Anyconnect SSL VPN best practices

raza555
Level 3

Hi,

Currently we are authenticating users by the two methods below. Please advise whether this is sufficient security / best practice, or whether you recommend extra security.

1) Corporate users ONLY: AnyConnect users authenticate against AAA (RADIUS); then in ACS we have configured a dACL in the user groups to restrict user access.

2) Non-corporate users ONLY: About 200 non-corporate users authenticate to the AnyConnect VPN via SecurID; then in ACS we have configured a dACL in the user groups to restrict their access. In the AnyConnect client the user just enters a username and then the RSA SecurID auto-generated code, and they are authorized.

Question:

1) Do you think that for corporate / non-corporate users this is enough security? If not, please suggest a better solution.

2) RSA SecurID key maintenance and posting the tokens to clients is a lengthy procedure. Would you recommend that we retire the RSA SecurID procedure and instead create the non-corporate users in AAA and authenticate them like corporate users, obviously creating a group for them and applying a dACL with restricted subnets to that group? Or please suggest a better solution.

Thanks

1 Reply

Marvin Rhoads
Hall of Fame

Only you can answer the "is this enough security" question, based on your company's individual risk assessment. Generally speaking, two-factor authentication is considered a best practice. One thing to consider is that the administrative burden of maintaining separate systems and lists of users for different access levels may negate the additional security obtained thus. For that reason, among others, one very sustainable standard is your AAA server proxying back to your AD / LDAP identity store, which is itself configured to require two-factor authentication. All users would use this method and, based on their individual identity and group membership, would be granted the necessary access levels. Using that scheme, revocation or change of any user is always done at the same administrative control point.

As far as the overhead of mailing out SecurID fobs or cards, have you considered using the SecurID smartphone application?
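The ASA-side shape of the single-path scheme the reply recommends, as an added illustrative configuration that is not part of the original thread or of any Cisco documentation: one RADIUS server group for every AnyConnect user, with the RADIUS Class attribute ("OU=<group-policy name>") returned by ACS per user group selecting the group-policy, and a vpn-filter on each group-policy doing the per-group subnet restriction. Server addresses, subnets, policy names and the shared secret are assumed; the two-factor enforcement happens on the AAA / identity-store side and is outside this fragment.

```cisco
! Added illustrative ASA configuration (not from the original thread).
! All AnyConnect users authenticate through one RADIUS group (ACS, which in
! turn checks the AD/LDAP identity store where two-factor is enforced).
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 10.1.1.10
 key <shared-secret-placeholder>
!
! Per-group restriction. Non-corporate users reach one application subnet
! over HTTPS only; corporate users reach the internal range. Each vpn-filter
! ACL ends with an implicit deny, so anything not listed is dropped.
access-list NONCORP-FILTER extended permit tcp any 10.20.30.0 255.255.255.0 eq https
access-list CORP-FILTER extended permit ip any 10.0.0.0 255.0.0.0
!
! ACS returns Class = "OU=CORP-GP" or "OU=NONCORP-GP" based on the user's
! group membership; the ASA maps that value to the matching group-policy.
group-policy CORP-GP internal
group-policy CORP-GP attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value CORP-FILTER
group-policy NONCORP-GP internal
group-policy NONCORP-GP attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value NONCORP-FILTER
!
! Fallback for a user whose RADIUS reply carries no usable Class/OU:
! zero simultaneous logins means the session is refused rather than
! silently landing in a permissive default policy.
group-policy NOACCESS-GP internal
group-policy NOACCESS-GP attributes
 vpn-simultaneous-logins 0
!
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 authentication-server-group ACS-RADIUS
 default-group-policy NOACCESS-GP
tunnel-group ANYCONNECT-TG webvpn-attributes
 group-alias ANYCONNECT enable
```

With this layout, moving a user between access levels or revoking them is a group-membership change on the identity store, which is the single control point the reply describes.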
