Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
373
Views
0
Helpful
2
Replies

ASA Dual Factor Authentication Only

Go to solution
Nathaniel Wood
Level 1
Level 1

‎01-27-2015 06:36 PM

My company is currently testing out dual factor authentication for specific users. To authenticate we use SecureAuth keys and an existing AD server which is also used to authenticate for our other VPN groups. Because of this members in the dual auth group can authenticate in the current VPN groups by using only their AD credentials.

Is their a way for me to configure this group to only be able to gain VPN access if they go through the dual factor method?

Basically if the users in the dual auth group don't connect using the dual auth group in anyconnect, they will not be able to establish a vpn connection is what I'm looking to setup.

Any input is appreciated!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎01-28-2015 02:47 PM

Having allowed all AD users to authenticate is only the first A of AAA.

You can control what they are authorized to do (or connect to) based on username or membership in a group.

You may need to make a new AD group for everyone but them and make membership in that a group a requirement for the default profile. Then make another AD group for the new dual factor users and make membership in that group a requirement for that new profile.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎01-28-2015 02:47 PM

Having allowed all AD users to authenticate is only the first A of AAA.

You can control what they are authorized to do (or connect to) based on username or membership in a group.

You may need to make a new AD group for everyone but them and make membership in that a group a requirement for the default profile. Then make another AD group for the new dual factor users and make membership in that group a requirement for that new profile.

0 Helpful

Go to solution
Nathaniel Wood
Level 1
Level 1
In response to Marvin Rhoads

‎01-29-2015 08:16 AM

Hi Marvin,

Thanks for your response, I really appreciate your time.

I think we've narrowed down the issue to the configuration on the secondary authentication server. Right now it's allowing anyone within our AD to register on that server as opposed to specifying the user group to limit access.

So as it seems the issue is not in the configuration on the ASA, but more the authentication server by not restricting authentication more specifically to a single group.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents