Supported authentication
methodsThis technical integration guide describes how to integrate a Cisco ISE Series Adaptive Security Appliance and Identity as a Service. The Cisco ISE allows your remote access Gateway (IPsec or SSL) to communicate with Identity as a Service. The Cisco ISE allows your remote access Gateway (IPsec or SSL) to communicate with Identity as a Service. You can integrate Identity as a Service with a RADIUS server. In this environment, the Identity as a Service RADIUS agent intercepts messages between the VPN server and the RADIUS agent.
Before you begin, review the following:
Supported authentication
methods| Authentication method | Notes | Supported protocols |
Password |
Password authentication is first-factor authentication with Identity as a Service password feature. |
PAP |
RADIUS |
RADIUS authentication is first-factor authentication with a RADIUS server. |
PAP |
External |
External authentication is first-factor authentication with an LDAP-compliant directory or a Windows domain controller through Kerberos. |
PAP |
Grid* |
Two-step authentication only. |
PAP |
Token |
Hardware/software |
PAP |
Temporary Access Code |
|
PAP |
One-time password |
Two-step authentication only |
PAP |
Knowledge-based questions and answers |
The RADIUS proxy only supports a single question and answer. For CHAP and MS-CHAP, the answer must be an exact match. Two-step authentication only. |
PAP |
Risk-based |
IP/Geolocation only. Machine authentication must be disabled from the risk‑based policies. Normal or enhanced security level (not both). The VPN server must be able to transmit the VPN client’s IP address. |
PAP |
Note: The PA-VM supports only CHAP authentication methods with RADIUS.
PrerequisitesComplete the following steps before integrating your authentication system with Identity as a Service:
1. Install and configure your first-factor authentication resource using the documentation provided by the vendor. The first-factor authentication resource can be a RADIUS server or an external authentication resource (a Local DB, LDAP-compliant directory or Windows domain controller through Kerberos).
2. Install and configure the RADIUS appliance using the documentation provided by the vendor. The device must be able to route traffic before integrating with Identity as a Service.
3. Install and configure Identity as a Service and an Identity as a Service Gateway (containing a RADIUS proxy agent). Take note of the shared secrets, IP addresses, and ports you use. You need this information to configure the RADIUS appliance and first-factor authentication resource.
4. If you want to configure your RADIUS appliance and first-factor authentication resource to recognize Identity as a Service user groups, you must define the Identity as a Service user groups first.
Complete the following steps to integrate Cisco ISE with IDaaS.
Step 1: Configure
Cisco ISE as an AAA clientThe following procedure describes how to configure the Cisco ASA to use the Cisco ISE. It is assumed that you are familiar with the administration interface of the CiscoASAv Series appliance. All examples use the Cisco ASDM interface.
To set up the Cisco ASAv Series appliance, you must add the Cisco ISE as an AAA (Authentication Authorization Accounting) client, and then configure an IPSec connection profile, or a Clientless SSL connection profile, or both.
Configure Cisco ISE as an AAA Client
1. Log into the Cisco ASDM Version 7.4(1) or later.
Note: Before you run the ASDM launcher you must install or downgrade the Java version 7 update 45.
2. Click the Configuration tab.
3. Click Remote Access VPN. The Introduction page appears.
4. In the Configuration > Remote Access VPN tree menu, expand AAA Local Users Setup and select AAA Server Groups.
The AAA Servers Group page appears.
5. In the AAA Server Groups pane, click Add. The Add AAA Server Group dialog box appears.
6. In the Add AAA Server Group page, do the following:
a. In the AAA Server Group field, enter the name of your AAA server group (for example, Identity as a Service).
b. In the Protocol drop-down menu, select LDAP.
c. Enter 5 in the Max Failed Attempts field.
d. Leave the other settings at the default values.
e. Click OK to save your new AAA server group and close the dialog box. You are returned to the AAA Servers Group page.
7. In the AAA Server Groups pane, select the server group you just created (for example, Identity as a Service).
8. In the Servers in the Selected Group pane, click Add. The Edit AAA Server dialog box appears.
9. Configure the new AAA server by doing the following:
a. In the Interface Name drop-down menu, select the appropriate interface.
