12-24-2021 12:56 AM
Hi Everyone,
I have a question about AnyConnect VPN authentication via ISE using 2FA. My solution needs to use a first authentication with AD or LDAP and then 2FA. Can I do this solution?
Thank you.
12-24-2021 01:10 AM
@jewfcb001 yes, just specify the AD/LDAP server as the primary authentication method and 2FA as the secondary.
12-24-2021 01:15 AM - edited 12-24-2021 01:17 AM
@Rob Ingram you mean I configure a new Identity Source Sequence? If yes, I still don't understand the process for authentication from AD/LDAP and then 2FA. Can you explain it to me in more detail, please?
Currently I use a solution with an Internal user and set the password type to 2FA.
12-24-2021 01:24 AM
@jewfcb001 there are multiple ways to configure it, but you don't say which 2FA you are using. On the ASA (assuming you are using the ASA) you could configure the primary authentication server as ISE to authenticate against AD/LDAP, then configure the secondary authentication server (on the ASA) as the 2FA server. Or alternatively, if using Cisco DUO for 2FA, just point to ISE, as per example 1 here.
12-24-2021 01:52 AM - edited 12-24-2021 01:53 AM
@Rob Ingram Thank you for the information. I think my solution can match solution 3) Primary and Secondary Authentication servers, but can I use 3rd-party (RSA or VASCO) 2FA in this solution? I am still confused by this wording: "primary authentication server as ISE to authenticate against AD/LDAP, then configure the secondary authentication server (on the ASA) as 2FA server". Please explain it to me again.
12-24-2021 02:00 AM
@jewfcb001 yes, you can use option 3 on the ASA/FTD - just configure the primary (ISE) and secondary (RSA or VASCO) authentication servers on the ASA/FTD pointing to the different authentication servers.
12-24-2021 02:16 AM
@Rob Ingram Thank you for the answer. Is https://community.cisco.com/t5/security-documents/configure-two-factor-authentication-on-asa-for-cisco-anyconnect/ta-p/3403768 the URL with the steps for configuring secondary authentication, or not? So if I need to do this solution I must do the configuration on the ASA. Do you have an idea for a way that does not change the configuration on the firewall? In the case of Cisco ISE as a RADIUS proxy, can I use first authentication with AD/LDAP and secondary authentication with 2FA (RSA, VASCO) or not?
Thank you for the advice.
12-24-2021 02:23 AM
Yes, that link is another example of the same scenario I've been describing, using primary and secondary authentication servers on the ASA.
If you use ISE as a RADIUS proxy, it can send primary authentication to AD/LDAP. You define RSA or VASCO as the secondary authentication method on the ASA. The ASA configuration will look like this:
tunnel-group RA general-attributes
 authentication-server-group ISE
 secondary-authentication-server-group RSA
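The following is an added example that fills in the rest of the ASA configuration around the three lines above; it is not from the thread or from Cisco documentation. The server group names, IP addresses, shared secrets, group-policy name and interface name are assumed placeholders, and it assumes the rest of the AnyConnect setup (webvpn enabled on the outside interface, client image, address pool) already exists. Lines beginning with ":" are comments in ASA configuration files.

```text
: Added example (not from the thread). Names, addresses and secrets are placeholders.
: Primary group: ISE acting as RADIUS proxy in front of AD/LDAP.
: The first password the user types is sent here.
aaa-server ISE protocol radius
aaa-server ISE (inside) host 192.0.2.10
 key <ise-shared-secret>
 authentication-port 1812
 accounting-port 1813
: Secondary group: third-party OTP server (RSA or VASCO) speaking RADIUS.
: The second password (the OTP code) is sent here.
aaa-server RSA protocol radius
aaa-server RSA (inside) host 192.0.2.20
 key <rsa-shared-secret>
 authentication-port 1812
: Group policy assumed for the remote-access tunnel group.
group-policy GP-RA internal
group-policy GP-RA attributes
 vpn-tunnel-protocol ssl-client
: Tunnel group with double authentication. The tunnel only comes up if BOTH
: servers accept. "use-primary-username" makes the ASA send the same username to
: the secondary server, so AnyConnect shows one username field and two password
: fields instead of prompting for a second username.
tunnel-group RA type remote-access
tunnel-group RA general-attributes
 default-group-policy GP-RA
 authentication-server-group ISE
 secondary-authentication-server-group RSA use-primary-username
tunnel-group RA webvpn-attributes
 group-alias RA enable
: Verify each server group from the CLI before exposing it to users:
: test aaa-server authentication ISE host 192.0.2.10 username jdoe password <ad-password>
: test aaa-server authentication RSA host 192.0.2.20 username jdoe password <otp-code>
```

Because the ASA, not ISE, splits the two credentials, the ISE side only needs the AD/LDAP authentication policy; the OTP server never sees the AD password and ISE never sees the OTP. Drop `use-primary-username` if the OTP server expects a different account name than AD.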
12-24-2021 02:51 AM
@Rob Ingram Thank you for the information. I have a small question. For secondary authentication, do I need to configure the AnyConnect profile or not? Or is this configuration enough?
tunnel-group RA general-attributes
 authentication-server-group ISE
 secondary-authentication-server-group RSA
12-24-2021 03:26 AM
@jewfcb001 no, you don't need to modify the AnyConnect profile.