Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA SSL VPN with RSA Authentication

Has anyone implemented SSL VPN on an ASA appliance using Securid keyfob tokens ? The datasheets indicate native RSA can be used for authentication but does this work with SSL VPN's ?

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Re: ASA SSL VPN with RSA Authentication

5 REPLIES
Silver

Re: ASA SSL VPN with RSA Authentication

New Member

Re: ASA SSL VPN with RSA Authentication

Hi

Were you ever able to get this to work? I am implementing the same thing using token authentication.

Thanks!

New Member

Re: ASA SSL VPN with RSA Authentication

Hi David,

I went for the token RSA appliance which had an out of the box setup.

On the ASA here's a sample config to get the client authentication to work for IPSEC:

aaa-server SDI protocol sdi

aaa-server SDI host 192.168.1.1

tunnel-group clientvpn type ipsec-ra

tunnel-group clientvpn general-attributes

address-pool vpnpool

authentication-server-group SDI

default-group-policy clientvpn

authorization-required

Best regards,

Mark

New Member

Re: ASA SSL VPN with RSA Authentication

Hi Mark,

This seems to apply a default group to all client authenticate by SecurID. Were you able to assign groups so that different clients has different policy ? Thanks.

New Member

Re: ASA SSL VPN with RSA Authentication

Hi Jason,

I've seen this done. You specify the default group policy in each separate tunnel-group then create a separate group policy for each one.

e.g.

group-policy clientvpn internal

group-policy clientvpn attributes

wins-server value 192.168.1.2

dns-server value 192.168.1.139 192.168.1.3

vpn-idle-timeout none

vpn-session-timeout none

ipsec-udp enable

ipsec-udp-port 10000

split-tunnel-policy excludespecified

split-tunnel-network-list value clientsplit

default-domain value mydomain.local

Then you might have a different policy for another group say without split tunneling. etc.

Cheers,

Mark

406
Views
0
Helpful
5
Replies
CreatePlease login to create content