Two factor authentication using LDAP with AD and SMS on Cisco ASA 8.2.3
We are using Cisco ASA 8.2.3 as a RAS solution for our customers. Different kinds of authentication mechanisms are already deployed.
Now we want to use two-factor authentication, where first the user needs to be verified by AD (over secure LDAP) and secondly the user needs to be verified by SMS passcode against the SMS text messaging server.
We have already created a separate DAP, a separate AnyConnect connection profile, a separate group policy and a separate customization page for this.
I know the ASA supports this functionality, but when configuring an authentication server group and a secondary authentication server group together you have to fill in credentials for both on the logon page. This is not what we want. We want users to fill in their AD credentials on the logon screen; after this the user should receive an SMS text message and get a (pop-up) second login screen where he can enter the SMS passcode. Then the logon process is completed and he should get the RAS portal page.
When we test using only primary authentication (AD over a secure LDAP connection), it functions. When enabling secondary authentication, you also have to fill in the credentials on the first logon page (instead of on the second logon page we would like to have). Also, the customer then does not see any requests coming in on the SMS text message server.
How do we need to configure the RAS environment so that it functions the way we want it to?