Cisco Support Community

New Member

Need advice on two-factor authentication for VPN

I have been asked to evaluate options to add a second factor to authentication for our existing VPN infrastructure (two VPN 3000 concentrators in an active/standby pair).

What's the most popular thing for this? Is it RSA SecureID tokens and the AM server? I think I looked into that many years ago, but it was a little too expensive for the place I was working at. Are there cheaper but still popular options, or are they not worth looking at?

If we go with hardware tokens, we'll definitely need a server of some kind, correct? The 3000 concentrator can't handle that internally? That's the impression I get, but want to make sure.

Are smart cards used much for this? I have a little bit of experience (very little) with hardware tokens, but haven't used smart cards for authentication.



Re: Need advice on two-factor authentication for VPN

I use RSA SecurID integrated with Steelbelt/Juniper for SSL VPN (F5 Firepass) and remote access VPN on Cisco VPN concentrator and it works great but a bit

There is a very popular 2-factor authentication called WiKID server. They come in both open source and pay versions. The pay version is dirt cheap especially for non-profit and education customers, something like $24/user for three years for the whole solution, including support.

This is a software 2-factor authentication, but it is just as secure as the hardware-token-based RSA SecurID.

I really like this product because it has both RADIUS and TACACS+ built in. The best thing about this is that they give you an ISO; you install it on an x86 machine and you are ready to go. Extremely easy to set up and configure. The product is extremely stable and you can easily set up replication for redundancy as well.

My 2c

New Member

Re: Need advice on two-factor authentication for VPN

We use RSA Authentication Manager with both hardware tokens, and a few software tokens.

So with the tokens, the two factors are something you have, and something you know. You have the token, you know the PIN. Another factor could be biometric. Or the something you have could be a certificate.

So the ASA is configured to ask AAA servers for authentication - which are the RSA ACE servers with the token database on them. We also use RSA's RADIUS to pass back a class of different profiles, so that we can configure different group profiles and either allow full access, or restrict access to contractors and partners with Access Control Lists.

Hope this helps.
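The exchange described above, as an added example that is not code from this thread or from RSA or Cisco: a minimal RADIUS client side in Python. The token passcode travels in a User-Password attribute hidden per RFC 2865, and the Class attribute in the Access-Accept is mapped to a group profile only after the Response Authenticator and packet ID are checked. The shared secret, username, Class values and profile names are constructed placeholders, and the server reply is built locally so the example runs offline.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, CLASS = 1, 2, 25      # attribute types from RFC 2865

def _password_xor(data, secret, req_auth, hiding):
    # RFC 2865 5.2: block_i XOR MD5(secret + previous wire block); Request Authenticator comes first.
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        res = bytes(x ^ y for x, y in zip(block, mask))
        out, prev = out + res, (res if hiding else block)
    return out
def hide_password(passcode, secret, req_auth):       # zero-pad to 16-byte blocks, then hide
    return _password_xor(passcode + b"\x00" * (-len(passcode) % 16), secret, req_auth, True)
def unhide_password(wire, secret, req_auth):
    return _password_xor(wire, secret, req_auth, False).rstrip(b"\x00")
def attr(t, v):                                       # Type, Length (incl. header), Value
    return struct.pack("!BB", t, len(v) + 2) + v
def parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs
def build_access_request(ident, user, passcode, secret, req_auth):
    # req_auth must be 16 fresh random bytes per request (os.urandom(16) in practice).
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(passcode, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
def build_access_accept(ident, req_auth, secret, class_value):
    # Server side, built here so the example runs offline; Response Authenticator per RFC 2865 s.3:
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    attrs = attr(CLASS, class_value)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs
def profile_from_response(resp, ident, req_auth, secret, profiles):
    # Client side: check ID and Response Authenticator before trusting any attribute.
    code, rid, length = struct.unpack("!BBH", resp[:4])
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    if rid != ident or length != len(resp) or not hmac.compare_digest(expected, resp[4:20]):
        raise ValueError("Response Authenticator/ID mismatch: reply not from our RADIUS server")
    if code != ACCESS_ACCEPT:
        return None                                   # Access-Reject: wrong PIN or passcode
    classes = [v for t, v in parse_attrs(resp[20:]) if t == CLASS]
    return profiles.get(classes[0], "restricted") if classes else "restricted"
```

The profile dictionary stands in for the concentrator's group-profile lookup; an unknown or missing Class falls back to the most restrictive profile rather than full access.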

New Member

Re: Need advice on two-factor authentication for VPN

Thanks for the great replies... I think I have just one more question before I report back to management. The usual way to implement two-factor authentication on the 3000 is through an AAA server like Radius, correct? I thought I saw some post somewhere mentioning that you can do it with Radius... is that possible? I'm guessing that most two-factor authentication solutions will come with some implementation of Radius, or with Radius support. Does this all sound accurate?

Thanks again for your help!

New Member

Re: Need advice on two-factor authentication for VPN

I didn't see a way to edit my last post... I meant I saw a post that said you didn't need Radius to do two-factor authentication on the VPN 3000. Is that possible?

Hall of Fame Super Silver

Re: Need advice on two-factor authentication for VPN


Our 3060 concentrators authenticate directly with the RSA server, no need for Radius.




Re: Need advice on two-factor authentication for VPN

It really depends on your requirements. RSA server does not have the ability to return RADIUS attributes such as IP addresses and some other things. Most people do not want to set up IP pools on the VPNc itself so they use RSA server with integrated RADIUS.