Cisco Support
English
Feedback Help
Cisco Support Community
Register
cancel
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
lynne.meeks
lynne.meeks
Community Member
‎08-11-2010 01:00 PM
‎08-11-2010 01:00 PM

VPN Double authentication question

We have an ASA configured with sslvpn and using AnyConnect clients. Currently we authenticate via LDAP and automatically set the group-policy value via an LDAP value. We have several  groups with unique IPs and therefore special access due to their assigned IP address.

We'd like to add SecureID authentication for some of these groups. I've set up a second profile with double authentication, using LDAP with group assignen and that works fine.

The issue we are facing is that I can find no way to limit access to the double authentication groups from the standard profile, because both profiles are authenticating to the same LDAP server, and the LDAP policy map is configured with the LDAP server.

So all the groups are accessible (with the right credentials) from both the standard single auth profile and the double-auth profile, and there's no way to force the use of the double-auth profile- at least none that I can find.

thanks for any thoughts on this.

Lynne

Labels:
0 Helpful
Reply
2 REPLIES
Marcin Latosiewicz
Marcin Latosiewicz Cisco Employee
Cisco Employee
‎08-12-2010 03:22 PM
‎08-12-2010 03:22 PM

Re: VPN Double authentication question

Lynne,

I'm sorry I might be a bit lost in the description (late at night here).

Would this be anything close to what you're lookink for?

  authentication-attr-from-server        Specify the authentication server that
                                         provides authorization attribute for
                                         the session

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/a2.html#wp1644911

Marcin

0 Helpful
Reply
lynne.meeks
lynne.meeks
Community Member
‎08-16-2010 05:40 AM
‎08-16-2010 05:40 AM

Re: VPN Double authentication question

Thanks for the suggestion, but that's not really what we need.

The double authentication IS working. The problem is that both the

single auth and double auth profiles use the same LDAP server in order

to get NetIDs placed in the proper VPN groups. Therefore both profiles

share the same LDAP Attibute Map, which means that there's no way to

force someone to choose the double-auth profile, since they can still

access 'their' group by using the single-auth profile...

I can't find any way to use the same LDAP server with different LDAP

attribute maps on the same ASA.

It seems like we would need either a different LDAP server with a unique

attribute map for the double-auth profile OR a separate ASA with the

same LDAP server but again a unique attribute map.

thanks,

Lynne

0 Helpful
Reply
Latest Documents
Snort IPS on ISR, ISRv and CSR - Step-By-Step Configuration
Created by Kureli Sankar on 04-19-2018 11:25 AM
0
0
0
0
BenefitsDocumentationPrerequisiteImage Download LinksLimitationsSupported PlatformsLicense RequirementsTopologyStep-By-Step ConfigurationConfigure Virtual ServiceActivate the virtual service and configure guest IPsConfiguring UTD (Service Plane)Configurin... view more
Upgrade Chassis Manager (FXOS)
Created by Jeet Kumar on 02-23-2018 02:51 AM
2
15
2
15
    Login to the FXOS chassis manager. Direct your browser to https://hostname/, and log-in using the user-name and password.     Go to Help > About and check the current version:    Check the current version availa... view more
ASA 5506-X with ipv6 no access to internet
Created by Klaxel on 02-08-2018 01:25 AM
3
5
3
5
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6. In Syslog I also se... view more
All Documents
591
Views
0
Helpful
2
Replies
CreatePlease to create content
Discussion
Blog
Document
Video
Popular Blogs
AnyConnect Certificate Based Authentication.
Created by Marvin Ruiz on 08-27-2012 05:20 PM
36
75
36
75
BLOG (No Title)
Created by athukral on 06-14-2011 04:23 AM
15
35
15
35
Wireless Hacking
Created by Anim Saxena on 01-24-2013 07:56 AM
2
25
2
25
All Blogs