Cisco Support Community

ASA- ACS authentication

I have an ASA, an ACS appliance, Active Directory, and RSA SecurID. SSL users should only authenticate with AD, while IPSec users should only authenticate with RSA. Not yet using AnyConnect.

here is my scenario:

ACS -- AD - Dynamic users are created in ACS when authenticated with their AD domain login/password

ACS -- AD - AD Group mapping to put user in the correct ACS group

ASA SSL - matches username in ACS group to display customized SSL bookmarks

all looks good

ACS -- RSA - static users in ACS assigned to RSA group in ACS configured for authentication with external RSA DB

ASA IPSec - Authenticates with ACS

Question: How does the ASA or ACS know to authenticate IPSec users ONLY via RSA and SSL users only via AD?

What do I have to do to not allow a Windows user to simply enter their AD login/password into their IPSec client and log in? I could see this becoming common with users who don't have their keyfob handy or forget to use it.

Thanks!

2 REPLIES

Re: ASA- ACS authentication

You need to look at the NAP feature in ACS:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/NAPs.html#wp1128143

A NAP, also known as a profile, is essentially a classification of network-access requests for applying a common policy. You can use NAPs to aggregate all policies that should be activated for a certain location in the network. Alternatively, you can aggregate all policies that handle the same device type, for example, VPNs or Access Points (APs).

Regards,

~JG

Do rate helpful posts


Re: ASA- ACS authentication

Thanks, I will review the link and other NAP info. I also heard about using IETF RADIUS attribute #25 (Class) to set this to match the profile name in the ASA. Will this do the trick and only allow users in the correct groups to authenticate and/or be allowed or denied by group membership?
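As an added illustration, not from this thread and not from the Cisco document linked above, here is how the ASA side of this design can be wired so that the two pieces discussed in the thread work together: each tunnel group authenticates against its own AAA server group, and the Class attribute returned by ACS (IETF attribute 25, which the ASA reads in the form `OU=<group-policy-name>;`) drops the user into a group-policy that only permits one tunnel type. Server-group names, the ACS address, the shared key, and all tunnel-group and group-policy names are placeholders chosen for the example; the syntax is ASA 8.x-era (IPSec client plus clientless WebVPN, matching the thread). How ACS decides which backend (AD or RSA) answers each request, for instance via the NAP feature the first reply points to, is ACS-side configuration and is not shown here.

```text
! --- Added example, not configuration from the original post ---
! Two RADIUS server groups, both pointing at the same ACS appliance.
! ACS must still separate them on its side (e.g. with NAPs); the ASA
! only guarantees which server group each tunnel group talks to.
aaa-server ACS-AD protocol radius
aaa-server ACS-AD (inside) host 192.0.2.10
 key PLACEHOLDER-KEY
aaa-server ACS-RSA protocol radius
aaa-server ACS-RSA (inside) host 192.0.2.10
 key PLACEHOLDER-KEY

! Group-policies the ACS groups map to. ACS returns IETF attribute 25
! (Class) with the value "OU=SSL-USERS;" or "OU=IPSEC-USERS;" and the
! ASA applies the group-policy of that name.
group-policy SSL-USERS internal
group-policy SSL-USERS attributes
 vpn-tunnel-protocol webvpn          ! clientless SSL only: an IPSec login is refused
 group-lock value SSL-PORTAL         ! and only through the SSL tunnel group
group-policy IPSEC-USERS internal
group-policy IPSEC-USERS attributes
 vpn-tunnel-protocol IPSec           ! IPSec client only: a WebVPN login is refused
 group-lock value IPSEC-RA

! Fallback for anyone ACS authenticates without returning a Class
! value that matches a group-policy: zero simultaneous logins means
! the session is rejected even though the password was accepted.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! SSL (clientless) tunnel group: authenticates only via the AD-backed group.
tunnel-group SSL-PORTAL type remote-access
tunnel-group SSL-PORTAL general-attributes
 authentication-server-group ACS-AD
 default-group-policy NOACCESS
tunnel-group SSL-PORTAL webvpn-attributes
 group-alias portal enable

! IPSec remote-access tunnel group: authenticates only via the RSA-backed group.
tunnel-group IPSEC-RA type remote-access
tunnel-group IPSEC-RA general-attributes
 authentication-server-group ACS-RSA
 default-group-policy NOACCESS
tunnel-group IPSEC-RA ipsec-attributes
 pre-shared-key PLACEHOLDER-PSK
```

The point of the restrictive `default-group-policy` is that the Class attribute alone only decides which group-policy a user lands in; it does not by itself deny anyone. Pairing it with `vpn-tunnel-protocol` and `group-lock` on each mapped policy, and a deny-everything policy for unmapped users, is what turns "is in the right ACS group" into "is allowed to use this tunnel type". Whether a user can get an AD password accepted on the IPSec tunnel group still depends on ACS never consulting AD for requests arriving via the `ACS-RSA` server group, which is the NAP question from the first reply.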
