Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
775
Views
0
Helpful
2
Replies

VPN Double authentication question

lynne.meeks
Level 1
Level 1

ā€Ž08-11-2010 01:00 PM

We have an ASA configured with sslvpn and using AnyConnect clients. Currently we authenticate via LDAP and automatically set the group-policy value via an LDAP value. We have several  groups with unique IPs and therefore special access due to their assigned IP address.

We'd like to add SecureID authentication for some of these groups. I've set up a second profile with double authentication, using LDAP with group assignen and that works fine.

The issue we are facing is that I can find no way to limit access to the double authentication groups from the standard profile, because both profiles are authenticating to the same LDAP server, and the LDAP policy map is configured with the LDAP server.

So all the groups are accessible (with the right credentials) from both the standard single auth profile and the double-auth profile, and there's no way to force the use of the double-auth profile- at least none that I can find.

thanks for any thoughts on this.

Lynne

Labels:
0 Helpful
2 Replies 2

Marcin Latosiewicz
Cisco Employee
Cisco Employee

ā€Ž08-12-2010 03:22 PM

Lynne,

I'm sorry I might be a bit lost in the description (late at night here).

Would this be anything close to what you're lookink for?

  authentication-attr-from-server        Specify the authentication server that
                                         provides authorization attribute for
                                         the session

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/a2.html#wp1644911

Marcin

0 Helpful

lynne.meeks
Level 1
Level 1
In response to Marcin Latosiewicz

ā€Ž08-16-2010 05:40 AM

Thanks for the suggestion, but that's not really what we need.

The double authentication IS working. The problem is that both the

single auth and double auth profiles use the same LDAP server in order

to get NetIDs placed in the proper VPN groups. Therefore both profiles

share the same LDAP Attibute Map, which means that there's no way to

force someone to choose the double-auth profile, since they can still

access 'their' group by using the single-auth profile...

I can't find any way to use the same LDAP server with different LDAP

attribute maps on the same ASA.

It seems like we would need either a different LDAP server with a unique

attribute map for the double-auth profile OR a separate ASA with the

same LDAP server but again a unique attribute map.

thanks,

Lynne

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents