Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ISE Authentication Policy for RSA Securid and LDAP for VPN

We are working on replacing our existing ACS server with ISE.  We have 2 groups of users, customers and employees.  The employee's utilize RSA securid for authentication while the customers use Window authentication.  We have integrated the AD into ISE using LDAP and this has been tested.  We are now working on trying to get the rsa portion to work.  We are wanting to utilize the authorization policy to assign the group-policy/IP for both clients via the LDAP user attributes.

Here is my question:

Under the authentication policy should we look @ an identity store that has RSA securid users, LDAP users and then internal users.  I assume if the user isn't present in the RSA store it will then look @ the LDAP, will this present an issue with overhead in our RSA environment.  With the legacy ACS the descsion on where to authenticate the user was done on the ACS, either Windows or RSA.  The employee users will still also be present in the LDAP so we can utilize the attributes for IP address/group policy.  The number of customer vpn's is several times larger than employees and I am afraid that if we have to query the securid servers for every authentication vpn authentication attempt this could cause issues.  Our utilimate goal is to move to any connect and utilize a single url for all authentication but allow ise to instruct the asa what attributes to hand to the client such as dns/Dacl. 

Thanks,

Joe

  • AAA Identity and NAC
916
Views
0
Helpful
0
Replies
This widget could not be displayed.