
ISE with 2FA First authentication with AD and 2FA

jewfcb001
Level 4

Hi everyone,

I have a question about AnyConnect VPN authentication via ISE using 2FA. My solution needs to use a first authentication with AD or LDAP and then use 2FA. Can I do this solution?

Thank you.

1 Accepted Solution

@jewfcb001 yes, you can use option 3 on the ASA/FTD - just configure the primary (ISE) and secondary (RSA or VASCO) authentication servers on the ASA/FTD pointing to the different authentication servers.

9 Replies

@jewfcb001 yes, just specify the AD/LDAP server as the primary authentication method and 2FA as the secondary.

@Rob Ingram you mean I configure a new Identity Source Sequence? If yes, I still don't understand the process for authentication from AD/LDAP and then 2FA. Can you explain it to me in more detail, please?

Currently I use a solution with an Internal user and choose the password type 2FA.

@jewfcb001 there are multiple ways to configure it, but you don't say which 2FA you are using. On the ASA (assuming you are using the ASA) you could configure the primary authentication server as ISE to authenticate against AD/LDAP, then configure the secondary authentication server (on the ASA) as the 2FA server. Or alternatively, if using Cisco DUO for 2FA, just point to ISE, as per example 1 here.

@Rob Ingram Thank you for the information. I think my solution can match solution 3) Primary and Secondary Authentication servers, but can I use 3rd-party (RSA or VASCO) 2FA in this solution? I am still confused by the words "primary authentication server as ISE to authenticate against AD/LDAP, then configure the secondary authentication server (on the ASA) as 2FA server". Please explain it to me again.

@jewfcb001 yes, you can use option 3 on the ASA/FTD - just configure the primary (ISE) and secondary (RSA or VASCO) authentication servers on the ASA/FTD pointing to the different authentication servers.

@Rob Ingram Thank you for the answer. I think https://community.cisco.com/t5/security-documents/configure-two-factor-authentication-on-asa-for-cisco-anyconnect/ta-p/3403768 is the URL with the steps for configuring secondary authentication, or not? So if I need to do this solution I must do the configuration on the ASA. Do you have an idea if I do not change the configuration on the firewall? In the case of Cisco ISE as a RADIUS proxy, can I use first authentication with AD/LDAP and secondary authentication with 2FA (RSA, VASCO) or not?

Thank you for the advice.

Yes, that link is another example of the same scenario I've been describing, using primary and secondary authentication servers on the ASA.

 

If you use ISE as a RADIUS proxy, it can send primary authentication to AD/LDAP. You define RSA or VASCO as the secondary authentication method on the ASA. The ASA configuration will look like this:

 

tunnel-group RA general-attributes
authentication-server-group ISE
secondary-authentication-server-group RSA

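For readers who want to see the two tunnel-group lines above in context, here is an added example of a complete ASA configuration for the primary/secondary scenario described in this thread. It is not from the thread or from Cisco documentation; the server names, interface, IP addresses (192.0.2.x, documentation range), shared secrets, pool and group-policy names are placeholders. The secondary group is defined as a RADIUS server group, which works for RSA or VASCO as long as the token server is configured to accept RADIUS from the ASA.

```text
! --- Added example configuration (not from the thread). All names, IPs
! --- and keys are placeholders; replace them for your environment.
!
! Primary factor: RADIUS to ISE. ISE itself checks the username/password
! against AD or LDAP in its policy set; nothing about AD is configured here.
aaa-server ISE protocol radius
aaa-server ISE (inside) host 192.0.2.10
 key ISE-SHARED-SECRET
 authentication-port 1812
 accounting-port 1813
 timeout 10
!
! Second factor: RADIUS to the RSA (or VASCO) token server. A longer
! timeout gives the user time to enter the one-time passcode.
aaa-server RSA protocol radius
aaa-server RSA (inside) host 192.0.2.20
 key RSA-SHARED-SECRET
 authentication-port 1812
 timeout 30
!
ip local pool VPN-POOL 192.0.2.128-192.0.2.254 mask 255.255.255.0
!
group-policy GP-RA internal
group-policy GP-RA attributes
 vpn-tunnel-protocol ssl-client
!
! The tunnel-group ties the two factors together. The ASA sends the
! first password to the primary group (ISE -> AD/LDAP) and the second
! password to the secondary group (RSA/VASCO); both must succeed.
! use-primary-username reuses the AD username for the second factor,
! so AnyConnect prompts only for the second password (the OTP).
tunnel-group RA type remote-access
tunnel-group RA general-attributes
 address-pool VPN-POOL
 default-group-policy GP-RA
 authentication-server-group ISE
 secondary-authentication-server-group RSA use-primary-username
tunnel-group RA webvpn-attributes
 group-alias RA enable
!
! Checks from the ASA CLI before testing with a client:
! test aaa-server authentication ISE host 192.0.2.10 username alice password <ad-password>
! test aaa-server authentication RSA host 192.0.2.20 username alice password <otp>
! show running-config tunnel-group RA
! show aaa-server ISE
! show aaa-server RSA
```

Two points worth checking in a real deployment: the `test aaa-server` commands verify each factor independently, so a connection that fails with both tests passing usually means the secondary group is being offered a username the token server does not know (drop `use-primary-username` only if the token usernames really differ from AD), and ISE accounting should stay pointed at the primary group so the session is seen once in ISE, not twice.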
 

@Rob Ingram Thank you for the information. I have a small question. For secondary authentication, do I need to configure the AnyConnect profile or not? Or is this configuration enough?

tunnel-group RA general-attributes
authentication-server-group ISE
secondary-authentication-server-group RSA

 

@jewfcb001 no you don't need to modify the anyconnect profile.