ASA 8.04 Remote Access VPN LDAP Integration and RSA Integration

pmccubbin
Level 5

Hi,

Someone please point me to a document or tell me if this situation is even possible:

ASA 8.04 is being used as a VPN concentrator. We have configured the integration with Active Directory. We are wondering if there is a way to then have the end users authenticate via an RSA PIN and Token.

There doesn't seem to be a way to have both LDAP and SDI in the same Tunnel Group.

Do I need a RADIUS server in this mix?

Thank you in advance.

Paul

8 Replies

palomoj
Level 1

Cisco ACS can be used to query both AD and RSA. If you have another RADIUS server other than CACS that supports RSA and AD, then you can use that. I've used CACS and RSA - works great.

Hi Joe,

Thanks for the reply.

Please let me ask a follow-up question:

Have you used Cisco ACS in a situation where you first wanted an IPSec VPN user to query Active Directory for authentication and authorization, then have the same user, once authorized, be prompted for their RSA PIN and Token?

Thank you in advance.

Paul

Yes, CACS queries RSA, and RSA handles the AD/token part of it.

Hi Joe,

Thanks again for your replies.

Please correct me if I am wrong, but the RSA can query AD for authentication but it can't handle the authorization. I want to make sure that people trying to access via IPSec are authorized, as well as authenticated.

In sum, I know we can use Cisco ACS to query AD for authentication and authorization. I want remote IPSec users to be checked against AD then, if authorized, have them prompted for the RSA PIN and Token. This is chained authentication.

What is the topology needed to make this happen?

Remote user--->ASA--->??

Does the ASA send the request and subsequently the ACS handles both AD authentication/authorization and then sends a request for the end user to RSA Authentication Manager?

Is the RSA a client of the ACS or is it the other way around? I know we can install a client on the ACS for RSA but is that what is needed for this situation?

Thanks in advance. You are a true NetPro for reading this and giving it your consideration.

Best,

Paul

Sorry, been OOO the past few days. I *think* I am following you. Sounds like you may want to use IAS and RSA instead of CACS/RSA. You should be able to configure the remote access policy on IAS to query for dial-in permissions from AD and then forward to the RSA as an external RADIUS group for token. This isn't how I have used RSA in the past but you might be able to achieve what you are looking for.

Good luck.

Hi Joe,

A "5" from NYC for all your time and effort.

I'll let you know how it works out.

Thanks.

Paul

janf
Level 1

Hi Paul!

Just wondering if you ever found a solution to this. I too want to do something very similar. That is, have our ASA (remember, you helped install it) SSL VPN authentication work with the existing SDI / RSA tokens but also authenticate the SecurID token users (same username as in AD) to AD so that they are not prompted again to authenticate when hitting AD resources from the SSL web portal.

Do you have any hints as to how to do this?

Thanks!!!

Jan

Hi Jan,

I remember your firewall very well and the fact you did most of the troubleshooting!

The best thing to do for this case is to get RSA on the phone and have them assess the situation. There were a number of inconsistencies from their people as to whether this would work and what version of software needed to be installed. Call RSA first. The Cisco piece was fairly straightforward. I would leverage both companies for their technical expertise, as they are in the best position to give you the latest information.

Cheers!
