table 12 New Features for ASA Version 8.2(1)", third row: "Double Authentication". It briefly explains what the feature can do and what the configuration commands and restrictions are. URL: http://www.cisco.com/en/US/docs/security/asa/asa82/release/notes/asarn82.html

To summarize: the feature you are looking for is only available when using the AnyConnect Client on a Windows platform, and if RSA (2-factor authentication) is set as the primary authentication method while an additional AAA authentication method such as AD is set as secondary. The RSA/SDI authentication method cannot be set as secondary. I would recommend using the latest AC v3 release.

Please also find included below an example which I'm hoping will be helpful:

(1) Assuming that currently the configuration only uses AD as the authentication method, the tunnel group configuration will look like this:

    tunnel-group Employees type remote-access
    tunnel-group Employees general-attributes
     authentication-server-group LDAP-AD11
     default-group-policy Employees
    tunnel-group Employees webvpn-attributes
     group-url https://vpn.com/Employees enable

(2) Then, once you have configured your SDI server, you need to configure it as the primary authentication method and the old method as secondary.

Commands:

    tunnel-group XXXX general-attributes
     secondary-authentication-server-group "Server Name"

Note: Native RSA/SDI is not supported as the secondary authentication server. It must be configured as the primary authentication server.

    aaa-server SdiServers protocol sdi
    aaa-server SdiServers host 1.1.1.1 SharedSecret
    aaa-server SdiServers host 1.1.1.2 SharedSecret

Example:

    tunnel-group Employees general-attributes
     authentication-server-group SdiServers              <--- RSA/SDI
     secondary-authentication-server-group LDAP-AD11     <--- LDAP

Let me know if this helps.
Regards
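A fuller worked configuration for the double-authentication setup described in the answer above, extended to the original question's goal of segregating traffic by AD group membership. This is an added example, not the answerer's or Cisco's configuration: server names, IPs, DNs, group-policy names and ACLs are constructed, and the authorization-server-group line and the NOACCESS default policy are assumptions about how to enforce the group-to-policy mapping.

```cisco
! Added example (not from the original post). Names, IPs and DNs are constructed.
! RSA/SDI is the primary authentication server, AD/LDAP the secondary, and the
! user's AD group (memberOf) selects the group-policy and therefore the vpn-filter.

! --- RSA/SDI: must be the primary authentication server
aaa-server SdiServers protocol sdi
aaa-server SdiServers (inside) host 10.0.0.10

! --- Map AD group DN to an ASA group-policy name
ldap attribute-map AD-GROUP-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Engineering,OU=Groups,DC=example,DC=com" GP-ENGINEERING
 map-value memberOf "CN=VPN-Finance,OU=Groups,DC=example,DC=com" GP-FINANCE

aaa-server LDAP-AD11 protocol ldap
aaa-server LDAP-AD11 (inside) host 10.0.0.5
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-vpn-bind,OU=Service,DC=example,DC=com
 ldap-login-password <bind-password-placeholder>
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP

! --- Per-profile traffic segregation: each policy only reaches its own subnet
access-list VPN-ENG-FILTER extended permit ip any 10.10.0.0 255.255.0.0
access-list VPN-FIN-FILTER extended permit ip any 10.20.0.0 255.255.0.0

group-policy GP-ENGINEERING internal
group-policy GP-ENGINEERING attributes
 vpn-filter value VPN-ENG-FILTER
group-policy GP-FINANCE internal
group-policy GP-FINANCE attributes
 vpn-filter value VPN-FIN-FILTER

! Users in neither AD group fall through to this policy and are refused.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0

tunnel-group Employees type remote-access
tunnel-group Employees general-attributes
 authentication-server-group SdiServers
 secondary-authentication-server-group LDAP-AD11
 authorization-server-group LDAP-AD11
 default-group-policy GP-NOACCESS
tunnel-group Employees webvpn-attributes
 group-url https://vpn.example.com/Employees enable
```

After a test login, "show vpn-sessiondb anyconnect" shows which group-policy was assigned, which is the quickest way to confirm the memberOf mapping took effect.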
03-30-2017 12:50 PM
Just a quick comment:
I just used this method and it worked great. The only thing I ran into is that mine didn't work if I made the RSA server the primary authentication and LDAP the secondary. So I tried LDAP as the primary and RSA as the secondary and it's working great.
I am, however, using RADIUS as the protocol for the RSA server, not SDI.
Ben