I'm wondering what people are using and/or recommending for two-factor authentication for VPN users on the Cisco ASA platform?
Can you please share with your setup? I'm looking for a same solution to deploy two factor authentication to used
used AD authentication along with RSA token.
To use any two-factor auth server with AD, you can use NPS, the MS radius plugin. This page will give you an overview, but you will want to see the MS documentation for specific details: http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-nps.
Essentially, NPS will do the authorization in AD based on the connection request policy and then to the authentication to the two-factor authentication server. Using radius also allow you to add 2FA to a bunch of other services, such as PAM for ssh if you would need that.
We used to use Active Directory and RSA and recently moved away from hardware tokens (cost/maintenance).
There are a few solutions out there which integrate with AD for first factor and then have an app for second factor on a smartphone. We settled on LoginTC:
We have a lot of customers using WiKID with Ciscos. You can get an eval download here: http://www.wikidsystems.com/downloads. We also have some registration-free white papers here: http://www.wikidsystems.com/learn-more/two-factor-authentication-white-papers, including one on evaluation two-factor authentication options. Consider the source, of course ;-).
The Two-factor authentication is a security process in which the user provides two means of identification, one of which is typically a physical token, such as a card, and the other of which is typically something memorized, such as a security code. In this context, the two factors involved are sometimes spoken of as something you have and something you know.
On the other hand we have Double Authentication, in this case username/password plus Certificate Authentication. I'm assuming that the one you will like to accomplish is this one, since you're looking for 3rd party certificate authentication.
There are third party vendors which we can use for two-factor authentication.
Nilo Noguera Jr.
| Specialist, Virtual Engineering - Partner Helpline Organization
together we are the human network
I have a requirement to integrate the Cisco VPN (Cisco VPN Client for Remote Access IPSec VPNs etc.) with OTP system (One Time Password) only.
I already have OTP system deployed in my network. And i already have remote access VPN configured on the ASA , now i have a requirement to integrate users which are using Remote access VPN to integrate with currently deployed OTP system. I want to know what configuration needs to be done on the ASA.
Appreciate your response on this.
We can configure the ASA to allow SDI authentication (OTP) in either of the following modes: * Native SDI refers to the native ability in the secure gateway to communicate directly with the SDI server for handling SDI authentication. *RADIUS SDI refers to the process of the secure gateway performing SDI authentication using a RADIUS SDI proxy, which communicates with the SDI server.
Thanks for the prompt response.
I have the OTP system which support HTTP protocol and I want to integrate cisco VPN client with my OTP system.
Can you please let me know what configuration is required on ASA
I really in urgency.
After the integration of Remote Access VPN client with OTP, Is it possible that VPN client will first only prompt username and password fild will be grayed out or remain blank or not not shown and when i click ok after putting username then it will prompt for OTP password.
My OTP server supports http protocol. Is it possible to integrate remote access VPN client with OTP server using http protocol