Anyway, after setting up an authentication source using a Windows 2003/2008 Active Directory domain controller and importing a batch of time-based RSA key tokens, I set up the ASA to authenticate against the RADIUS server. Here's the necessary config on the ASA:
aaa-server rsaapp protocol sdi
aaa-server rsaapp (INSIDE) host 10.14.14.50 MY_PASSWORD_FOR_RADIUS_CLIENT
tunnel-group employees type remote-access
tunnel-group employees general-attributes
 address-pool employees-pool
 authentication-server-group rsaapp
 default-group-policy operations
tunnel-group operations ipsec-attributes
 pre-shared-key *

Here are several important things to do:

1. Set up DNS entries for the RSA box and the ASA, both forward and reverse/PTR. The box seems to be looking for its FQDN. You can use the hosts file for setup.
2. Make sure the ASA, RSA box, and domain controller all have accurate time (via NTP, etc.).
3. Set up a RADIUS client on the RSA box and use the same passphrase you used in the ASA aaa-server config.
4. Assign token devices to users. Start off with one user for testing.
5. Re-synchronize the token. I'm not 100% sure this is necessary, but I tried several tokens, and this seemed necessary.
6. Have the user log into the self-service console: https://myrsaappliance.mydomain.local:7004/console-selfservice. He or she should log into the console with their Active Directory username and password, and then set a PIN on the token.
7. Wait for a minute or two, and then have the user log into the VPN appliance with the Cisco client. This seemed to be necessary, as the token didn't seem to work at first. After running through the configuration again, I tried waiting, and this worked.
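Steps 1 to 3 above are the ones that silently break SDI/RADIUS authentication when they are wrong (a PTR record that does not match, clocks drifted apart so time-based token codes never line up, or a shared secret that differs on the two ends). The following pre-flight checker is an added example and not code from the original post or from Cisco or RSA: it parses the `aaa-server ... host` lines of an ASA config to find the RSA server address and key, confirms forward and reverse DNS agree for each host, confirms all clocks sit inside an allowed skew, and compares the ASA key with the secret registered for the RADIUS client on the RSA side. The host names, addresses, timestamps and the RSA-side secret are constructed sample data; the resolver arguments are hypothetical hooks so the check can run offline against a dictionary instead of real DNS.

```python
# Added pre-flight checks for an ASA talking SDI/RADIUS to an RSA appliance.
# Not from the original post; all sample values below are constructed.
import socket
from datetime import datetime, timedelta, timezone

# Constructed ASA fragment, same shape as the aaa-server lines in the post.
ASA_CONFIG = """\
aaa-server rsaapp protocol sdi
aaa-server rsaapp (INSIDE) host 10.14.14.50 MY_PASSWORD_FOR_RADIUS_CLIENT
"""

# Constructed DNS view: forward (A) and reverse (PTR) records for step 1.
SAMPLE_FORWARD = {"rsa.example.local": "10.14.14.50", "asa.example.local": "10.14.14.1"}
SAMPLE_REVERSE = {ip: name for name, ip in SAMPLE_FORWARD.items()}

# Constructed clock readings from the three boxes for step 2.
SAMPLE_CLOCKS = {
    "asa": datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc),
    "rsa": datetime(2024, 1, 1, 12, 0, 4, tzinfo=timezone.utc),
    "dc": datetime(2024, 1, 1, 11, 59, 58, tzinfo=timezone.utc),
}

# Constructed secret that the RADIUS client entry for this ASA holds on the RSA box (step 3).
SAMPLE_RSA_CLIENT_SECRET = "MY_PASSWORD_FOR_RADIUS_CLIENT"


def parse_aaa_hosts(config_text):
    """Return {server_tag: [(ip, key), ...]} from 'aaa-server TAG (IFACE) host IP [KEY]' lines."""
    hosts = {}
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "aaa-server" and parts[3] == "host":
            key = parts[5] if len(parts) > 5 else None
            hosts.setdefault(parts[1], []).append((parts[4], key))
    return hosts


def dns_consistent(fqdn, ip, forward=None, reverse=None):
    """Step 1: A record of fqdn must give ip and the PTR of ip must give fqdn back.

    forward/reverse are hypothetical resolver hooks; by default real DNS is used."""
    forward = forward or socket.gethostbyname
    reverse = reverse or (lambda addr: socket.gethostbyaddr(addr)[0])
    try:
        return forward(fqdn) == ip and reverse(ip).lower() == fqdn.lower()
    except (KeyError, socket.herror, socket.gaierror):
        return False


def clocks_in_sync(clocks, max_skew_seconds=30):
    """Step 2: every box's clock within max_skew of the others (token codes are time-based)."""
    values = list(clocks.values())
    return (max(values) - min(values)) <= timedelta(seconds=max_skew_seconds)


def shared_secret_matches(asa_hosts, rsa_client_secret, tag="rsaapp"):
    """Step 3: the key on each ASA host line equals the secret registered on the RSA box."""
    entries = asa_hosts.get(tag, [])
    return bool(entries) and all(key == rsa_client_secret for _ip, key in entries)


def preflight(asa_config, fqdn_map, clocks, rsa_client_secret, forward=None, reverse=None):
    """Run all three checks and report each one separately, so the failing step is obvious."""
    hosts = parse_aaa_hosts(asa_config)
    return {
        "dns": all(dns_consistent(f, ip, forward, reverse) for f, ip in fqdn_map.items()),
        "time": clocks_in_sync(clocks),
        "secret": shared_secret_matches(hosts, rsa_client_secret),
    }


def run_sample():
    """Evaluate the constructed sample offline (dictionary lookups stand in for DNS)."""
    return preflight(ASA_CONFIG, SAMPLE_FORWARD, SAMPLE_CLOCKS, SAMPLE_RSA_CLIENT_SECRET,
                     forward=SAMPLE_FORWARD.__getitem__, reverse=SAMPLE_REVERSE.__getitem__)


if __name__ == "__main__":
    for check, ok in run_sample().items():
        print(f"{check:7s} {'OK' if ok else 'FAIL'}")
```

Run it against the real ASA config and real DNS by dropping the `forward`/`reverse` arguments; a `dns` failure points at step 1, `time` at step 2 and `secret` at step 3 before any token is even assigned.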
12 comments:
As soon as I saw the headline I couldn't wait to start reading the comments. Thank you all so much for your comments and support. Great resource for educators as well!
Wow! I'm stunned that anyone reads this blog. I've been posting for a while with no comments from anyone... I kind of used it like a personal wiki.
I hope you find it of some use. It is rather eclectic, as you can see. I try to update it at least once a month. You can follow the RSS feed, if you'd like. Thanks for commenting!
Just wanted to pop in and say thanks. This post was exactly what I needed!
Thanks, Tony. I'm glad that other people occasionally read this blog. I like to document things I find tedious or perplexing so I don't have to figure them out again.
Good document, this is what I wanted to read. Thanks, keep up the good work. Now subscribed to your site via RSS.
Have you tried to configure different WebVPN groups and authenticate with SecurID?
Thank you for the nice post. I have a question about how to restrict VPN users' access (using group lock) at different levels when the SDI protocol is used.
Is there a way that the Cisco ASA can receive the user attribute from the ACE server via the SDI protocol and do the group lock according to the user attributes?
I mean there are two groups for VPN users. Every group has a different ACL.
Thanks again and waiting ....
Hi Rivald,
one question to this topic:
We're trying to use an RSA server which is located at a different site, so the ASA actually has to talk to the RSA server through an existing VPN tunnel. We don't get it working... any ideas would be appreciated.
Thx
Loppo:
How do you have the aaa configured on the ASA? Specifically, which interface does it use to query the remote RSA over the VPN?
If it is the inside (or equivalent), can you ping the RSA from the inside interface over the IPsec tunnel (i.e., ping inside rsa.ip.address)?
Toko:
I'll have to think about that one. I'm not doing group-level ACLs using the RSA, currently. I've done this using LDAP, but not an RSA appliance. At the very least, I can dig up the LDAP configuration I wrote as an example.
This article is a life saver; re-synchronizing the token is exactly what caused my problem. Thanks a lot, mate. Keep up the good work. Cheers :)
Excellent, thanks for the post.