12-06-2014 10:59 PM - edited 03-11-2019 10:11 PM
Dear
I have a requirement to integrate the Cisco VPN (Cisco VPN Client for Remote Access IPsec VPNs etc.) with an OTP (One Time Password) system.
Does anyone have any idea how to achieve this?
12-07-2014 12:16 AM
Do you really want to migrate to OTP with the old VPN client that's not supported any more? I would recommend migrating to AnyConnect with OTP. For that, my favorite system is Duosecurity, but there are many more on the market.
12-07-2014 03:44 AM
Hi Karsten
Thanks for the reply.
I already have an OTP system deployed in my network, and I already have remote access VPN configured on the ASA, which is currently integrated with RSA (two-factor authentication). Now I have a requirement to integrate a few selected users (I think these users can be created locally on the OTP system) who are using remote access VPN with the currently deployed OTP system. I want to know what configuration needs to be done on the ASA.
12-08-2014 01:00 AM
Dear Karsten
I would appreciate it if you could spare some time to reply to the previous mail.
Does anyone else have any experience with this? Please share.
I would appreciate it if someone from Cisco could also respond.
12-08-2014 01:11 AM
I've never integrated OTP with the old IPsec client (and I also don't like RSA ... ;-) ). So I can't help any further with that.
12-08-2014 01:23 AM
Dear Karsten
OK. With which IPsec client did you integrate OTP?
12-08-2014 01:39 AM
Only with AnyConnect. There I used Duosecurity and some time ago also YubiKeys. Both worked fine.
12-08-2014 01:55 AM
Are Duosecurity and YubiKeys the OTP system?
Can you share with me the config you did on the ASA to integrate AnyConnect with Duosecurity and YubiKeys?
12-08-2014 02:11 AM
Duosecurity.com is an OTP provider; they operate the OTP servers. Here are guides on how to integrate it with SSL VPN and the legacy IPsec client:
https://www.duosecurity.com/docs/cisco
https://www.duosecurity.com/docs/cisco-ipsec
Yubico had an OTP server that is not maintained any more. Now they produce the keys ("tokens") and use other OTP servers:
https://www.yubico.com/products/services-software/yubiradius/technical-description/
12-08-2014 07:07 AM
Dear Karsten
Thanks for your response.
Does anyone else have any experience with this? Please share.
I would appreciate it if someone from Cisco could also respond.
12-09-2014 11:18 AM
Dear Karsten
After the integration of the Remote Access VPN client/SSL VPN/AnyConnect with OTP, is it possible that the VPN client will first prompt only for the username, with the password field grayed out, blank or not shown, and then, when I click OK after entering the username, prompt for the OTP password?
My OTP server supports the HTTP protocol. Is it possible to integrate the remote access VPN client with the OTP server using the HTTP protocol?
12-10-2014 12:01 AM
Dear Karsten
I would appreciate it if you could spare some time to respond to the requested query.
12-10-2014 01:57 AM
I don't think that this will be possible. To make it easy for the user, I prefer the way where the user only sees his username and the two password fields. For the OTP, at least LDAP and RADIUS or the native RSA protocol can be used. I have not seen HTTP on the list of supported protocols. Perhaps there are some integration documents from your OTP vendor on how to connect from the ASA?
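As an added illustration (not Karsten's configuration and not taken from this thread): an ASA configuration fragment for the AnyConnect setup he describes, where the existing primary authentication server and a secondary RADIUS-based OTP server give the user a username prompt plus two password fields. The server group names, pool and group-policy names, the addresses 192.0.2.5 and 192.0.2.10 and the shared key are placeholders I assumed.

```text
! Added example, placeholders assumed: ASA double authentication for AnyConnect
!
! Primary server group: the existing authentication (RSA/SDI, as in the thread)
aaa-server RSA-PRIMARY protocol sdi
aaa-server RSA-PRIMARY (inside) host 192.0.2.5
!
! Secondary server group: the OTP server, reached over RADIUS
aaa-server OTP-RADIUS protocol radius
aaa-server OTP-RADIUS (inside) host 192.0.2.10
 key <shared-secret-placeholder>
 authentication-port 1812
 accounting-port 1813
 timeout 30
!
! Tunnel group: primary password checked against RSA-PRIMARY,
! second password field checked against OTP-RADIUS
tunnel-group ANYCONNECT-OTP type remote-access
tunnel-group ANYCONNECT-OTP general-attributes
 address-pool VPN-POOL
 authentication-server-group RSA-PRIMARY
 secondary-authentication-server-group OTP-RADIUS
 default-group-policy GP-ANYCONNECT
tunnel-group ANYCONNECT-OTP webvpn-attributes
 group-alias anyconnect-otp enable
```

The secondary-authentication-server-group setting applies to AnyConnect/SSL VPN connections, which is why the two-field login discussed here pairs with AnyConnect rather than the legacy IPsec client.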
12-10-2014 03:28 AM
Dear Karsten
Thanks for the reply.
You mentioned two password fields. Why are two password fields required? Can I only integrate with OTP without LDAP, RADIUS etc.?
Please see below the AAA server types supported. I have mentioned all types below.
In that list, HTTP Forms is also supported. Any idea what this HTTP Forms is? If my OTP supports the HTTP protocol, can I use the HTTP Forms protocol to integrate with my OTP?
SSO Support for Clientless SSL VPN with HTTP Forms
http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/aaa.html#wp1084774
The security appliance supports a variety of AAA server types and a local database that is stored on the security appliance. This section describes support for each AAA server type and the local database.
This section contains the following topics:
12-10-2014 03:37 AM
That's only for clientless, not for client-based VPNs.