[c-nsp] Cisco ACS/ASA/RSA SecurID with Group Locking

Dikkema, Michael (Business Technology) MDikkema at postmedia.com
Tue Jan 15 11:50:51 EST 2013


We currently have a Cisco ASA VPN deployment using ACS -> AD authentication. We're using the RADIUS Class attribute to do group locking between these systems. We have around 50 groups in use.

We're in the middle of an RSA SecurID deployment and can't seem to figure out how we maintain the group locking part of it. SecurID doesn't appear to care what's in the Class attribute; you can only ask whether or not it is present to authenticate. As far as I can tell, SecurID will authenticate anyone that has a valid AD account in any of the configured AD groups. We can work around this if we trust the group/password on the IPSec client (we don't), but we don't see any way of enforcing group security with AnyConnect, which we will likely deploy soon.

The only workaround we can see right now is to limit RSA SecurID to only a very small number of groups, and combine their access control policy on the firewall behind the VPN concentrator into a single policy. This is not ideal. We're looking for something like an authenticate-and-continue option in ACS, or a better understanding of how to do the right thing in SecurID.

Not sure if this is the right forum for a question like this, but would appreciate any help.

Thanks.
