Does anyone have any recommendations for tokens/biometrics/smart card authentication for the VPN 3000? Currently we're using ACS 3.1 for authentication on our 3030s, and are looking at tokens, etc. Thanks.
An option that I've had unofficially recommended to me in these sorts of situations is to try and maintain separation between the VPN component and the authentication component. What happens is that the token-based authentication server is located behind the VPN concentrator, and token-based authentication occurs AFTER the VPN has been established (usually by means of group files etc.).
The advantage of this approach is that there is no dependency between your VPN RAS solution, and your token solution. If you want to replace one, you can do so without affecting the other.
Personally, I have seen SafeWord tokens used both in conjunction with the VPN concentrator itself, and also installed on a web site that can only be reached through a VPN RAS tunnel. They seem to work okay, although I'm reserving judgement on security to do with the tokens themselves.
We use RSA SecurID for this and it works well. The comms between our 3015 and the ACE server uses RSA's SDI interface, meaning full encryption. On the ACE server you also need to give the user access to the VPN, i.e. the VPN gets defined as a client and users need to be added to the client in order to authenticate via them. Setup is very easy.