
ASA Dual Factor Authentication Only

Nathaniel Wood
Level 1

My company is currently testing out dual factor authentication for specific users. To authenticate we use SecureAuth keys and an existing AD server which is also used to authenticate for our other VPN groups. Because of this members in the dual auth group can authenticate in the current VPN groups by using only their AD credentials.

Is there a way for me to configure this group to only be able to gain VPN access if they go through the dual factor method?

Basically, if the users in the dual auth group don't connect using the dual auth group in AnyConnect, they will not be able to establish a VPN connection. That is what I'm looking to set up.

Any input is appreciated!

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
Hall of Fame

Having allowed all AD users to authenticate is only the first A of AAA.

You can control what they are authorized to do (or connect to) based on username or membership in a group.

You may need to make a new AD group for everyone but them and make membership in that group a requirement for the default profile. Then make another AD group for the new dual factor users and make membership in that group a requirement for that new profile.

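Marvin's pointer (authorize by AD group, one group per connection profile) can be expressed on the ASA itself. The configuration below is an added example for this thread, not anything Marvin or Nathaniel posted; the server names, addresses, DNs, service account, group-policy and tunnel-group names are all assumptions. It uses an LDAP attribute map to turn each user's memberOf into a group policy, and group-lock to pin each group policy to a single connection profile, so a dual-factor user who picks the AD-only profile is refused even though the AD password is valid.

```cisco
! --- Map AD group membership to an ASA group policy ---
! A user in VPN-DualFactor lands in GP-DualFactor no matter which
! connection profile they picked; anyone in neither group stays in NOACCESS.
! (Group DNs are placeholders for this example.)
ldap attribute-map AD-GroupMap
 map-name memberOf Group-Policy
 map-value memberOf CN=VPN-Users,OU=Groups,DC=example,DC=com GP-Standard
 map-value memberOf CN=VPN-DualFactor,OU=Groups,DC=example,DC=com GP-DualFactor

! --- AD over LDAP: the server that already holds everyone's credentials ---
! Host, base DN and service account are placeholders.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=ServiceAccounts,DC=example,DC=com
 ldap-login-password <service-account-password>
 server-type microsoft
 ldap-attribute-map AD-GroupMap

! --- SecureAuth as the second factor, reached over RADIUS (placeholder host/key) ---
aaa-server SecureAuth-RADIUS protocol radius
aaa-server SecureAuth-RADIUS (inside) host 10.0.0.20
 key <radius-shared-secret>

! --- Create both connection profiles first so group-lock can reference them ---
tunnel-group Standard-VPN type remote-access
tunnel-group DualFactor-VPN type remote-access

! --- Default for anyone the map does not place in a group: no logins at all ---
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! --- Single-factor users: only allowed through the Standard-VPN profile ---
group-policy GP-Standard internal
group-policy GP-Standard attributes
 vpn-tunnel-protocol ssl-client
 group-lock value Standard-VPN

! --- Dual-factor users: only allowed through the DualFactor-VPN profile ---
! If one of them connects through Standard-VPN with AD credentials alone,
! the AD lookup still maps them here, and the group-lock mismatch makes
! the ASA reject the session.
group-policy GP-DualFactor internal
group-policy GP-DualFactor attributes
 vpn-tunnel-protocol ssl-client
 group-lock value DualFactor-VPN

! --- Connection profile: AD password only ---
tunnel-group Standard-VPN general-attributes
 authentication-server-group AD-LDAP
 default-group-policy NOACCESS
tunnel-group Standard-VPN webvpn-attributes
 group-alias Standard enable

! --- Connection profile: SecureAuth first, then AD, with authorization from AD ---
! authorization-server-group pulls the memberOf mapping from AD even though
! the primary authentication server on this profile is RADIUS.
tunnel-group DualFactor-VPN general-attributes
 authentication-server-group SecureAuth-RADIUS
 secondary-authentication-server-group AD-LDAP
 authorization-server-group AD-LDAP
 authorization-required
 default-group-policy NOACCESS
tunnel-group DualFactor-VPN webvpn-attributes
 group-alias DualFactor enable

! Let AnyConnect users choose a profile by alias.
webvpn
 tunnel-group-list enable
```

This assumes the same username exists on SecureAuth and in AD, so the authorization lookup on the dual-factor profile resolves to the right AD object. To confirm the map fires before pushing it to users, `test aaa-server authentication AD-LDAP host 10.0.0.10 username <user>` with `debug ldap 255` running shows the memberOf values returned and the Group-Policy the ASA derives from them; a user in neither AD group should be reported as landing in NOACCESS.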

2 Replies


Hi Marvin,

Thanks for your response, I really appreciate your time.

I think we've narrowed down the issue to the configuration on the secondary authentication server. Right now it's allowing anyone within our AD to register on that server as opposed to specifying the user group to limit access.

So it seems the issue is not in the configuration on the ASA, but rather in the authentication server not restricting authentication to a single group.