Anyconnect to ASA - ACS - RSA tokens

Hello group,

 

I am having trouble setting up a configuration where the customer wants to enable AnyConnect access to the network using their existing ASA, ACS and RSA. The customer wants to use the user database from his AD.

The customer wants the ASA to use the ACS 5.X using RADIUS and wants his ACS to use the RSA server. The VPN users should use their tokens to connect.

I have found several configuration examples but I just can't figure out how to make it work. 

I have the ASA configured to authenticate the VPN users using the radius server. 

Here is the portion of configuration on the ASA:

AAA CONFIGURATION – ACS SERVER

aaa-server RADIUS protocol radius
aaa-server RADIUS (INSIDE) host 192.168.1.1
 key Thi$i$aT3sT
aaa-server RADIUS (INSIDE) host 192.168.1.2
 key Thi$i$aT3sT

SSL VPN CONFIGURATION

group-policy SSL-VPN internal
group-policy SSL-VPN attributes
 dns-server value 10.80.1.10 172.16.48.40
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-LIST
 default-domain value example.com
 webvpn
  customization value DfltCustomization

tunnel-group SSL-VPN type remote-access
tunnel-group SSL-VPN general-attributes
 address-pool vpnpool
 authentication-server-group RADIUS LOCAL
 default-group-policy SSL-VPN
tunnel-group SSL-VPN webvpn-attributes
 group-alias SSL-VPN enable

For the ACS and RSA I followed the following link:

https://supportforums.cisco.com/document/9869061/configuration-example-cisco-acs-5x-integration-rsa-secureid-token-server

 

I can't seem to find the right policy on the ACS to make this work. The link doesn't show how to configure the authentication/authorization policies.

I found this other link, but it shows how to set up the configuration for device administration, not for network access.

https://popravak.wordpress.com/2013/02/16/using-rsa-securid-external-database-with-cisco-acs-5-x/

Any advice?

 
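The RADIUS exchange between the ASA and the ACS in the configuration above, as an added example (not code from the original post or from Cisco): it builds the Access-Request the ASA sends, hiding the User-Password attribute under the shared key as RFC 2865 specifies, and checks the Response Authenticator on the Access-Challenge the ACS returns when RSA asks for a next tokencode. The user name, passcode and State value are constructed sample data; the key is the one from the aaa-server lines.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and attribute types seen between the ASA and the ACS.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_CHALLENGE = 1, 2, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE, ATTR_STATE = 1, 2, 18, 24

def attr(atype, value):
    """Encode one attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_password(secret, req_auth, passcode):
    """RFC 2865 5.2: XOR the NUL-padded passcode with an MD5 keystream chained on
    the shared key. Obfuscation, not encryption: keep the ASA-ACS path trusted."""
    padded = passcode + b"\x00" * (-len(passcode) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def build_access_request(secret, ident, username, passcode, req_auth):
    """What the ASA sends to the aaa-server host for one AnyConnect login."""
    attrs = attr(ATTR_USER_NAME, username) + attr(
        ATTR_USER_PASSWORD, hide_password(secret, req_auth, passcode))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_response(secret, code, ident, req_auth, attrs):
    """ACS side: Response Authenticator = MD5(Code+ID+Length+ReqAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def verify_response(secret, req_auth, packet):
    """ASA side: the packet code, or None if the reply was not built with this key
    for this exact request (forged reply or key mismatch between ASA and ACS)."""
    length = struct.unpack("!H", packet[2:4])[0]
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + req_auth + attrs + secret).digest()
    return packet[0] if hmac.compare_digest(expected, packet[4:20]) else None

def next_tokencode_round(secret, key_on_acs=None):
    """One login where RSA (via ACS) asks for the next tokencode; returns the verified code."""
    req_auth = os.urandom(16)  # fresh Request Authenticator per request
    req = build_access_request(secret, 7, b"paul", b"1234567890", req_auth)  # constructed
    challenge = attr(ATTR_REPLY_MESSAGE, b"Enter next tokencode") + attr(ATTR_STATE, b"rsa-next")
    reply = build_response(key_on_acs or secret, ACCESS_CHALLENGE, req[1], req_auth, challenge)
    return verify_response(secret, req_auth, reply)
```

A key typo on either side shows up exactly as `next_tokencode_round` returns None: the ASA discards the reply and the user sees a generic login failure rather than the tokencode prompt.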

5 Replies

yasir.ilyas
Level 1

Paul,

Having the same issue here. Were you able to figure this out?

Can't seem to find a good doc on it.

thanks

Configure the ACS server to use the RSA identity source for the VPN authentications. You may need to change your authentication policies to send all VPN requests to the RSA server and set any other RADIUS request to the default identity store before you make this change. From there the integration between ACS and RSA will complete itself.

Thanks,

I also intend to configure this shortly. Can someone add more details on this? Like a full configuration of ASA and ACS?

Hi team,

I'm also interested in this deployment. We have the same elements and we are looking for the same goal: the 2-factor authentication for VPN via AnyConnect.

The flow should be:

AnyConnect Client -> Cisco ASA -> Cisco ACS -> (RSA) and (AD)

or

AnyConnect Client -> Cisco ASA -> (RSA) and (Cisco ACS -> AD)

Best Regards

dvega
Level 1

Hi Paul,

I'm having this issue as well. Could you please let me know how you resolved it? Which protocols have you used? Is it possible to configure ACS in order to get two-factor authentication?

Thanks in advance!