Note: The interfaces in this menu are the interfaces that you configured when you installed your Cisco ASAv Series appliance. Select an interface on the corporate network side of the appliance where the Active Directory server can be reached.
b. In the Server Name or IP Address field, enter the IP address or host name of the Active Directory.
c. In the Timeout field, select 20 seconds or you can increase timeout settings as per the requirement.
d. Select the Enable LDAP Over SSL check box.
e. For the Server Type, select Microsoft from the drop-down list.
f. In the Base DN field, enter the domain name (for example, if your Active Directory has a domain name such as user.mycompany.com, then you need to specify Base DN dc=igsuser,dc=mycompany,dc=com).
g. From the Scope drop-down list, select All Levels beneath the Base DN.
h. Enter the Naming Attribute name (for example, sAMAccountName).
i. In the Login DN field, enter the login domain name (for example, cn=administrator,cn=users,dc=iguser,dc=mycompany,dc=com).
j. In the Login Password field, enter the Active Directory administrator account password.
k. Leave the other settings at the default values.
l. Click OK to save the new server.
10. To add a new RADIUS server, in the AAA Server Groups pane, click Add. The Add AAA Server Group dialog box appears.
11. In the Add AAA Server Group page, do the following:
a. In the AAA Server Group field, enter the name of your AAA server group (for example, Cisco ISE).
b. In the Protocol drop-down menu, select RADIUS.
c. Enter 5 in the Max Failed Attempts field.
d. Leave the other settings at the defaults values.
e. Click OK to save your new AAA server group and close the dialog box. You are returned to the AAA Servers Group page.
12. In the AAA Server Groups pane, select the server group you just created (for example, Identity as a Service).
13. In the Servers in the Selected Group pane, click Add. The Add AAA Server dialog box appears.
14. Configure the new AAA server by doing the following:
a. In the Interface Name drop-down menu, select the appropriate interface.
b. In the Server Name or IP Address field, enter the IP address or host name of the Cisco ISE.
c. In the Timeout field, set the overall request timeout for VPN to at least 90 seconds.
Note: You need to increase this value if you are using TVS (Mobile ST) authentication. This can also be confirmed by tracking how long a VPN request actual waits before it fails due to a timeout.
d. In the Server Authentication Port field, enter the port number of the RADIUS server where the Identity as a Service RADIUS proxy sends requests. The default Identity as a Service port is 1812. The port number may change if you are configuring multiple groups to work with Entrust Identity as a Service.
e. From the Retry Interval drop-down menu, select 10 seconds.
f. In the Server Secret Key field, enter the Cisco ISE shared secret.
g. If required, change any other values to meet your organization’s requirements.
Note: You can leave the Common Password field with the default value because it is only used with a RADIUS authorization server. Entrust Identity as a Service provides only authentication.
h. Select the Microsoft CHAPv2 Capable check box.
i. Click OK to save the new server.
15. If required, add another AAA server group.
Step 2: Configure
a clientless Web SSL connection profileThis configuration lets users establish a secure, remote-access VPN tunnel to the corporate network using a web browser.
Configure a clientless Web SSL connection profile
1. Log into the Cisco ASDM Version 7.4(1) or later.
Note: Before you run the ASDM launcher you must install or downgrade the Java version 7 update 45. Use Cisco documentation guide to download ASDM setup.
2. Click the Configuration tab.
3. Click Remote Access VPN. The Introduction page appears.
4. Select Clientless SSL VPN Remote Access (using Web Browser) on the right-pane in ASDM.
5. Click the ASDM Assistant link. The ASDM Assistant search results appear.
6. Scroll the ASDM Assistant search results until you see the Clientless SSL VPN Connection Profile, as shown in the above screenshot.
7. Click the Clientless SSL VPN Connection Profile link. The Connections Profile page appears.
8. In the Connections Profile pane, click Add.
The Add Clientless SSL VPN Connection Profile page appears.
9. In the tree view, select Basic and then complete the following:
a. In the Name field, enter a name for the clientless connection profile.
b. In the Aliases field, enter an alias for the connection profile. The alias is what the user will select from on the Web SSL login page. If the alias contains a space, enclose it in quotation marks (for example, "Sample Alias").
c. For the Authentication Method, select AAA.
d. From the AAA Server Group drop-down list, select the Active Directory server group.
e. From the DNS Server Group drop-down list, select the DefaultDNS server group.
f. In the Servers field, enter the IP address of the DNS server group.
g. In the Domain Name field, enter the DNS domain name.
h. From the Group Policy drop-down list, select a group policy.
i. For the Enable clientless SSL VPN protocol setting:
– Select this option when using browser-based SSL VPN access.
