Security Basics mailing list archives
Re: Multifactor authentication for Cisco ASA 5500 Series webvpn
From: Nick Owen <nickowen () mindspring com>
Date: Tue, 30 Sep 2008 11:32:52 -0400
sapran wrote:
Hi list. I would appreciate any response, and especially successful stories, on how to implement low cost two-factor authentication for ASA-based web-VPN. It would be great to use AD domain user name and password as a first factor. Thanks in advance, sapran
RADIUS is your friend here. A very simple authentication standard supported by most everyone.

http://www.wikidsystems.com/documentation/howtos/how-to-cisco-vpn-concentrator-for-two-factor-authentication-from-wikid/

Not exactly an ASA but should be the same process.

There is no need to use the AD passphrase as the first factor, as the PIN is the "what you know" (in fact, one could argue that it is better to not use the password outside the LAN).

If what you want is to validate that the user is in AD, then use the MS RADIUS server IAS and set up this way: vpn --> IAS --> 2factor server. All using RADIUS.

If you are using an SSL-VPN, you should also consider doing mutual https authentication: http://www.wikidsystems.com/learn-more/technology/mutual_authentication/

hth,

nick

--
Nick Owen
WiKID Systems, Inc.
404-962-8983 (desk)
http://www.wikidsystems.com
Two-factor authentication, without the hassle factor.
Current thread:
- Multifactor authentication for Cisco ASA 5500 Series webvpn sapran (Sep 30)
- Re: Multifactor authentication for Cisco ASA 5500 Series webvpn Nick Owen (Sep 30)