https://community.cisco.com/t5/network-access-control/setting-up-2-factor-authentication-to-a-pix/m-p/577036#M5718 <P>Hi guys, is it possible to set up 2 factor authentication using a tacacs+ server in the pix firewall? only want to use a tacacs+ server using aaa on the pix.</P><P></P><P></P><P></P> Fri, 21 Feb 2020 18:16:01 GMT nathan 2020-02-21T18:16:01Z https://community.cisco.com/t5/network-access-control/setting-up-2-factor-authentication-to-a-pix/m-p/577036#M5718 <P>Hi guys, is it possible to set up 2 factor authentication using a tacacs+ server in the pix firewall? only want to use a tacacs+ server using aaa on the pix.</P><P></P><P></P><P></P> Fri, 21 Feb 2020 18:16:01 GMT https://community.cisco.com/t5/network-access-control/setting-up-2-factor-authentication-to-a-pix/m-p/577036#M5718 nathan 2020-02-21T18:16:01Z https://community.cisco.com/t5/network-access-control/setting-up-2-factor-authentication-to-a-pix/m-p/577037#M5720 <HTML><HEAD></HEAD><BODY><P>It is dependant on your TACACS server having the 2 factor support. The PIX sends athentication request to the aaa server for serial|telnet|ssh|http|enable that I know of. If you are authenticating vpn clients via TACACS I am not sure off the top of my head. </P><P>cheers</P></BODY></HTML> Fri, 02 Jun 2006 19:42:08 GMT https://community.cisco.com/t5/network-access-control/setting-up-2-factor-authentication-to-a-pix/m-p/577037#M5720 brian.r.johns 2006-06-02T19:42:08Z https://community.cisco.com/t5/network-access-control/setting-up-2-factor-authentication-to-a-pix/m-p/577038#M5721 <HTML><HEAD></HEAD><BODY><P>We are running accross the same thing here, my question is what tacacs+ or tacacs server supports two factor authentication?</P></BODY></HTML> Fri, 02 Jun 2006 20:06:41 GMT https://community.cisco.com/t5/network-access-control/setting-up-2-factor-authentication-to-a-pix/m-p/577038#M5721 vayusa1234 2006-06-02T20:06:41Z https://community.cisco.com/t5/network-access-control/setting-up-2-factor-authentication-to-a-pix/m-p/577039#M5723 <HTML><HEAD></HEAD><BODY><P>according to this article: "The Power Behind RSA SecurID® Two-factor User Authentication: RSA ACE/Server"</P><P></P><P>page 4of11 it seems that tacacs+ supports server sessions.</P><P></P><P><A class="jive-link-custom" href="http://www.opsec.com/solutions/partners/downloads/rsa_securid_whitepaper.pdf" target="_blank">http://www.opsec.com/solutions/partners/downloads/rsa_securid_whitepaper.pdf</A></P><P></P><P>"Most leading remote access server, firewall,</P><P>VPN and router products have built-in RSA ACE/Agents for compatibility with RSA SecurID two-factor authentication. In addition, both TACACS+ and RADIUS authentication support RSA ACE/Server sessions."</P><P></P><P></P><P>anyways, in general, what is the best way to set up 2 factor authentication on a pix ?</P><P></P><P></P><P></P></BODY></HTML> Fri, 02 Jun 2006 22:30:19 GMT https://community.cisco.com/t5/network-access-control/setting-up-2-factor-authentication-to-a-pix/m-p/577039#M5723 nathan 2006-06-02T22:30:19Z https://community.cisco.com/t5/network-access-control/setting-up-2-factor-authentication-to-a-pix/m-p/577040#M5724 <HTML><HEAD></HEAD><BODY><P>Hi .. the best two factor authentication that I have come across is always RSA secureID. Basically you configure the AAA options in your PIX as radius client while the RSA ACE is the radius server. </P><P></P><P>This is a quick example that I have set up in the past using an ASA. </P><P></P><P>I hope it helps .. please rate it if it does !!!</P><P></P><P>aaa-server RADIUS_SERVERS protocol radius</P><P>aaa-server RADIUS_SERVERS host RSA_SERVER</P><P> timeout 5</P><P> key ********</P><P></P><P>tunnel-group GT_VPN_RSA type ipsec-ra</P><P>tunnel-group GT_VPN_RSA general-attributes</P><P> address-pool VPN_rsa_pool</P><P> authentication-server-group RADIUS_SERVERS</P><P>tunnel-group GT_VPN_RSA ipsec-attributes</P><P> pre-shared-key *</P><P></P><P>For configurating on a PIX running 6.XX you can check the command reference under aaa-server and vpngroup commands</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_book09186a008017284e.html" target="_blank">http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_book09186a008017284e.html</A></P><P></P><P>I hope it helps ... please rate it if it does !!!</P><P></P><P></P><P></P><P></P><P></P><P></P></BODY></HTML> Sat, 03 Jun 2006 09:49:24 GMT https://community.cisco.com/t5/network-access-control/setting-up-2-factor-authentication-to-a-pix/m-p/577040#M5724 Fernando_Meza 2006-06-03T09:49:24Z https://community.cisco.com/t5/network-access-control/setting-up-2-factor-authentication-to-a-pix/m-p/577041#M5725 <HTML><HEAD></HEAD><BODY><P>well, I dont want to radius at all if possible.</P><P></P><P>So if you dont have a radius server, what are my options?</P><P></P><P></P><P></P></BODY></HTML> Sat, 03 Jun 2006 15:53:47 GMT https://community.cisco.com/t5/network-access-control/setting-up-2-factor-authentication-to-a-pix/m-p/577041#M5725 nathan 2006-06-03T15:53:47Z