– Deselect this option when using the AnyConnect client in Web Launch mode.
Note: Consult the Cisco documentation for more information about this option.
10. In the tree view, expand Advanced > Secondary Authentication.
11. In Server Group drop-down list, select the secondary authentication type Cisco ISE.
12. Select the check box Use primary username (Hide secondary username on the login page) if you do not want to use the secondary username.
13. Click OK to close the Add Clientless SSL VPN Connection Profile dialog box.
14. In the tree view, expand Clientless SSL VPN Access and click Connection Profiles. The Connection Profiles page appears.
15. Under Login Page Setting, select Allow user to select connection profile on the login page if you want to allow users to select a connection profile on the login page.
Note: If you did not select the Allow user to select connection profile on the login page option, you must add a group URL to the connection profile.
16. Add a group URL to the connection profile by doing the following:
a. In the tree view, expand Clientless SSL VPN Access > Advanced and select Group Alias/Group URL.
b. In the Group URLs pane, click Add. The Add Group URL dialog box appears.
c. In the URL field, enter the URL with the group name. For example, https://mycompany.com/salesvpn
d. Select the Enabled check box.
e. Click OK to close the Add Group URL dialog box and add the group URL.
17. Click Apply to save the changes.
You have now configured an Adaptive Security Appliance for groups configured to use a Web VPN tunnel.
Step 3: Configure
a Cisco AnyConnect VPN connection profileThis configuration establishes a VPN tunnel by Cisco AnyConnect VPN Client running on the user’s PC. Once the network tunnel is established, the remote user can access the corporate network in the same way as being on-site.
Configure Cisco AnyConnect Secure Mobility VPN Client
1. Log into the Cisco ASDM Version 7.4(1) or later. The Cisco ASDM home page appears.
Note: Before you run the ASDM launcher you must install or downgrade the Java version 7 update 45. Refer to the Cisco documentation guide for download ASDM setup information.
2. Click Wizard > VPN Wizards > AnyConnect VPN Wizard as shown.
The AnyConnect VPN Connection Setup Wizard appears.
3. Click Next. The Connection Profile Identification page appears.
4. In the Connection Profile Name field, enter a name for your connection profile name, for example, AnyConnect-Profile.
5. From the VPN Access Interface, select the interface the remote access users will access for VPN connection from the drop-down list.
6. Click Next. The VPN Protocols page appears.
7. Select the VPN Protocols you would like to this connection profile to support (SSL, IPsec or both).
8. Select the Device Certificate from the drop-down list, or click Manage to create a self-signed certificate or deploy a certificate.
9. Click Next. The Client Images page appears.
10. Click Add to select an AnyConnect Image file. The Add Any Connect Client Image dialog appears.
11. Select Browse Flash or upload from the local folder if you have already downloaded AnyConnect *.pkg format file from the Cisco website.
12. Click OK and then click Next. You are returned to the Client Images page.
13. Click Next. The Authentication Methods page appears.
14. From the AAA Server Group drop-down list, select the Active_Directory server group, which you have added during AAA server group configuration.
If you have not yet added an AAA Server, click New to create an AAA Server.
15. Click Next. The Client Address Assignment page appears.
16. From the Address Pool drop-down list, select the address pool name. If you have not yet added an address pool, click New to create.
17. Click Next. The Network Name Resolution Servers page appears.
18. In the DNS Servers field, enter the DNS Server IP address.
19. In the Domain Name field, enter the domain name.
20. Click Next. The NAT Exempt page appears.
21. Select Exempt VPN traffic from the network address translation check box.
22. From the Inside Interface drop-down list, select the inside interface.
23. In the Local Network field, select any4.
24. Click Next. The AnyConnect Client Deployment page appears.
25. Select the Allow Web Launch check box and then click Next. A Summary page appears.
26. Click Finish to apply the AnyConnect configurations and close the VPN Wizard.
27. In the Remote Access VPN tree view, select AnyConnect Client Profile. The AnyConnect Client Profile page appears.
28. Click the AnyConnect profile that you have created and then click the Edit tab.
29. Click the VPN tree and select Preferences (Part 2) as shown to display the Preferences (Part 2) page.
30. Scroll the page until you see the Authentication Timeout settings.
31. In the Authentication Timeout field enter 90. (This setting allows users to have enough time to get the new transaction challenge message on mobile soft token.)
