Community Member

SSO with ASA WebVPN Using RSA Tokens

Current Setup:

User token & PIN authenticate to -> ASA5510 8.2 Clientless VPN -> passes to RSA Authentication Manager 7.2 via SDI.

I've got authentication working great; on first login users can sign in with their AD user names and RSA tokens and generate their PIN.

We used to use ACS Express and their AD information for VPN authentication, but now we need to do two-factor authentication.

Is it possible to somehow maintain SSO so that when the user authenticates via his RSA token he can still browse OWA, SharePoint and CIFS (file shares) without having to enter his AD credentials?

Any help or information is much appreciated.

Thanks

2 ACCEPTED SOLUTIONS
Community Member

SSO with ASA WebVPN Using RSA Tokens

You can enable the 'internal password' field on the customization for WebVPN and also rename it (say 'AD Password'), and then set up auto-signon entries for the internal URLs over NTLM, so that when the servers prompt, the WebVPN session sends the username used to log into the ASA but sends the internal password captured at login instead of the passcode used to log into WebVPN itself.

The only problem I've seen when testing this: there didn't seem to be a graceful way of fixing a bad or missing password, so NTLM would fail and fall back to basic over SSL. Eventually this would lock out the AD accounts, depending on how many URLs the user tried when the password entered at login was bad or missing (as it's not required to pass to log into the WebVPN).

Cisco Employee

SSO with ASA WebVPN Using RSA Tokens

Since the original poster mentioned 2-factor authentication as a requirement, I would like to point out that the "internal password" feature, while correctly explained by kellerja1, does not provide 2-factor auth since the internal password is not validated by the ASA, i.e. it simply caches it and uses it for SSO without checking if it is correct.

To have true 2-factor auth, you would have to use "double authentication", a feature introduced in 8.2.

This allows you to specify 2 authentication-server-groups, e.g. one SDI and one LDAP (for AD).

The user will then get 3 or 4 fields on the login screen: either 1 username and 2 password fields or 2 username and 2 password fields (configurable).

The ASA will then perform 2 authentication checks and only allow the user in if both are successful.

There is one restriction: SDI can only be used as primary protocol, not as secondary.

For SSO, by default the primary credentials will be used, but by configuring "authenticated-session-username secondary" the secondary credentials will be used.

Alternatively, if e.g. some bookmarks require the primary and others require the secondary, you can use the following macros in the bookmark definitions:

CSCO_WEBVPN_PRIMARY_USERNAME

CSCO_WEBVPN_SECONDARY_USERNAME

CSCO_WEBVPN_PRIMARY_PASSWORD

CSCO_WEBVPN_SECONDARY_PASSWORD

hth

Herbert
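
As an added example (not from the original thread and not Cisco's own documentation), here is what the two approaches described in the accepted answers look like in ASA 8.2 CLI, side by side: kellerja1's internal-password plus auto-signon setup first, then Herbert's double-authentication tunnel-group. Server-group names, interface names, IP addresses, hostnames, the LDAP base DN and the service-account DN are placeholders I have assumed.

```text
! ---- Approach 1: "internal password" + auto-signon (one factor) ----
! The extra "internal password" field itself is switched on in the WebVPN
! customization object (login page), not in this CLI fragment. The ASA
! never validates what the user types there; it only caches it for SSO,
! so the session is still protected by the SDI passcode alone. A typo in
! that field is discovered only when each auto-signon URL below fails NTLM
! and falls back to basic auth, which is how the AD lockouts happen.
webvpn
 auto-signon allow uri https://owa.example.com/* auth-type ntlm
 auto-signon allow uri https://sharepoint.example.com/* auth-type ntlm

! ---- Approach 2: double authentication (true two-factor) ----
! Two server groups. SDI is only supported as the primary, so AD/LDAP
! has to be the secondary.
aaa-server RSA-SDI protocol sdi
aaa-server RSA-SDI (inside) host 10.0.0.10

aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.20
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=svc-asa,ou=Service,dc=example,dc=com
 ! placeholder; the real bind password goes here
 ldap-login-password ********
 server-type microsoft

tunnel-group CLIENTLESS-2FA type remote-access
tunnel-group CLIENTLESS-2FA general-attributes
 authentication-server-group RSA-SDI
 ! use-primary-username gives the 3-field login (one username, two
 ! passwords); omit it to get separate primary/secondary usernames (4 fields).
 secondary-authentication-server-group AD-LDAP use-primary-username
 ! Both checks must succeed before a session exists. For SSO, hand the
 ! validated AD (secondary) credentials, not the SDI passcode, to
 ! auto-signon and bookmarks:
 authenticated-session-username secondary
tunnel-group CLIENTLESS-2FA webvpn-attributes
 group-alias clientless-2fa enable

! Bookmarks that need one particular credential set can reference the
! macros directly in a url-list loaded with "import webvpn url-list",
! for example as POST parameters of a forms-based login bookmark:
!   <post-param>
!     <name>username</name>
!     <value>CSCO_WEBVPN_SECONDARY_USERNAME</value>
!   </post-param>
!   <post-param>
!     <name>password</name>
!     <value>CSCO_WEBVPN_SECONDARY_PASSWORD</value>
!   </post-param>
```

The difference that matters for the original question is where the AD password is checked: in approach 1 it is checked by OWA or SharePoint only after the VPN session already exists, so a wrong value fails once per URL; in approach 2 the ASA checks it against AD-LDAP before granting the session, so a bad password produces one failed login rather than a string of NTLM failures against every bookmark.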

4 REPLIES
Cisco Employee

Re: SSO with ASA WebVPN Using RSA Tokens

Hi,

So do I understand correctly that you want to have 3 fields on the login screen:

username

AD password

tokencode

Then for SSO you would like to use the username and AD password?

What kind of SSO is it? Auto-signon, macros in a bookmark?

Would it be OK to use RADIUS instead of SDI towards the RSA server?

Herbert

Community Member

Hello friends,

Please allow me to resurrect an old post!

I have WebVPN and AnyConnect remote access VPN working on my ASA, authenticating through an ACS RADIUS server. We are thinking of integrating RSA tokens. So, the question is whether it is going to work well with WebVPN?

I will appreciate your comments and/or documentation.

Regards!
