Currently we are authenticating users by the two methods below; please advise whether this is sufficient security / best practice or whether you recommend extra security.
1) Corporate users ONLY: AnyConnect users authenticate against AAA (RADIUS); then in ACS we have configured dACLs in the user groups to restrict the users' access.
2) Non-corporate users ONLY: About 200 non-corporate users authenticate to the AnyConnect VPN via SecurID; then in ACS we have configured dACLs in the user groups to restrict their access. In the AnyConnect client the user just enters their username and then enters the RSA SecurID auto-generated key, and then they are authorized.
1) Do you think that for corporate / non-corporate users this is enough security? If not, then please suggest a better solution.
2) RSA SecurID key maintenance and its postage to clients is a lengthy procedure. Do you recommend that we finish the RSA SecurID procedure and instead create the non-corporate users in AAA and also authenticate them like corporate users, obviously creating a group for them and applying the dACL with restricted subnets to this group? OR please suggest a better solution.
Only you can answer the "is this enough security" question, based on your company's individual risk assessment. Generally speaking, two-factor authentication is considered a best practice. One thing to consider is that the administrative burden of maintaining separate systems and lists of users for different access levels may negate the additional security obtained that way. For that reason, among others, one very sustainable standard is your AAA server proxying back to your AD / LDAP identity store, which is itself configured to require two-factor authentication. All users would use this method and, based on their individual identity and group membership, would be granted the necessary access levels. Using that scheme, revocation or change of any user is always done at the same administrative control point.
As far as the overhead of mailing out SecurID fobs or cards, have you considered using the SecurID smartphone application?