
Cisco Defense Orchestrator

RSA Security Two-Factor Authentication

This article provides information about two-factor authentication using RSA Security agent for RA VPN.

You can configure RSA two-factor authentication for the RA VPN. With two-factor authentication, the user must supply a username and static password, plus an additional item such as an RSA token or a Duo passcode.
Two-factor authentication differs from using a second authentication source in that two-factor is configured on a single authentication source, with the relationship to the RSA server tied to the primary authentication source.

The system has been tested with RSA tokens pushed to mobile for the second factor in conjunction with any RADIUS or AD Server as the first factor in the two-factor authentication process.

Important: CDO can only discover the DUO LDAP identity source object present in the RA VPN configuration of an onboarded device. It doesn't allow the creation or modification of this object.

You can configure RSA using one of the following approaches:

  • Define the RSA Server directly in CDO as a RADIUS server and use the server as the primary authentication source in the RA VPN.

    When using this approach, the user must authenticate using a username that is configured in the RSA RADIUS server and concatenate the password with the one-time temporary RSA token, separating the password and token with a comma: password,token.

    In this configuration, it is typical to use a separate RADIUS server (such as one supplied in Cisco ISE) to provide authorization services. You would configure the second RADIUS server as the authorization and, optionally, accounting server.

  • Integrate the RSA server with a RADIUS or AD server that supports direct integration and configure the RA VPN to use the non-RSA RADIUS or AD server as the primary authentication source. In this case, the RADIUS/AD server uses RSA-SDI to delegate and orchestrate the two-factor authentication between the client and the RSA Server.

    When using this approach, the user must authenticate using a username that is configured in the non-RSA RADIUS or AD server and concatenate the password with the one-time temporary RSA token, separating the password and token with a comma: password,token.

    In this configuration, you would also use the non-RSA RADIUS server as the authorization and, optionally, accounting server.

See the RSA documentation for information about the RSA-side configuration. https://community.rsa.com/.
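The following is an added example (not CDO, RSA or Cisco ISE code) of how the authenticating server behind either approach can split the combined password,token credential described above and verify the two factors. It splits at the last comma so a static password that itself contains a comma survives, treats a tokencode as 6 to 8 decimal digits (an assumption about the deployment), and returns a single pass/fail so the caller cannot tell which factor was wrong; the credential store and current tokencode are constructed stand-ins for the AD/RADIUS and RSA servers.

```python
import hashlib
import hmac
import re

# Constructed stand-in for the first-factor (AD/RADIUS) store:
# username -> salted SHA-256 of the static password.
_SALT = b"constructed-salt"
_FIRST_FACTOR = {
    "alice": hashlib.sha256(_SALT + b"S3cret,pass").hexdigest(),
}
# Constructed stand-in for the RSA server's current tokencode per user.
_CURRENT_TOKENCODE = {"alice": "492817"}

# Assumption: an RSA tokencode is 6 to 8 decimal digits.
_TOKEN_RE = re.compile(r"^[0-9]{6,8}$")


def split_credential(combined: str):
    """Split "password,token" at the LAST comma so that a password
    containing commas is kept intact. Returns (password, token), or None
    when there is no comma or the trailing part is not a plausible tokencode."""
    if "," not in combined:
        return None
    password, token = combined.rsplit(",", 1)
    if not password or not _TOKEN_RE.match(token):
        return None
    return password, token


def _first_factor_ok(user: str, password: str) -> bool:
    # Hash and compare even for unknown users so both paths cost the same.
    expected = _FIRST_FACTOR.get(user, hashlib.sha256(_SALT).hexdigest())
    actual = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(actual, expected) and user in _FIRST_FACTOR


def _second_factor_ok(user: str, token: str) -> bool:
    expected = _CURRENT_TOKENCODE.get(user, "")
    return hmac.compare_digest(token, expected)


def authenticate(user: str, combined: str) -> bool:
    """Evaluate both factors and report only an overall pass/fail."""
    parts = split_credential(combined)
    if parts is None:
        return False
    password, token = parts
    first_ok = _first_factor_ok(user, password)
    second_ok = _second_factor_ok(user, token)
    return first_ok and second_ok
```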
