Different auth behaviour dependent on the interface

sez sharp
Level 1

Is there a way of enforcing different auth behaviour dependent on the interface involved on the NAS?

NAS in question: ASA firewall pointing AAA to ACS 5.1.

The ASA has SSL VPN connections to Inside and Outside interfaces and the config needs:

- any SSL VPN connection to the outside interface to trigger two-factor auth through ACS
- any SSL VPN connection to the inside interface to use normal auth to ACS

i.e. if a user connects to the inside interface, only a normal username/password is required, but if a user connects to the outside interface, username/password + token is required.

Sez


Jennifer Halim
Cisco Employee

No, not possible if you are using the same ACS server. If you are using 2 different ACS there might be a possibility with configuring 2 different SSL groups and requesting the users to actually log in to 2 different groups, i.e. if a user connects from outside, ask them to connect to SSL VPN group A, and if a user connects from inside, ask them to connect to SSL VPN group B. However, that would require 2 separate ACS servers, or you can use 2-factor authentication using the ACS server, and internally connect SSL VPN using the ASA local database to authenticate the user.

Well, I guess it also depends on how many users you have and whether it's possible to administer that.
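The second option in the reply (ACS for the externally used tunnel group, the ASA local database for the internally used one) looks roughly like the ASA configuration sketch below. This is an added example, not configuration from the thread or from Cisco; the AAA server name, interface names, host address, tunnel-group names and aliases are assumptions, and the ACS-side policy that actually demands password + token for the ACS-backed group is not shown here.

```cisco
! --- AAA server group pointing at ACS 5.1 (RADIUS); address is assumed ---
aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.0.0.5
 key <shared-secret-placeholder>

! --- Local users for the internally used tunnel group ---
username alice password <password-placeholder>

! --- Tunnel group A: ACS handles authentication (two-factor enforced on ACS) ---
tunnel-group SSL-OUTSIDE type remote-access
tunnel-group SSL-OUTSIDE general-attributes
 authentication-server-group ACS
tunnel-group SSL-OUTSIDE webvpn-attributes
 group-alias external enable

! --- Tunnel group B: ASA local database, username/password only ---
tunnel-group SSL-INSIDE type remote-access
tunnel-group SSL-INSIDE general-attributes
 authentication-server-group LOCAL
tunnel-group SSL-INSIDE webvpn-attributes
 group-alias internal enable

! --- Enable SSL VPN on both interfaces and expose the group drop-down ---
webvpn
 enable outside
 enable inside
 tunnel-group-list enable
```

The caveat the reply hints at with "request the users to actually log in to 2 different groups" is the important one for a defender: the tunnel group is chosen by the user (alias or group-url), not by the interface the connection arrives on, so the ASA does not itself prevent the weaker, locally authenticated group from being selected on the outside interface. Treat the group split as a convenience for users, and review the local-database group's reachability and its user list as if it were exposed, or keep only the ACS-backed group enabled on the outside interface.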