32. Click OK and then click Apply to save the changes.
Step 4: Configure
Cisco Identity Service EngineTo configure Cisco Identity Services Engine
1. Log into the Cisco Identity Services Engine.
The Cisco ISE dashboard appears.
2. In the Cisco ISE dashboard page, go to Administration>Network Resources>Network Devices. The Network Device page appears.
3. In the Network Devices page, perform the following.
a. In Network Devices, click Add.
b. In the Name field, enter Cisco ASA.
c. In the IP address field, enter Cisco ASA IP address.
d. Select Radius Authentication settings.
e. In the Radius UDP Settings> Shared Secret, enter the same shared secret configured during AAA radius server on Cisco ASA.
f. Click Submit to save the changes.
Step 5: Configure
Cisco ISE external identity resourcesTo configure Cisco ISE External Identity Resources
1. In the Cisco ISE dashboard page, go to Administration>Identity Management>External Identity Sources. The External Identity Sources page appears.
2. In the External Identity Sources>RADIUS Token, do the following.
a. Click Add. The RADIUS Token Identity Sources page appears.
b. In General>Name field, enter name, for example, Identity as a Service.
c. In the Connection>Primary Server>Host IP, enter the IP address of RADIUS server being used by Identity as a Service.
d. In the Connection>Primary Server>Shared Secret field, enter a shared secret value.
e. In the Connection>Primary Server>Authentication Port field, enter 1812.
f. Leave the other settings at the default values.
3. Click Save.
Step 6: Configure
Cisco ISE external authentication policyTo configure Cisco ISE Policy
1. In the ISE Dashboard page, go to Policy>Policy Sets>Default. The Policy Sets Default page appears.
2. Click Authentication Policy to expand the menu.
3. In the Default row under Use, select the RADIUS Token Identity Source you created in Step 5: Configure Cisco ISE external identity resources (for example, Identity as a Service).
4. Click Save.
Step
7: Add Cisco ISE to Identity as a Service
Note: Entrust recommends that when multiple RADIUS applications are configured that each RADIUS application is given a unique shared secret.
Integrate a RADIUS client
1. Click
> Security > Applications. The Applications
page appears.
2. Click Add. The Select an Application Template page appears.
3. Under RADIUS and VPN Integrations, click Cisco ISE. The Add Cisco ISE page appears.
4. Optional: Edit the Application Name.
5. Optional. Enter a Description for your application.
6. Optional. Add a custom application logo as follows:
a. Click 
next
to Application Logo. The Upload
Logo dialog box appears.
b. Click 
to select an image file to upload.
c. Browse to select your file and click Open. The Upload Logo dialog box displays your selected image.
d. If required, resize your image.
e. Click OK.
7. Click Next. The Setup page appears.
8. Click Add to next to Hosts to add the host name of the VPN server. The RADIUS agent receives the request on this host. The RADIUS Agent on the Gateway determines the RADIUS application the request is for based on the host name and port.
9. Enter the host name in the Host dialog box and then click OK. Repeat this step to add more host names.
10. In the Port field, enter the port on which the RADIUS agent accepts messages.
Tip: Do not enter 8443 as the port number for this application. Port 8443 is used by the Entrust Identity Enterprise agent in your Gateway.
Attention: The RADIUS agent
uses the host name that sent a request and the port number that it
received the request from to determine which RADIUS application made
the request. Because of that:
–Two RADIUS applications with the same port value cannot share any
host names.
–Two RADIUS applications that have one or more matching host names
must have different port values.
11. In the Shared Secret field, enter the shared secret that is used by your VPN server. This is the RADIUS secret shared between your VPN server and the RADIUS server. The shared secret value must match a shared secret in your RADIUS client.
12. From the Select RADIUS Agent drop-down list, select the name of the Gateway containing the RADIUS agent to which this application will be assigned.
13. Optional: From the Select RADIUS Attribute for IP Address drop-down list, select the RADIUS attribute that corresponds to your IP location.
14. In the Challenge Response Queue Max Time field, set the number of seconds that the RADIUS agent waits for a response to first-factor authentication. The default value is 180 seconds.
15. In the Challenge Response Queue Max Size field, set the maximum number of second-factor challenge requests allowed in the queue of your RADIUS application. The default value is 1000 requests. The maximum value is 10,000.
