01-12-2010 01:22 PM - edited 03-10-2019 04:53 PM
All,
Does anyone have any ideas on how to do 2 factor authentication in Cisco Secure ACS 4.2?
Stephanie
01-12-2010 03:59 PM
Hi Stephanie:
Could you please elaborate on this? What exactly do you mean by two-factor authentication? Which product are we actually using (firewall, wireless) and what kind of protocols (RADIUS/TACACS/LDAP)? You can implement the two factor authentication through ACS server using RSA SecurID.
The two factor authentication I am aware of is:
PIN : Something you know
TOKEN: Something you have
Contributing to two-factor authentication.
Example: In the password field we provide PIN+TOKEN.
PIN: 1234
TOKEN: 5678
PASSCODE: 12345678
The above example is in regard to VPN authentication.
Here is one of the docs that talks about the Cisco VPN solution and two factor authentication.
http://www.rsa.com/rsasecured/guides/solutions/CSCO_VPN_PB_0706.pdf
HTH
Regards,
Jatin
Plz rate helpful posts-
01-13-2010 06:39 AM
Jatin,
Currently we're using TACACS+ for authentication. We
Here's a description of the requirement for 2 factor authentication:
Id - NET0431
Vulnerability Discussion
AAA network security services provide the primary framework through which a network administrator can set up access control on network points of entry or network access servers, which is usually the function of a router or access server. Authentication identifies a user; authorization determines what that user can do; and accounting monitors the network usage. Without AAA, unauthorized users may gain access and possibly control of the routers. If the router network is compromised, large portions of the network could be incapacitated with only a few commands.
Default Finding Details
AAA server does not redirect/call to a two-factor authentication server.
NET Authentication Access
Procedure: The implementation varies and a thorough review is necessary. Have the SA review and discuss their implementation. A typical AAA process includes the network system redirecting user access requests either directly to an ACE/Server or to a CiscoSecure ACS (TACACS+) server which redirects the 'authentication' request to the ACE/Server for strong authentication via user tokens (keyfobs). During the review have the SA point out the calls from the TACACS+ or Radius servers to the authentication server performing the two-factor requirement
From my understanding ACS can meet this requirement, I just need some ideas or case studies to see how it is implemented.
Stephanie
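The flow in the quoted requirement (device to the AAA server, AAA server to the token server) combined with the PIN+TOKEN passcode from the earlier reply, as an added Python model that is not part of the thread and is not Cisco or RSA code. The class names, sample user, PIN and seed are constructed, and the tokencode uses an RFC 6238-style HMAC truncation as a stand-in for the proprietary SecurID algorithm.

```python
import hashlib, hmac, struct

# Constructed sample data; the PIN and seed live only on the token server.
TOKEN_DB = {"stephanie": {"pin": "1234", "seed": b"constructed-demo-seed"}}

def tokencode(seed: bytes, now: int, step: int = 60, digits: int = 4) -> str:
    """Stand-in tokencode (RFC 6238-style truncation), not the SecurID algorithm."""
    mac = hmac.new(seed, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class TokenServer:
    """Plays the ACE/Server role: checks PIN and tokencode, rejects reuse."""
    def __init__(self, db):
        self.db = db
        self.last_step = {}  # user -> last accepted time step (replay guard)

    def verify(self, user, passcode, now, step=60, digits=4):
        rec = self.db.get(user)
        if rec is None or len(passcode) <= digits:
            return False  # unknown user, or a PIN/password with no tokencode
        pin, code = passcode[:-digits], passcode[-digits:]
        expected = tokencode(rec["seed"], now, step, digits)
        ok_pin = hmac.compare_digest(pin.encode(), rec["pin"].encode())
        ok_code = hmac.compare_digest(code.encode(), expected.encode())
        if not (ok_pin and ok_code) or self.last_step.get(user) == now // step:
            return False
        self.last_step[user] = now // step
        return True

class AaaServer:
    """Plays the ACS role: takes the device's login and delegates the decision."""
    def __init__(self, token_server):
        self.token_server = token_server
        self.audit = []  # the outbound calls a reviewer asks the SA to point out

    def authenticate(self, user, passcode, now):
        ok = self.token_server.verify(user, passcode, now)
        self.audit.append((user, "token-server", "PASS" if ok else "FAIL"))
        return ok
```

The AAA server holds no PINs or seeds; its audit list records each delegated call, which is the evidence the review procedure asks for.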