ASA 8.04 Remote Access VPN LDAP Integration and RSA Integration
Someone please point me to a document or tell me if this situation is even possible:
ASA 8.04 is being used as a VPN concentrator. We have configured the integration with Active Directory. We are wondering if there is a way to then have the end users authenticate via an RSA PIN and Token.
There doesn't seem to be a way to have both LDAP and SDI in the same Tunnel Group.
Have you used Cisco ACS in a situation where you first wanted an IPSec VPN user to query Active Directory for authentication and authorization, then have the same user, once authorized, be prompted for their RSA PIN and Token?
Please correct me if I am wrong, but the RSA can query AD for authentication but it can't handle the authorization. I want to make sure that people trying to access via IPSec are authorized, as well as authenticated.
In sum, I know we can use Cisco ACS to query AD for authentication and authorization. I want remote IPSec users to be checked against AD then, if authorized, have them prompted for the RSA PIN and Token. This is chained authentication.
What is the topology needed to make this happen?
Does the ASA send the request and subsequently the ACS handles both AD authentication/authorization and then sends a request for the end user to RSA Authentication Manager?
Is the RSA a client of the ACS or is it the other way around? I know we can install a client on the ACS for RSA but is that what is needed for this situation?
Thanks in advance. You are a true NetPro for reading this and giving it your consideration.
Sorry, been OOO the past few days. I *think* I am following you. Sounds like you may want to use IAS and RSA instead of CACS/RSA. You should be able to configure the remote access policy on IAS to query for dial-in permissions from AD and then forward to the RSA as an external RADIUS group for token. This isn't how I have used RSA in the past but you might be able to achieve what you are looking for.
Just wondering if you ever found a solution to this. I too want to do something very similar. That is, have our ASA (remember, you helped install it) SSL VPN authentication work with the existing SDI / RSA tokens but also authenticate the SecurID token users (same username as in AD) to AD so that they are not prompted again to authenticate when hitting AD resources from the SSL web portal.
I remember your firewall very well and the fact you did most of the troubleshooting!
The best thing to do for this case is to get RSA on the phone and have them assess the situation. There were a number of inconsistencies from their people as to whether this would work and what version of software needed to be installed. Call RSA first. The Cisco piece was fairly straightforward. I would leverage both companies for their technical expertise, as they are in the best position to give you the latest information.