16. In the Request Cache Timeout field, set the number of seconds to cache requests. The default value is 10 seconds.
17. From the Character Set drop-down list, select the character set used to decode and encode string values (including the user ID and password values) in RADIUS messages. The options are UTF-8 and ISO-8859-1.
18. Optional: Select Log RADIUS messages to enable RADIUS message logging. When enabled, messages for the RADIUS agent are logged to the same log file as the gateway logs.
19. Optional:
Enable the Authentication Settings.
Select Enable Push Authentication Fallback if you want to authentication to fallback to another authenticator in the event of a failure. If required, set the Push Authentication Fallback Timeout to the number of minutes before the push authentication times out.
Select When authenticating the user will be asked to select their second-factor authenticator. When selected, after the user responds to the first-factor challenge, they are prompted to select their second-factor authenticator. The list of available second-factor authenticators is set by the resource rule.
The following is a list of supported strings matched to the authentication types:
Grid: grid
Knowledge-based Authentication: kba
One-time password: email, sms, voice
Smart Credential Push: scpush
Temporary Access Code: tac
Token: token
Token push: push
Select Indicate if requests must include the message-authenticator attribute for incoming messages to include the message-authenticator attribute for incoming messages.
Select Indicate if requests must include the message-authenticator attribute for outgoing messages to include the message-authenticator attribute for outgoing messages.
Select Remove domain from user ID for incoming requests to remove the domain value from the user ID during authentication when the user ID provided by the RADIUS client is in the format domain\username and the user ID in IDaaS is in the format username.
Select Indicate if Active Directory password authentication requests are handled by the same Gateway Instance that initiated the request to require that Active Directory password authentication and change requests that are initiated as part of the RADIUS authentication are handled by any Gateway Instance in the same Gateway cluster that initiated it. If disabled, the request is handled by any Gateway Instance.
Select Enable one-step multi-factor authentication. When enabled, the user enters their user ID and then their password and token response in the password field. If you select this option, second factor authenticators available in the resource rule are limited to token and temporary access code.
Enter the One-step multi-factor authentication security token length. This is the length of the token or temporary access code response if you enable one-step multi-factor authentication.
20. Optional.
Add Response Attributes. Response attributes are
returned to the RADIUS application after successful authentication.
Use this setting to configure RADIUS attributes to return information
such as the user's group information to the VPN server.
When adding response attributes, you optionally add group filters. For example:
Example:
Users in IDaaS may belong to one of the following groups CANADA,
US, UK, FRANCE.
The VPN server wants the FilterID attribute returned from the IDaaS
RADIUS agent to be the value NA or EUROPE, depending on whether
the user is in NA (Canada, US) or Europe (UK, France).
To do this, use a RADIUS attribute filter for the FilterID attribute
with a Groups value with the following filters:
- match CANADA, replace NA
- match US, replace NA
- match UK, replace EUROPE
- match FRANCE, replace EUROPE
Set the Response Attributes as follows:
Click
Add. The Add
a Response Attribute
dialog box appears.
Select the RADIUS Attribute ID from the drop-down list. The option you select depends on your VPN vendor.
Select the Value Type from the drop-down list.
To return a static value specific in the RADIUS attribute definition, select Static and enter a Value in the field and then click Add.
To return the user’s group membership, select Group and then optionally do the following:
Click Add to add filters.
Enter the Match and the Replace attribute filters.
Click Add to add more attribute filters.
If you add multiple filters, you can drag and drop them in order of preference.
Select Stop after matching filter if you only want one the filter to return one value. Using the example above, if you want NA to have preference over Europe, make sure to list Canada and US in the list of filters.
Multiple Values Per Attribute, enter the Value Separator and then click Add.
Note: If a user belongs to more
than one group, you can either add a separate attribute to your
RADIUS response for each group or you can combine all of the groups
into a single attribute. For example, if the user belongs to G1,G2,G3
then you would
- return a RADIUS response with three attributes
OR
- return a RADIUS response with one attribute and a value like
“G1,G2,G3” where the , is defined in the Value Separator setting
or a value like “G1 G2 G3” where the Value Separator is defined
as a space.
Attention: The default group separator is a space. If you have group names that are separated by a space, use another separator, such as a comma.
Repeat these steps to add more response attributes.
21. Optional: Configure the EAP Settings to set up the application to use the EAP RADIUS authentication protocol.
a. Select EAP Enabled to allow the RADIUS application to accept EAP messages.
