What caveats can I expect when implementing 2 factor authentication for RAS users dialing in when using RSA and ACS? Users are authenticated via Active Directory from ACS, so password expiry for them is required.
I'm having trouble finding documentation on how to do this. Any examples, or personal experience?
Re: RSA 2 Factor Authentication for dial-up using ACS
I have successfully configured Dial Access users to authenticate using 2 factor RSA token card through ACS. Your question is quite broad so I will offer a few observations and if you have further questions you may ask somewhat more focused questions.
- you want the router to authenticate the ppp session for the dialer lines and then to pass the authentication request to AAA/ACS.
- from IOS you can not send an authentication request directly to RSA 2 factor authentication. So on the router it is configured as aaa for tacacs or for radius.
- the ppp authentication on the dialer lines needs to specify pap and not chap (for me it was not intuitive that we needed the less secure ppp authentication so that we could be more secure in our authentication. But that is what it needs to be.)
- in AAA we decided to do authentication and accounting but not authorization.
- the aaa authentication ppp default is fairly obvious and catches most users who use the common MS Windows dialer which will prompt for userID and password before dialing. But if users have configured to use the post terminal window the PC dials and connects to the router before the prompt is issued. So you need to catch those users in the default login authentication (or you need to have a policy that the function of post terminal window is not supported).
- caveat: we found that things like RSA new token mode do not work when doing normal MS Windows dial.
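
The router-side setup described in the answer above, as an added IOS configuration sketch that is not part of the original post. It assumes TACACS+ rather than RADIUS toward ACS; the server address, key, accounting method list, interface and line numbers are placeholders.

```cisco
! Added example. Server address, key, interface and line ranges are placeholders.
aaa new-model
!
! PPP sessions: covers users of the MS Windows dialer, which collects the
! user ID and passcode before dialing.
aaa authentication ppp default group tacacs+
!
! Character-mode logins: covers users who open a post-dial terminal window
! and are prompted by the router after the modem connects.
aaa authentication login default group tacacs+
!
! Authentication and accounting only; no "aaa authorization" statements.
! (The accounting type and record mode here are assumptions.)
aaa accounting network default start-stop group tacacs+
!
! ACS server. The router never talks to the RSA server directly; ACS does.
tacacs-server host 192.0.2.10
tacacs-server key <shared-secret>
!
interface Group-Async1
 encapsulation ppp
 ! PAP, not CHAP: the token passcode has to reach the AAA server as entered
 ! so it can be checked, which a CHAP challenge response does not allow.
 ppp authentication pap
!
line 1 16
 login authentication default
 ! Let the line detect PPP frames while still offering a login prompt.
 autoselect during-login
 autoselect ppp
```

Because PAP carries the passcode in the clear over the dial-up link, the protection here comes from the passcode being single-use rather than from the PPP exchange itself.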