06-02-2006 09:12 AM - edited 02-21-2020 10:16 AM
Hi guys, is it possible to set up 2-factor authentication using a TACACS+ server in the PIX firewall? I only want to use a TACACS+ server with AAA on the PIX.
06-02-2006 12:42 PM
It is dependent on your TACACS server having the 2-factor support. The PIX sends authentication requests to the AAA server for serial|telnet|ssh|http|enable that I know of. If you are authenticating VPN clients via TACACS I am not sure off the top of my head.
cheers
06-02-2006 01:06 PM
We are running across the same thing here; my question is which TACACS+ or TACACS server supports two-factor authentication?
06-02-2006 03:30 PM
According to this article, "The Power Behind RSA SecurID® Two-factor User Authentication: RSA ACE/Server", page 4 of 11, it seems that TACACS+ supports server sessions.
http://www.opsec.com/solutions/partners/downloads/rsa_securid_whitepaper.pdf
"Most leading remote access server, firewall, VPN and router products have built-in RSA ACE/Agents for compatibility with RSA SecurID two-factor authentication. In addition, both TACACS+ and RADIUS authentication support RSA ACE/Server sessions."
Anyway, in general, what is the best way to set up 2-factor authentication on a PIX?
06-03-2006 02:49 AM
Hi .. the best two-factor authentication that I have come across is always RSA SecurID. Basically you configure the AAA options in your PIX as a RADIUS client while the RSA ACE is the RADIUS server.
This is a quick example that I have set up in the past using an ASA.
I hope it helps .. please rate it if it does !!!
! RSA ACE/Server defined as a RADIUS server; "key" is the RADIUS shared secret
aaa-server RADIUS_SERVERS protocol radius
aaa-server RADIUS_SERVERS host RSA_SERVER
 timeout 5
 key ********
! remote-access tunnel group that authenticates users against that server group
tunnel-group GT_VPN_RSA type ipsec-ra
tunnel-group GT_VPN_RSA general-attributes
 address-pool VPN_rsa_pool
 authentication-server-group RADIUS_SERVERS
tunnel-group GT_VPN_RSA ipsec-attributes
 pre-shared-key *
For configuring a PIX running 6.x you can check the command reference for the aaa-server and vpngroup commands.
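To make concrete what the PIX/ASA as a RADIUS client actually sends to the ACE server in the setup above, here is an added example (not part of the original post and not Cisco or RSA code) that builds an Access-Request with the User-Password hiding from RFC 2865, lets a stand-in server recover the passcode and answer, and verifies the Response Authenticator on the client side. It assumes the SecurID passcode is sent as PIN followed by tokencode in User-Password, and the usernames, passcodes, shared secret and NAS address are constructed sample values; the server check is a simplified substitute for the real ACE/Server logic.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS packet codes and attribute types used here (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet chunks, XOR each chunk with MD5(secret + previous
    chunk), seeded with the Request Authenticator. Only as strong as the secret."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    hidden, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ b for p, b in zip(padded[i:i + 16], pad))
        hidden += chunk
        prev = chunk
    return bytes(hidden)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password; strips the NUL padding."""
    plain, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        plain += bytes(c ^ b for c, b in zip(chunk, pad))
        prev = chunk
    return bytes(plain).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length includes the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident, secret, username, passcode, nas_ip):
    """The firewall's request: username plus PIN+tokencode in User-Password.
    Returns the packet and the Request Authenticator needed to check the reply."""
    request_auth = os.urandom(16)
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, hide_password(passcode, secret, request_auth))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def build_response(code, ident, request_auth, secret, attrs=b""):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side proof that the reply came from a server holding the secret."""
    header, response_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def simulated_ace_server(packet: bytes, secret: bytes, passcodes: dict) -> bytes:
    """Stand-in for the RSA ACE/Server: recovers the passcode and decides."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    if code != ACCESS_REQUEST or length != len(packet):
        return build_response(ACCESS_REJECT, ident, request_auth, secret)
    attrs = parse_attributes(packet[20:length])
    passcode = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = hmac.compare_digest(passcode, passcodes.get(attrs.get(USER_NAME, b""), b"\x00"))
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, secret)


def authenticate(username, passcode, client_secret, server_secret, passcodes) -> str:
    """One in-process exchange; returns 'accept', 'reject' or 'bad-authenticator'."""
    request, request_auth = build_access_request(42, client_secret, username, passcode, "192.0.2.1")
    reply = simulated_ace_server(request, server_secret, passcodes)
    if not verify_response(reply, request_auth, client_secret):
        return "bad-authenticator"
    return "accept" if reply[0] == ACCESS_ACCEPT else "reject"


# Constructed sample data: PIN 1234 followed by the tokencode 567890.
SECRET = b"shared-secret-from-aaa-server-key"
PASSCODES = {b"alice": b"1234567890"}

if __name__ == "__main__":
    print(authenticate(b"alice", b"1234567890", SECRET, SECRET, PASSCODES))    # accept
    print(authenticate(b"alice", b"1234000000", SECRET, SECRET, PASSCODES))    # reject
    print(authenticate(b"alice", b"1234567890", SECRET, b"wrong", PASSCODES))  # bad-authenticator
```

The third call shows why the "key" line in the aaa-server block matters operationally: with a mismatched secret the server cannot recover the passcode, and the client cannot validate the Response Authenticator, so a misconfigured key surfaces as failed or unverifiable replies rather than as a clear error.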
06-03-2006 08:53 AM
Well, I don't want to use RADIUS at all if possible.
So if you don't have a RADIUS server, what are my options?