I would like some feedback on whether this would work.
Call agents at home with a Cisco 871 router. The agent's workstation uses the VPN client to authenticate to the 871 router, which passes the credentials back to a concentrator that in turn confirms the ID/password with the RSA server.
Also, the 871 routers are preset with pre-shared keys to establish a tunnel between the 871 and the concentrator only. To get the agent online they use the VPN client to authenticate to the 871 as described above. The idea is to have only one VPN tunnel between the agent and corporate. After the agent authenticates locally to the 871, they can get access to corporate. There is a VoIP phone used, so all VoIP and data are only connected after 2-factor auth through the local VPN client.
IP phones cannot display the authentication proxy prompt. Therefore, they cannot be authenticated using auth-proxy. One solution to this is to use CBAC. If the IP phone is talking to an MGCP call manager, then open the SKINNY protocol (UDP 2000) and TFTP in the inbound ACL. IP inspection will dynamically open holes for the RTP streams when a phone call is made. By opening only UDP 2000, access control is not diluted much and the IP phone works without doing auth-proxy. The same applies to a SIP phone: open UDP 5060.
Important Authentication Proxy Diagnostics Commands
show ip auth-proxy cache - displays the existing sessions.
show ip auth-proxy config - displays the current configuration.
clear ip auth-proxy cache [*/] - clears auth-proxy sessions.
debug ip auth-proxy [options] - enables auth-proxy debugs.
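Here is what the CBAC carve-out described above looks like as an IOS configuration on the 871's LAN side. This is an added example, not configuration from the thread or from Cisco; the rule names, the phone and CallManager addresses, and the use of Vlan1 as the LAN interface are assumptions for illustration. One correction relative to the reply: SCCP (Skinny) signalling runs over TCP port 2000, not UDP, so the static ACL entry below permits tcp/2000; SIP stays on udp/5060 as stated. The inbound ACL statically allows only the phone's signalling and TFTP config download and denies everything else, so the workstation still has to pass auth-proxy, while the skinny/sip inspection rules open the RTP media ports dynamically for the duration of each call.

```text
! Added example (not from the original thread). Addresses, names and
! the Vlan1 interface are assumed. Adjust to the real deployment.
!
! CBAC inspection rule: tracks SCCP and SIP signalling and dynamically
! opens the negotiated RTP ports, and tracks the TFTP transfer. Nothing
! else is inspected, so only phone traffic gets return/media holes.
ip inspect name VOICE skinny
ip inspect name VOICE sip
ip inspect name VOICE tftp
!
! Inbound ACL on the LAN interface. Static permits are scoped to the
! phone's address and the CallManager's address rather than "any", so
! the carve-out cannot be reused by the workstation. Everything else is
! denied here and only gets through once auth-proxy has authenticated
! the user and installed its dynamic entries.
ip access-list extended LAN_IN
 remark SCCP (Skinny) signalling from the phone to CallManager: TCP 2000
 permit tcp host 192.168.10.20 host 10.1.1.10 eq 2000
 remark SIP signalling (only if the phone is a SIP phone): UDP 5060
 permit udp host 192.168.10.20 host 10.1.1.10 eq 5060
 remark TFTP so the phone can fetch its config and firmware
 permit udp host 192.168.10.20 host 10.1.1.10 eq tftp
 deny   ip any any
!
! Auth-proxy rule that intercepts the workstation's first HTTP request
! and prompts for credentials (the phone never triggers it).
ip auth-proxy name AGENT_AUTH http
!
interface Vlan1
 description LAN: agent workstation and IP phone
 ip address 192.168.10.1 255.255.255.0
 ip access-group LAN_IN in
 ip inspect VOICE in
 ip auth-proxy AGENT_AUTH
```

After a phone registers and a call is placed, "show ip inspect sessions" should show the SCCP/SIP control session plus the dynamically created RTP entries, and "show ip auth-proxy cache" should show only the workstation's authenticated session. If the phone fails to register, check that the CallManager really is reachable on tcp/2000 (Skinny) or udp/5060 (SIP) and that the TFTP permit matches the TFTP server the phone was handed via DHCP option 150.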