Setting up 2 factor authentication to a PIX?

nathan
Level 1

Hi guys, is it possible to set up 2 factor authentication using a tacacs+ server in the PIX firewall? I only want to use a tacacs+ server using aaa on the PIX.

5 Replies

brian.r.johns
Level 1

It is dependent on your TACACS server having the 2 factor support. The PIX sends authentication requests to the aaa server for serial|telnet|ssh|http|enable that I know of. If you are authenticating VPN clients via TACACS, I am not sure off the top of my head.

cheers

We are running across the same thing here. My question is: what tacacs+ or tacacs server supports two factor authentication?

According to this article, "The Power Behind RSA SecurID® Two-factor User Authentication: RSA ACE/Server",

page 4 of 11, it seems that tacacs+ supports server sessions.

http://www.opsec.com/solutions/partners/downloads/rsa_securid_whitepaper.pdf

"Most leading remote access server, firewall, VPN and router products have built-in RSA ACE/Agents for compatibility with RSA SecurID two-factor authentication. In addition, both TACACS+ and RADIUS authentication support RSA ACE/Server sessions."

Anyway, in general, what is the best way to set up 2 factor authentication on a PIX?

Hi .. the best two factor authentication that I have come across is always RSA SecurID. Basically you configure the AAA options in your PIX as a RADIUS client while the RSA ACE is the RADIUS server.

This is a quick example that I have set up in the past using an ASA.

I hope it helps .. please rate it if it does !!!

aaa-server RADIUS_SERVERS protocol radius
aaa-server RADIUS_SERVERS host RSA_SERVER
 timeout 5
 key ********
tunnel-group GT_VPN_RSA type ipsec-ra
tunnel-group GT_VPN_RSA general-attributes
 address-pool VPN_rsa_pool
 authentication-server-group RADIUS_SERVERS
tunnel-group GT_VPN_RSA ipsec-attributes
 pre-shared-key *

For configuring a PIX running 6.XX, you can check the command reference under the aaa-server and vpngroup commands:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_book09186a008017284e.html

I hope it helps ... please rate it if it does !!!
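The exchange that the aaa-server configuration above relies on, shown as an added Python example that is not from this thread, from Cisco or from RSA: the firewall acts as RADIUS client and only forwards the username and the combined passcode under the shared key; the split into PIN and token code, and the one-time check on the token, happen at the AAA server. The shared key, username, PIN and token codes are constructed values, and the token lookup table is a stand-in for a real OTP algorithm, not RSA's.

```python
"""Constructed model of a RADIUS Access-Request / Access-Accept exchange between a
firewall (RADIUS client, the 'aaa-server ... protocol radius' side) and an AAA server
performing a two-factor check. Not Cisco or RSA code; all values are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3      # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4    # RFC 2865 attribute types


def _encode_attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def _decode_attrs(data):
    attrs = {}
    while len(data) >= 2:
        atype, alen = struct.unpack("!BB", data[:2])
        if alen < 2:
            break                       # malformed length: stop rather than loop forever
        attrs[atype] = data[2:alen]
        data = data[alen:]
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block),
    the first 'previous block' being the Request Authenticator."""
    pad = (-len(password)) % 16
    if not password:
        pad = 16
    padded = password + b"\x00" * pad
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block                    # chaining is on the hidden block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as run by the AAA server that holds the same key."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident, username, passcode, secret, nas_ip="192.0.2.1", authenticator=None):
    """Firewall side: the packet sent to the host named in 'aaa-server ... host'."""
    authenticator = authenticator or os.urandom(16)     # Request Authenticator, fresh per request
    attrs = (_encode_attr(ATTR_USER_NAME, username.encode())
             + _encode_attr(ATTR_USER_PASSWORD, hide_password(passcode.encode(), secret, authenticator))
             + _encode_attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def handle_access_request(packet, secret, pins, live_tokens):
    """AAA-server side: split passcode into PIN + token code; a token code is accepted once."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        return None
    req_auth = packet[4:20]
    attrs = _decode_attrs(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode("utf-8", "replace")
    passcode = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth).decode("utf-8", "replace")
    pin = pins.get(user)
    accepted = False
    if pin is not None and passcode.startswith(pin):
        token = passcode[len(pin):]
        if token in live_tokens.get(user, set()):
            live_tokens[user].discard(token)    # consume it: replaying the same passcode fails
            accepted = True
    header = struct.pack("!BBH", ACCESS_ACCEPT if accepted else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret); no attributes here
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_response(response, request, secret):
    """Firewall side: trust the reply only if the ID echoes and the Response Authenticator matches."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if ident != request[1] or not hmac.compare_digest(response[4:20], expected):
        return None
    return code


def run_exchange():
    """Constructed walk-through: a valid passcode, a replay of the same packet, then a wrong PIN."""
    secret = b"constructed-shared-key"          # the 'key' line of aaa-server (constructed)
    pins = {"alice": "1234"}                    # constructed PIN (something you know)
    live_tokens = {"alice": {"567890"}}         # constructed current token code (something you have)
    good = build_access_request(7, "alice", "1234567890", secret)
    first = verify_response(handle_access_request(good, secret, pins, live_tokens), good, secret)
    replay = verify_response(handle_access_request(good, secret, pins, live_tokens), good, secret)
    live_tokens["alice"].add("567890")
    bad = build_access_request(8, "alice", "9999567890", secret)
    wrong_pin = verify_response(handle_access_request(bad, secret, pins, live_tokens), bad, secret)
    return first, replay, wrong_pin             # (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_REJECT)


if __name__ == "__main__":
    print(run_exchange())
```

The firewall code path never learns where the PIN ends and the token code begins, which is why brian.r.johns's answer holds: two-factor support is a property of the AAA server behind `aaa-server ... host`, not of the PIX. The replay case in `run_exchange` shows the defensive value of that server-side check: a recorded Access-Request carrying an already-used token code is rejected even though the firewall and the shared key are unchanged.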

Well, I don't want to use RADIUS at all if possible.

So if you don't have a RADIUS server, what are my options?