Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4292
Views
5
Helpful
4
Replies

Dual Factor Authentication for AnyConnect Clients

Pete89
Level 2
Level 2

‎11-17-2010 11:05 AM - edited ‎02-21-2020 04:58 PM

Hello,

I am looking to replace my aging RSA devices with something, and I want to know if Cisco sells something that integrates easier that RSA Auth Manager.

Here is my setup:

I have an ASA in the East coast office running 8.3(2) and hundreds of VPN clients with about 7 vpn groups. 3 of the vpn groups use token based access. No user can logon using another vpn group. I have another ASA on the West coast running 8.0.5 for DR.

I want to know if Cisco sells something that intergrates with the ASAs to do dual factor authentication and will authorize based on AD groups or some other attribute. The same token should work on the ASA on the West Coast if they had to logon there.

Thanks;

Pete

1 person had this problem
Labels:
0 Helpful
4 Replies 4

Yudong Wu
Level 7
Level 7

‎11-17-2010 01:35 PM

ASA can talked to Radius, TACACS and LDAP for user authentication.

If you RSA server don't support Radius, you can use Cisco ACS box for the authentication and RSA is configured in ACS as an external user database. So the authentication request will be sent to ACS and then ACS will check RSA server to authenticate user.

AD group mapping is available as well. On ASA, you just need to map the attrible returned by AD to IETF-Radius-Class. Then ASA will use it to map the user to the correct group-policy.

0 Helpful

Pete89
Level 2
Level 2
In response to Yudong Wu

‎11-18-2010 05:02 AM

So I am stuck with RSA. Fine. I am about to buy 21k worth of hardware and I cant get anyone at RSA to tell me if what I want to do is possible, they keep saying its a ASA problem.

What I want to do is insure that a user can only enter in through the VPN group where she is assigned. RSA keeps telling me all thier box does is give a thumbs up or down. So if I use one RSA box its gonna give a thumbs up to anyone who has the token passcode correct no matter what groupo they come in on.

P.

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee

‎11-17-2010 02:33 PM

Unfortunately, Cisco does not have any "token" product for authentication. We are relying on third party token vendor like RSA to perform 2 factor authentication unfortunately.

0 Helpful

lbn
Level 1
Level 1

‎11-18-2010 03:10 AM

If you are looking for alternatives to RSA, allow me to raise the attention to SMS authentication from www.smspasscode.com. This is a new two-factor authentication solution via SMS text messaging that works with the Cisco AnyConnect and SSL VPN systems/client s.. you can see a live demo of it on the website under products/howitworks. Lars Nielsen

Customers Also Viewed These Support Documents