Velocity Reviews - Computer Hardware Reviews

Re: second authentication with asa's and radius

 
 
jrguent@gmail.com
03-04-2009
On Mar 4, 10:57 am, b3nder <(E-Mail Removed)> wrote:
> not sure if anyone else is doing anything to address this but seeing if
> i can get some ideas...
>
> currently --
> we have a cisco asa 5520 set up with radius authentication, this gives
> us the two point authentication we need.. however, since 1 part of the
> authentication, the group-name and password, never changes and is hard
> coded into the computer, it really only gives us 1 good authentication
> mechanism. (such as if the laptop was stolen, they would only need the
> username and password of the user to get in).
>
> One way we could do a second user authentication is with RSA tokens,
> however this would be a costly solution as we have hundreds of users
> that use VPN Clients... is there any other way to set up an
> authentication question with the radius servers or any other sort of
> second authentication mechanism to use?
>
> Thanks for any help or ideas
> Shawn


Hello Shawn,

Assuming the user account database to access the network via VPN is
independent of the user database for the applications,
the applications being accessed from VPN have an independent
authentication mechanism, thereby providing potentially two levels of
user authentication to access resources. Try it and see how much
access a user successfully connected to VPN without authenticating to
applications has... Perhaps downloadable ACLs, designing your VPN
groups and overall network design for user groups to have access to
only certain networks, may reduce risk in that sensitive system access
is granted to a subset of your total user population. Principle of
least privilege.

RSA token fobs are similar to your bank ATM card in that there are
two factors required to authenticate successfully (something you have,
the ATM card, and something you know, the PIN code). This is more
secure than passwords, which can be obtained from systems and tend to
be static (not change over many days).

Regards
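The "VPN groups plus ACLs, principle of least privilege" suggestion above, worked out as an added ASA 8.0-style configuration example. It is not from the thread or from Cisco's documentation; the server group name, interface name, addresses, tunnel-group and group-policy names and the ACL contents are all assumed placeholders. It restricts one user group to a single web front end and DNS so that a VPN login alone reaches only a small slice of the network:

```cisco
! Added example (not from the thread): confine each VPN user group to the
! networks it actually needs. All names and addresses are assumed placeholders.

! RADIUS server group used for VPN user authentication (assumed host and key)
aaa-server RADIUS_SRV protocol radius
aaa-server RADIUS_SRV (inside) host 10.0.0.10
 key ***REPLACE-WITH-SHARED-SECRET***

! Filter applied to this group's tunnelled traffic: only the CRM web front end
! and the internal DNS server are reachable; the implicit deny drops the rest.
access-list VPN_SALES_FILTER extended permit tcp any host 10.0.1.20 eq 443
access-list VPN_SALES_FILTER extended permit udp any host 10.0.0.53 eq 53

! Group policy that carries the filter; every user of the tunnel group inherits it.
group-policy SALES_GP internal
group-policy SALES_GP attributes
 vpn-filter value VPN_SALES_FILTER
 vpn-tunnel-protocol IPSec

! Tunnel group: RADIUS authenticates the user, the group policy bounds the reach.
tunnel-group SALES type remote-access
tunnel-group SALES general-attributes
 authentication-server-group RADIUS_SRV
 default-group-policy SALES_GP
tunnel-group SALES ipsec-attributes
 pre-shared-key ***REPLACE-WITH-GROUP-KEY***

! Alternative: have the RADIUS server return the filter per user as a
! downloadable ACL in the Cisco-AV-Pair attribute, for example
!   ip:inacl#1=permit tcp any host 10.0.1.20 eq 443
! so that the reach of a stolen credential is decided centrally per account.
```

A separate tunnel group and group policy per user population (sales, engineering, administrators) keeps the blast radius of one compromised username and password to that group's filter; check the effective reach with `show vpn-sessiondb` and a test login before rolling it out.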
 

jrguent@gmail.com
03-04-2009
On Mar 4, 3:45 pm, b3nder <(E-Mail Removed)> wrote:
> Thanks for the follow up.. Our users authenticate against our radius
> server that serves our applications as well.. so if they can steal a
> laptop and figure out the user's ID and Password, they would be able to
> have free rein... We are trying to get a 2nd (or technically a 3rd)
> point of authentication, such as a challenge/response type question or
> similar that might change every couple months to ensure that no one is
> getting in that shouldn't be...
>
> shawn

Hello,

There are vendors claiming the ability to delete data remotely on
stolen laptops. Google "laptop theft protection". Otherwise, the ASA can
apply AAA for network access; look in the 8.0 config guide. I have
used the aaa authentication match command to prevent "unwanted guests"
wireless LAN access from our guest-only WLAN. The users must
authenticate via a web page generated by the ASA prior to obtaining network
access; the web page is nothing more than a username and password prompt. I
have it pointed to a local ASA authentication database.

Regards
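The cut-through proxy setup described above, as an added ASA 8.0-style configuration example that is not the poster's own config: the interface name `guest`, the subnet, the ACL name, the listener port, the local username and the timeout are all assumed placeholders. Hosts on the guest WLAN get no TCP through the ASA until they have logged in on the page the ASA itself serves:

```cisco
! Added example (not from the thread): require a web login on the ASA before
! a host on the guest WLAN is forwarded anywhere. Names and addresses are assumed.

! Local user database consulted by the proxy (the post points at LOCAL as well)
username guest01 password ***REPLACE-ME*** privilege 0

! Flows that must be authenticated first: any TCP from the guest subnet
access-list AUTH_GUEST extended permit tcp 192.168.50.0 255.255.255.0 any

! Cut-through proxy: match the ACL on the 'guest' interface and authenticate
! against LOCAL. Flows from an unauthenticated host are held, not forwarded.
aaa authentication match AUTH_GUEST guest LOCAL

! Serve the login page on the ASA and redirect plain HTTP requests to it
aaa authentication listener http guest port 1080 redirect

! Absolute timeout so an abandoned session does not stay authorised all day
timeout uauth 0:30:00 absolute
```

`show uauth` lists the currently authenticated hosts and their remaining timers, which is the first thing to check when a guest reports being blocked or, more importantly, when a host appears authenticated that should not be.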
 

Thrill5
03-04-2009
You actually want a 3rd factor for authentication. The setup you have
is actually very secure because you need three things: a stolen laptop, a
valid username AND the password associated with the user. Institute a
process whereby if a user's laptop is stolen or lost, you force the user to
change their password. Now if a user is dumb enough to write their username
and password on a post-it note that is with the laptop, it doesn't do any
good. Also, the data on the laptop is easier to get than what is on your
network. Most people who steal a laptop are not going to try to access your
network via a VPN, and the odds that they also have the user's login ID and
password are very slim. Why? Because if they log in via the VPN it makes it
very easy to track down the laptop via its IP address, which can then be tracked
to an ISP and a subscriber, a very stupid thing to do. RSA tokens aren't
that much more secure in this case, because they are often kept with the
laptop. You would then also need to institute a policy to invalidate the
token if it is lost or stolen.

You would be better off using your time and money to encrypt the contents of
the laptop if you are worried about data being compromised. There are many
vendors in this space, and PointSec has a very good solution that allows you
to access the laptop if the user forgets their password.

"b3nder" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ...
> Thanks for the follow up.. Our user's authenticate against our radius
> server that serves our applications as well.. so if they can steal a
> laptop and figure out the user's ID and Password, they would be able to
> have free reign... We are trying to get a 2nd (or technically a 3rd) point
> of authentication, such as a challenge/response type question or similar
> that might change every couple months to ensure that no one is getting in
> that shouldn't be...
>
> shawn
>
> http://www.velocityreviews.com/forums/(E-Mail Removed) wrote:
>> On Mar 4, 10:57 am, b3nder <(E-Mail Removed)> wrote:
>>> not sure if anyone else is doing anything to address this but seeing if
>>> i can get some idea's...
>>>
>>> currently --
>>> we have a cisco asa 5520 set up with radius authentication, this gives
>>> us the two point authentication we need.. however, since 1 part of the
>>> authentication, the group-name and password, never changes and is hard
>>> coded into the computer, it really only gives us 1 good authentication
>>> mechanism. (such as if the laptop was stolen, they would only need the
>>> username and password of the user to get in).
>>>
>>> One way we could do a second user authentication is with RSA tokens,
>>> however this would be a costly solution as we have hundreds of user's
>>> that use VPN Clients... is there any other way to set up an
>>> authentication question with the radius servers or any other sort of
>>> second authentication mechanism to use?
>>>
>>> Thanks for any help or idea's
>>> Shawn

>>
>> Hello Shawn,
>>
>> Assuming the user account database to access the network via VPN is
>> independent of the user database for the applications,
>> the applications being accessed from VPN have independent
>> authentication mechanism thereby providing potentially two levels of
>> user authentication to access resources. Try it and see, how much
>> access a user successfully connected to VPN without authenticating to
>> applications has... Perhaps downloadable ACLs, designing your VPN
>> groups and overall network design for user groups to have access to
>> only certain networks may reduce risk in that sensitive system access
>> is granted to a subset of your total user population. Principle of
>> least privilege.
>>
>> RSA tokens fobs are similar to your bank ATM card in that there are
>> two factors required to authenticate successfully (something you have
>> the ATM Card and something you know the pin code). This is more
>> secure than passwords which can be obtained from systems and tend to
>> be static (not change over many days).
>>
>> Regards



 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Changing Windows Passwords - VPN with a PIX, Cisco VPN Client and RADIUS Authentication DCS Cisco 2 03-26-2009 08:45 PM
dot1x, radius and telnet authentication g18c@hotmail.com Cisco 2 11-01-2006 05:33 AM
RADIUS Server that Forces User *and* Computer Authentication? Jeff Wireless Networking 4 01-05-2005 07:30 PM
problem with 2 VPN-Client groups and Radius authentication on Cisco PIX 515E Spoettel Otmar Cisco 0 05-12-2004 12:54 PM
Cisco radius attributes with Funk Steel-Belted Radius Server David Cisco 0 11-06-2003 09:54 PM



Advertisments