Security Basics mailing list archives

Re: Multifactor authentication for Cisco ASA 5500 Series webvpn


From: Nick Owen <nickowen () mindspring com>
Date: Tue, 30 Sep 2008 11:32:52 -0400

sapran wrote:
> Hi list.
>
> I would appreciate any response, and especially successful stories, on
> how to implement low cost two-factor authentication for ASA-based
> web-VPN.
>
> It would be great to use AD domain user name and password as a first factor.
>
> Thanks in advance,
>
> sapran

RADIUS is your friend here.  A very simple authentication standard
supported by most everyone.

http://www.wikidsystems.com/documentation/howtos/how-to-cisco-vpn-concentrator-for-two-factor-authentication-from-wikid/

not exactly an ASA but should be the same process.  There is no need to
use the AD passphrase as the first factor, as the PIN is the "what you
know" (in fact, one could argue that it is better to not use the
password outside the LAN).  If what you want is to validate that the
user is in AD, then use the MS RADIUS server IAS and set it up this way:
vpn --> IAS --> 2factor server.  All using RADIUS.

If you are using an SSL-VPN, you should also consider doing mutual https
authentication:
http://www.wikidsystems.com/learn-more/technology/mutual_authentication/

hth,

nick

-- 
Nick Owen
WiKID Systems, Inc.
404-962-8983 (desk)
http://www.wikidsystems.com
Two-factor authentication, without the hassle factor.
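As an added example that is not part of the thread or of any vendor's code, here is a minimal Python model of the RFC 2865 packets each hop of the vpn --> IAS --> 2factor chain exchanges: the PAP User-Password hiding and the Response Authenticator that lets the requesting hop reject a reply made with the wrong shared secret. The secret, username, password and Request Authenticator values are constructed for the example; it runs offline and never talks to a server.

```python
import hashlib
import hmac
import struct

# Added example (not from the thread): the RFC 2865 packets carried on each
# hop of the vpn --> IAS --> 2-factor server chain. Every hop has its own
# shared secret; the Response Authenticator ties a reply to that secret.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD = 1, 2

def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def hide_password(secret, request_auth, password):
    """PAP User-Password hiding (RFC 2865 5.2): MD5(secret + prev) XOR block."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], stream))
        out += prev
    return out

def reveal_password(secret, request_auth, hidden):
    """Inverse of hide_password; the next hop must share the same secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(secret, ident, request_auth, username, password):
    """Access-Request carrying User-Name and the hidden User-Password."""
    attrs = _attr(USER_NAME, username)
    attrs += _attr(USER_PASSWORD, hide_password(secret, request_auth, password))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def build_reply(secret, request_auth, ident, code=ACCESS_ACCEPT, attrs=b""):
    """Server side: Response Authenticator = MD5(header + ReqAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def reply_is_authentic(secret, request_auth, reply):
    """Client side: reject a reply whose authenticator was not made with our secret."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])
```

Note that hiding and checking both rest on a per-hop shared secret, so a wrong or reused secret on any hop (ASA to IAS, IAS to the 2-factor server) shows up as a failed authenticator check rather than a silent pass.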
