Solved: ISE with 2FA First authentication with AD and 2FA

jewfcb001 · ‎12-24-2021

Hi Everyone ,

I have a question about Anyconnect VPN authentication via ISE use 2FA . My solution need to use first authentication with AD or LDAP and then use 2FA . Can i do this solution ?

Thank you .

Rob Ingram · ‎12-24-2021

@jewfcb001 yes, you can use option 3 on the ASA/FTD - just configure the primary (ISE) and secondary (RSA or VASCO) authentication servers on the ASA/FTD pointing to the different authentication servers.

View solution in original post

Rob Ingram · ‎12-24-2021

@jewfcb001 yes, just specify the AD/LDAP server as the primary authentication method and 2FA has the secondary.

jewfcb001 · ‎12-24-2021

@Rob Ingram you mean I configure new Identity Source Sequence ? If Yes ., I still don't understand process for authentication from AD/LDAP and then 2FA . Can you more explain to me Please ?

Currently I use solution with Internal user and choose password type to 2FA .

Rob Ingram · ‎12-24-2021

@jewfcb001 there are multiple ways to configure it, but you don't say which 2FA you are using. On the ASA (assuming you are using the ASA) you could configure the primary authentication server as ISE to authenticate against AD/LDAP, then configure the secondary authentication server (on the ASA) as 2FA server. Or alternatively if using Cisco DUO for 2FA just point to ISE, as per example 1 here.

jewfcb001 · ‎12-24-2021

@Rob Ingram Thank you for information . I think my solution can match solution 3) Primary and Secondary Authentication servers but Can i use 3rd party(RSA or VASCO) 2FA in this solution ? I still confuse this word " primary authentication server as ISE to authenticate against AD/LDAP, then configure the secondary authentication server (on the ASA) as 2FA server " Please more explain me again .

Rob Ingram · ‎12-24-2021

@jewfcb001 yes, you can use option 3 on the ASA/FTD - just configure the primary (ISE) and secondary (RSA or VASCO) authentication servers on the ASA/FTD pointing to the different authentication servers.

jewfcb001 · ‎12-24-2021

@Rob Ingram Thank you for answer . I think https://community.cisco.com/t5/security-documents/configure-two-factor-authentication-on-asa-for-cisco-anyconnect/ta-p/3403768 that the URL step for configure secondary authentication or not ? So If I need to do this solution I must do configuration on ASA . Do you have a idea if not change configuration on Firewall ? In case Cisco ISE as Radius proxy . I cannot use first authentication with AD/LDAP and secondary authen with 2FA(RSA,VASCO) or not ?

Thank you for advise.

Rob Ingram · ‎12-24-2021

Yes that link is another example of the same scenario I've been describing, using a primary and secondary authentication servers on the ASA>

If you use ISE as a RADIUS proxy, it can send primary authentication to AD/LDAP. You define RSA or VASCO as the secondary authentication method on the ASA. The ASA configuration will look like this:-

tunnel-group RA general-attributes
 authentication-server-group ISE
 secondary-authentication-server-group RSA

jewfcb001 · ‎12-24-2021

@Rob Ingram Thank you for information . I have a small question . For Secondary-authentication I configure anyconnect profile or not ? Or configuration it's enough.

tunnel-group RA general-attributes
 authentication-server-group ISE
 secondary-authentication-server-group RSA

Rob Ingram · ‎12-24-2021

@jewfcb001 no you don't need to modify the anyconnect profile.