Cisco Support Community

New Member

Two factor authentication configured on a Router

I have a customer who falls under PCI Compliance scrutiny. I was in conversation yesterday with the auditor, and he indicated that I did not have Two Factor authentication set up exactly as it is defined.

What I have configured is that when an admin attempts to authenticate to our router, the router is configured to talk to our TACACS box which in turn queries our Active Directory for authentication. Once authenticated via TACACS, the authenticating admin is prompted for the enable secret password.

The auditor explained to me that this was two examples of "something you know" and realistically would not pass for Two factor authentication.

How can I configure my router(s) for Two factor authentication?

Thanks

Kevin

4 REPLIES
New Member

Re: Two factor authentication configured on a Router

Using something like SecurID tokens in addition to the password would take care of that. So the user would enter their username, password and SecurID token reading instead.

you know the password

you have the token

2 factor vs 1 factor 2 times.

You might also be able to pass the audit by allowing login from only restricted IP addresses. The machines owning those IP addresses require thumb prints for access (something you are).

While I'm sure there are a lot of options / combos - in actual deployments I've only seen the something you have (RSA SecurID token for example) and something you know (password) 2 factor login to routers/switches.
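As an added illustration (not from this thread or from Cisco), the router-side piece of the token-plus-password setup described above: the router only hands the login to a TACACS+ server, and that server must itself be integrated with the token server (e.g. RSA Authentication Manager), so the "password" the admin types is the AD password followed by the token code. The server name, IP address and shared key are placeholders.

```cisco
! Turn on the AAA subsystem (required before any aaa authentication commands)
aaa new-model
!
! Login on VTY lines goes to TACACS+ first; "local" is only a fallback
! for when every TACACS+ server is unreachable.
aaa authentication login VTY-2FA group tacacs+ local
!
! Enable mode is also checked against TACACS+ (no second "something you know"
! held only on the router), falling back to the local enable secret.
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
!
! TACACS+ server definition - PLACEHOLDER address and key, assumed values.
! This server is assumed to be joined to AD and to the token server,
! so one login prompt verifies both the password and the one-time token code.
tacacs server ACS-2FA
 address ipv4 192.0.2.10
 key EXAMPLE-SHARED-KEY
!
! Keep a local fallback account for the outage case only.
username admin-fallback privilege 15 secret EXAMPLE-FALLBACK-SECRET
!
line vty 0 4
 login authentication VTY-2FA
 transport input ssh
```

Because the token check lives entirely on the TACACS+/token server, the router configuration alone does not prove two factors; the auditor will want to see the server-side integration as well.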

New Member

Re: Two factor authentication configured on a Router

I appreciate your answer.

Can you comment further on the part where you indicated "The machines owning those ip addresses require thumb prints for access (something you are)."

I am not understanding what the thumb print is here. Where does a router store a thumb print?

New Member

Re: Two factor authentication configured on a Router

Thumb print in this example would be the second factor.

3 factors to choose from:

1.) Something you know (e.g. passwords)

2.) Something you have (e.g. a token that produces sync'd keys with a server)

3.) Something you are (e.g. thumb print)

As long as logging into the router/switch/server/etc requires a combination of 2 of the above 3 you are passing the audit requirement of 2 factor authentication.

In the example of limiting login to a group of known devices (which can only be accessed via thumb print) and requiring a password on the accessed device you would be utilizing 2 factor authentication.

While this or the token example would pass the audit, that does not mean other creative examples would not be better in your particular situation. It may not be feasible for you to limit remote access to the router/switch. Additionally, if the router/switch is not in a secured facility it would not be enough to only look at remote access. One would also need to consider console/physical access to the device and whether it still requires 2 factor authentication.

Re: Two factor authentication configured on a Router

Just some background information on two factor authentication:

Two Factor authentication

http://en.wikipedia.org/wiki/Two-factor_authentication
