08-15-2005 08:23 AM - edited 02-21-2020 10:13 AM
Is it possible to do two factor authentication on a Cisco router for VPN access? I want to use a Cisco 1841 for VPN access, and want to use some additional authentication over username/password. Can this be done?
08-15-2005 10:41 AM
If you mean Remote Access VPN - Yes it is.
First of all, the VPN client uses an authentication based on Group-Name and Password (or certificate).
In addition to this (and you normally want to do this) you could enable extended authentication (xauth) on the router to authenticate the user on the machine.
With xauth you could use internal users on the router, or users on an external RADIUS server.
RSA - is perfect for this: Create the users / Import the user to the ACE-Server (RADIUS) and link the tokens to the users.
Safenet tokens can be used with AD, and the Microsoft IAS (RADIUS) server.
Hope this helps
Jarle Steffensen
08-16-2005 12:31 AM
Correction of product name:
Please read "SAFEWORD" instead of "Safenet".
Sorry for the mismatch.
Jarle Steffensen
08-18-2005 02:24 PM
Or you could also use Authentication Proxy over DMVPN tunnels if you use this technology.
09-20-2005 05:22 AM
I am trying for a similar config, but it doesn't work. If authentication is set to none, it works; if set to RADIUS or Internal, it stops working. I am using VPN client version 4.6.03 and 3020. Log messages from Concentrator when RADIUS is defined for authentication:
21690 09/20/2005 11:47:23.440 SEV=8 IKEDBG/79 RPT=46909
Rcv'd Key Length attr class, but class is not cfg'd
21691 09/20/2005 11:47:23.440 SEV=8 IKEDBG/79 RPT=46910
Phase 1 failure against global IKE proposal # 10:
Mismatched attr types for class DH Group:
Rcv'd: Oakley Group 5
Cfg'd: Oakley Group 2
21694 09/20/2005 11:47:23.440 SEV=8 IKEDBG/79 RPT=46911
Phase 1 failure against global IKE proposal # 11:
Mismatched attr types for class DH Group:
Rcv'd: Oakley Group 5
Cfg'd: Oakley Group 2
21697 09/20/2005 11:47:23.440 SEV=8 IKEDBG/79 RPT=46912
Phase 1 failure against global IKE proposal # 12:
Mismatched attr types for class DH Group:
Rcv'd: Oakley Group 5
Cfg'd: Oakley Group 2
21700 09/20/2005 11:47:23.440 SEV=8 IKEDBG/79 RPT=46913
Phase 1 failure against global IKE proposal # 13:
Mismatched attr types for class DH Group:
Rcv'd: Oakley Group 5
Cfg'd: Oakley Group 2
21703 09/20/2005 11:47:23.440 SEV=8 IKEDBG/79 RPT=46914
Phase 1 failure against global IKE proposal # 14:
Rcv'd Key Length attr class, but class is not cfg'd
21705 09/20/2005 11:47:23.440 SEV=8 IKEDBG/79 RPT=46915
Phase 1 failure against global IKE proposal # 15:
Rcv'd Key Length attr class, but class is not cfg'd
21707 09/20/2005 11:47:23.440 SEV=8 IKEDBG/79 RPT=46916
Phase 1 failure against global IKE proposal # 16:
Rcv'd Key Length attr class, but class is not cfg'd
21709 09/20/2005 11:47:23.440 SEV=8 IKEDBG/79 RPT=46917
Phase 1 failure against global IKE proposal # 17:
Rcv'd Key Length attr class, but class is not cfg'd
21711 09/20/2005 11:47:23.440 SEV=8 IKEDBG/79 RPT=46918
Proposal # 1, Transform # 12, Type ISAKMP, Id IKE
Parsing received transform:
Phase 1 failure against global IKE proposal # 1:
Mismatched attr types for class Key Length:
Rcv'd: 128 Bits
Cfg'd: 256 Bits
Log messages from VPN client:
21 11:36:42.734 09/20/05 Sev=Warning/3 IKE/0xA3000068
Received un-encrypted ISAKMP packet, but our SA is crypto active
22 11:36:42.734 09/20/05 Sev=Warning/3 IKE/0xA3000068
Received un-encrypted ISAKMP packet, but our SA is crypto active
23 11:36:42.734 09/20/05 Sev=Warning/3 IKE/0xA3000068
Received un-encrypted ISAKMP packet, but our SA is crypto active
24 11:36:47.734 09/20/05 Sev=Warning/3 IKE/0xA3000068
Received un-encrypted ISAKMP packet, but our SA is crypto active
25 11:36:47.734 09/20/05 Sev=Warning/3 IKE/0xA3000068
Received un-encrypted ISAKMP packet, but our SA is crypto active
26 11:36:47.734 09/20/05 Sev=Warning/3 IKE/0xA3000068
Received un-encrypted ISAKMP packet, but our SA is crypto active
No clue from the log messages as to what is wrong. Hope someone could help.
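Added example, not part of any post in this thread: a small Python parser that groups the concentrator's "Phase 1 failure" records from the log above by the attribute that caused each rejection, so the DH group and key-length mismatches can be read per IKE proposal. The function name `rejected_proposals` and the grouping are illustrative assumptions; `SAMPLE` is an excerpt of the log quoted above.

```python
import re

HEADER = re.compile(r"^\d+ \d\d/\d\d/\d{4} [\d:.]+ SEV=\d+ \S+ RPT=\d+$")
FAILURE = re.compile(r"^Phase 1 failure against global IKE proposal # (\d+):$")
MISMATCH = re.compile(r"^Mismatched attr types for class (.+):$")
UNCONFIGURED = re.compile(r"^Rcv'd (.+) attr class, but class is not cfg'd$")
VALUE = re.compile(r"^(Rcv|Cfg)'d: (.+)$")
# Excerpt of the concentrator log quoted in the post above.
SAMPLE = """\
21691 09/20/2005 11:47:23.440 SEV=8 IKEDBG/79 RPT=46910
Phase 1 failure against global IKE proposal # 10:
Mismatched attr types for class DH Group:
Rcv'd: Oakley Group 5
Cfg'd: Oakley Group 2
21703 09/20/2005 11:47:23.440 SEV=8 IKEDBG/79 RPT=46914
Phase 1 failure against global IKE proposal # 14:
Rcv'd Key Length attr class, but class is not cfg'd
21711 09/20/2005 11:47:23.440 SEV=8 IKEDBG/79 RPT=46918
Proposal # 1, Transform # 12, Type ISAKMP, Id IKE
Parsing received transform:
Phase 1 failure against global IKE proposal # 1:
Mismatched attr types for class Key Length:
Rcv'd: 128 Bits
Cfg'd: 256 Bits
"""

def rejected_proposals(log_text):
    """Map (attr class, received, configured) -> IKE proposal numbers rejected for it."""
    failures, cur = [], None
    for line in map(str.strip, log_text.splitlines()):
        if HEADER.match(line):
            cur = None  # a new log record ends the previous proposal's context
        elif m := FAILURE.match(line):
            cur = {"proposal": int(m.group(1)), "attr": None, "rcvd": None, "cfgd": None}
            failures.append(cur)
        elif cur is None:
            continue  # detail line with no proposal named in this record
        elif m := MISMATCH.match(line):
            cur["attr"] = m.group(1)
        elif m := UNCONFIGURED.match(line):
            cur["attr"], cur["cfgd"] = m.group(1), "not configured"
        elif m := VALUE.match(line):
            cur[m.group(1).lower() + "d"] = m.group(2)  # "rcvd" or "cfgd"
    reasons = {}
    for f in failures:
        reasons.setdefault((f["attr"], f["rcvd"], f["cfgd"]), []).append(f["proposal"])
    return reasons

print(rejected_proposals(SAMPLE))
```

Run over the full log, every proposal that shares a rejection reason collapses into one entry, which makes it easier to compare what the client offered against what each configured IKE proposal expects.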