– When enabled, authentication messages with EAP content are treated as EAP requests. The application can accept only EAP authentication requests.
– When disabled, incoming authentication requests are processed by the RADIUS application as a standard RADIUS authentication request (even if the request includes EAP content). In this case, the application can accept only standard RADIUS authentication requests.
b. Select the EAP Protocol from the drop-down list. The options are PEAPv0 with MS-CHAPv2 and PEAPv1 with GTC.
This setting defines the type of EAP authentication protocol that is performed on EAP requests received by the RADIUS application. Consult the configuration requirements of your VPN server to determine which EAP protocol to select.
c. Select Return MPPE Keys to include the MPPE (Microsoft Point-to-Point Encryption) recv and mppe send keys in the Access-Accept message returned during a successful EAP authentication. The setting is enabled by default.
d. Select Use PEAPv1 label when calculating MPPE Keys to use the PEAPv1 label when calculating the mmpe recv and mppe send keys.
e. Leave the Minimum TLS Version, Maximum TLS Version and Allow Weak Ciphers at the default settings unless you have an older VPN and need to configure these settings to allow older versions of TLS or weaker ciphers to interoperate with older VPN servers that do not support the latest versions.
22. Configure the Deprecated Settings if your RADIUS application is connected to a Gateway version older than 3.0. These values are only required for backwards compatibility.
a. Select Token OTP Only, Password with second-factor, or No first-factor as the Authentication Type. This setting defines the level of authentication required to access a RADIUS application that relies on a gateway RADIUS agent configured before release 3.1.
Note: MSCHAPv2 authentication is not supported when No first-factor authentication is configured for the RADIUS application.
23. Click Submit.
Step 8: Protect
Cisco ISE with a resource rule● Resource rules for RADIUS applications only include the Date / Time, Geolocation and Source IP Address condition restriction.
● The Authentication Decision steps that you can select for a RADIUS application resource rule depend on whether the RADIUS application uses EAP RADIUS authentication.
● If the settings of a RADIUS application on Identity as a Service are modified so that the application uses EAP RADIUS authentication, or the type of EAP protocol used is changed, the resource rule associated with the RADIUS application is automatically updated.
● RADIUS applications with no EAP support the following second-factor authenticators: knowledge-based authentication, temporary access code, one-time password, grid, hardware/software token, token push, and smart credential push.
● RADIUS applications with RADIUS MSCHAPv2 support only temporary access code and hardware/software token second-factor authenticators.
● When creating a resource rule for a RADIUS application, you can select EXTERNAL+no second-factor.
● RADIUS applications with RADIUS GTC support the following second-factor authenticators: software/hardware token, one time password, grid, temporary access code, knowledge-based authentication.
Create a resource rule to protect access to a RADIUS application
1. Log in to your Identity as a Service administrator account.
2. Click
> Security
> Resource Rules. The Resource Rules List
page appears.
3. Click + next to the application you want to protect with a resource rule. The Add Resource Rules page appears.
4. Enter a Rule Name and Rule Description for the resource rule.
5. In the Groups list, select the group or groups of users restricted by the resource rule.
These are the groups to which the resource rule applies. If you do not select any groups, by default the resource rule applies to all groups.
Attention: You must maintain the default of all groups if you want to allow external authentication and bypass second-factor authentication for users who do not already exist in Identity as a Service. External Authentication without second-factor is only available to low risk users of RADIUS applications that support External Authentication.
6. Click Next. The Authentication Conditions Settings page appears.
7. If you do not Enable Advanced Risk Factors, do the following:
a. Select the Authentication Flow from the drop-down list. The Authentication Flow flowchart updates based on the selection.
b. Click Submit to save the Resource Rule.
8. If you want to Enable Advanced Risk Factors, complete the remaining steps in this procedure.
9. Select Enable Advanced Risk Factors to add additional risk factors to the resource rule.
10. Select Enable Strict Access for Application to set the resource rule to deny access regardless of the outcome from other resource rules. If this option is disabled for any resource rule that denies access, the user is allowed access if at least one resource rule allows access.
11. For each Advanced Risk Factor, click the Deny option to deny access to the application if the risk factor fails regardless of the results of the other risk factors.
12. Click Date/Time to set the conditions as follows:
a. Select one of the following:
– Allow Date/Time to set when a user can access the application.
