ASA VPN + AD + SecurID

Unanswered Question
Jul 21st, 2010

Hello!

Is there a doc or such that points to a configuration for having VPN users coming into the ASA with authentication against AD in addition to a SecurID for two-factor auth?

so for example, when a user VPNs in, they are prompted for AD credentials, then for a PIN of the SecurID. Thanks!

ben


Ben:

This might help you; though it is neither Cisco nor SecurID, the principles are the same.  You basically want the Cisco to use RADIUS to talk to the MS RADIUS plugin NPS, formerly known as IAS. Then you want NPS/IAS to proxy the request to the two-factor authentication server.  RADIUS can handle all of this.

http://www.networkworld.com/news/2010/050710-two-factor-authentication-through-windows-server.html?hpg1=bn

However, this is slightly different from what you asked. The user enters their AD username and the one-time passcode, NOT their AD password.  I'm not sure if the latter can be done with NPS/IAS and Cisco.  I would argue that using the password outside of the LAN is not necessary and, in fact, that security is increased if the LAN password is not used outside the LAN. The PIN is the "thing you know", so knowing the password is redundant.

BEN ROBINSON Thu, 07/22/2010 - 13:00

I think in ASA 8.2.1 this is it -

The double authentication feature implements two-factor authentication for remote access to the network, in accordance with the Payment Card Industry Standards Council Data Security Standard. This feature requires that the user enter two separate sets of login credentials at the login page. For example, the primary authentication might be a one-time password, and the secondary authentication might be a domain (Active Directory) credential. If either authentication fails, the connection is denied.

Both the AnyConnect VPN client and Clientless SSL VPN support double authentication. The AnyConnect client supports double authentication on Windows computers (including supported Windows Mobile devices and Start Before Logon), Mac computers, and Linux computers. The IPsec VPN client, SVC client, cut-through-proxy authentication, hardware client authentication, and management authentication do not support double authentication.

Double authentication requires the following new tunnel-group general-attributes configuration mode commands:

secondary-authentication-server-group—Specifies the secondary AAA server group, which cannot be an SDI server group.

secondary-username-from-certificate—Allows for extraction of a few standard DN fields from a certificate for use as a username.

secondary-pre-fill-username—Enables username extraction for Clientless or AnyConnect client connection.

authentication-attr-from-server—Specifies which authentication server authorization attributes are applied to the connection.

authenticated-session-username—Specifies which authentication username is associated with the session.

Note: The RSA/SDI authentication server type cannot be used as the secondary username/password credential. It can only be used for primary authentication.
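The double-authentication feature quoted above, written out as an ASA 8.2 configuration. This is an added example and not from the original thread or from Cisco documentation; the server group names, IP addresses, bind DN, tunnel-group and group-policy names are assumptions. Because the doc says an SDI group can only be the primary server, the order is the reverse of what the question asked for: the user is prompted first for the SecurID passcode (PIN plus tokencode, validated by the RSA server) and then for the AD password. `use-primary-username` avoids a second username prompt, and `authenticated-session-username secondary` makes the AD identity the one that shows up in `show vpn-sessiondb` and syslog. The ASA must also be registered as an agent host on the RSA Authentication Manager, or the SDI exchange will fail before any password is checked.

```text
! --- Primary factor: RSA SecurID (SDI). Assumed server 10.1.1.5.
aaa-server RSA-SDI protocol sdi
aaa-server RSA-SDI (inside) host 10.1.1.5
 retry-interval 5
 sdi-version sdi-5

! --- Secondary factor: Active Directory over LDAPS. Assumed DC 10.1.1.10.
! Use port 636 with ldap-over-ssl so the bind password and the user
! password do not cross the network in clear text.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.1.1.10
 ldap-over-ssl enable
 server-port 636
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft

! --- Group policy for the AnyConnect users (8.2 keyword is "svc").
group-policy VPN-2FA-POLICY internal
group-policy VPN-2FA-POLICY attributes
 vpn-tunnel-protocol svc

! --- Tunnel group: SDI must be primary, AD is secondary.
tunnel-group VPN-2FA type remote-access
tunnel-group VPN-2FA general-attributes
 default-group-policy VPN-2FA-POLICY
 authentication-server-group RSA-SDI
 secondary-authentication-server-group AD-LDAP use-primary-username
 authentication-attr-from-server secondary
 authenticated-session-username secondary
tunnel-group VPN-2FA webvpn-attributes
 group-alias VPN-2FA enable

! --- Check each server group on its own before testing a login.
! (Run from privileged EXEC, not configuration mode.)
! test aaa-server authentication RSA-SDI host 10.1.1.5 username jdoe password <pin+tokencode>
! test aaa-server authentication AD-LDAP host 10.1.1.10 username jdoe password <ad-password>
```

If either test fails, fix that server group first: with double authentication enabled a failure on either factor simply denies the connection, and the AnyConnect prompt gives no hint which of the two rejected the user. `authentication-attr-from-server secondary` is what lets an LDAP attribute map on the AD group (for example memberOf to group-policy) drive authorization, which the SDI server cannot supply.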
