[c-nsp] Cisco ACS/ASA/RSA SecurID with Group Locking

Hughes, Scott GRE-MG SHughes at grenergy.com
Tue Jan 15 20:28:01 EST 2013


In ACS 5.2, you can configure an "Identity Store Sequence" which will authenticate via RSA, and then pull additional attributes from AD (like group membership). Your usernames need to match between systems.

You can then send back RADIUS attributes to your ASA based on AD group membership.

Hope that helps. 

Scott

On Jan 15, 2013, at 12:21 PM, "Dikkema, Michael (Business Technology)" <MDikkema at postmedia.com> wrote:

> We currently have a Cisco ASA VPN deployment using ACS -> AD authentication. We're using the RADIUS Class attribute to do group locking between these systems. We have around 50 groups in use.
> 
> We're in the middle of an RSA SecurID deployment and can't seem to figure out how we maintain the group locking part of it. SecurID doesn't appear to care what's in the Class attribute, you can just ask whether or not it is present to authenticate. As far as I can tell, SecurID will authenticate anyone that has a valid AD account in any of the configured AD groups. We can work around this if we trust the group/password on the IPSec client (we don't), but don't see any way of enforcing group security with Anyconnect, which we will likely deploy soon.
> 
> The only workaround we can see right now is to limit RSA SecurID to only a very small number of groups, and combine their access control policy on the firewall behind the VPN concentrator into a single policy. This is not ideal. We're looking for something like an authenticate-and-continue option in ACS, or a better understanding of how to do the right thing in SecurID.
> 
> Not sure if this is the right forum for a question like this, but would appreciate any help.
> 
> Thanks.
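As an added example (not from this thread), the ASA side of the setup Scott describes: ACS returns the IETF RADIUS Class attribute (25) as `OU=<group-policy-name>;` based on AD group membership, and the named group-policy's group-lock pins that user to a single tunnel-group, so the Class attribute is enforced rather than merely present. The server address, policy and tunnel-group names, and the shared key are placeholders.

```text
! RADIUS server group pointing at ACS (address and key are placeholders)
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 192.0.2.10
 key REPLACE-WITH-SHARED-SECRET

! One group-policy per AD group. ACS returns Class = "OU=GP-FINANCE;" for
! members of the Finance AD group; the ASA applies the group-policy of
! that name, and group-lock rejects the session if the user connected
! through any tunnel-group other than TG-FINANCE.
group-policy GP-FINANCE internal
group-policy GP-FINANCE attributes
 group-lock value TG-FINANCE

! Fallback policy: a user whose RADIUS reply carries no matching Class
! attribute lands here and is denied instead of getting default access.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0

! Tunnel-group for the Finance users, authenticating against ACS
tunnel-group TG-FINANCE type remote-access
tunnel-group TG-FINANCE general-attributes
 authentication-server-group ACS-RADIUS
 default-group-policy GP-NOACCESS
```

With the ACS identity store sequence, RSA performs the authentication and the AD lookup only supplies the group membership that selects which Class value to return, so the same group-lock enforcement works for AnyConnect and IPsec clients alike.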

