Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7110
Views
0
Helpful
2
Replies

ASA VPN + AD + SecurID

BEN ROBINSON
Level 1
Level 1

‎07-21-2010 12:27 PM - edited ‎03-10-2019 05:16 PM

Hello!

Is there a doc or such that points to a configuration for having VPN users coming into the ASA with authentication against AD in addition to a SecurID for two-factor auth?

so for example, when a user VPNs in, they are prompted for AD credentials, then for a PIN of the SecurID. Thanks!

ben

1 person had this problem
Labels:
0 Helpful
2 Replies 2

nowen
Level 1
Level 1

‎07-22-2010 07:41 AM

Ben:

This might help you, though it is neither Cisco nor SecurID, but the principals are the same.  You basically want the Cisco to use Radius to talk to the MS radius plugin NPS, formerly known as IAS. Then you want NPS/IAS to proxy the request to the two-factor authentication server.  Radius can handle all of this.

http://www.networkworld.com/news/2010/050710-two-factor-authentication-through-windows-server.html?hpg1=bn

However, this is slightly different than what you asked. The user enters their AD username and the one-time passcode NOT their AD password.  I'm not sure if the latter can be done with NPS/IAS and Cisco.  I would argue that using the password outside of the LAN is not necessary and, in fact, that security is increased if the LAN password is not used outside the LAN. The PIN is the "thing you know" so knowing the password is redundant. 

0 Helpful

BEN ROBINSON
Level 1
Level 1
In response to nowen

‎07-22-2010 01:00 PM

I think in ASA 8.2.1 this is it -

The double authentication feature implements two-factor authentication for remote access to the network, in accordance with the Payment Card Industry Standards Council Data Security Standard. This feature requires that the user enter two separate sets of login credentials at the login page. For example, the primary authentication might be a one-time password, and the secondary authentication might be a domain (Active Directory) credential. If either authentication fails, the connection is denied.

Both the AnyConnect VPN client and Clientless SSL VPN support double authentication. The AnyConnect client supports double authentication on Windows computers (including supported Windows Mobile devices and Start Before Logon), Mac computers, and Linux computers. The IPsec VPN client, SVC client, cut-through-proxy authentication, hardware client authentication, and management authentication do not support double authentication.

Double authentication requires the following new tunnel-group general-attributes configuration mode commands:

secondary-authentication-server-group—Specifies the secondary AAA server group, which cannot be an SDI server group.

secondary-username-from-certificate—Allows for extraction of a few standard DN fields from a certificate for use as a username.

secondary-pre-fill-username—Enables username extraction for Clientless or AnyConnect client connection.

authentication-attr-from-server—Specifies which authentication server authorization attributes are applied to the connection.

authenticated-session-username—Specifies which authentication username is associated with the session.

Note The RSA/SDI authentication server type cannot be used as the secondary username/password credential. It can only be used for primary authentication.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents