2-Factor Strong Authentication

mpipkin · ‎11-25-2007

We are in the process of implementing two factor VPN authentication using WIKID but we are having issues, specifically with our ACS. I use the ACS with the Cisco Remote Agent to provide VPN authentication based on AD. The problem is that I would need the ACS to proxy to my WIKID server to authenticate the PIN. I can setup my VPNSM to radius directly to the WIKID server but then I lose all the grouping and IP parameters I apply to users. On top of that, I would have to go to two places to setup/deactivate a new/terminated employee.

So basically, is there a way for me to use my ACS for Authorization (via Cisco Remote Agent) and forward the username and PIN to the WIKID server for authentication?

kevin.jones1 · ‎11-26-2007

If you're looking for two-factor authentication,

I strongly recommend RSA SecurID. That's the

best two factor authentication, imho.

Something you have & something you know = two-factor authentication

Michael Odom · ‎11-28-2007

If you can setup your VPN to authenticate using RADIUS to the WIKID server, then you should be able to configure ACS to use RADIUS as an external user database (I believe you'd set it up as a RADIUS Token Server). ACS won't be able to directly see AD, but that is ok because the WIKID should take care of that.

As long as the WIKID RADIUS supports Cisco AV Pairs as a reply attribute, you can configure it to return the appropriate ACS group mapping. See http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/qg.html#wp940932

By setting it up as a RADIUS Token Server, you no longer need the Cisco Remote Agent. If you are running ACS 4.x, you may want to also look at configuring a Network Access Profile if you need to configure more flexibility in your external database searching.