Re: VPN 3000 token/biometric recommendations

Ben.Levin · ‎07-28-2003

Does anyone have any recommendatons for tokens/biometrics/smart card authentication for the VPN 3000? Currently we're using ACS 3.1 for authentication on our 3030s, and are looking at tokens, etc. Thanks.

gmiiller · ‎07-29-2003

An option that I've had unofficially recommended to me in these sort of sitations is to try and maintain separation betsween the VPN component and the authentication component. What happens is that the token-based authentication server is located behind the VPN concentrator, and token-based authentication occurds AFTER the VPN has been established (usually by means of group files etc)

The advantage of this approach is that there is no dependency between your VPN RAS solution, and your token solution. If you want to replace one, you can do so without affecting the other.

Personally, I have seen safeword tokens used both in conjunction with the VPN concentrator itself, and also installed on a web site that can only be reached through a VPN RAS tunnel. They seem to work okay, although I'm reserving judgement on security to do with the tokens themselves.

prossouw · ‎07-31-2003

We use RSA Securid for this and it works well. The comms between our 3015 and the ACE server uses RSA's SDI interface, meaning full encryption. On the ACE server you also need to give the user access to the VPN, i.e the VPn gets defined as a client and users need to be added to the client in order to authenticate via them. Setup is very easy.

Unfortunately RSA is rather expensive.