
3725 Router - Remote Access via RSA ?

dclee
Level 1

We currently have a remote access router (3725) we use for some dialup customers, among other things. It is currently set up to query a RADIUS server running on our Microsoft domain controller (using domain credentials). All other remote access (SSL, IPSEC) is configured to use our SecurID server via RSA and tokens. I would like to change our remote access router to do the same.

1 - Can I reconfigure my 3725 to use native RSA, or am I stuck with using RADIUS?

2 - The router is already configured to use RADIUS; is it now just a matter of pointing the RADIUS requests to our RSA server (RADIUS is running) via the radius-server host command?

Any help would be appreciated.

Cheers

6 Replies

lgijssel
Level 9

There is very little difference between the two solutions. Authentication via tokens is most often handled by either a RADIUS or a TACACS server. The only difference is the type of credentials used.

With Cisco Secure ACS you can configure the server to use an RSA server for authentication. You should check your RADIUS documentation to learn what your server is capable of.

When you already have an environment running with RSA authentication, it should be a small step to alter the authentication method on a single router.

Regards,

Leo

j.kougoulos
Level 4

You are stuck with RADIUS; you may use the RSA RADIUS server by changing the radius-server host command.

However, if you need to support callback or multilink PPP, you should have a RADIUS server that supports "token caching"; ACS supports this feature.

Another option, and a better one I think, is to preserve the current scheme (reusable passwords for dial-up) and force the users to use client VPN (authenticated via SecurID) to connect to your network.

This is because you cannot support next-token mode via dial-up, and also the passcode is transferred in clear text in a dial-up session (via PAP or the username in CHAP).

Cheers!

Thanks, we already use both SSL and IPSEC appliances for remote access via SecurID. However, the dialup is there for a few key users who don't currently have internet b/c of their remote locations.

I would love to get rid of dialup altogether, however it isn't possible at this time. So what you are suggesting is to allow the dialup connection, limiting the connection to a subnet that has no internal access, and from there allow an IPSEC connection in? Sounds pretty good and very doable on my end.

Correct!
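
A sketch of the isolation agreed on above, added here as an example and not taken from any poster's configuration: dial-up clients receive addresses from a dedicated pool and can reach only the IPsec VPN appliance. The addresses (documentation ranges), the pool and ACL names, and the `Group-Async1` interface are assumptions, not values from the thread.

```cisco
! Added example: addresses, names and the interface are assumptions.
! 192.0.2.128/27  = dedicated dial-up client pool (documentation range)
! 198.51.100.10   = address of the IPsec VPN appliance (placeholder)
!
ip local pool DIALUP-POOL 192.0.2.129 192.0.2.158
!
ip access-list extended DIALUP-TO-VPN-ONLY
 remark IKE, NAT-T and ESP to the VPN appliance only
 permit udp 192.0.2.128 0.0.0.31 host 198.51.100.10 eq 500
 permit udp 192.0.2.128 0.0.0.31 host 198.51.100.10 eq 4500
 permit esp 192.0.2.128 0.0.0.31 host 198.51.100.10
 remark Everything else from dial-up clients is dropped and logged
 deny   ip any any log
!
interface Group-Async1
 ! Hand dial-in peers an address from the isolated pool
 peer default ip address pool DIALUP-POOL
 ! Filter traffic arriving from dial-in clients
 ip access-group DIALUP-TO-VPN-ONLY in
```

With this in place the dial-up login can keep its existing reusable-password RADIUS check, and the SecurID passcode is entered only inside the IPsec session rather than over PAP or CHAP.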

shaunr.naidoo
Level 1

Hi!

I'm trying to get callback working with RADIUS.

Without callback, everything works fine.

When callback configurations are added, it connects but hangs at verifying username and password.

Is it possible to mail me your configs?

Setup is similar to yours.

Have you enabled token caching on the RADIUS server?

You have to set up the timeout for token caching so that the router has enough time to dial back the PC and do the authentication.
