Question about SDI authentication on AnyConnect and ASA

Answered Question
Jul 1st, 2010

Hello everyone,

I would like to know about the flow of communication for SDI authentication on AnyConnect client and ASA 5520.

My customer wants to use RSA SecurID On-Demand Authenticator (RSA SecurID On-Demand token) between AnyConnect client and ASA 5520 for SSL VPN.

I understand ASA provides the following two modes to allow SDI authentication.

- Native SDI - The ASA communicates directly with the SDI server for handling SDI authentication.
- RADIUS SDI - The ASA communicates with a RADIUS SDI proxy (such as Cisco ACS) and the RADIUS SDI proxy communicates with the SDI server; this means that the ASA does not communicate directly with the SDI server.

I think, in general (not considering the ASA), the client (remote user) needs to access a web page on the SDI server to get a token for SDI authentication when it starts/sets up the SSL VPN connection. However, I don't understand clearly how SDI authentication works if I use the ASA as the secure gateway and configure the ASA to allow SDI authentication.

So my question is how SDI authentication works on the ASA when I use the ASA as the secure gateway and configure the ASA to allow SDI authentication (in either mode).

The customer does not want the AnyConnect client to communicate with the SDI server directly, but only allows it to communicate with the ASA because of their security concerns. I don't know why the customer says so...

I found the following information out from CCO.

==========
When a remote user using RADIUS SDI authentication connects to the ASA with AnyConnect and attempts to authenticate using an RSA SecurID token, the ASA communicates with the RADIUS server, which in turn, communicates with the SDI server about the authentication.
==========

Does it mean that the AnyConnect client does not have to communicate with the SDI server directly for SDI authentication when it starts/sets up the SSL VPN connection, and that the AnyConnect client only needs to communicate with the ASA, because the ASA communicates with the SDI server (instead of the AnyConnect client) as a proxy?

Your information would be appreciated.

Best regards,

Shinichi

Marcin Latosiewicz Fri, 07/02/2010 - 14:41

Shinichi,

Most modern authentication mechanisms do not require the VPN client (be it thin or fat client) to communicate directly to authentication server.

VPN headend will proxy (if you will) authentication requests to the authentication server.

In case of SDI you should be provided a token.

Typical scenario:

- Client establishes connection to headend

- Headend prompts to authenticate

- Client enters username and password (known username, set password + "random" part from token)

- Headend receives the username and pass

- Headend sends the username and pass to authentication server.

- Authentication server replies with acceptance, rejection or failure (and maybe some additional parameters, like in case of RADIUS).

- Headend accepts connection.

That's it in a nutshell.

Marcin
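
As an added illustration (not code from this thread, from Cisco or from RSA), a toy model of the exchange described above: the client sends PIN + tokencode to the headend only, and the headend relays it either straight to the SDI server (native SDI) or via a RADIUS proxy (RADIUS SDI), never deriving or handing out a token itself. The usernames, PINs, seeds and the 60-second HMAC tokencode are constructed stand-ins for the real SecurID algorithm.

```python
import hashlib
import hmac

# Constructed sample data: toy seeds and PINs, not real SecurID material.
SDI_SEEDS = {"shinichi": b"constructed-seed-0001"}
SDI_PINS = {"shinichi": "2468"}
WINDOW = 60  # seconds per tokencode (assumption for this toy token)


def tokencode(seed: bytes, now: float) -> str:
    """Toy time-based tokencode (6 digits) standing in for what a hardware
    or on-demand token shows the user. Only the SDI server and the token
    share the seed; the headend never sees it."""
    step = int(now // WINDOW).to_bytes(8, "big")
    digest = hmac.new(seed, step, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def sdi_server(username: str, passcode: str, now: float) -> str:
    """The SDI server: the one party that knows PIN and seed."""
    seed, pin = SDI_SEEDS.get(username), SDI_PINS.get(username)
    if seed is None or pin is None:
        return "reject"
    expected = pin + tokencode(seed, now)
    return "accept" if hmac.compare_digest(passcode, expected) else "reject"


def radius_proxy(username: str, passcode: str, now: float) -> str:
    """RADIUS SDI mode: the RADIUS proxy (e.g. ACS) takes the Access-Request
    and asks the SDI server on the headend's behalf."""
    verdict = sdi_server(username, passcode, now)
    return "Access-Accept" if verdict == "accept" else "Access-Reject"


def asa_headend(mode: str, username: str, passcode: str, now: float) -> str:
    """The headend relays the credential; it is oblivious to how the
    passcode was assembled and never fetches a token for the client."""
    if mode == "native":
        return sdi_server(username, passcode, now)
    if mode == "radius":
        reply = radius_proxy(username, passcode, now)
        return "accept" if reply == "Access-Accept" else "reject"
    return "failure"  # unknown backend: neither accept nor reject


def anyconnect_login(mode: str, username: str, pin: str, code: str,
                     now: float) -> str:
    """The client talks to the ASA only, already holding PIN and tokencode."""
    return asa_headend(mode, username, pin + code, now)
```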

snakayama Sun, 07/04/2010 - 18:52

Hello Marcin,

Thank you very much for your reply, and I understand the flow of communication for authentication.

I have however an additional question.

I think there are two methods below to get the token before authentication.

- hardware token device
- RSA SecurID On-Demand Authenticator (On-Demand Token)

My question is, in the case of using the On-Demand Token, will the ASA be able to get the token instead of the client, like a proxy, and then send the token back to the client?

My customer wants to get the token from the ASA, that is, have the ASA work as a proxy to get the token, and doesn't want the client to communicate directly with the token server to get the token.

Best regards,

Shinichi

Correct Answer
Marcin Latosiewicz Mon, 07/05/2010 - 01:20

Shinichi,

I had a quick look at the datasheet

http://www.rsa.com/node.aspx?id=3481

I could only find the SMS authentication code as "on demand", i.e. RSA will communicate somehow with the cellular provider network to deliver an SMS with the token part to the user. (The telephone number should uniquely identify a user.)

Please note that it's a bit suspicious if the device you authenticate to provides you with the authentication credential :-)

Unless you mean a scenario where the user connects THROUGH the ASA to request a token (be it via NAT or maybe via the SSL portal?); in any case, the ASA is usually oblivious to the fact that the user's authentication is derived from two parts.

Let me know if you meant a different on-demand token. I'm curious to see what RSA has in store for us.

Marcin

snakayama Mon, 07/05/2010 - 17:43

Marcin,

Thank you very much for your reply.

I agree with you that the client has to get the token from the token server itself, even if the client communicates with the token server through the ASA, which means the ASA does not work as a proxy to provide the token to the client.

I talked with the customer about this and I understood why the customer wants to do it.

The customer has an ASA, the token server resides on the inside network, and the customer wants the clients residing on the outside to get the token from the token server.
In this case, the customer may have to configure a "conduit/static" configuration on the ASA to allow outside-initiated communication to get the token from the token server and pass it through the ASA; however, the customer does not want to configure "conduit/static" on the ASA because it is a troublesome task for the customer.

So the customer asked me whether the ASA can work as a proxy or not.
However, I didn't understand clearly whether the ASA works as a proxy or not.

So I posted this for confirmation (and I got the answer from you...).

Again thank you very much for your reply.

Best regards,

Shinichi
