RSA 2 Factor Authentication for dial-up using ACS

Unanswered Question
Aug 24th, 2007

What caveats can I expect when implementing 2 factor authentication, for RAS users dialing in when using RSA and ACS? Users are authenticated via Active Directory from ACS, so password expiry for them is required.

I'm having trouble finding documentation on how to do this. Any examples, or personal experience?

Richard Burts Fri, 08/24/2007 - 13:41

Paul

I have successfully configured Dial Access users to authenticate using 2 factor RSA token card through ACS. Your question is quite broad so I will offer a few observations and if you have further questions you may ask somewhat more focused questions.

- you want the router to authenticate the ppp session for the dialer lines and then to pass the authentication request to AAA/ACS.

- from IOS you cannot send an authentication request directly to RSA 2 factor authentication. So on the router it is configured as aaa for tacacs or for radius.

- the ppp authentication on the dialer lines needs to specify pap and not chap (for me it was not intuitive that we needed the less secure ppp authentication so that we could be more secure in our authentication. But that is what it needs to be.)

- in AAA we decided to do authentication and accounting but not authorization.

- the aaa authentication ppp default is fairly obvious and catches most users who use the common MS Windows dialer, which will prompt for userID and password before dialing. But if users have configured the dialer to use the post terminal window, the PC dials and connects to the router before the prompt is issued. So you need to catch those users in the default login authentication (or you need to have a policy that the function of post terminal window is not supported).

- caveat: we found that things like RSA new token mode do not work when doing normal MS Windows dial.

If you have other questions feel free to ask.

HTH

Rick
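An IOS configuration sketch of the arrangement Rick describes, added here as an illustration and not taken from his post or from Cisco documentation: PAP on the dialer interface, both the PPP and login default methods sent to ACS, accounting on and authorization left off. The RADIUS server address 192.0.2.10 and the shared secret are placeholders, and the choice of RADIUS rather than TACACS+ toward ACS is an assumption.

```cisco
! Enable AAA and point it at ACS. RADIUS is assumed here; TACACS+ works
! the same way with "group tacacs+". Address and key are placeholders.
aaa new-model
radius-server host 192.0.2.10 key PLACEHOLDER-SHARED-SECRET
!
! Callers whose Windows dialer prompts for credentials before dialing are
! authenticated by the PPP method. No "local" fallback is listed, so an
! unreachable ACS fails the call instead of silently skipping the token.
aaa authentication ppp default group radius
!
! Callers using the post-dial terminal window connect first and only then
! see a prompt, so the login method has to go to ACS as well.
aaa authentication login default group radius
!
! Accounting for network and exec sessions; no aaa authorization lines,
! matching the decision to authenticate and account but not authorize.
aaa accounting network default start-stop group radius
aaa accounting exec default start-stop group radius
!
interface Dialer1
 encapsulation ppp
 ! PAP rather than CHAP: CHAP needs the server to already hold the
 ! user's secret to verify the hashed response, which a one-time
 ! token passcode rules out, so the passcode must travel as PAP.
 ppp authentication pap
```

The PPP line in a live config carries the usual dialer pool, address and line settings as well; only the AAA-relevant statements are shown.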

dorisgroveau Mon, 08/27/2007 - 07:25

In implementing 2 factor authentication using RSA and ACS we found that RSA does not support notification of password expiration.
