Solved

Can I use Cisco VPN client for two-factor authentication using certs

Posted on 2009-07-14
Last Modified: 2012-08-13
I am hoping to use the certificate authentication functionality on the client, but what I need to know is if it can then prompt for a username and password for the domain.
It will be connecting to an ASA 5510

Thanks in advance
Question by:Tobinh
3 Comments
LVL 16

Accepted Solution

by:
The_Kirschi earned 125 total points
Hi,

I don't think you can use both certs and Radius at the same time. But if you want to have two-factor auth you could use a USB token secured with a password to store the cert on it. For example Aladdin eToken or RSA Token. So the user does have to have access to the token and must know the password before the cert is used.

Hth
The Kirschi
LVL 7

Assisted Solution

by:geergon
geergon earned 125 total points
Well I never did it, but if you can do a LAB feel free to try...

Are you talking about simple authentication using a user from the domain, or are you talking about an extra security layer?

I mean you can have, as The Kirschi said, an eToken with certificates, but what we are going to use is authorization, and the "user" is going to be authenticated from a parameter of the same certificate using LDAP.

Check this information:
PIX/ASA 8.x: CAC - SmartCards Authentication for Cisco VPN Client
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00809a3fa5.shtml

PIX/ASA 7.x: CAC - SmartCards Authentication for Cisco VPN Client
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809a7692.shtml

*************************************************************************
Another thing to use is a certificate instead of preshared key
*************************************************************************
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008092d8f1.shtml

I think that you can try a combination of these two examples: you can add a RADIUS server in the CAC card configuration as an extra security layer, and maybe try to use a preshared key with a trustpoint... (but maybe this one does not work). But what about if your RADIUS server also acts as an RSA proxy....

I do not know, just give it a try, try to test everything...
Author Comment

by:Tobinh
It's basically that I need to do two-factor authentication, hopefully just using the Cisco VPN client and an ASA 5510, for PCI compliance.
I'm hoping I can install a cert per machine and then use xauth to a RADIUS server in the network.
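
The layout the asker describes in the last comment (a per-machine certificate for IKE phase 1, then an XAUTH username/password checked by RADIUS), sketched as an added ASA 8.x configuration that is not from any poster in this thread. Every name, address and key in it (CORP-CA, RADIUS-INSIDE, RA-CERT-XAUTH, RA-POOL, 10.0.0.5, the shared secret) is a placeholder to replace.

```cisco
! Added example, not from the thread. All names/addresses/keys are placeholders.

! Factor 1: the machine certificate. The trustpoint holds the CA that issued the
! client certs; revocation checking keeps a revoked machine cert from passing.
crypto ca trustpoint CORP-CA
 enrollment terminal
 revocation-check crl
crypto ca authenticate CORP-CA
! (paste the CA certificate when prompted)

! Factor 2: the XAUTH username/password, checked against an inside RADIUS server.
aaa-server RADIUS-INSIDE protocol radius
aaa-server RADIUS-INSIDE (inside) host 10.0.0.5
 key REPLACE-WITH-SHARED-SECRET

! IKEv1 phase 1 must use certificates (rsa-sig), not a preshared key.
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! Tunnel group for the Cisco VPN Client: the trustpoint supplies the ASA's
! identity cert and validates the client's; the server group supplies the
! username/password prompt after the certificate exchange.
ip local pool RA-POOL 192.0.2.10-192.0.2.50
tunnel-group RA-CERT-XAUTH type remote-access
tunnel-group RA-CERT-XAUTH general-attributes
 address-pool RA-POOL
 authentication-server-group RADIUS-INSIDE
tunnel-group RA-CERT-XAUTH ipsec-attributes
 trust-point CORP-CA
 peer-id-validate req

! Select the tunnel group from the certificate's issuer rather than from a
! client-supplied group name, so a peer with no cert from CORP-CA never reaches
! the XAUTH step at all.
crypto ca certificate map CORP-CA-MAP 10
 issuer-name attr cn eq CorpIssuingCA
tunnel-group-map enable rules
tunnel-group-map CORP-CA-MAP 10 RA-CERT-XAUTH
```

A dynamic crypto map and the usual phase 2 transform set are still required and are omitted here; verify on the box with `show crypto isakmp sa` and `show vpn-sessiondb remote` that a connecting client shows both the certificate identity and the RADIUS-authenticated username.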
