Currently we are authenticating user by below 2 methods, please advise that is this sufficient security/ best practice or do you recommend extra security.
1) Corporate User ONLY: Anyconnect User Authenticate against AAA(Radius), then in ACS we have configured dACL in user groups to restrict the user access.
2) Non-Corporate Users ONLY: About 200 Non-Corporate users authenticate to Anyconnect vpn via SecureID, then in ACS we have configured dACL in user groups to restrict their access. in Anyconnect client user just enter its username and then enter RSA SecureID autogenerated keys then they are authorized.
1) Do you think that for Corporate/ Non-Corporate User, this is enough security, if not then please suggest a better solution
2) RSA SecureID key maintenance and its postage to clients is a lenghty procedure, do you recommend if we finish RSA SecureID procedure and instead create Non-Corporate users in AAA and also authenticate them like Corporate users, obviously create a group for them and apply the dACL with restricted subnets for this group. OR please suggest a better solution.
Only you can answer the "is this enough security" question based on your company's individual risk assessment. Generally speaking two-factor authentication is considered a best practice. One thing to consider is that the administrative burden of maintaining separate systems and lists of users for different access levels may negate the additional security obtained thus. For that reason, among others, one very sustainable standard is your AAA server proxying back to your AD / LDAP identity store which is itself configured to require two-factor authentication. All users would use this method and, based on their individual identity and group membership, would be granted to necessary access levels. Using that scheme, revocation or change of any user is always done at the same administrative control point.
As far as the overhead of mailing out SecureID fobs or cards, have you considered using the SecureID smartphone application?
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...