AnsweredAssumed Answered

How to integrate RSA Auth Mgr in with Cisco ASA for VPN access

Question asked by Lane Frazier on Jun 27, 2017
Latest reply on Jul 3, 2017 by Lane Frazier

We use RSA Auth Mgr 8.1 with web tier to secure access for VPN clients using Cisco Anyconnect on ASA 5520.

 

I am in the process of building a completely separate "test" RSA auth mgr primary and web tier. I think I'm about 90% complete but I don't know much about what has to be done on the ASA VPN firewall to get to where we can test vpn access

 

I want to make sure that the 2 RSA systems are totally separated...in other words I wanna know for sure I'm authenticating on the test RSA box when testing VPN....so for simplicity sake....say my Anyconnect profile is RSA-PROD for my production RSA system and RSA-TEST will be the Anyconnect profile to use Test RSA box.  Test RSA primary will have it's own small subset of token's we will distribute to testers

 

I'm not  familiar with the ASA firewall and need to find something that I can give the firewall admin. At this stage of the game all I know is that I have a an authentication agent on the RSA auth mgr and that we need to generate a completely different node secret and import that into the ASA.

 

We don't have any test asa's so the only thing I know of is that we are going to have to create and import a new sdi file from the RSA test system. There are 3 .sdi files in the asa now...as we have a primary and 2 replicas running....

 

so we'll add a 4th for the test rsa.

 

It would seem we will have to create a completely different logon profile in the asa for the group-name RSA-TEST so as to not interfere with the production side.

 

Can someone here give me some guidance on this so I can get the firewall admin what he needs....if there is some documentation out that describes the process I'd appreciate a link or knowing where to find it.

 

Thanks

Outcomes