Concentrator 3020 Client Auth with RSA & Active Directory

lee.reade
Level 4
Level 4

Hello,

Can anyone advise if it is possible to configure the 3030 VPN device to enable both RSA Hardware token authentication and also Active Directory domain authentication.

This will allow for secure RSA authentication and will also allow access to internal resources on the LAN.

TIA,

Rgds,

LR

4 Replies

sstudsdahl
Level 4
Level 4

You can configure multiple authentication types on the VPN 3020 concentrator and either use the RSA tokens or the active directory accounts for the VPN authentication. These authentication methods only apply to authenticating the VPN session. In order to access the resources within the active directory, you will need to authenticate a second time.

Thanks for that,

However, is it possible to have the user authenticate to the RSA and the Active Directory domain before the VPN session is completed, so that they do not have to authenticate a second time to the network when accessing internal resources?

Thanks for your input.

LR

I do not believe it is possible to have a single sign-on setup when using the Cisco VPN client. You can have the client start before the Windows login, but you still need to enter the Windows login credentials to gain access to Active Directory. There may be a third party client that can allow you to do this, but I am unaware of such a client.

The other thing to keep in mind is that when using the RSA tokens, you can only use the tokencode once. If you are using the RSA token to authenticate into the VPN Concentrator, that token becomes unusable again.

The only other alternative that I can think of would be to use certificates to authenticate your VPN connection. Then the users would only be prompted for their Active Directory login.

ehirsel
Level 6
Level 6

What you might want to look at is if the RSA system can connect to the ms ad either directly or via LDAP. I believe that the newer versions of RSA (ver 5.0 and higher) can also connect to LDAP stores to do username and password authen, as well as using its db for the token authen. This way the vpn is only configured to connect to the rsa, and rsa will issue the commands to tell the client to use whatever authen is required besides token. There should be no extra setup on the vpn 3000 to do that.

As another alternative, if you already have cisco acs, you can config acs to contact rsa for token-authen and to ms ad for user/password, and then config the vpn 3000 to just contact acs. ACS will handle the rest.

I hope this helps.
