home Agents & RSA Auth

bownessbrad · ‎12-15-2007

I would like some feedback on whether this would work.

Call agents at home with cisco 871 router. Agents workstation uses vpn client to auth to 871 router that passes credentials back to a concentrator that in turn confirms id/pass with RSA server.

Also, the 871 routers are preset with preshared keys to establish a tunnel between the 871 and concnetrator only. To get the agent on line they use vpn client to auth to the 871 as described above. The idea is to have only one vpn tunnel between agent and corporate. After agent auth local to 871 then they can get access to corporate. There is a voip phone used so all voip and data are only connected after 2-factor auth through local vpn client.

wrkstation-->VOIP phone-->871-->Concentrator--->RSA

MAke sense or see problems?

smahbub · ‎12-21-2007

IP phones cannot display authentication proxy prompt. Therefore it cannot be authenticated using auth-proxy. One solution to this is to use CBAC. If the IP phone is talking to an MGCP call manager, then open the SKINNY protocol (UDP 2000) and TFTP in the inbound ACL. IP inspection will dynamically open holes for RTP streams when a phone call is made. By opening only UDP 2000, access control is not diluted much and IP phone works without doing auth-proxy. Same for a SIP phone open UDP 5060.

Important Authentication Proxy Diagnostics Commands

show ip auth-proxy cache-displays the existing sessions.

show ip auth-proxy config-displays the current configuration.

clear ip auth-proxy cache [*/]-clears auth-proxy sessions.

debug ip auth-proxy [options]-enables auth-proxy debugs.