Cisco FTD RAVPN with MFA w/ SecurID and AD (ISE as proxy for SecurID)

br-ext (Level 1)

Scenario:

- Remote Access VPN configured with MFA on a Cisco FTD; authentication will use SecurID and AD via ISE, authorization is done via AD.

- The SecurID authentication is proxied via RADIUS using the ISE server as an intermediary.

I can successfully get authentication working against ISE using only AD or only SecurID, but not both.

How would I set this up in ISE so that users are authenticated against the SecurID external identity source and then AD?

Do I need to set up 2 different policy sets? One for the SecurID and one for the AD? How do I distinguish in a condition that the first auth request is for SecurID? My understanding is that the FW will send the first request and then the second; however, from my troubleshooting the ISE server just sees them as RADIUS requests from the same host, so I can't identify/specify how to deal with them separately.

 

Accepted Solution

br-ext (Level 1)

I've managed to get to the bottom of this one. Here's the solution/workaround/fix; I'll include as much as I can.

The issue arises due to the fact that Cisco FTD doesn't support SDI natively; the appliance needs to use a RADIUS proxy, in this/our case ISE. When MFA is configured the FTD will perform the first authentication and then the second. If you are using the same server (ISE) for AD authentication as for the RSA proxy, then the ISE server effectively sees two near-identical requests from the same host, and therefore you cannot distinguish on the ISE policy set condition which one is which.

The workaround/solution:

- Configure your AAA server group hosts to be used for SecurID, manually setting the interface for management within the host settings:

[image: brext_0-1749820485166.png]

- Configure your RADIUS server group hosts for AD via ISE as default (routing); in this case it's our inside interface:

[image: brext_1-1749820652550.png]

The result is that you can then set your ISE policy set condition to match based on the IP address of the request and assign a different authentication profile based on this. However, if you have all your FW IPs associated with a single node in ISE, you need to separate them out into two; here I have the mgmt interfaces assigned to a different node with the suffix "-MGMT". From my testing, if you don't do this then ISE treats the second request as a duplicate and tries to authenticate both requests via the same method - I don't know why this happens.

Also, if you are using ISE to authenticate management logins, then you also need to set further conditions to match on PIX7x-Client-Type. Remember that this more specific policy set will need to go above the management logins. It will look similar to this:

[image: brext_2-1749820948513.png]

For the above to work, it assumes that your management interface has internal connectivity to your ISE server. If you don't, then you could probably set up the inside with a sub-interface in a different VRF, or use policy-based routing on the sub-interface IP somehow - luckily I didn't have that issue to confront.

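The following is an added illustration of the policy-set logic described in the accepted solution above; it is not code from the original post and not ISE code. It models ISE's top-down, first-match evaluation of policy sets and shows why the two RADIUS requests from one FTD (one from the mgmt interface, one from the inside interface) only land on different authentication sources once they are seen as coming from two different network device entries, and why the RAVPN set must sit above the device-admin set. The network device names (FTD-01, FTD-01-MGMT), NAS IP addresses, the assumption that the RAVPN request carries the PIX7x-Client-Type attribute while an admin login does not, and the Client-Type value 2 are all assumptions made for this example.

```python
"""Toy model of ISE policy-set evaluation for the FTD MFA (SecurID + AD) flow.

Added example: names, addresses and attribute values below are assumptions,
not taken from the original post or from a real ISE deployment.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple

# Assumed: an ASA/FTD RAVPN Access-Request carries the VPN3000/ASA/PIX7x
# Client-Type VSA; a device-administration (SSH/GUI) login does not.
# Value 2 is used here for the AnyConnect SSL VPN client type.
CLIENT_TYPE_ANYCONNECT_SSL = 2


@dataclass
class AccessRequest:
    nas_ip: str                      # source address ISE sees the request from
    user: str
    client_type: Optional[int] = None  # PIX7x-Client-Type, if present


@dataclass
class NetworkDevice:
    name: str
    ips: Set[str]


@dataclass
class PolicySet:
    name: str
    # condition(request, matched network device) -> bool
    condition: Callable[[AccessRequest, Optional[NetworkDevice]], bool]
    auth_source: str                 # identity source/sequence for this set


def lookup_device(devices: List[NetworkDevice], req: AccessRequest) -> Optional[NetworkDevice]:
    """ISE maps the NAS address to a Network Device entry (first match)."""
    for dev in devices:
        if req.nas_ip in dev.ips:
            return dev
    return None


def evaluate(policy_sets: List[PolicySet], devices: List[NetworkDevice],
             req: AccessRequest) -> Tuple[str, str]:
    """Top-down evaluation: the first policy set whose condition holds wins."""
    dev = lookup_device(devices, req)
    for ps in policy_sets:
        if ps.condition(req, dev):
            return ps.name, ps.auth_source
    return "Default", "Internal Users"


def is_ravpn(req: AccessRequest) -> bool:
    return req.client_type is not None


def build_policy_sets(admin_first: bool = False) -> List[PolicySet]:
    """Three sets: RAVPN via mgmt node -> SecurID, RAVPN via inside node -> AD,
    anything else from either node -> device admin. admin_first=True reproduces
    the ordering mistake the post warns about (admin set above the RAVPN sets)."""
    ravpn_securid = PolicySet(
        "RAVPN-SecurID",
        lambda r, d: d is not None and d.name == "FTD-01-MGMT" and is_ravpn(r),
        "RSA SecurID (RADIUS proxy)")
    ravpn_ad = PolicySet(
        "RAVPN-AD",
        lambda r, d: d is not None and d.name == "FTD-01" and is_ravpn(r),
        "Active Directory")
    admin = PolicySet(
        "FTD-Admin",
        lambda r, d: d is not None and d.name in ("FTD-01", "FTD-01-MGMT"),
        "Active Directory (admins)")
    sets = [ravpn_securid, ravpn_ad, admin]
    return [admin, ravpn_securid, ravpn_ad] if admin_first else sets


def build_devices(separate_nodes: bool) -> List[NetworkDevice]:
    """Single node holding both FTD IPs vs. split into FTD-01 and FTD-01-MGMT."""
    if separate_nodes:
        return [NetworkDevice("FTD-01", {"10.10.0.1"}),
                NetworkDevice("FTD-01-MGMT", {"10.99.0.1"})]
    return [NetworkDevice("FTD-01", {"10.10.0.1", "10.99.0.1"})]


def mfa_login(policy_sets: List[PolicySet], devices: List[NetworkDevice],
              user: str = "alice") -> List[str]:
    """The FTD sends two Access-Requests for one VPN login: first from the mgmt
    interface (SecurID group), then from the inside interface (AD group).
    Returns the authentication source each request is routed to."""
    first = AccessRequest("10.99.0.1", user, CLIENT_TYPE_ANYCONNECT_SSL)
    second = AccessRequest("10.10.0.1", user, CLIENT_TYPE_ANYCONNECT_SSL)
    return [evaluate(policy_sets, devices, r)[1] for r in (first, second)]


if __name__ == "__main__":
    print("split nodes :", mfa_login(build_policy_sets(), build_devices(True)))
    print("single node :", mfa_login(build_policy_sets(), build_devices(False)))
    print("admin first :", mfa_login(build_policy_sets(True), build_devices(True)))
    ssh = AccessRequest("10.99.0.1", "admin")
    print("admin login :", evaluate(build_policy_sets(), build_devices(True), ssh))
```

With the split device entries the two requests hit RAVPN-SecurID and RAVPN-AD respectively; with a single entry both resolve to the same device name, so both land on the same set, which is the symptom the post describes. Putting the admin set first swallows both RAVPN requests, which is why the more specific Client-Type condition has to be ordered above the management-login set.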
