Can I use Cisco VPN client for two-factor authentication using certs

I am hoping to use the certificate authenticatoin funtionality on the client but what I need to know is if it can then prompt for a username and password for the domain.
It will be connecting to an ASA 5510

Thanks in advance
TobinhAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

The_KirschiCommented:
Hi,

I don't think you can use both certs and Radius at the same time. But if you want to have two-factor auth you could use a USB token secured with a password to store the cert on it. For example Aladdin eToken or RSA Token. So the user does have to have access to the token and must know the password before the cert is used.

Hth
The Kirschi
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
geergonCommented:
Well I never did it, but if you can do a LAB feel free to try...

Are you talking about simple authentication using a user from the domain, or you are talking about an extra security layer?

I mean you can have as The Kirschi said etoken with certificates, but what we are going to use is authorization, and the "user" is going to be authenticated from a parameter of the same certificate using LDAP.

Check this information:
PIX/ASA 8.x: CAC - SmartCards Authentication for Cisco VPN Client
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00809a3fa5.shtml

PIX/ASA 7.x: CAC - SmartCards Authentication for Cisco VPN Client
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809a7692.shtml

*************************************************************************
Another thing to use is a certificate instead of preshared key
*************************************************************************
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008092d8f1.shtml

I  think that you can try a combination of this two examples, you can add a radius server in the CAC card configuration as an extra security layer, and maybe try to use a preshared key with trustpoint... (but maybe this one does not work) but what about if your radius server also act a RSA proxy....

I do not know, just give it a try, try to test everything...



0
TobinhAuthor Commented:
its basically that I need to do two-factor authentication hopefully just using the cisco vpn client and an asa 5510 for PCI compliance.
Im hoping I can install a cert per machine and then use xauth to a radius server in the network.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
VPN

From novice to tech pro — start learning today.