• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1598

Can I use the Cisco VPN client for two-factor authentication using certs?

I am hoping to use the certificate authentication functionality on the client, but what I need to know is whether it can then prompt for a username and password for the domain.
It will be connecting to an ASA 5510.

Thanks in advance
Asked by Tobinh

2 Solutions
 
The_Kirschi commented:
Hi,

I don't think you can use both certs and RADIUS at the same time. But if you want to have two-factor auth, you could use a USB token secured with a password to store the cert on it, for example an Aladdin eToken or RSA token. So the user has to have access to the token and must know the password before the cert is used.

HTH
The Kirschi
 
geergon commented:
Well, I never did it, but if you can do a lab, feel free to try...

Are you talking about simple authentication using a user from the domain, or are you talking about an extra security layer?

I mean you can have, as The Kirschi said, an eToken with certificates, but what we are going to use is authorization, and the "user" is going to be authenticated from a parameter of the same certificate using LDAP.

Check this information:
PIX/ASA 8.x: CAC - SmartCards Authentication for Cisco VPN Client
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00809a3fa5.shtml

PIX/ASA 7.x: CAC - SmartCards Authentication for Cisco VPN Client
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809a7692.shtml

Another thing to use is a certificate instead of a preshared key:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008092d8f1.shtml

I think you can try a combination of these two examples: you can add a RADIUS server to the CAC card configuration as an extra security layer, and maybe try to use a preshared key with a trustpoint (but maybe this one does not work). But what if your RADIUS server also acts as an RSA proxy?

I do not know, just give it a try; try to test everything...
 
Tobinh (author) commented:
It's basically that I need to do two-factor authentication, hopefully just using the Cisco VPN client and an ASA 5510, for PCI compliance.
I'm hoping I can install a cert per machine and then use XAUTH to a RADIUS server on the network.
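The setup the asker describes (a per-machine certificate for ISAKMP phase 1, followed by an XAUTH username/password checked against RADIUS) is a supported combination on the ASA: the certificate authenticates the endpoint during IKE, and XAUTH then makes the Cisco VPN client prompt the user for credentials. The configuration fragment below is an added example written for this page; it is not from the thread or from the Cisco documents linked above. It uses ASA 8.0 to 8.3 CLI syntax (on 8.4 and later the tunnel-group commands become `ikev1 trust-point` and `ikev1 user-authentication xauth`, and `crypto isakmp policy` becomes `crypto ikev1 policy`). The trustpoint, certificate-map, AAA-server, pool and tunnel-group names, the IP addresses, the RADIUS key and the subject-name attribute are all assumed values.

```cisco
! --- Added example: ASA 8.0-8.3, IPsec remote access, cert + XAUTH to RADIUS ---
! All names and addresses below are assumptions, not values from the thread.

! CA that issued the machine certificates. Enforce revocation checking so a
! decommissioned or stolen machine cert can actually be revoked.
crypto ca trustpoint CORP-CA
 enrollment terminal
 revocation-check crl
 crl configure
  policy cdp

! Only certs from this CA whose subject has OU=VPN-Machines may select the
! tunnel-group; any other cert from the same CA is not accepted for this profile.
crypto ca certificate map CORP-CA-MAP 10
 issuer-name attr cn eq corp-ca
 subject-name attr ou eq VPN-Machines

! Domain-backed RADIUS server used for the second factor (XAUTH).
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 10.0.0.10
 key RadiusSharedSecret

ip local pool VPN-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

group-policy VPN-GP internal
group-policy VPN-GP attributes
 vpn-tunnel-protocol IPSec

! Remote-access tunnel-group: factor 1 is the machine cert (trust-point),
! factor 2 is the XAUTH username/password sent to RADIUS-SRV.
tunnel-group VPN-CERT type remote-access
tunnel-group VPN-CERT general-attributes
 address-pool VPN-POOL
 authentication-server-group RADIUS-SRV
 default-group-policy VPN-GP
tunnel-group VPN-CERT ipsec-attributes
 trust-point CORP-CA
 isakmp ikev1-user-authentication xauth

! Map incoming certificates to the tunnel-group via the certificate map.
tunnel-group-map enable rules
tunnel-group-map CORP-CA-MAP 10 VPN-CERT

! Phase 1: RSA signatures (certificates) instead of a preshared key.
crypto isakmp identity auto
crypto isakmp enable outside
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! Phase 2 and the dynamic crypto map for roaming clients.
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-MAP 10 set transform-set ESP-AES-SHA
crypto dynamic-map DYN-MAP 10 set reverse-route
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside
```

Two checks before calling this two-factor for a PCI assessor: the machine certificate only counts as "something you have" if its private key is marked non-exportable (or lives on a smart card or token as The Kirschi suggests), otherwise it is copied as easily as a password; and the XAUTH step must stay enabled on the tunnel-group, because a profile with `isakmp ikev1-user-authentication none` silently falls back to cert-only. On the ASA, `show vpn-sessiondb remote` after a test connection shows both the certificate identity and the XAUTH username, and `debug crypto isakmp` will show whether the certificate failed to match the certificate map or the CRL check before the XAUTH prompt is ever reached.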