
VPN Auth Design recommendation needed

fmirecki
Level 1

Hello All,

I am currently in need of an Auth scheme that protects our internal assets from prying eyes. Currently we have Remote access VPN clients (VPN Client 3.X) connecting to a 2621 with 3DES tunnels with Pre-shared key. We have preconfigured the client that we are shipping out; however, we want to ensure that none of our clients sends the setup.exe to another PC and installs the client there as well, then informs them of their password to obtain access.

This VPN is to be used by up to 20 users, so we don't want to spend a lot over this issue. What can I do to ensure that it is the rep? Should I be installing MS IAS and CA? Or RSA SecurID? Any ideas would be greatly appreciated.

Thank you,

Frank

6 Replies

cjacinto
Cisco Employee

If you want to just authenticate the user, you could implement xauth and authenticate the users via Radius, which could backend to a One Time Password server such as SecurID. This would make it a bit harder to share their passwords. If you want to go even further, so it would be even harder to connect with their group name/password, you could implement the use of certificates (using the OU as their group name); thus they need to enroll their machines to your cert server before they could connect to your router.

Of course you need to enroll your router to the same CA too.

If I use certificates, a certificate has to be enrolled for their PC, is this correct? That certificate is not transferable? Is the backend to an OTP server cost effective for only 20 users? Can you give me a sample config and some recommendations for an OTP server to use?

Would it be possible to use Microsoft CA for the certificates? Is there a config for using Microsoft CA with the router and client?

Taking into consideration that we are dealing with 20 users, which is most cost effective and simple to work with for this situation?

Thank you for taking the time to respond, your help is greatly appreciated.

Frank Mirecki

The certificate is a machine cert and is not transferable from one machine to another, not unless you are using a smart card. For the backend to OTP, don't know the cost really but it might be more than using certs, since you have to buy the 3rd party OTP software and tokens, whereas a MS CA is free with Windows 2K.

Sample config of router and client using certs is on:

http://www.cisco.com/warp/customer/471/unityclient-ios.html

The implementation using MS CA is quite straightforward to do, and cost effective in my opinion.

If you want to do Radius Xauth (which may or may not backend to an OTP server), then the sample config is on:

http://www.cisco.com/warp/customer/707/ios_usr_rad.html
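For readers who cannot reach the two Cisco documents above, the following IOS configuration fragment is an added illustration of the design described in this thread (xauth against a RADIUS server, with the ISAKMP peer authenticated either by the existing group pre-shared key or by certificates whose OU names the group). It is not the configuration from the linked Cisco pages or from the router in question; the interface, IP addresses, pool range, trustpoint name, enrollment URL, group name and placeholder secrets are assumptions, and the command syntax is that of the 12.2T-era Easy VPN server, so verify each line against the linked documents for your IOS release.

```text
! --- AAA: xauth user credentials go to RADIUS (which may front an OTP server),
!     group policy is looked up locally ---
aaa new-model
aaa authentication login vpn-xauth group radius local
aaa authorization network vpn-group local
radius-server host 10.1.1.5 auth-port 1645 acct-port 1646 key <RADIUS-shared-secret>
!
! --- Option A: ISAKMP peer authentication by group pre-shared key (what runs today) ---
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
!
! --- Option B: ISAKMP peer authentication by certificate; the client certificate's
!     OU must equal the group name configured below (vpnusers) ---
crypto isakmp policy 20
 encr 3des
 hash sha
 authentication rsa-sig
 group 2
crypto ca trustpoint MSCA
 enrollment url http://10.1.1.10:80/certsrv/mscep/mscep.dll
 subject-name CN=vpn-router,OU=vpnusers
!
! --- Group policy handed to the client (mode-config) ---
crypto isakmp client configuration group vpnusers
 key <group-pre-shared-key>
 pool vpnpool
 dns 10.1.1.20
 domain example.com
ip local pool vpnpool 10.10.10.1 10.10.10.20
!
! --- IPsec: 3DES/SHA transform, dynamic crypto map for road warriors ---
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
 set transform-set ESP-3DES-SHA
 reverse-route
!
! --- Tie xauth (user), group authorization and address assignment to the map ---
crypto map clientmap client authentication list vpn-xauth
crypto map clientmap isakmp authorization list vpn-group
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 crypto map clientmap
```

With only Option A in place, the group key is the same for every copy of the shipped installer, so the per-user check rests entirely on the xauth credential that RADIUS validates; the "client authentication list" line is what forces that second prompt.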

Just to add to this, the certs are exportable and thus could be moved from one machine to another. I stand corrected on my previous statement. Just bear in mind that the cert is your groupname/password, i.e. your pre-shared key. If you want to further authenticate users connecting, you could implement xauth in conjunction with certs. A bit complicated, but it all depends on your security policy: simple implementation against more security and a more complex implementation.

Besides authentication, what can I do to ensure that only the laptops we authorized have access to our VPN, ensuring that users cannot load a VPN on an unauthorized PC? If certificates are transferable, then they defeat the purpose and are the same as using a group key in terms of host connectivity. We require some kind of service that does the equivalent of checking the MAC address to ensure that it is one that is listed to enable access.

Any ideas? If User Authentication is the only solution then we are pretty much looking at a OTP solution.

Thank you,

Frank Mirecki

mike.scaggs
Level 1

The two factor auth is a good way that I use. The radius piece is fairly easy and the token server is not bad either. The UNIX version of SAFEWORD turns out to be even easier than the Windows stuff. The issue of course is cost.

This will keep your users from passing their install disk around and force them to have a token on their keychain. Other than that you could always run off those pesky users!! hehe

Scaggs
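To make concrete why the two-factor design in this reply (and the RADIUS-to-OTP backend suggested earlier in the thread) defeats a copied installer, here is an added, self-contained Python model of the pieces that sit behind the router. It is not code from the thread, from any Cisco product, or from SafeWord/SecurID: the RADIUS side implements the PAP User-Password hiding of RFC 2865 section 5.2 as a NAS and server would, and the token server validates a memorised PIN followed by an RFC 4226 HOTP code. The username, PIN, token seed and shared secret are constructed sample data (the seed is the RFC 4226 test-vector seed), and the token look-ahead window is an assumption.

```python
"""
Two-factor xauth behind RADIUS, modelled end to end (added example, not code
from the thread or any vendor). A copied installer gives an attacker the group
key and the PIN at most; without the hardware token the HOTP code is missing,
and a code observed once is consumed so it cannot be replayed.
"""
import hashlib
import hmac
import os
import struct

# Constructed sample data: router <-> RADIUS shared secret (assumption).
RADIUS_SECRET = b"constructed-shared-secret"


def radius_pap_encode(password: bytes, authenticator: bytes, secret: bytes) -> bytes:
    """Hide a PAP User-Password the way the NAS does in an Access-Request (RFC 2865 5.2)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator          # first block is keyed by the Request Authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c                            # later blocks chain on the previous ciphertext
    return out


def radius_pap_decode(hidden: bytes, authenticator: bytes, secret: bytes) -> bytes:
    """Recover the password on the RADIUS server side; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenServer:
    """Minimal OTP backend: username -> (pin, token seed, next expected counter)."""

    def __init__(self, users):
        self.users = {u: {"pin": p, "seed": s, "counter": c} for u, (p, s, c) in users.items()}

    def verify(self, username: str, password: bytes, window: int = 5) -> bool:
        rec = self.users.get(username)
        if rec is None:
            return False
        pin, code = password[:-6], password[-6:]          # user types PIN immediately followed by code
        if not hmac.compare_digest(pin, rec["pin"]):
            return False
        for n in range(rec["counter"], rec["counter"] + window):   # tolerate a few unused presses
            if hmac.compare_digest(code, hotp(rec["seed"], n).encode()):
                rec["counter"] = n + 1                          # consume: the same code never works twice
                return True
        return False


def radius_access_request(server: TokenServer, username: str,
                          hidden_password: bytes, authenticator: bytes) -> bool:
    """What the RADIUS server does with the Access-Request the router built from xauth."""
    password = radius_pap_decode(hidden_password, authenticator, RADIUS_SECRET)
    return server.verify(username, password)


def demo() -> dict:
    """Run the scenarios from the thread: legitimate token holder vs. someone with a copied installer."""
    seed = b"12345678901234567890"          # constructed: RFC 4226 test-vector seed
    server = TokenServer({"frank": (b"1234", seed, 0)})
    ra = os.urandom(16)                     # Request Authenticator chosen by the router

    def attempt(user: str, typed: bytes) -> bool:
        return radius_access_request(server, user, radius_pap_encode(typed, ra, RADIUS_SECRET), ra)

    return {
        "token_holder": attempt("frank", b"1234" + hotp(seed, 0).encode()),
        "replay_same_code": attempt("frank", b"1234" + hotp(seed, 0).encode()),
        "pin_only_shared": attempt("frank", b"1234" + b"000000"),
        "next_token_code": attempt("frank", b"1234" + hotp(seed, 1).encode()),
        "unknown_user": attempt("eve", b"1234" + hotp(seed, 2).encode()),
    }


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:18s} -> {'Access-Accept' if accepted else 'Access-Reject'}")
```

The PAP hiding is only obfuscation keyed by the RADIUS shared secret, which is why the router-to-RADIUS leg should stay on a trusted segment; the security property the thread is after comes from the token server consuming each code, so a colleague given the installer and the PIN still fails at the second factor.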
