
Two factor authentication on Cisco equipment

cboland

Is it possible to do two factor authentication on a Cisco router for VPN access? I want to use a Cisco 1841 for VPN access, and want to use some additional authentication over username/password. Can this be done?


jsteffensen

If you mean Remote Access VPN - Yes it is.

First of all, the VPN client uses an authentication based on Group-Name and Password (or certificate).

In addition to this (and you normally want to do this) you could enable extended authentication - xauth - on the router to authenticate the user on the machine.

With xauth you could use internal users on the router, or users on an external RADIUS server.

RSA - is perfect for this: Create the users / Import the user to the ACE-Server (RADIUS) and link the tokens to the users.

Safenet tokens can be used with AD, and the Microsoft IAS (RADIUS) server.

Hope this helps

Jarle Steffensen

Correction of product name:

Please read "SAFEWORD" instead of "Safenet".

Sorry for the mismatch.

Jarle Steffensen

Or you could also use Authentication Proxy over DMVPN tunnels if you use this technology.

I am trying for a similar config, but it doesn't work. If authentication is set to none, it works; if set to RADIUS or Internal, it stops working. I am using VPN client version 4.6.03 and 3020. Log messages from Concentrator when RADIUS is defined for authentication:

21690 09/20/2005 11:47:23.440 SEV=8 IKEDBG/79 RPT=46909

Rcv'd Key Length attr class, but class is not cfg'd

21691 09/20/2005 11:47:23.440 SEV=8 IKEDBG/79 RPT=46910

Phase 1 failure against global IKE proposal # 10:

Mismatched attr types for class DH Group:

Rcv'd: Oakley Group 5

Cfg'd: Oakley Group 2

21694 09/20/2005 11:47:23.440 SEV=8 IKEDBG/79 RPT=46911

Phase 1 failure against global IKE proposal # 11:

Mismatched attr types for class DH Group:

Rcv'd: Oakley Group 5

Cfg'd: Oakley Group 2

21697 09/20/2005 11:47:23.440 SEV=8 IKEDBG/79 RPT=46912

Phase 1 failure against global IKE proposal # 12:

Mismatched attr types for class DH Group:

Rcv'd: Oakley Group 5

Cfg'd: Oakley Group 2

21700 09/20/2005 11:47:23.440 SEV=8 IKEDBG/79 RPT=46913

Phase 1 failure against global IKE proposal # 13:

Mismatched attr types for class DH Group:

Rcv'd: Oakley Group 5

Cfg'd: Oakley Group 2

21703 09/20/2005 11:47:23.440 SEV=8 IKEDBG/79 RPT=46914

Phase 1 failure against global IKE proposal # 14:

Rcv'd Key Length attr class, but class is not cfg'd

21705 09/20/2005 11:47:23.440 SEV=8 IKEDBG/79 RPT=46915

Phase 1 failure against global IKE proposal # 15:

Rcv'd Key Length attr class, but class is not cfg'd

21707 09/20/2005 11:47:23.440 SEV=8 IKEDBG/79 RPT=46916

Phase 1 failure against global IKE proposal # 16:

Rcv'd Key Length attr class, but class is not cfg'd

21709 09/20/2005 11:47:23.440 SEV=8 IKEDBG/79 RPT=46917

Phase 1 failure against global IKE proposal # 17:

Rcv'd Key Length attr class, but class is not cfg'd

21711 09/20/2005 11:47:23.440 SEV=8 IKEDBG/79 RPT=46918

Proposal # 1, Transform # 12, Type ISAKMP, Id IKE

Parsing received transform:

Phase 1 failure against global IKE proposal # 1:

Mismatched attr types for class Key Length:

Rcv'd: 128 Bits

Cfg'd: 256 Bits

Log messages from VPN client:

21 11:36:42.734 09/20/05 Sev=Warning/3 IKE/0xA3000068

Received un-encrypted ISAKMP packet, but our SA is crypto active

22 11:36:42.734 09/20/05 Sev=Warning/3 IKE/0xA3000068

Received un-encrypted ISAKMP packet, but our SA is crypto active

23 11:36:42.734 09/20/05 Sev=Warning/3 IKE/0xA3000068

Received un-encrypted ISAKMP packet, but our SA is crypto active

24 11:36:47.734 09/20/05 Sev=Warning/3 IKE/0xA3000068

Received un-encrypted ISAKMP packet, but our SA is crypto active

25 11:36:47.734 09/20/05 Sev=Warning/3 IKE/0xA3000068

Received un-encrypted ISAKMP packet, but our SA is crypto active

26 11:36:47.734 09/20/05 Sev=Warning/3 IKE/0xA3000068

Received un-encrypted ISAKMP packet, but our SA is crypto active

No clue from log messages, what is wrong? Hope someone could help.
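A small parser for Concentrator IKEDBG/79 output of the kind quoted in the post above, added here as an example and not part of the thread: it groups each "Phase 1 failure" by proposal number and attribute class so the received and configured values can be compared side by side. The sample lines are constructed in the format of that log, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the format of the Concentrator log quoted above.
SAMPLE_LOG = """\
21691 09/20/2005 11:47:23.440 SEV=8 IKEDBG/79 RPT=46910
Phase 1 failure against global IKE proposal # 10:
Mismatched attr types for class DH Group:
Rcv'd: Oakley Group 5
Cfg'd: Oakley Group 2
21703 09/20/2005 11:47:23.440 SEV=8 IKEDBG/79 RPT=46914
Phase 1 failure against global IKE proposal # 14:
Rcv'd Key Length attr class, but class is not cfg'd
21711 09/20/2005 11:47:23.440 SEV=8 IKEDBG/79 RPT=46918
Proposal # 1, Transform # 12, Type ISAKMP, Id IKE
Phase 1 failure against global IKE proposal # 1:
Mismatched attr types for class Key Length:
Rcv'd: 128 Bits
Cfg'd: 256 Bits
"""

HEADER = re.compile(r"\d+ \d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3} SEV=\d+ ")
PROPOSAL = re.compile(r"Phase 1 failure against global IKE proposal # (\d+):")
MISMATCH = re.compile(r"Mismatched attr types for class (.+):$")
UNCONFIGURED = re.compile(r"Rcv'd (.+) attr class, but class is not cfg'd")
VALUE = re.compile(r"(Rcv'd|Cfg'd): (.+)$")

def parse_phase1_failures(log_text):
    """Return one dict per failed proposal: proposal, attr, received, configured."""
    failures, current = [], None
    for line in (raw.strip() for raw in log_text.splitlines()):
        if HEADER.match(line):
            current = None  # new event: do not attach its lines to the previous proposal
        elif m := PROPOSAL.match(line):
            current = dict(proposal=int(m[1]), attr=None, received=None, configured=None)
            failures.append(current)
        elif current is None:
            continue  # blank line, or detail from an event whose proposal line is missing
        elif m := MISMATCH.match(line):
            current["attr"] = m[1]
        elif m := UNCONFIGURED.match(line):
            current.update(attr=m[1], received="present", configured="not configured")
        elif m := VALUE.match(line):
            current["received" if m[1] == "Rcv'd" else "configured"] = m[2]
    return failures

def mismatch_summary(failures):
    """Count failures by (attribute class, received value, configured value)."""
    return Counter((f["attr"], f["received"], f["configured"]) for f in failures)
```

Blank lines between log lines, as in the pasted output above, are skipped, so the log can be fed in as copied.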