ASA SSL VPN with RSA Authentication

markturner
Level 1

Has anyone implemented SSL VPN on an ASA appliance using SecurID key fob tokens? The datasheets indicate native RSA can be used for authentication, but does this work with SSL VPNs?

Thanks

david.buitendag
Level 1

Hi

Were you ever able to get this to work? I am implementing the same thing using token authentication.

Thanks!

Hi David,

I went for the token RSA appliance which had an out of the box setup.

On the ASA here's a sample config to get the client authentication to work for IPSEC:

aaa-server SDI protocol sdi
aaa-server SDI host 192.168.1.1
tunnel-group clientvpn type ipsec-ra
tunnel-group clientvpn general-attributes
 address-pool vpnpool
 authentication-server-group SDI
 default-group-policy clientvpn
 authorization-required

Best regards,

Mark

Hi Mark,

This seems to apply a default group to all clients authenticated by SecurID. Were you able to assign groups so that different clients have different policies? Thanks.

Hi Jason,

I've seen this done. You specify the default group policy in each separate tunnel-group then create a separate group policy for each one.

e.g.

group-policy clientvpn internal
group-policy clientvpn attributes
 wins-server value 192.168.1.2
 dns-server value 192.168.1.139 192.168.1.3
 vpn-idle-timeout none
 vpn-session-timeout none
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy excludespecified
 split-tunnel-network-list value clientsplit
 default-domain value mydomain.local

Then you might have a different policy for another group, say without split tunneling, etc.

Cheers,

Mark
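
The layout described in this thread (one tunnel-group per client population, each pointing at the SDI server group and at its own group policy) can be checked against a saved configuration. The script below is an added example, not posted by anyone in the thread; it parses only the command forms shown above, and the `fulltunnel` and `legacy` groups in its sample are constructed.

```python
import re

# Constructed sample in the thread's syntax; "fulltunnel" and "legacy" are made-up names.
SAMPLE_CONFIG = """\
aaa-server SDI protocol sdi
aaa-server SDI host 192.168.1.1
group-policy clientvpn internal
tunnel-group clientvpn type ipsec-ra
tunnel-group clientvpn general-attributes
 authentication-server-group SDI
 default-group-policy clientvpn
tunnel-group fulltunnel type ipsec-ra
tunnel-group fulltunnel general-attributes
 authentication-server-group SDI
 default-group-policy clientvpn
tunnel-group legacy type ipsec-ra
tunnel-group legacy general-attributes
 default-group-policy legacy
"""

def audit_tunnel_groups(config):
    """Return {tunnel-group name: [findings]}; an empty list means no finding."""
    protocols = dict(re.findall(r"^aaa-server (\S+) protocol (\S+)", config, re.M))
    policies = set(re.findall(r"^group-policy (\S+) internal", config, re.M))
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"tunnel-group (\S+) (type|general-attributes)", line)
        if m:  # both line kinds register the group; only the second opens a block
            attrs = groups.setdefault(m.group(1), {})
            current = attrs if m.group(2) == "general-attributes" else None
        elif line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")
            current[key] = value
        elif not line.startswith(" "):
            current = None  # any other top-level command closes the block
    used = [a.get("default-group-policy") for a in groups.values()]
    report = {}
    for name, attrs in groups.items():
        findings = report[name] = []
        server = attrs.get("authentication-server-group")
        if server is None:
            findings.append("no authentication-server-group, SecurID not enforced")
        elif protocols.get(server) != "sdi":
            findings.append(f"server group {server} is not protocol sdi")
        policy = attrs.get("default-group-policy")
        if policy is not None and policy not in policies:
            findings.append(f"group-policy {policy} is not defined")
        elif policy is not None and used.count(policy) > 1:
            findings.append(f"group-policy {policy} shared by {used.count(policy)} tunnel-groups")
    return report
```

On the sample, `clientvpn` and `fulltunnel` are reported as sharing one policy, and `legacy` is reported as having no SDI server group and an undefined policy.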