– Deny Date/Time to set when the user cannot access the application.
The Date/Time Context Condition Settings appear.
b. Select the Condition Type:
– Specific Date Range Condition—Allows or denies access to the application during a select period of days.
– Time-of-day and/or Day of Week Recurring Conditions—Allows or denies access to the application on a specific time of day, day of the week, or both. Recurring times selected only apply to days not denied.
– Clear Selection—Clears existing Date and Time conditions.
c. Set the Condition Type settings, as follows:
i) Select Use local time zone to use the local time zone or deselect Use local time zone to use the local time zone and begin typing the time zone in the Begin Typing Timezone name field and select the time zone from the drop-down list.
ii) If you selected Specific Date Range Condition, click Start Date to select a start date from the pop-up calendar. Optionally, select the End Date.
iii) If you selected Time-of-Day and/or Day-of-Week, click Start Time and select the start time from the pop-up clock. Optionally set the End Time. You must also select the days of the week for the condition.
d. Click Save to return to the Authentication Conditions Settings page.
13. Click Geolocation to set the Location Condition Settings, as follows:
a. Select Allow or Deny to create an allowed or denied country list.
b. From the Selected Countries drop-down list, select the countries to add or deny access to the application. Repeat until you have added all the desired countries to the list.
c. Select Allow Anonymous IP Address to increase the risk of users authenticating from an anonymous IP.
d. Click Save to save to return to the Authentication Conditions Settings page.
14. Click Source IP Address. The IP Address Risk Setting dialog box appears. Do one of the following:
a. Select Custom and add the required IP Allowed Addresses and IP Denied Addresses.
b. Select IP List Address and select the IP List to allow or deny.
c. Select None to not restrict any IP addresses.
d. Click OK to return to the Authentication Conditions Settings.
15. Define the Location History / Known Locations and Travel Velocity conditions.
The Risk-Based Authentication (RBA) settings of your Identity as a Service account define the location history and travel velocity conditions. See Manage risk-based authentication settings for more information.
16. Set the risk score for application conditions to set the risk percentage a user receives if they fail to meet the condition, as follows:
● Click the dot next to the condition setting and slide the risk scale to the risk percentage
-or-
● Click the 0% and enter the risk points and then click OK.
The default setting is 0%. The Risk percentage determines the authentication requirements as set by the Authentication Decision. When a user attempts to authenticate to an application, the final risk percentage is the sum of all failed conditions.
17. Set the Authentication Decision risk level for Medium Risk and High Risk as follows:
a. Click the risk threshold percentage to the right of Medium Risk or High Risk. The Risk Threshold dialog box appears.
b. Enter the risk percentage.
c. Click OK.
18. Select the Authentication Flows for Low Risk, Medium Risk, and High Risk from the drop-down lists. The Authentication Flows flowchart updates based on your selections.
19. Click Submit to create the resource rule.
Step 9: Test the integration using one of these methods:
Test
using the Cisco VPN Client
1. Launch the Cisco VPN Client and click New to create a new VPN connection entry.
The Create New VPN Connection Entry window appears.
2. In the Connection Entry field enter a name for the connection entry (for example, Sales Remote).
3. Enter the IP or hostname of the ASA in the Host field.
4. Under the Authentication tab, ensure Group Authentication is selected.
5. Enter the IPSec Connection Profile information that was created previously. The password is the Pre-shared Key.
6. Click Save.
7. Click Connect on the newly created Connection Entry. You are prompted to authenticate.
8. Enter the username and password of an Identity as a Service user. The password depends on the first-factor authentication that you have configured for Identity as a Service.
9. Click OK. You are prompted for your second-factor challenge.
1. Open a web browser and navigate to the Web SSL login page.
The Login page appears.
2. Enter the username and password of an Identity as a Service user. The password depends on the first-factor authentication method defined.
Note: Logging in as an Active Directory user causes a 2nd Password field to appear on the login screen. The field accepts any value, but one must be entered to log in.
3. Enter the response for the second factor authentication.
You should then be authenticated to the Web SSL.
Test using the Entrust Identity app for push authentication
1. Log in with the correct first-factor username/password on your RADIUS client.
2. Open the Entrust Identity app on a mobile device.
3. Unlock (log in) using the identity you want to use to respond to the request.
4. Tap Actions.
5. Review the transaction summary details.
6. Tap Confirm.