Solved

Can I use Cisco VPN client for two-factor authentication using certs

Posted on 2009-07-14
3
1,553 Views
Last Modified: 2012-08-13
I am hoping to use the certificate authenticatoin funtionality on the client but what I need to know is if it can then prompt for a username and password for the domain.
It will be connecting to an ASA 5510

Thanks in advance
0
Comment
Question by:Tobinh
3 Comments
 
LVL 16

Accepted Solution

by:
The_Kirschi earned 125 total points
ID: 24847557
Hi,

I don't think you can use both certs and Radius at the same time. But if you want to have two-factor auth you could use a USB token secured with a password to store the cert on it. For example Aladdin eToken or RSA Token. So the user does have to have access to the token and must know the password before the cert is used.

Hth
The Kirschi
0
 
LVL 7

Assisted Solution

by:geergon
geergon earned 125 total points
ID: 24855528
Well I never did it, but if you can do a LAB feel free to try...

Are you talking about simple authentication using a user from the domain, or you are talking about an extra security layer?

I mean you can have as The Kirschi said etoken with certificates, but what we are going to use is authorization, and the "user" is going to be authenticated from a parameter of the same certificate using LDAP.

Check this information:
PIX/ASA 8.x: CAC - SmartCards Authentication for Cisco VPN Client
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00809a3fa5.shtml

PIX/ASA 7.x: CAC - SmartCards Authentication for Cisco VPN Client
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809a7692.shtml

*************************************************************************
Another thing to use is a certificate instead of preshared key
*************************************************************************
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008092d8f1.shtml

I  think that you can try a combination of this two examples, you can add a radius server in the CAC card configuration as an extra security layer, and maybe try to use a preshared key with trustpoint... (but maybe this one does not work) but what about if your radius server also act a RSA proxy....

I do not know, just give it a try, try to test everything...



0
 

Author Comment

by:Tobinh
ID: 24857447
its basically that I need to do two-factor authentication hopefully just using the cisco vpn client and an asa 5510 for PCI compliance.
Im hoping I can install a cert per machine and then use xauth to a radius server in the network.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
VTP / VLANs and Sub-Interfaces 4 39
CCNA lab 6 37
Failover VPN Question Sonicwall 5 34
Cisco 3750E not able to SSH after removing from port channel 2 9
I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
Some of you may have heard that SonicWALL has finally released an app for iOS devices giving us long awaited connectivity for our iPhone's, iPod's, and iPad's. This guide is just a quick rundown on how to get up and running quickly using the app. …
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question