VPN Double authentication question

Unanswered Question
Aug 11th, 2010

We have an ASA configured with sslvpn and using AnyConnect clients. Currently we authenticate via LDAP and automatically set the group-policy value via an LDAP value. We have several groups with unique IPs and therefore special access due to their assigned IP address.

We'd like to add SecurID authentication for some of these groups. I've set up a second profile with double authentication, using LDAP with group assignment, and that works fine.

The issue we are facing is that I can find no way to limit access to the double authentication groups from the standard profile, because both profiles are authenticating to the same LDAP server, and the LDAP policy map is configured with the LDAP server.

So all the groups are accessible (with the right credentials) from both the standard single-auth profile and the double-auth profile, and there's no way to force the use of the double-auth profile, at least none that I can find.

Thanks for any thoughts on this.

Lynne

Marcin Latosiewicz Thu, 08/12/2010 - 15:22

Lynne,

I'm sorry I might be a bit lost in the description (late at night here).

Would this be anything close to what you're looking for?

  authentication-attr-from-server        Specify the authentication server that
                                         provides authorization attribute for
                                         the session

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/a2.html#wp1644911

Marcin

lynne.meeks Mon, 08/16/2010 - 05:40

Thanks for the suggestion, but that's not really what we need.

The double authentication IS working. The problem is that both the single-auth and double-auth profiles use the same LDAP server in order to get NetIDs placed in the proper VPN groups. Therefore both profiles share the same LDAP Attribute Map, which means that there's no way to force someone to choose the double-auth profile, since they can still access 'their' group by using the single-auth profile...

I can't find any way to use the same LDAP server with different LDAP attribute maps on the same ASA.

It seems like we would need either a different LDAP server with a unique attribute map for the double-auth profile OR a separate ASA with the same LDAP server but again a unique attribute map.

Thanks,

Lynne
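The configuration Lynne describes, as an added illustration from the editor rather than configuration posted in the thread: one LDAP server with one attribute map that turns memberOf into a group-policy, a single-auth tunnel group, and a double-auth tunnel group that adds an RSA SecurID (SDI) server as the secondary authentication. All names, addresses, DNs and pool ranges are assumed placeholders. The example goes one step beyond the thread: it adds the standard ASA group-policy attribute group-lock, which ties a group-policy to one tunnel group so that a user whose LDAP group maps to that policy is rejected when connecting through the single-auth profile. Whether that fits Lynne's deployment is not something the thread establishes.

```cisco
! Added illustration, not configuration from the thread. Host addresses,
! DNs, pool ranges and object names are assumed placeholders.

! One LDAP attribute map, shared by every tunnel group that uses LDAP-SRV.
! memberOf is translated to the ASA group-policy name; that is what places
! each user in the group (and address pool) tied to their LDAP group.
ldap attribute-map LDAP-GP-MAP
  map-name  memberOf Group-Policy
  map-value memberOf CN=VPN-Standard,OU=Groups,DC=example,DC=com GP-STANDARD
  map-value memberOf CN=VPN-Finance,OU=Groups,DC=example,DC=com GP-FINANCE

aaa-server LDAP-SRV protocol ldap
aaa-server LDAP-SRV (inside) host 10.0.0.10
  ldap-base-dn DC=example,DC=com
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-dn CN=svc-asa,OU=Service,DC=example,DC=com
  ldap-login-password <password>
  server-type microsoft
  ldap-attribute-map LDAP-GP-MAP

! RSA SecurID (SDI) server, used only as the second factor.
aaa-server SDI-SRV protocol sdi
aaa-server SDI-SRV (inside) host 10.0.0.20

ip local pool POOL-STANDARD 10.10.1.1-10.10.1.254 mask 255.255.255.0
ip local pool POOL-FINANCE 10.10.2.1-10.10.2.254 mask 255.255.255.0

group-policy GP-STANDARD internal
group-policy GP-STANDARD attributes
  vpn-tunnel-protocol svc
  address-pools value POOL-STANDARD

group-policy GP-FINANCE internal
group-policy GP-FINANCE attributes
  vpn-tunnel-protocol svc
  address-pools value POOL-FINANCE
  ! Bind this group-policy to the double-auth tunnel group: a user whose
  ! memberOf maps to GP-FINANCE is rejected if they connected via SINGLE-AUTH.
  group-lock value DOUBLE-AUTH

! Single-factor profile: LDAP only, same server and same attribute map.
tunnel-group SINGLE-AUTH type remote-access
tunnel-group SINGLE-AUTH general-attributes
  authentication-server-group LDAP-SRV
  default-group-policy GP-STANDARD
tunnel-group SINGLE-AUTH webvpn-attributes
  group-alias Standard enable

! Two-factor profile: LDAP first (it also supplies the group-policy through
! the attribute map), then SecurID as the secondary authentication.
tunnel-group DOUBLE-AUTH type remote-access
tunnel-group DOUBLE-AUTH general-attributes
  authentication-server-group LDAP-SRV
  secondary-authentication-server-group SDI-SRV
  authentication-attr-from-server primary
  default-group-policy GP-STANDARD
tunnel-group DOUBLE-AUTH webvpn-attributes
  group-alias SecurID enable
```

Without the group-lock line this reproduces the situation in the thread: both tunnel groups consult the same LDAP-SRV and the same attribute map, so a member of VPN-Finance lands in GP-FINANCE (and its address pool) whichever profile they pick. With group-lock set on GP-FINANCE the ASA compares the tunnel group the user actually connected through against the locked value after the attribute map has assigned the policy, and drops the session on a mismatch, which is the enforcement the single-auth profile otherwise lacks. The attribute-map lookup and the resulting group-policy can be confirmed on ASA 8.2 with debug ldap 255 during a test login and with show vpn-sessiondb svc afterwards.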
