Need advice on two-factor authentication for VPN

Jan 13th, 2009

I have been asked to evaluate options to add a second factor to authentication for our existing VPN infrastructure (two VPN 3000 concentrators in an active/standby pair).

What's the most popular thing for this? Is it RSA SecurID tokens and the AM server? I think I looked into that many years ago, but it was a little too expensive for the place I was working at. Are there cheaper but still popular options, or are they not worth looking at?

If we go with hardware tokens, we'll definitely need a server of some kind, correct? The 3000 concentrator can't handle that internally? That's the impression I get, but want to make sure.

Are smart cards used much for this? I have a little bit of experience (very little) with hardware tokens, but haven't used smart cards for authentication.

cisco24x7 Tue, 01/13/2009 - 17:29

I use RSA SecurID integrated with Steelbelt/Juniper for SSL VPN (F5 Firepass) and remote access VPN on Cisco VPN concentrator and it works great but a bit

There is a very popular 2-factor authentication called WiKID server. They come in both open source and pay versions. The pay version is dirt cheap especially for non-profit and education customers, something like $24/user for three years for the whole solution, including support.

This is a software 2-factor authentication, but it is just as secure as the hardware-token based RSA SecurID.

I really like this product because it has both RADIUS and TACACS+ built in. The best thing about this is that they give you an ISO; you install it on an x86 machine and you are ready to go. Extremely easy to set up and configure. The product is extremely stable and you can easily set up replication for redundancy as well.

My 2c

cscbrannent Tue, 01/13/2009 - 18:54

We use RSA Authentication Manager with both hardware tokens, and a few software tokens.

So with the tokens, the two factors are something you have, and something you know. You have the token, you know the PIN. Another factor could be biometric. Or the something you have could be a certificate.

So the ASA is configured to ask AAA servers for authentication - which are the RSA Ace servers with the token database on them. We also use RSA's RADIUS to pass back a class of different profiles, so that we can configure different group profiles and either allow full access, or restrict access to contractors and partners with Access Control Lists.

Hope this helps.

spfister336 Wed, 01/14/2009 - 09:04

Thanks for the great replies... I think I have just one more question before I report back to management. The usual way to implement two-factor authentication on the 3000 is through an AAA server like RADIUS, correct? I thought I saw some post somewhere mentioning that you can do it with RADIUS... is that possible? I'm guessing that most two-factor authentication solutions will come with some implementation of RADIUS, or with RADIUS support. Does this all sound accurate?

Thanks again for your help!

spfister336 Wed, 01/14/2009 - 12:43

I didn't see a way to edit my last post... I meant I saw a post that said you didn't need RADIUS to do two-factor authentication on the VPN 3000. Is that possible?

Richard Burts Thu, 01/15/2009 - 09:48
Our 3060 concentrators authenticate directly with the RSA server, no need for RADIUS.

cisco24x7 Thu, 01/15/2009 - 12:39
It really depends on your requirements. RSA server does not have the ability to return RADIUS attributes such as IP addresses and some other stuff. Most people do not want to set up an IP pool on the VPNc itself, so they use RSA server with integrated RADIUS.
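Both cscbrannent's point that the RSA RADIUS server hands back a Class attribute to pick a group profile and cisco24x7's point that a direct RSA integration cannot return RADIUS attributes such as an IP address come down to what an Access-Accept carries. The Python below is an added example, not code from this thread or from any vendor: it builds the RFC 2865 Access-Request a concentrator would send (user name plus PIN+tokencode hidden as User-Password), then constructs and parses a server Access-Accept carrying Class and Framed-IP-Address, checking the Response Authenticator before trusting either attribute. The shared secret, user, group string and address are constructed sample values.

```python
import hashlib
import struct
from ipaddress import IPv4Address

# RFC 2865 packet codes and the attribute types this example uses
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, FRAMED_IP_ADDRESS, CLASS = 1, 2, 8, 25

def _attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def build_access_request(user: str, passcode: str, secret: bytes, ident: int, req_auth: bytes) -> bytes:
    """NAS side: user name plus PIN+tokencode hidden as User-Password."""
    attrs = _attr(USER_NAME, user.encode()) + _attr(USER_PASSWORD, hide_password(passcode.encode(), secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_access_accept(ident: int, req_auth: bytes, secret: bytes, group: str, ip: str) -> bytes:
    """Server side: Class selects the group profile, Framed-IP-Address assigns the
    address. Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    attrs = _attr(CLASS, group.encode()) + _attr(FRAMED_IP_ADDRESS, IPv4Address(ip).packed)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def parse_accept(packet: bytes, req_auth: bytes, secret: bytes) -> dict:
    """NAS side: reject a reply whose Response Authenticator does not verify
    (spoofed or tampered), otherwise return the group and assigned address."""
    header, attrs = packet[:4], packet[20:]
    if hashlib.md5(header + req_auth + attrs + secret).digest() != packet[4:20]:
        raise ValueError("bad Response Authenticator: reply rejected")
    found, pos = {}, 0
    while pos < len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        found[atype] = attrs[pos + 2:pos + alen]
        pos += alen
    return {"accepted": header[0] == ACCESS_ACCEPT, "group": found.get(CLASS, b"").decode(),
            "ip": str(IPv4Address(found[FRAMED_IP_ADDRESS])) if FRAMED_IP_ADDRESS in found else None}
```

A concentrator that authenticates against the RSA server directly never sees this Accept, which is why the IP pool then has to live on the VPNc itself.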