Jatin Katyal Tue, 01/12/2010 - 15:59
User Badges:
  • Cisco Employee,

Hi Stephanie:

Could you please elaborate on this? What exactly do you mean by two-factor authentication? Which product are we actually using (Firewall, Wireless) and what kind of protocols (RADIUS/TACACS/LDAP)? You can implement two-factor authentication through the ACS server using RSA SecurID.

The two-factor authentication I am aware of is:

PIN : Something you know
TOKEN: Something you have

Contributing to two-factor authentication.

Example: In the password field we provide PIN+TOKEN.

PIN: 1234
TOKEN: 5678

PASSCODE: 12345678

The above example is in regard to VPN authentication.

Here is one of the docs that talks about the Cisco VPN solution and two-factor authentication.

http://www.rsa.com/rsasecured/guides/solutions/CSCO_VPN_PB_0706.pdf

HTH

Regards,
Jatin


Plz rate helpful posts-
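
How an authentication server could check the PIN+TOKEN passcode described in the post above, as an added example that is not part of the original thread and is not RSA's or Cisco's code. The tokencode is computed with RFC 6238 TOTP as a stand-in for the token's own algorithm; the PIN length, digit count, time step and all function names are assumptions.

```python
import hashlib
import hmac
import struct

PIN_LEN = 4        # assumption: fixed-length PIN, like the post's 1234
TOKEN_DIGITS = 6   # assumption: 6-digit tokencode (the post's sample shows 4)
STEP = 60          # assumption: the tokencode changes every 60 seconds


def tokencode(seed: bytes, now: float, offset: int = 0) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), a stand-in for the token's own algorithm."""
    counter = int(now // STEP) + offset
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    pos = mac[-1] & 0x0F  # dynamic truncation offset
    value = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** TOKEN_DIGITS).zfill(TOKEN_DIGITS)


def pin_hash(pin: str, salt: bytes) -> bytes:
    """The server stores a salted hash of the PIN, never the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def verify_passcode(passcode: str, salt: bytes, stored_pin_hash: bytes,
                    seed: bytes, now: float, drift: int = 1) -> bool:
    """True only if both the PIN part and the tokencode part are valid."""
    if len(passcode) != PIN_LEN + TOKEN_DIGITS:
        return False
    if not (passcode.isascii() and passcode.isdigit()):
        return False
    # The fixed PIN length is what lets the server split the single field.
    pin, code = passcode[:PIN_LEN], passcode[PIN_LEN:]
    pin_ok = hmac.compare_digest(pin_hash(pin, salt), stored_pin_hash)
    # Accept neighbouring time steps to tolerate clock drift on the token.
    code_ok = False
    for off in range(-drift, drift + 1):
        code_ok |= hmac.compare_digest(code, tokencode(seed, now, off))
    # Both factors are always evaluated, so a failure does not reveal which was wrong.
    return pin_ok and code_ok
```

A production server would also refuse a tokencode it has already accepted, so that a captured passcode cannot be replayed within the drift window.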

slcornish Wed, 01/13/2010 - 06:39

Jatin,

Currently we're using TACACS+ for authentication.  We


Here's a description of the requirement for 2 factor authentication:


Id - NET0431

Vulnerability

Discussion

AAA network security services provide the primary framework through which a network administrator can set up access control on network points of entry or network access servers, which is usually the function of a router or access server. Authentication identifies a user; authorization determines what that user can do; and accounting monitors the network usage. Without AAA, unauthorized users may gain access and possibly control of the routers. If the router network is compromised, large portions of the network could be incapacitated with only a few commands.

Default Finding

Details

AAA server does not redirect/call to a two-factor authentication server.

NET Authentication Access

Procedure: The implementation varies and a thorough review is necessary. Have the SA review and discuss their implementation. A typical AAA process includes the network system redirecting user access requests either directly to an ACE/Server or to a CiscoSecure ACS (TACACS+) server which redirects the 'authentication' request to the ACE/Server for strong authentication via user tokens (keyfobs). During the review have the SA point out the calls from the TACACS+ or Radius servers to the authentication server performing the two-factor requirement


From my understanding ACS can meet this requirement, I just need some ideas or case studies to see how it is implemented.


Stephanie
