Virtual Token Authentication

Hamood Rehman
Level 1

Hello,

I am looking for general information about virtual token authentication. My company has been directed to use TFA and virtual token auth is one of the options I'm looking at. If anyone can share their experience with installing, configuring, costs, and operation of Virtual Tokens, that will be great.

Thanks.

5 Replies

hobbe
Level 7

Hi

I am not sure what you mean by "Virtual Tokens".

A virtual token can be many different things.

The biggest problem with "virtual tokens" in phones or computers is that they are basically all possible to copy and use by an aggressor.

Ask yourself:

If it is in your computer, can you make a VM that can use it?

If it is in your PDA/Smartphone/Phone, can you make a copy of the memory and extract the token information?

If it is sent as an SMS, can it be tampered with or diverted/copied?

The answers to all of these questions are up to you to decide whether it is "safe enough".

In my mind they are all not on par with real tokens: you either have them or you do not.

I just wanted to give you a heads up that not everything is as safe as it appears.

Good luck

HTH

Thanks Hobbe,

We have six ASA firewalls and two VPN concentrators, about thirty L2L tunnels and a couple hundred SSL VPN users. We need to have either RSA tokens, certs or virtual tokens. In our case it doesn't seem like rogue VMs, stolen PDAs, etc. will be an issue. Do you know how to configure virtual tokens (or of a config guide) on ASA, internal servers and clients?

Thanks.

Hi

First of all I would stay clear of the RSA tokens.

In my personal opinion they are flawed from the start. They had a famous break-in where this flaw was later used to attack another company.

Part of the flaw? RSA has the seeds of the tokens! Do a search on the net and you will find more.

There are several other companies that will give you more bang for the buck, so to say, where you can set the seeds yourself.

Now to your question regarding config guides.

The tokens are installed differently depending on what make or model they are.

When it comes to the firewalls and using tokens, AAA is the name of the game; it's all done via the RADIUS/TACACS+ server.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c18ff.shtml

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_aaa.html

Certificates are quite nice; however, the downside is that the certificates need to be checked against revocation lists and they do have a finite lifetime. When it comes to certificates, they have the same flaw as soft tokens, i.e. you can make a copy of them.

good luck

HTH

Thanks Hobbe,

I have used TACACS and RADIUS before, and using those for username/password authentication does not meet FFIEC/FDIC TFA authentication requirements; that's the reason I need to have either certs or tokens.

Thanks for the links.

Hi

The firewall talks to a RADIUS or TACACS+ server that knows the secrets and tells the firewall how to behave.

A very basic example; since it is very simplified it is somewhat wrong, but it is meant to make whoever reads this understand the basic concept.

The VPN client (e.g.) opens a connection to the firewall.

The firewall asks the client for information if none is provided from the beginning.

The client sends authentication data such as username, password, group attributes and so on.

The firewall opens a connection to the RADIUS server and tells the RADIUS server that the firewall has a request from

Username MR-X

Password MR-Xpassword

The RADIUS server looks at the information and checks its records to see if the information is correct, or if it does not know itself, it will ask whoever knows it, such as an LDAP request to the Microsoft domain server or another RADIUS server.

If the information checks out OK, the account also states that there is a token and it must be used.

So the RADIUS server now tells the ASA "hey, that's all well and OK, but does he know the secret?"

The ASA now turns around and asks the VPN client for the secret, who in turn asks the user for the secret.

The user supplies the secret to the VPN client, and the VPN client tells the ASA, who in turn tells the RADIUS server.

The RADIUS server now decides that the secret is either wrong or right, and lets the ASA know whether the user should be let in or not. If the user is right, then the ASA will propagate the right access-lists, give out an IP address and let the client in.

Bottom line

The ASA does not know the answer to the two-factor authentication question; it only relays that and other information to the RADIUS/TACACS+ server that knows that information.

It's a little bit different with certificates.

So if you are thinking of using RSA tokens, somewhere there is an RSA RADIUS server that knows the token information and to which the ASA will send information.

So the name of the game is AAA; without it, tokens do not work.

good luck

HTH
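The two-round exchange described in the reply above, as an added example that is not part of the original thread or of any Cisco or RSA product: the ASA relays username/password, gets an Access-Challenge carrying a State attribute, relays the token code the user types, and applies the verdict. The user record, token seed, counter and returned IP/ACL names are constructed sample values; the token code is a HOTP-style HMAC truncation, which is an assumption about the token, not something the thread specifies.

```python
import hmac, hashlib, secrets

# Constructed sample data: the password and token seed live only on the RADIUS server.
USERS = {"MR-X": {"password": "MR-Xpassword", "seed": b"constructed-seed"}}
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11

def token_code(seed: bytes, counter: int) -> str:
    """6-digit HOTP-style code (RFC 4226 dynamic truncation); the token and the server both compute it."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF
    return f"{num % 1_000_000:06d}"

class RadiusServer:
    """Knows passwords and token seeds; the ASA never sees either."""
    def __init__(self, users: dict, counter: int):
        self.users, self.counter, self.pending = users, counter, {}

    def handle(self, req: dict) -> dict:
        user = self.users.get(req["User-Name"])
        state = req.get("State")
        if state is None:  # round 1: username/password from the ASA
            if not user or not hmac.compare_digest(user["password"], req["User-Password"]):
                return {"Code": ACCESS_REJECT}
            state = secrets.token_hex(8)          # opaque value the ASA must echo back
            self.pending[state] = req["User-Name"]
            return {"Code": ACCESS_CHALLENGE, "State": state, "Reply-Message": "Enter token code"}
        # round 2: the token code arrives in User-Password; State ties it to round 1 (single use)
        if not user or self.pending.pop(state, None) != req["User-Name"]:
            return {"Code": ACCESS_REJECT}
        if not hmac.compare_digest(token_code(user["seed"], self.counter), req["User-Password"]):
            return {"Code": ACCESS_REJECT}
        return {"Code": ACCESS_ACCEPT, "Framed-IP-Address": "10.0.0.5", "Filter-Id": "vpn-users-acl"}

def asa_login(server: RadiusServer, username: str, password: str, ask_user) -> dict:
    """The ASA only relays: credentials go to the server, the challenge goes to the user, the answer goes back."""
    resp = server.handle({"Code": ACCESS_REQUEST, "User-Name": username, "User-Password": password})
    if resp["Code"] == ACCESS_CHALLENGE:
        code = ask_user(resp["Reply-Message"])    # VPN client prompts the user for the secret
        resp = server.handle({"Code": ACCESS_REQUEST, "User-Name": username,
                              "User-Password": code, "State": resp["State"]})
    return resp  # ASA applies Framed-IP-Address / Filter-Id only on ACCESS_ACCEPT
```

Replaying the second Access-Request with a State that has already been consumed is rejected, which is the property a real server's State cache should also give you.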