We are in the process of implementing two-factor VPN authentication using WIKID, but we are having issues, specifically with our ACS. I use the ACS with the Cisco Remote Agent to provide VPN authentication based on AD. The problem is that I would need the ACS to proxy to my WIKID server to authenticate the PIN. I can set up my VPNSM to RADIUS directly to the WIKID server, but then I lose all the grouping and IP parameters I apply to users. On top of that, I would have to go to two places to set up/deactivate a new/terminated employee.
So basically, is there a way for me to use my ACS for Authorization (via Cisco Remote Agent) and forward the username and PIN to the WIKID server for authentication?
If you can set up your VPN to authenticate using RADIUS to the WIKID server, then you should be able to configure ACS to use RADIUS as an external user database (I believe you'd set it up as a RADIUS Token Server). ACS won't be able to directly see AD, but that is ok because the WIKID should take care of that.
By setting it up as a RADIUS Token Server, you no longer need the Cisco Remote Agent. If you are running ACS 4.x, you may want to also look at configuring a Network Access Profile if you need to configure more flexibility in your external database searching.
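The split the answer describes, where the AAA server keeps its own group and address assignments and forwards only the one-time PIN to a RADIUS token server, is easier to reason about with the two halves modelled in code. The following is an added example written for this thread; it is not Cisco ACS or WiKID code and does not reflect their internals. Everything in it is constructed: the user names, PINs, addresses and shared secret are assumptions, the token server is a function called in-process instead of a UDP listener, and the credential is carried as a PAP User-Password (RFC 2865 section 5.2), which the thread does not specify. It also shows the failure case the asker is worried about: a user who exists on the token server but has no local authorization record.

```python
"""Added example: authentication proxied to a RADIUS token server, authorization kept local.

Constructed model of the flow discussed in the thread (not ACS or WiKID code).
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FRAMED_IP_ADDRESS, CLASS = 1, 2, 8, 25  # RFC 2865 attribute types

# Constructed data (assumptions): shared secret between AAA server and token server,
# the token server's currently valid one-time PINs, and the AAA server's local
# authorization records (the "grouping and IP parameters" the asker wants to keep).
# "dave" exists only on the token server, to show what an unsynchronised user looks like.
SHARED_SECRET = b"example-shared-secret"
TOKEN_SERVER_PINS = {"alice": "482913", "bob": "117734", "dave": "905520"}
LOCAL_AUTHORIZATION = {
    "alice": {"group": "vpn-admins", "framed_ip": "10.1.1.10"},
    "bob": {"group": "vpn-users", "framed_ip": "10.1.2.20"},
}


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous block); the first 'previous block' is the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide; the keystream chains on the ciphertext blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    """Code, Identifier, Length, Authenticator, then TLV attributes (RFC 2865 section 3)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def decode_packet(packet: bytes):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs


def response_authenticator(code, ident, request_auth, attrs, secret) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def token_server_handle(packet: bytes, secret: bytes) -> bytes:
    """Simulated RADIUS token server: validates only the one-time PIN, nothing else."""
    code, ident, request_auth, attrs = decode_packet(packet)
    fields = dict(attrs)
    user = fields.get(USER_NAME, b"").decode()
    pin = pap_reveal(fields.get(USER_PASSWORD, b""), secret, request_auth).decode()
    expected = TOKEN_SERVER_PINS.get(user)
    ok = code == ACCESS_REQUEST and expected is not None and hmac.compare_digest(pin, expected)
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return encode_packet(reply, ident, response_authenticator(reply, ident, request_auth, [], secret), [])


def aaa_login(username: str, pin: str, send=token_server_handle) -> dict:
    """AAA server side: authenticate through the token server, authorize from the local store.
    Returns the decision plus the attributes the VPN head-end would receive on success."""
    request_auth = os.urandom(16)
    ident = 7
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, pap_hide(pin.encode(), SHARED_SECRET, request_auth))]
    reply = send(encode_packet(ACCESS_REQUEST, ident, request_auth, attrs), SHARED_SECRET)
    code, rid, reply_auth, reply_attrs = decode_packet(reply)
    expected = response_authenticator(code, rid, request_auth, reply_attrs, SHARED_SECRET)
    if rid != ident or not hmac.compare_digest(reply_auth, expected):
        return {"accepted": False, "reason": "bad reply authenticator or identifier"}
    if code != ACCESS_ACCEPT:
        return {"accepted": False, "reason": "token server rejected PIN"}
    profile = LOCAL_AUTHORIZATION.get(username)
    if profile is None:  # authenticated upstream, but nobody provisioned the user locally
        return {"accepted": False, "reason": "authenticated but no local authorization record"}
    return {"accepted": True, "group": profile["group"],
            "attributes": [(CLASS, profile["group"].encode()),
                           (FRAMED_IP_ADDRESS, bytes(int(o) for o in profile["framed_ip"].split(".")))]}


if __name__ == "__main__":
    for user, pin in [("alice", "482913"), ("alice", "000000"), ("dave", "905520")]:
        print(user, aaa_login(user, pin))
```

Two points worth noting from the model: the reply authenticator check is what stops a forged or altered Access-Accept from being trusted, so the shared secret needs the same care as any credential, and because the PAP hiding is an MD5 keystream keyed by that secret, the path between AAA server and token server should be treated as carrying the PIN. The "dave" case is the operational trap in the asker's second question: a user provisioned on the token server but not in the AAA server's store authenticates and then has nothing to be authorized with, which is why deprovisioning has to cover both systems.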