Two factor authentication configured on a Router

Mar 18th, 2009

I have a customer who falls under PCI Compliance scrutiny. I was in conversation yesterday with the auditor, and he indicated that I did not have Two Factor authentication set up exactly as it is defined.

What I have configured is that when an admin attempts to authenticate to our router, the router is configured to talk to our TACACS box which in turn queries our Active Directory for authentication. Once authenticated via TACACS, the authenticating admin is prompted for the enable secret password.

The auditor explained to me that this was two examples of "something you know" and realistically would not pass for Two factor authentication.

How can I configure my router(s) for Two factor authentication?


greg.washburn Wed, 03/18/2009 - 10:37

Using something like SecurID tokens in addition to the password would take care of that. So the user would enter their username, password and SecurID token reading instead.

you know the password

you have the token

2 factor vs 1 factor 2 times.

You might also be able to pass the audit by allowing login from only restricted IP addresses. The machines owning those ip addresses require thumb prints for access (something you are).

While I'm sure there are a lot of options / combos - in actual deployments I've only seen the something you have (RSA SecurID token for example) and something you know (password) 2 factor login to routers/switches.
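Added example, not configuration from this thread or from any poster: an IOS AAA fragment for the layout described above, assuming a TACACS+ server at a placeholder address (192.0.2.10) whose backend validates the username together with password plus token code, and a single management jump host (192.0.2.50, also a placeholder). The router only relays credentials, so the second factor is enforced by the AAA server, not by the router itself.

```cisco
! Added example (not from the thread). Assumptions: a TACACS+ server at
! 192.0.2.10 (placeholder) whose backend checks username + password+token
! code, and an admin jump host at 192.0.2.50 (placeholder). The router
! relays the credentials; the token (second factor) is verified by the
! AAA server, so "two factors" is a property of that server's backend.
aaa new-model
tacacs-server host 192.0.2.10 key PLACEHOLDER-SHARED-SECRET
!
! Login: ask the TACACS+ server first; the local database is used only
! when the server is unreachable, not when it rejects the credentials.
aaa authentication login default group tacacs+ local
!
! Enable: send the enable request to the same server instead of the local
! enable secret, so privileged access is tied to the token-backed login
! rather than to a second "something you know".
aaa authentication enable default group tacacs+ enable
!
! Exec authorization: if the server returns privilege level 15, the admin
! lands in privileged EXEC directly, removing the redundant enable prompt.
aaa authorization exec default group tacacs+ if-authenticated
!
! Optional: accept management sessions only from the controlled jump host
! (the "restricted IP addresses" idea above) and only over SSH.
access-list 10 permit host 192.0.2.50
line vty 0 4
 access-class 10 in
 transport input ssh
 login authentication default
```

The local fallback in the login and enable method lists applies only while the TACACS+ server is unreachable; verify with the AAA server's logs that a password alone (without the token code) is rejected before presenting this to an auditor.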

Kevin Melton Wed, 03/18/2009 - 11:01

I appreciate your answer.

Can you comment further on the part where you indicated "The machines owning those ip addresses require thumb prints for access (something you are)."

I am not understanding what the thumb print is here. Where does a router store a thumb print?

greg.washburn Wed, 03/18/2009 - 11:21

Thumb print in this example would be the second factor.

3 factors to choose from:

1.) Something you know (eg. passwords)

2.) Something you have (eg. a token that produces sync'd keys with a server)

3.) Something you are (eg. thumb print)

As long as logging into the router/switch/server/etc requires a combination of 2 of the above 3 you are passing the audit requirement of 2 factor authentication.

In the example of limiting login to a group of known devices (which can only be accessed via thumb print) and requiring a password on the accessed device you would be utilizing 2 factor authentication.

While this or the token example would pass the audit that does not mean other creative examples would not be better in your particular situation. It may not be feasible for you to limit remote access to the router/switch. Additionally, if the router/switch is not in a secured facility it would not be enough to only look at remote access. One would also need to consider console/physical access to the device and whether it still requires 2 factor authentication.
