ASA double authentication only

My company is currently testing two-factor authentication for specific users. We authenticate with SecureAuth keys and an existing AD server, which is also used to authenticate our other VPN groups. For this reason, members of the dual-auth group can authenticate to the current VPN groups using only their AD credentials.

Is there a way for me to configure this group so that they can only obtain VPN access if they go through the dual-factor method?

Essentially, if the dual-auth group users do not connect via the dual-auth group in AnyConnect, they should not be able to establish a VPN connection at all; that is what I am trying to set up.

Any input is appreciated!

Having allowed all users to authenticate to AD is only the first A of AAA.

You can control what they are allowed to do (or connect to) based on the user name or group membership.

You may need to make a new AD group for everyone, but then make membership in that group a requirement for the default profile. Make another AD group for the new two-factor users and make membership in this group a requirement for the new profile.

Tags: Cisco Security

Similar Questions

  • Dual authentication with the Cisco IPsec VPN client

    Does the Cisco VPN Client (the legacy IPsec client) support dual authentication with an RSA token AND Active Directory credentials?

    I know that AnyConnect supports it and that the 'secondary-authentication-server-group' command is only for SSL connections, but this must be confirmed.

    Kind regards


    Hi Mohammad,

    Q. Is dual authentication supported on the Cisco VPN Client?

    A. No. Dual authentication is not supported on the Cisco VPN Client.

    You can find more information on the Cisco VPN Client here.

    As you said, the only client that supports dual authentication is the Cisco AnyConnect Secure Mobility Client.

    Please rate and mark this post as correct!

    Let me know if there are still questions about it!

    David Castro,

  • Dual authentication using LDAP and RSA

    I would like to use LDAP and RSA (dual authentication) for my SSL VPN clients. I can only authenticate users if my logon page requires users to enter a second username. If I set the configuration so that they have to enter their username only once, no authentication attempt is passed on to the authentication servers. I'm running debug on LDAP and RADIUS (for RSA), which is how I know that authentication never happens if they only have to enter their username once on the login page.

    If I don't specify "use-primary-username" at the end of the 'secondary-authentication-server-group' command, users must enter their username twice and the authentication is successful.

    Does anyone know how to configure the ASA so that they have to enter their username only once while using LDAP (as primary) and RSA (RADIUS) (as secondary)?

    Thanks in advance.


    Hi Matt,

    I just tried on 8.3(2) and it works as expected. I suspect that you are running into this bug:

    CSCte66568    Dual authentication broken in 8.2.2 when use-primary-username is configured.

    If you are running 8.2, upgrade to 8.2(3) and you should be fine.



  • Disable login to the Cisco ASA using only the enable password via ASDM

    Hi all

    How do I disable logging in to my Cisco ASA 5520 using only the enable password via ASDM? I'd like the ASDM login to use a username and password. TIA!

    The command:

     aaa authentication http console LOCAL

    ...will force users accessing ASDM (which uses HTTP(S) transport) to be authenticated against the LOCAL database.

    You can also specify another defined authentication method list, such as RADIUS or AD. (Although you would want to leave a LOCAL method at the end, in case your external authentication server is not available.)
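    The following is an added example of the external-server-with-LOCAL-fallback arrangement the answer describes; it is not from the original thread, and the server name, address and account are placeholders.

```cisco
! Added example, not from the original thread; names and addresses are placeholders.
! Before: with no "aaa authentication http console" line, ASDM accepts an
! empty username together with the enable password.
! After: ASDM logins must present a named account, checked on RADIUS first
! and, only if that server is unreachable, on the LOCAL database.
aaa-server RADIUS-ADMIN protocol radius
aaa-server RADIUS-ADMIN (inside) host 10.0.0.20
 key <radius-shared-secret>

! Local fallback account so the box stays manageable when RADIUS is down
username admin password <strong-password> privilege 15

aaa authentication http console RADIUS-ADMIN LOCAL
! the same method list can cover SSH and the enable prompt
aaa authentication ssh console RADIUS-ADMIN LOCAL
aaa authentication enable console RADIUS-ADMIN LOCAL
```

    Note that LOCAL only comes into play when the RADIUS server does not respond; a credential the server actively rejects is not retried against the local database, so the fallback does not weaken the external policy.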

  • ASA for VPN only


    I would like to configure the ASA for VPN only. By default, the ASA allows traffic from the higher-security interface to the lower-security interface. I want to stop that. Is it possible to do this without resorting to access lists?

    Thank you


    Define the interfaces with the same security level and make sure that you do not have same-security-traffic permit inter-interface enabled.

    Hope that helps.

  • Dual authentication pain: ASA WebVPN access and Browse Networks

    I'm configuring an ASA for web access: SSL VPN service. I have users authenticate their web session with their domain credentials against Active Directory (username and password). Once their web session has begun, moving to the 'Browse Networks' function to view a share requires them to authenticate once again: "authentication required." I would like to set up the device so that authentication for Windows file sharing is attempted using the credentials previously entered.

    How could I do this, if it is possible?

    It is an ASA5510 with 8.4(3) software.

    Thank you



    Start here:

    Auto signon or single signon is the usual term.


  • ASA allows only 1 IPsec RAS VPN client

    Hi all

    I have a strange problem where an ASA 5510 configured for IPsec-over-UDP RAS VPN allows only one client's VPN traffic through.

    Other clients can connect successfully (obtain IP/DNS etc., auth using LDAP) but only the first connected client is able to browse internal resources. The others show 0 decrypted packets when I check the statistics. I have confirmed that it is not a licensing problem, as the default IPsec license allows up to 250 clients, I believe. Has anyone had this problem in the past?



    It is usually a problem with the translations on the NAT/PAT device in front of these multiple machines:

    Check that the translations look correct on that device. There should be a translation for each VPN client.

    There were also a few bugs with multiple clients behind the same PAT, such as CSCse03299, but those had to do with IPsec over TCP connections.


  • Force authentication only on a predefined interface


    Is it possible to set up an IPsec tunnel for a certain group only on a predefined interface? And how?

    ISAKMP must be enabled on all interfaces, because I tunnel on any interface.

    Thank you.


    Well, you can remove the sysopt connection permit-vpn command and allow only VPNs via ACL. This command lets crypto-terminated traffic bypass ACL checks by the firewall; it is enabled by default. Disable it and allow each SPECIFIC IP access to the specific crypto interface. Or refuse some and allow others (this would be particularly relevant on the outside).

    ASA 8.1 added support for NetFlow, but only on the higher-end models (5580-XX). Perhaps we'll see it on other models in the future as well.



  • ASA 5510 using only the GB interfaces

    I am looking at whether I should use a 5510 to provide two interfaces for broadband VPN connections from only a few sites. Our 5505s (I have dozens) cannot manage speeds of more than 100 Mb, and I now have a few FIOS sites beyond that, 150 to 300 Mbps. I want a base 5510 that needs to manage a few voice/data sites and just use two interfaces. Does a base 5510 allow 2 gigabit ports or just FE interfaces? I have to be able to use 2 GB interfaces and no others. I don't know whether the 5510 will support the same QoS settings that I use on the 5505s... I just need more interface speed so that I'm not bottlenecking data (I know I could use several 5505s and spread the load, but that's not how I want to do it, for other reasons). Thank you


    To my knowledge the ASA5510 supports 2 x 1 Gbps interfaces when you have the Security Plus license for the ASA. The Base license only has 100 Mbps interfaces.

    Take a look at this document for more information on the licensing mentioned above.

    It's a document for the 8.2 version, but it still applies even to 9.x regarding the Security Plus license requirement to get the 2 x 1 Gbps interfaces.

    The documentation for the ASA5500 series promises 300 Mbps throughput for the ASA5510 model, but I guess that's an approximate value. In the most recent document, two values are given, max throughput and Multiprotocol.

    Here's a link to the document


  • Double authentication problem with Oracle EBS and APEX


    I am currently working on a project to integrate APEX 4.2.4 with Oracle EBS 12.1.3. We have completed the configuration recommended in the Oracle white paper. I attached the APEX application to an EBS responsibility; when I click on the APEX page from EBS, it navigates me to the APEX login page, and after I enter my credentials it shows the "No data found" error on the page. Then when I click the OK button it once again navigates me to the APEX login page and validates my login information, allowing me to enter APEX successfully.

    It's really annoying for us to have to log in twice. I would appreciate your help with this problem as soon as possible.

    Deployment environment


    Database: Oracle 11g

    APEX version: APEX 4.2.4

    Oracle EBS Version: R12.1.3

    Application servers: Apache TomCat 7.0.56 (for APEX), Oracle HTTP Server (EBS)

    Web listener: Oracle REST Data Services (2.0.6)

    Authentication: Custom authentication (login page validates EBS users)

    Thank you


    It seems that the constructed URL is not allowed. EBS does not build a valid string. You can see where it puts "CallFromForm" and then adds "&p=..." to the URL.

    The white paper mentions a required patch; you need it to resolve this problem.

    Use the FND gateway. If you do not need to pass parameters from your form to APEX, Oracle now provides a GWY.jsp which allows you to launch APEX. Install the R12 patches 12316083 and 12726556. Then use GWY.jsp from your form as described in the white paper "Extending Oracle E-Business Suite Release 12 using Oracle Application Express".

    Patch 12316083 is mentioned in the white paper; you are missing 12726556.


    This bug fix solves the problem with the APEX launcher when launching a whole APEX page from the Oracle E-Business Suite forms-based user interface. An additional URL parameter, 'CallFromForm', used to be added to the APEX URL, which caused the APEX page to fail.

  • Delete the double tab ONLY in notes


    I'm new to GREP, but I probably need to use it to save tons of work.

    I am laying out a big book (1000+ pages) and I have to

    (1) delete all the double tabs at the beginning of the references (see the first photo, black circle) <- and only the double tab at the beginning of the references, so I can't use normal find...

    (2) delete all the tabs at the beginning of the paragraphs (see the first photo, red circle) <- and only at the beginning of the paragraph, so... I can't use normal find.

    For the first problem I tried to use this code: ~F+\t\t, replaced with an empty string, and it kind of worked, but unfortunately it erases the reference number too (see photo 2, black circle).

    Any help?


    Any help will be appreciated, thanks a lot.

    For notes you can use (?<=~F)\t+ (which will find one or more tabs after the marker) or you can use (?<=~F)\t{2} to find exactly two, or modify to suit yourself. The important part is the

    For your other paragraphs, use ^\s+ to remove any white space at the beginning of a paragraph.

  • Authentication only on selected app pages


    I have an application with about 20-25 pages, all mainly reports.
    In this application there is one page for making changes to the data.

    I want the other pages to be PUBLIC, but when the end user goes to edit this page, I want to check for authentication.

    So basically I want authentication for this single page only, not for any other page.

    Please suggest how I can do this.

    Kind regards


    Go to the page definition and change the authentication to "Page is Public" for the public pages.

    BR, Jari

    Published by: jarola on November 18, 2009 12:08

  • Fingerprint with dual authentication

    Hey everyone, I have an HP Pavilion DV6 with the SimplePass fingerprint reader (Windows 7).

    I want to know if I can do two-step authentication at my login screen. For example, once I reach my login screen, is it possible for the system to ask me for both my Windows password AND my fingerprint before allowing me to log in (like Lenovo does)?

    Thank you.

    By itself the SimplePass application allows you to use your fingerprint to automatically enter your Windows password; there is no option to require both.


    I inadvertently "REMOVED" the recognition of the 5 GHz 'network' in a menu that allowed me to "remove unnecessary networks." I thought I was doing the right thing, but deleted the 5 GHz one by mistake. Now I just can't get the 5 GHz side of the card to show as an available network when I click available networks at the bottom right of my screen.

    My Linksys dual-band router is certainly putting out 2 and 5 GHz because I can see them on other PCs in the house and on my iPhone 6. It's only the HP All In One which now lacks the recognition of 5 GHz.

    It was working fine before my despicable act. I could easily switch between 2 GHz and 5 GHz...

    I rebooted and reset the router; I can see the 'admin' menu for the router on this computer. I restarted my HP. I tried restoring my PC to an earlier point, with no effect. It seems that somehow I simply deleted a vital setting or flipped a vital switch that prevents this HP WiFi adapter from receiving or switching to the 5 GHz range, leaving it defaulting to only 2 GHz.

    My system details also show that it is a working Ralink 3290 802.11 bgn adapter.

    Is there a way to turn this back on? How do I re-establish the 5 GHz network on this HP?

    Any help out there?

    George P

    You are very welcome.

    That is right. No 'a' = no 5 GHz.

    I can't explain why you thought you saw other 5 GHz networks on your PC.

    The only wireless networks that should be visible on your PC are in the 2.4 GHz band, because that's all the Ralink card in your model can see.

    You might be able to replace the card with a dual-band wireless card, but I can't say for sure. Some PCs have a BIOS lock that prevents users from installing a different wireless card.

    You would have to make sure your PC has two antennas connected to the current Ralink wireless card, because all dual-band cards have at least two antenna terminals to connect to.

    I would say the best thing you can do would be to go to your local office supply store and pick up an external dual-band USB wireless network adapter.

    They make USB wireless adapters now, so you can get one of those.

    You wouldn't have any compatibility or hardware issues with an external USB card, and wouldn't need to worry about BIOS locks or the number of antennas inside your PC.

  • ASA HTTPS AAA authentication rule prompt

    I'm trying to configure a simple AAA rule in my lab to allow access to an internet web server via TACACS+ authentication (see attached configuration).

    This setup seems to work fine when the authentication prompt is displayed using HTTP, while the HTTPS login page seems to have some problems, with a certificate error reported by the browser and the message: SSL_ERROR_BAD_MAC_READ

    It seems that the HTTPS login page redirection is not allowed due to a mismatch between the server address and the certificate.

    Advice and suggestions will be greatly appreciated.

    Seems to be a known issue.

    Kind regards


    ~ Please rate helpful posts.
