cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
3271
Views
0
Helpful
5
Replies
Highlighted

Clientless SSL VPN - RSA & LDAP

Hi,

Im not sure what Im asking for is even possible. What I would like to do is have the clientless ssl vpn authenticate via RSA and LDAP at the login page. I've been able to configure it for RSA or LDAP but not both. So in the end a user would go to https://outside_int_ip and see the clientless ssl vpn login page and are required to provide username, password, and RSA token number to gain access.

Any thoughts?

Thanks!

-Alex

5 REPLIES 5
Highlighted
Participant

Hi,

This is possible using the double authentication feature introduced in ASA 8.2 release.

http://www.ciscosystems.li/en/US/docs/security/asa/asa82/release/notes/asarn82.html#wp340497

Under the "Clientless Connection Profile", you will now see "Seconday Authentication" option. 

Q: Is there any restriction? Can I have two LDAP, two RADIUS, RADIUS first then LDAP, LDAP first then RADIUS?

A: Yes, all variants are supported. However, Native RSA/SDI is not supported as the secondary authentication server. It must be configured as the primary authentication.

Thanks,

Kiran

Highlighted

Anyone know why RSA Cannot be configured as the secondary ?

This creates a problem for us. Our users are accustomed to putting in their id, their password, and then their PIN+Passcode.

We're forced to prompted them in reverse. This causes issues. Also it's not easily apparent on how to chance the login prompts. ie.. "Second Password" is not very helpful as a prompt.

Any inside would be greatly appreciated.

Thanks,
Justin

Highlighted

Hi,

Please see the attached pics. You can re-order the login prompts and also modify the text in the login prompts using the Customization Editor in ASDM.

Thanks,

Kiran

Highlighted

I got really excited for a second but this doesnt apply to the client right ?

This is just the clientless portal ?

THanks,

Justin

Highlighted

Yes, this is limited to Clientless Portal.

From a recent exchange with developer:

We only support new pin / Next token modes on the primary  server and this is why we make that statement. You can use RSA as a secondary authentication server  if you are not using new pin / Next token modes.

Thanks,

Kiran

Content for Community-Ad