This might help you, though it is neither Cisco nor SecurID, but the principles are the same. You basically want the Cisco to use RADIUS to talk to the MS RADIUS plugin NPS, formerly known as IAS. Then you want NPS/IAS to proxy the request to the two-factor authentication server. RADIUS can handle all of this.
However, this is slightly different than what you asked. The user enters their AD username and the one-time passcode, NOT their AD password. I'm not sure if the latter can be done with NPS/IAS and Cisco. I would argue that using the password outside of the LAN is not necessary and, in fact, that security is increased if the LAN password is not used outside the LAN. The PIN is the "thing you know", so knowing the password is redundant.
The double authentication feature implements two-factor authentication for remote access to the network, in accordance with the Payment Card Industry Standards Council Data Security Standard. This feature requires that the user enter two separate sets of login credentials at the login page. For example, the primary authentication might be a one-time password, and the secondary authentication might be a domain (Active Directory) credential. If either authentication fails, the connection is denied.
Both the AnyConnect VPN client and Clientless SSL VPN support double authentication. The AnyConnect client supports double authentication on Windows computers (including supported Windows Mobile devices and Start Before Logon), Mac computers, and Linux computers. The IPsec VPN client, SVC client, cut-through-proxy authentication, hardware client authentication, and management authentication do not support double authentication.
Double authentication requires the following new tunnel-group general-attributes configuration mode commands:
• secondary-authentication-server-group: Specifies the secondary AAA server group, which cannot be an SDI server group.
• secondary-username-from-certificate: Allows for extraction of a few standard DN fields from a certificate for use as a username.
• secondary-pre-fill-username: Enables username extraction for Clientless or AnyConnect client connection.
• authentication-attr-from-server: Specifies which authentication server authorization attributes are applied to the connection.
• authenticated-session-username: Specifies which authentication username is associated with the session.
Note: The RSA/SDI authentication server type cannot be used as the secondary username/password credential. It can only be used for primary authentication.
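The following is an added example, not part of the original post or of Cisco's documentation: a Python check over a saved ASA configuration that flags tunnel groups whose secondary server group is an SDI group (the restriction in the note above) or that define no secondary group at all. The configuration text and all group and server names are constructed, and the parser assumes the server group name is the first argument of each command.

```python
import re

# Constructed sample configuration; every name here is hypothetical.
SAMPLE_CONFIG = """\
aaa-server RSA_OTP protocol sdi
aaa-server AD_RADIUS protocol radius
aaa-server AD_LDAP protocol ldap
tunnel-group VPN_GOOD general-attributes
 authentication-server-group RSA_OTP
 secondary-authentication-server-group AD_LDAP
 authenticated-session-username primary
tunnel-group VPN_BAD general-attributes
 authentication-server-group AD_RADIUS
 secondary-authentication-server-group RSA_OTP
tunnel-group VPN_SINGLE general-attributes
 authentication-server-group AD_RADIUS
"""

def parse(config):
    """Return ({server group: protocol}, {tunnel group: {command: first arg}})."""
    protocols, groups, current = {}, {}, None
    for line in config.splitlines():
        m = re.match(r"aaa-server (\S+) protocol (\S+)", line)
        if m:
            protocols[m.group(1)] = m.group(2).lower()
            current = None
        elif (m := re.match(r"tunnel-group (\S+) general-attributes", line)):
            current = groups.setdefault(m.group(1), {})
        elif line.startswith(" ") and current is not None:
            parts = line.split()
            if len(parts) >= 2:  # assumption: group name is the first argument
                current[parts[0]] = parts[1]
        else:
            current = None  # any other top-level line ends the sub-mode
    return protocols, groups

def audit(config):
    """Map each tunnel group to a finding about its secondary authentication."""
    protocols, groups = parse(config)
    findings = {}
    for name, attrs in groups.items():
        secondary = attrs.get("secondary-authentication-server-group")
        if secondary is None or secondary.lower() == "none":
            findings[name] = "single authentication only"
        elif protocols.get(secondary) == "sdi":
            findings[name] = f"secondary group {secondary} is SDI (primary only)"
        else:
            findings[name] = "ok"
    return findings
```
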