Cisco Support Community

New Member

VPN 3000 token/biometric recommendations

Does anyone have any recommendations for tokens/biometrics/smart card authentication for the VPN 3000? Currently we're using ACS 3.1 for authentication on our 3030s, and are looking at tokens, etc. Thanks.

New Member

Re: VPN 3000 token/biometric recommendations

An option that I've had unofficially recommended to me in these sorts of situations is to try and maintain separation between the VPN component and the authentication component. What happens is that the token-based authentication server is located behind the VPN concentrator, and token-based authentication occurs AFTER the VPN has been established (usually by means of group files etc.).

The advantage of this approach is that there is no dependency between your VPN RAS solution, and your token solution. If you want to replace one, you can do so without affecting the other.

Personally, I have seen SafeWord tokens used both in conjunction with the VPN concentrator itself, and also installed on a web site that can only be reached through a VPN RAS tunnel. They seem to work okay, although I'm reserving judgement on security to do with the tokens themselves.

New Member

Re: VPN 3000 token/biometric recommendations

We use RSA SecurID for this and it works well. The comms between our 3015 and the ACE server uses RSA's SDI interface, meaning full encryption. On the ACE server you also need to give the user access to the VPN, i.e. the VPN gets defined as a client and users need to be added to the client in order to authenticate via them. Setup is very easy.

Unfortunately RSA is rather expensive.