I am looking for general information about virtual token authentication. My company has been directed to use TFA, and virtual token auth is one of the options I'm looking at. If anyone can share their experience with installing, configuring, costs, and operation of virtual tokens, that would be great.
We have six ASA firewalls and two VPN concentrators, about thirty L2L tunnels and a couple hundred SSL VPN users. We need to have either RSA tokens, certs or virtual tokens. In our case it doesn't seem like rogue VMs, stolen PDAs, etc. will be an issue. Do you know how to configure virtual tokens (or of a config guide) on ASA, internal servers and clients?
Certificates are quite nice; however, the downside is that the certificates need to be checked against revocation lists, and they have a finite lifetime. When it comes to certificates, they have the same flaw as soft tokens, i.e. you can make a copy of them.
The firewall talks to a RADIUS or TACACS+ server that knows the secrets and tells the firewall how to behave.
A very basic example; since it is very simplified it is somewhat wrong, but it is meant to make whoever reads this understand the basic concept.
The VPN client (for example) opens a connection to the firewall.
The firewall asks the client for information if none is provided from the beginning.
The client sends authentication data such as username, password, group attributes and so on.
The firewall opens a connection to the RADIUS server and tells the RADIUS server that the firewall has a request from
The RADIUS server looks at the information and checks its records to see if the information is correct, or if it does not know itself it will ask whoever knows it, such as an LDAP request to the Microsoft domain server or another RADIUS server.
If the information checks out OK, the account also states that there is a token and it must be used.
So the RADIUS server now tells the ASA: "Hey, that's all well and OK, but does he know the secret?"
The ASA now turns around and asks the VPN client for the secret, which in turn asks the user for the secret.
The user supplies the secret to the VPN client, and the VPN client tells the ASA, which in turn tells the RADIUS server.
The RADIUS server now decides either that the secret is wrong or that the secret is right, and lets the ASA know whether the user should be let in or not. If the user is right, then the ASA will propagate the right access lists, give out an IP address and let the client in.
The ASA does not know the answer to the two-factor authentication question; it only relays that and other information to the RADIUS/TACACS+ server that knows that information.
It's a little bit different with certificates.
So if you are thinking of using RSA tokens, somewhere there is an RSA RADIUS server that knows the token information and that the ASA will send information to.
So the name of the game is AAA; without it, tokens do not work.
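The two-leg exchange described above (Access-Request, Access-Challenge carrying a State attribute, a second Access-Request echoing that State with the token code, then Access-Accept or Access-Reject), as an added example that is not part of the original post and not Cisco's or RSA's code. It models the RADIUS server as the only party holding passwords and token seeds, and the ASA as a pure relay. The token algorithm is RFC 4226 HOTP with the RFC's published test seed, standing in for whatever the vendor's soft token actually computes; the user names, passwords, the `VPN-USERS` Class value and the counter window are constructed for the example. Wire-level RADIUS details (User-Password obfuscation with the shared secret, Request Authenticator, Message-Authenticator) are deliberately left out so the control flow stays visible.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field

# RADIUS packet codes (RFC 2865); only the four used in this exchange.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, then
    dynamic truncation to `digits` decimal digits. Stands in for the
    vendor token algorithm; the server-side role is identical."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class Packet:
    """Simplified RADIUS packet: a code plus a flat attribute dict."""
    code: int
    attrs: dict = field(default_factory=dict)


class RadiusServer:
    """Owns the passwords and token seeds. None of it ever reaches the ASA."""

    def __init__(self, users: dict, window: int = 5):
        # users: name -> {"password": str, "seed": bytes | None, "counter": int}
        self.users = users
        self.window = window      # accept a token code up to `window` steps ahead
        self.pending = {}         # State -> user name awaiting the second leg

    def handle(self, req: Packet) -> Packet:
        name = req.attrs.get("User-Name")
        pw = req.attrs.get("User-Password", "")
        if "State" in req.attrs:
            return self._second_leg(name, req.attrs["State"], pw)
        rec = self.users.get(name)
        if rec is None or not hmac.compare_digest(rec["password"], pw):
            return Packet(ACCESS_REJECT, {"Reply-Message": "bad credentials"})
        if rec["seed"] is None:
            return Packet(ACCESS_ACCEPT, {"Reply-Message": "no token on account"})
        # First factor is right and the account carries a token: challenge for it.
        state = secrets.token_bytes(16)
        self.pending[state] = name
        return Packet(ACCESS_CHALLENGE, {"State": state,
                                         "Reply-Message": "Enter your token code:"})

    def _second_leg(self, name, state, code: str) -> Packet:
        # Each State is single use, so a captured challenge cannot be replayed.
        owner = self.pending.pop(state, None)
        if owner is None or owner != name:
            return Packet(ACCESS_REJECT, {"Reply-Message": "unknown or reused State"})
        rec = self.users[name]
        for c in range(rec["counter"], rec["counter"] + self.window):
            if hmac.compare_digest(hotp(rec["seed"], c), code):
                rec["counter"] = c + 1      # burn this code and any skipped ones
                return Packet(ACCESS_ACCEPT, {"Class": "VPN-USERS"})
        return Packet(ACCESS_REJECT, {"Reply-Message": "bad token code"})


class Asa:
    """The VPN headend: relays both legs and holds no secrets of its own."""

    def __init__(self, server: RadiusServer):
        self.server = server

    def vpn_login(self, username: str, password: str, token_prompt) -> tuple:
        """token_prompt(message) models the VPN client asking the user for the
        code. Returns (accepted, attributes the ASA would apply on accept)."""
        reply = self.server.handle(Packet(ACCESS_REQUEST,
                                          {"User-Name": username, "User-Password": password}))
        if reply.code == ACCESS_CHALLENGE:
            code = token_prompt(reply.attrs["Reply-Message"])
            # State is echoed back untouched; that is how the server ties the legs together.
            reply = self.server.handle(Packet(ACCESS_REQUEST, {
                "User-Name": username, "User-Password": code, "State": reply.attrs["State"]}))
        return reply.code == ACCESS_ACCEPT, reply.attrs


# Constructed sample data: the RFC 4226 test seed for a token user, plus a user
# whose account carries no token (password-only accept).
SEED = b"12345678901234567890"


def run_demo() -> dict:
    server = RadiusServer({
        "alice": {"password": "correct horse", "seed": SEED, "counter": 0},
        "bob":   {"password": "no-token-here", "seed": None, "counter": 0},
    })
    asa = Asa(server)
    shown = hotp(SEED, 0)                     # what alice's token displays now
    return {
        "good": asa.vpn_login("alice", "correct horse", lambda _: shown)[0],
        "replay": asa.vpn_login("alice", "correct horse", lambda _: shown)[0],   # same code again
        "next": asa.vpn_login("alice", "correct horse", lambda _: hotp(SEED, 1))[0],
        "wrong_password": asa.vpn_login("alice", "wrong", lambda _: hotp(SEED, 2))[0],
        "wrong_code": asa.vpn_login("alice", "correct horse", lambda _: "000000")[0],
        "no_token": asa.vpn_login("bob", "no-token-here", lambda _: "ignored")[0],
    }


if __name__ == "__main__":
    print(run_demo())
```

The replay case is the point practitioners most often get wrong: a correct code that has already been used must be refused, so the server advances the counter past it and the next login needs a fresh code. On a real ASA the server above corresponds to an `aaa-server` group of `protocol radius` referenced from the tunnel-group's `authentication-server-group`; the ASA's only contribution to the second leg is echoing the State attribute it received in the Access-Challenge.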