Can I use Cisco VPN client for two-factor authentication using certs

Posted on 2009-07-14
Last Modified: 2012-08-13
I am hoping to use the certificate authentication functionality on the client, but what I need to know is if it can then prompt for a username and password for the domain.
It will be connecting to an ASA 5510

Thanks in advance
Question by:Tobinh

Accepted Solution

by:
The_Kirschi earned 125 total points
ID: 24847557
Hi,

I don't think you can use both certs and Radius at the same time. But if you want to have two-factor auth you could use a USB token secured with a password to store the cert on it. For example Aladdin eToken or RSA Token. So the user does have to have access to the token and must know the password before the cert is used.

Hth
The Kirschi

Assisted Solution

by:geergon
geergon earned 125 total points
ID: 24855528
Well I never did it, but if you can do a LAB feel free to try...

Are you talking about simple authentication using a user from the domain, or you are talking about an extra security layer?

I mean you can have as The Kirschi said etoken with certificates, but what we are going to use is authorization, and the "user" is going to be authenticated from a parameter of the same certificate using LDAP.

Check this information:
PIX/ASA 8.x: CAC - SmartCards Authentication for Cisco VPN Client
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00809a3fa5.shtml

PIX/ASA 7.x: CAC - SmartCards Authentication for Cisco VPN Client
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809a7692.shtml

*************************************************************************
Another thing to use is a certificate instead of preshared key
*************************************************************************
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008092d8f1.shtml

I think that you can try a combination of these two examples. You can add a RADIUS server in the CAC card configuration as an extra security layer, and maybe try to use a preshared key with a trustpoint... (but maybe this one does not work). But what if your RADIUS server also acts as an RSA proxy...

I do not know, just give it a try, try to test everything...


Author Comment

by:Tobinh
ID: 24857447
It's basically that I need to do two-factor authentication, hopefully just using the Cisco VPN client and an ASA 5510, for PCI compliance.
I'm hoping I can install a cert per machine and then use Xauth to a RADIUS server in the network.
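The combination described in the last comment (a certificate on each machine for IKE phase 1, then an Xauth username/password checked against RADIUS) is exactly what the ASA's remote-access tunnel-group supports for the IPsec (IKEv1) Cisco VPN Client: the trustpoint authenticates the peer's certificate and `isakmp ikev1-user-authentication xauth` keeps the Xauth prompt, so the user is challenged for credentials after the certificate exchange. The configuration below is an added example written for this page, not a config posted in the thread or taken from the linked Cisco documents. It uses the 8.0/8.2-era command syntax that an ASA 5510 ran in 2009; the server names, addresses, pool, OU value and trustpoint name are placeholders, and the RADIUS key is deliberately left as a placeholder. Check each command against the command reference for the version actually running before applying it.

```cisco
! Added example, not from the original thread.
! ASA 8.0/8.2 syntax: IPsec remote access for the Cisco VPN Client with
! certificate (rsa-sig) IKE authentication for the machine plus Xauth of
! the user against RADIUS.  All names, addresses and the OU are placeholders.

! AAA server group the Xauth username/password is checked against
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 10.1.1.10
 key <radius-shared-secret>

! Trustpoint for the CA that issued the per-machine certificates.
! After this, authenticate the CA and enroll the ASA identity certificate:
!   crypto ca authenticate VPN-CA
!   crypto ca enroll VPN-CA
crypto ca trustpoint VPN-CA
 enrollment terminal
 crl configure

! Only certificates from that CA carrying OU=VPN-Machines are mapped to
! the tunnel group; anything else never reaches the Xauth stage.
crypto ca certificate map VPN-CERT-MAP 10
 subject-name attr ou eq VPN-Machines
tunnel-group-map enable rules
tunnel-group-map VPN-CERT-MAP 10 RA-CERT-XAUTH

! IKE phase 1: certificates (rsa-sig) instead of a preshared key
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside

! IPsec phase 2 via a dynamic crypto map (client address is unknown)
crypto ipsec transform-set RA-TS esp-aes-256 esp-sha-hmac
crypto dynamic-map RA-DYN 10 set transform-set RA-TS
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic RA-DYN
crypto map OUTSIDE-MAP interface outside

! Client address pool and group policy restricted to IPsec
ip local pool RA-POOL 192.168.100.1-192.168.100.50
group-policy RA-GP internal
group-policy RA-GP attributes
 vpn-tunnel-protocol IPSec

! Tunnel group: the certificate identifies the machine (factor 1),
! Xauth against RADIUS identifies the user (factor 2).
tunnel-group RA-CERT-XAUTH type remote-access
tunnel-group RA-CERT-XAUTH general-attributes
 address-pool RA-POOL
 authentication-server-group RADIUS-SRV
 default-group-policy RA-GP
tunnel-group RA-CERT-XAUTH ipsec-attributes
 trust-point VPN-CA
 peer-id-validate req
 isakmp ikev1-user-authentication xauth
```

Two points worth checking when testing this in a lab: `isakmp ikev1-user-authentication hybrid` would mean the ASA presents a certificate but the client does not, which is only one factor on the client side, so `xauth` is the setting that gives certificate plus password; and `crl configure` only sets up the CRL block, so revocation checking still has to be enabled under the trustpoint if a stolen machine certificate is meant to be revocable rather than just re-issued.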
