ASA 8.04 Remote Access VPN LDAP Integration and RSA Integration

Aug 29th, 2008


Someone please point me to a document or tell me if this situation is even possible:

ASA 8.04 is being used as a VPN concentrator. We have configured the integration with Active Directory. We are wondering if there is a way to then have the end users authenticate via an RSA PIN and Token.

There doesn't seem to be a way to have both LDAP and SDI in the same Tunnel Group.

Do I need a RADIUS server in this mix?

Thank you in advance.


pmccubbin Mon, 09/08/2008 - 05:11

Hi Joe,

Thanks for the reply.

Please let me ask a follow-up question:

Have you used Cisco ACS in a situation where you first wanted an IPSec VPN user to query Active Directory for authentication and authorization, then have the same user, once authorized, be prompted for their RSA PIN and Token?

Thank you in advance.


pmccubbin Mon, 09/08/2008 - 10:07

Hi Joe,

Thanks again for your replies.

Please correct me if I am wrong, but the RSA can query AD for authentication but it can't handle the authorization. I want to make sure that people trying to access via IPSec are authorized, as well as authenticated.

In sum, I know we can use Cisco ACS to query AD for authentication and authorization. I want remote IPSec users to be checked against AD then, if authorized, have them prompted for the RSA PIN and Token. This is chained authentication.

What is the topology needed to make this happen?

Remote user--->ASA--->??

Does the ASA send the request and subsequently the ACS handles both AD authentication/authorization and then sends a request for the end user to RSA Authentication Manager?

Is the RSA a client of the ACS or is it the other way around? I know we can install a client on the ACS for RSA but is that what is needed for this situation?

Thanks in advance. You are a true NetPro for reading this and giving it your consideration.



Sorry, been OOO the past few days. I *think* I am following you. Sounds like you may want to use IAS and RSA instead of CACS/RSA. You should be able to configure the remote access policy on IAS to query for dial-in permissions from AD and then forward to the RSA as an external RADIUS group for token. This isn't how I have used RSA in the past but you might be able to achieve what you are looking for.

Good luck.
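The ASA side of the topology Joe describes (IAS as the RADIUS server in front of RSA for authentication, AD queried over LDAP for authorization) can be expressed in the tunnel group by pointing authentication and authorization at different AAA server groups. This is an added illustration, not configuration from the thread; the server names, addresses, base DN, bind account and group-policy names are placeholders, and the msNPAllowDialin mapping assumes AD dial-in permission is what gates access.

```cisco
! RADIUS group: IAS, which checks AD and proxies the token to RSA (assumed deployment)
aaa-server IAS-RADIUS protocol radius
aaa-server IAS-RADIUS (inside) host 192.0.2.10
 key <shared-secret-placeholder>
 authentication-port 1812
 accounting-port 1813

! Map AD dial-in permission to a group policy; users without it land in a no-access policy
ldap attribute-map AD-DIALIN
 map-name  msNPAllowDialin IETF-Radius-Class
 map-value msNPAllowDialin FALSE NOACCESS
 map-value msNPAllowDialin TRUE  RA-POLICY

! LDAP group: AD, used only for authorization (bind account and DN are placeholders)
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.20
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <bind-password-placeholder>
 server-type microsoft
 ldap-attribute-map AD-DIALIN

! Group policy that denies the tunnel to users mapped to NOACCESS
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! One tunnel group: authenticate via RADIUS (IAS/RSA), authorize via LDAP (AD)
tunnel-group RA-IPSEC type remote-access
tunnel-group RA-IPSEC general-attributes
 address-pool VPN-POOL
 authentication-server-group IAS-RADIUS
 authorization-server-group AD-LDAP
 authorization-required
 default-group-policy RA-POLICY
```

Verify the authorization leg with `debug ldap 255` and `test aaa-server authorization AD-LDAP` before relying on the mapping; a user whose msNPAllowDialin is FALSE should be placed in NOACCESS and dropped with zero permitted logins.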

pmccubbin Fri, 09/12/2008 - 02:48

Hi Joe,

A "5" from NYC for all your time and effort.

I'll let you know how it works out.



janf Tue, 03/17/2009 - 06:04

Hi Paul!

Just wondering if you ever found a solution to this. I too want to do something very similar. That is, have our ASA (remember, you helped install it) SSL VPN authentication work with the existing SDI / RSA tokens but also authenticate the SecurID token users (same username as in AD) to AD so that they are not prompted again to authenticate when hitting AD resources from the SSL web portal.

Do you have any hints as to how to do this?



pmccubbin Sun, 03/22/2009 - 14:13

Hi Jan,

I remember your firewall very well and the fact you did most of the troubleshooting!

The best thing to do for this case is to get RSA on the phone and have them assess the situation. There were a number of inconsistencies from their people as to whether this would work and what version of software needed to be installed. Call RSA first. The Cisco piece was fairly straightforward. I would leverage both companies for their technical expertise, as they are in the best position to give you the latest information.


