Cisco Systems, Inc.
Adaptive Security Appliance 9.10(1)
Peter waranowski, RSA Partner Engineering
Last Modified: 12/3/2018
Solution Summary
This section shows all of the ways that Cisco ASA can integrate with RSA SecurID Access. Use this information to determine which use case and integration type your deployment will employ.
Use Cases
- AnyConnect - When integrated, users must authenticate with RSA SecurID Access in order to establish VPN connection. AnyConnect can be integrated with RSA SecurID Access using RADIUS, SSO Agent and Authentication Agent.
- Clientless SSL VPN Portal - When integrated, users must authenticate with RSA SecurID Access in order to access the clientless SSL VPN Portal. Clientless SSL VPN Portal can be integrated with RSA SecurID Access using RADIUS, SSO Agent, Authentication Agent and Risk Based Authentication.
- Admin Access - When integrated, users must authenticate with RSA SecurID Access in order to gain access to Cisco ASA's administrative interfaces (ASDM, Telnet, SSH). Admin Access can be integrated with RSA SecurID Access using RADIUS and Authentication Agent.
- AAA Firewall Rule - When integrated, users must authenticate with RSA SecurID Access in order to be permitted network access as defined in the AAA Firewall rule. AAA Firewall Rule can be integrated with RSA SecurID Access using RADIUS and Authentication Agent.
Integration Types
- RADIUS integrations provide a text driven interface for RSA SecurID Access within the partner application. RADIUS provides support for most RSA SecurID Access authentication methods and flows.
- SSO Agent integrations use SAML 2.0 or HFED technologies to direct users’ web browsers to RSA SecurID Access for authentication. SSO Agents also provide Single Sign-On to other applications configured in the RSA Application Portal.
- Authentication agent integrations use an embedded RSA agent to provide RSA SecurID and Authenticate Tokencode authentication methods within the partner’s application.
- Risk Based Authentication integrations use customized scripts to direct users’ browsers to RSA SecurID Access for authentication. Risk-Based Authentication leverages an Authentication Agent or RADIUS integration to sign in to the partner application.
Supported Features
This section shows all of the supported features by integration type and by RSA SecurID Access component. Use this information to determine which integration type and which RSA SecurID Access component your deployment will use. The next section in this guide contains the instruction steps for how to integrate RSA SecurID Access with Cisco ASA using each integration type.
Cisco ASA integration with RSA Cloud Authentication Service
| Authentication Methods | Authentication API | RADIUS | Relying Party | SSO Agent SAML | SSO Agent HFED |
|---|---|---|---|---|---|
| RSA SecurID | - | ✔ | - | ✔ | - |
| LDAP Password | - | ✔ | - | ✔ | - |
| Authenticate Approve | - | ✔ | - | ✔ | - |
| Authenticate Tokencode | - | ✔ | - | ✔ | - |
| Device Biometrics | - | ✔ | - | ✔ | - |
| SMS Tokencode | - | ✔ | - | ✔ | - |
| Voice Tokencode | - | ✔ | - | ✔ | - |
| FIDO Token | n/a | n/a | - | ✔ | - |
Cisco ASA integration with RSA Authentication Manager
| Authentication Methods | Authentication API | RADIUS | Authentication Agent |
|---|---|---|---|
| RSA SecurID | - | ✔ | ✔ |
| On Demand Authentication | - | ✔ | ✔ |
| Risk-Based Authentication | n/a | ✔ | ✔ |
| ✔ | Supported |
| - | Not supported |
| n/t | Not yet tested or documented, but may be possible. |
| n/a | Not applicable |
Configuration Summary
This section contains links to the sections that contain instruction steps that show how to integrate Cisco ASA with RSA SecurID Access using all of the integration types and also how to apply them to each supported use case. First configure the integration type (e.g. RADIUS) then configure the use case (e.g. AnyConnect).
This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components. All RSA SecurID Access and Cisco ASA components must be installed and working prior to the integration.
Integration Configuration
RADIUS with Authentication Manager
RADIUS with Cloud Authentication Service
Use Case Configuration
Certification Details
Date of testing: November 7th, 2018
RSA Cloud Authentication Service
RSA Authentication Manager 8.2 SP1, Virtual Appliance
Cisco ASA9.10(1)
Cisco AnyConnect 4.6.03049, Windows 10 64 bit
Cisco AnyConnect 4.6.03049, Mac OS 10
Known Issues
Clientless SSL VPN - "Wrong URL." After successful RBA Login
Depending on which versions of AM and ASA you are using, you may receive the error “Wrong URL” when you logon with RBA. To work-around the issue, make the following change to the am_integration.js file before uploading it to the Web Contents section in ASA:
Change line #41 of the am_integration.js file from:
origActionURL.setAttribute('value', toAbsolutePath(logonForm.action));
To:
origActionURL.setAttribute('value', 'https://$ASA_HOSTNAME$/%2Bwebvpn%2B/index.html');
Change $ASA_HOSTNAME$ to your ASA’s IP or hostname.
Firewall AAA rule
Although you can configure the ASA to require authentication for network access to any protocol or service, users can authenticate directly with HTTP, HTTPS, Telnet, or FTP only. A user must first authenticate with one of these services before the ASA allows other traffic requiring authentication. Telnet is the only service in which new PIN and Next Tokencode functions are supported.