teleformix
asked on
Cisco clientless vpn - two factor user authentication
As part of PCI compliance we are required to have a two-factor authentication in place for all remote access. We would like to use the clientless vpn option if at all possible. The problem is I haven't found any good documentation or examples to work from.
We have a Cisco ASA 5510 running the latest (or near-latest) software. I was hoping to use a certificate as the "something you have" part. We are currently authenticating users against our Active Directory domain. Can we use the CA built into the firewall or the CA on the domain controller? We don't want to spend money on a token-based solution. I'm all for other suggestions as long as they are free.
Thanks for your time.
ASKER
Unless I'm missing something, I don't see how this assigns or forces a user to have the certificate. How does this meet the two-factor authentication requirement (something you have and something you know)?
Shouldn't I have to issue a certificate or key to each user?
Previously we used SSH and I had to generate keys and assign them to each user.
ASKER CERTIFIED SOLUTION
ASKER
I'll look at the versions. I bet we are pre-8.2; I know we are 8.x but maybe not 8.2. I will take a look and let you know. I appreciate the help!
ASKER
You were right. Found this on the release notes. I'm not sure how I missed this.
" Double authentication: This feature enables the validation of two separate sets of credentials at login. For example, one-time password (OTP) can be used as the primary authentication and an Active Directory domain credential can be used for the secondary authentication method."
It is possible if you create self-certification on your ASA!
Please refer to these guides:
http://kekarlsen.nssoftware.net/?p=52
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml
Best regards,
Istvan
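As an added illustration (not configuration from this thread or from Cisco's guides), the fragment below shows how the two factors discussed above fit together on an ASA 8.x clientless profile: the user's AD password checked over LDAP ("something you know") plus a client certificate issued per user by the ASA's built-in CA ("something you have"), with the 8.2 double-authentication option shown as a commented alternative. The server group, addresses, domain, service account, usernames and tunnel-group name are assumed placeholders; check each command against the command reference for the release actually running on the 5510.

```cisco
! Added example, not from the thread. Assumed names: AD-LDAP, 10.0.0.10,
! example.com, svc-asa, jsmith, CLIENTLESS-2FA. Verify syntax for your release.
!
! Factor 1 - something you know: AD password validated over LDAP
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=svc-asa,cn=Users,dc=example,dc=com
 ldap-login-password <service-account-password>
 server-type microsoft
!
! Factor 2 - something you have: per-user certificate from the ASA local CA
crypto ca server
 issuer-name CN=asa-ca,O=example.com
 lifetime certificate 365
 no shutdown
! Each user must be enrolled and allowed individually; the CA hands the user a
! one-time enrollment passcode, so nobody gets a certificate without being issued one
crypto ca server user-db add jsmith dn CN=jsmith,O=example.com email jsmith@example.com
crypto ca server user-db allow jsmith
!
! Make the SSL VPN interface request the browser's client certificate
ssl certificate-authentication interface outside port 443
!
! Clientless connection profile: certificate AND AAA credentials are both required
tunnel-group CLIENTLESS-2FA type remote-access
tunnel-group CLIENTLESS-2FA general-attributes
 authentication-server-group AD-LDAP
 username-from-certificate CN
 ! 8.2+ "double authentication" alternative from the release note quoted above:
 ! a second credential set (e.g. OTP) instead of, or in addition to, a certificate
 ! secondary-authentication-server-group OTP-SERVERS
tunnel-group CLIENTLESS-2FA webvpn-attributes
 authentication aaa certificate
 pre-fill-username clientless
 group-alias two-factor enable
```

With `authentication aaa certificate` a session is refused unless the presented certificate chains to the ASA's CA and the AD login succeeds, and `username-from-certificate` with `pre-fill-username` ties the password attempt to the identity in the certificate rather than letting any certificate holder log in as any AD user.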