06-02-2006 09:12 AM - edited 02-21-2020 10:16 AM
Hi guys, is it possible to set up 2-factor authentication using a TACACS+ server on the PIX firewall? I only want to use a TACACS+ server with AAA on the PIX.
06-02-2006 12:42 PM
It is dependent on your TACACS server having the 2-factor support. The PIX sends an authentication request to the AAA server for serial|telnet|ssh|http|enable that I know of. If you are authenticating VPN clients via TACACS, I am not sure off the top of my head.
cheers
06-02-2006 01:06 PM
We are running across the same thing here. My question is: what TACACS+ or TACACS server supports two-factor authentication?
06-02-2006 03:30 PM
According to this article, "The Power Behind RSA SecurID® Two-factor User Authentication: RSA ACE/Server", page 4 of 11, it seems that TACACS+ supports server sessions.
http://www.opsec.com/solutions/partners/downloads/rsa_securid_whitepaper.pdf
"Most leading remote access server, firewall, VPN and router products have built-in RSA ACE/Agents for compatibility with RSA SecurID two-factor authentication. In addition, both TACACS+ and RADIUS authentication support RSA ACE/Server sessions."
Anyway, in general, what is the best way to set up 2-factor authentication on a PIX?
06-03-2006 02:49 AM
Hi .. the best two-factor authentication that I have come across is always RSA SecurID. Basically you configure the AAA options in your PIX as a RADIUS client while the RSA ACE is the RADIUS server.
This is a quick example that I have set up in the past using an ASA.
I hope it helps .. please rate it if it does !!!
aaa-server RADIUS_SERVERS protocol radius
aaa-server RADIUS_SERVERS host RSA_SERVER
 timeout 5
 key ********
tunnel-group GT_VPN_RSA type ipsec-ra
tunnel-group GT_VPN_RSA general-attributes
 address-pool VPN_rsa_pool
 authentication-server-group RADIUS_SERVERS
tunnel-group GT_VPN_RSA ipsec-attributes
 pre-shared-key *
For configuring a PIX running 6.XX you can check the command reference under the aaa-server and vpngroup commands.
I hope it helps ... please rate it if it does !!!
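As an added illustration (not the poster's configuration, and not taken from any Cisco document), here is the same idea written in PIX 6.x syntax, where the VPN group is defined with vpngroup instead of tunnel-group, and a TACACS+ group is added for management access since that is what the original question asked about. The PIX itself never sees or validates the token code: it relays the username and passcode to the AAA server, so the second factor only works if that TACACS+ or RADIUS server is the one that understands it. Server addresses, names, the address pool and the crypto map name are assumed placeholders.

```cisco
! --- Management access (serial/telnet/ssh/http/enable) via TACACS+ ---
! Two-factor only works here if the TACACS+ server itself validates the
! token passcode; the PIX just forwards whatever the admin types.
aaa-server TACACS_SERVERS protocol tacacs+
aaa-server TACACS_SERVERS (inside) host 10.1.1.10 tacacs-shared-secret timeout 5
aaa authentication serial console TACACS_SERVERS
aaa authentication ssh console TACACS_SERVERS
aaa authentication http console TACACS_SERVERS
aaa authentication enable console TACACS_SERVERS

! --- Remote-access VPN users via RADIUS to the RSA ACE/Server ---
! The RSA server is the RADIUS server; the PIX is only a RADIUS client.
aaa-server RADIUS_SERVERS protocol radius
aaa-server RADIUS_SERVERS (inside) host 10.1.1.20 radius-shared-secret timeout 5

! Address pool handed to VPN clients (assumed range)
ip local pool VPN_rsa_pool 192.168.50.1-192.168.50.50

! PIX 6.x equivalent of the tunnel-group block above
vpngroup GT_VPN_RSA address-pool VPN_rsa_pool
vpngroup GT_VPN_RSA password ********

! Tie extended (XAUTH) user authentication on the crypto map to the RADIUS group
crypto map OUTSIDE_MAP client authentication RADIUS_SERVERS
```

The two groups are deliberately separate so that a problem with the RSA server only affects VPN logins and not the ability to reach the firewall console, and so that each server's shared secret is scoped to the one function it serves.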
06-03-2006 08:53 AM
Well, I don't want to use RADIUS at all if possible.
So if you don't have a RADIUS server, what are my options?