11-25-2007 08:02 AM - edited 02-21-2020 10:19 AM
We are in the process of implementing two-factor VPN authentication using WIKID but we are having issues, specifically with our ACS. I use the ACS with the Cisco Remote Agent to provide VPN authentication based on AD. The problem is that I would need the ACS to proxy to my WIKID server to authenticate the PIN. I can set up my VPNSM to RADIUS directly to the WIKID server, but then I lose all the grouping and IP parameters I apply to users. On top of that, I would have to go to two places to set up/deactivate a new/terminated employee.
So basically, is there a way for me to use my ACS for Authorization (via Cisco Remote Agent) and forward the username and PIN to the WIKID server for authentication?
11-26-2007 01:48 PM
If you're looking for two-factor authentication, I strongly recommend RSA SecurID. That's the best two-factor authentication, imho.
Something you have & something you know = two-factor authentication
11-28-2007 09:37 AM
If you can set up your VPN to authenticate using RADIUS to the WIKID server, then you should be able to configure ACS to use RADIUS as an external user database (I believe you'd set it up as a RADIUS Token Server). ACS won't be able to directly see AD, but that is ok because the WIKID should take care of that.
As long as the WIKID RADIUS supports Cisco AV Pairs as a reply attribute, you can configure it to return the appropriate ACS group mapping. See http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/qg.html#wp940932
By setting it up as a RADIUS Token Server, you no longer need the Cisco Remote Agent. If you are running ACS 4.x, you may want to also look at configuring a Network Access Profile if you need to configure more flexibility in your external database searching.
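As an added example (not code from this thread, from Cisco, or from WiKID), here is a parser for the RADIUS Access-Accept a token server returns to ACS, pulling the group-mapping value out of either the Class attribute or a cisco-avpair VSA, and refusing to read any attribute until the Response Authenticator verifies against the shared secret. The `ACS:CiscoSecure-Group-Id=N` value format, the secret and the packet bytes are constructed assumptions for the demonstration.

```python
import hashlib
import struct

ACCESS_ACCEPT, CLASS_ATTR, VSA_ATTR, CISCO_VENDOR_ID, CISCO_AVPAIR = 2, 25, 26, 9, 1
GROUP_PREFIX = "ACS:CiscoSecure-Group-Id="  # assumed ACS group-specification format

def parse_attributes(payload):
    """Yield (type, vendor_id, vendor_type, value); vendor fields are None for plain attributes."""
    i = 0
    while i < len(payload):
        atype, alen = payload[i], payload[i + 1] if i + 1 < len(payload) else 0
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed RADIUS attribute")
        value, i = payload[i + 2:i + alen], i + alen
        if atype != VSA_ATTR or len(value) < 6:
            yield atype, None, None, value
            continue
        vendor_id, j = struct.unpack("!I", value[:4])[0], 4  # RFC 2865 5.26 VSA layout
        while j < len(value):
            vlen = value[j + 1] if j + 1 < len(value) else 0
            if vlen < 2 or j + vlen > len(value):
                raise ValueError("malformed VSA")
            yield atype, vendor_id, value[j], value[j + 2:j + vlen]
            j += vlen

def acs_group_from_reply(packet, request_authenticator, secret):
    """Group id from an Access-Accept whose Response Authenticator (RFC 2865 3) verifies; else None."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if length != len(packet) or expected != packet[4:20] or code != ACCESS_ACCEPT:
        return None  # reject, truncated, or not signed with our secret: trust no attribute in it
    for atype, vendor, vtype, value in parse_attributes(packet[20:]):
        if atype == CLASS_ATTR or (vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR):
            text = value.decode("ascii", "replace")
            if text.startswith(GROUP_PREFIX) and text[len(GROUP_PREFIX):].isdigit():
                return int(text[len(GROUP_PREFIX):])
    return None

# Constructed sample traffic (not captured from a real WiKID or ACS server)
SECRET, REQ_AUTH = b"constructed-secret", bytes(range(16))
def build_reply(code, attributes, secret=SECRET, request_authenticator=REQ_AUTH):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attributes)
    header = struct.pack("!BBH", code, 1, 20 + len(body))
    return header + hashlib.md5(header + request_authenticator + body + secret).digest() + body

def cisco_avpair(text):  # wraps text as vendor-id 9 / vendor-type 1 (cisco-avpair)
    data = text.encode()
    return struct.pack("!I", CISCO_VENDOR_ID) + bytes([CISCO_AVPAIR, len(data) + 2]) + data

SAMPLE_ACCEPT = build_reply(ACCESS_ACCEPT, [(VSA_ATTR, cisco_avpair(GROUP_PREFIX + "7"))])
```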