Re: second authentication with asa's and radius

Discussion in 'Cisco' started by jrguent@gmail.com, Mar 4, 2009.

  1. Guest

    On Mar 4, 10:57 am, b3nder <> wrote:
    > not sure if anyone else is doing anything to address this but seeing if
    > I can get some ideas...
    >
    > currently --
    > we have a cisco asa 5520 set up with radius authentication, this gives
    > us the two point authentication we need.. however, since 1 part of the
    > authentication, the group-name and password, never changes and is hard
    > coded into the computer, it really only gives us 1 good authentication
    > mechanism. (such as if the laptop was stolen, they would only need the
    > username and password of the user to get in).
    >
    > One way we could do a second user authentication is with RSA tokens,
    > however this would be a costly solution as we have hundreds of users
    > that use VPN Clients... is there any other way to set up an
    > authentication question with the radius servers or any other sort of
    > second authentication mechanism to use?
    >
    > Thanks for any help or ideas
    > Shawn


    Hello Shawn,

    Assuming the user account database to access the network via VPN is
    independent of the user database for the applications,
    the applications being accessed from VPN have an independent
    authentication mechanism, thereby providing potentially two levels of
    user authentication to access resources. Try it and see how much
    access a user successfully connected to VPN without authenticating to
    applications has... Perhaps downloadable ACLs, designing your VPN
    groups and overall network design for user groups to have access to
    only certain networks may reduce risk, in that sensitive system access
    is granted to a subset of your total user population. Principle of
    least privilege.

    RSA token fobs are similar to your bank ATM card in that there are
    two factors required to authenticate successfully (something you have,
    the ATM card, and something you know, the PIN code). This is more
    secure than passwords, which can be obtained from systems and tend to
    be static (not change over many days).

    Regards
    , Mar 4, 2009
    #1
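    A sketch of the per-group, least-privilege VPN design the reply above recommends, added here as an example and not taken from the thread: each user population gets its own tunnel group (and so its own group password), the user password is checked against RADIUS, and a vpn-filter limits what a connected client can reach. Server addresses, pool, ACL contents and all names are assumed placeholders; the syntax follows the ASA 8.x configuration guide.

```cisco
! RADIUS server group that checks the per-user (second) factor
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 192.0.2.10
 key <shared-secret>

! Least privilege: clients in the STAFF group may reach only the
! application subnet on HTTPS. For remote-access vpn-filter ACLs the
! source is the address assigned to the VPN client and the destination
! is the inside resource; the ASA applies the filter to both directions.
access-list VPN-STAFF-FILTER extended permit tcp any 10.1.1.0 255.255.255.0 eq 443
access-list VPN-STAFF-FILTER extended deny ip any any

! Assumed client address pool for this group
ip local pool STAFF-POOL 10.99.1.1-10.99.1.254 mask 255.255.255.0

group-policy GP-STAFF internal
group-policy GP-STAFF attributes
 vpn-filter value VPN-STAFF-FILTER
 vpn-tunnel-protocol IPSec

! One tunnel group per user population: the group name and pre-shared
! key are the part stored on the laptop; RADIUS supplies the check of
! what the user knows. A second population gets its own tunnel group,
! group policy and filter instead of sharing these.
tunnel-group STAFF type remote-access
tunnel-group STAFF general-attributes
 address-pool STAFF-POOL
 authentication-server-group RADIUS-SRV
 default-group-policy GP-STAFF
tunnel-group STAFF ipsec-attributes
 pre-shared-key <group-password>
```

    Because the filter is tied to the group policy, a connected client whose user only belongs to STAFF cannot reach anything outside the permitted subnet even though it has a valid VPN session.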

  2. Guest

    On Mar 4, 3:45 pm, b3nder <> wrote:
    > Thanks for the follow up.. Our users authenticate against our radius
    > server that serves our applications as well.. so if they can steal a
    > laptop and figure out the user's ID and Password, they would be able to
    > have free rein... We are trying to get a 2nd (or technically a 3rd)
    > point of authentication, such as a challenge/response type question or
    > similar that might change every couple months to ensure that no one is
    > getting in that shouldn't be...
    >
    > shawn
    >
    > wrote:
    > > On Mar 4, 10:57 am, b3nder <> wrote:
    > >> not sure if anyone else is doing anything to address this but seeing if
    > >> I can get some ideas...
    > >>
    > >> currently --
    > >> we have a cisco asa 5520 set up with radius authentication, this gives
    > >> us the two point authentication we need.. however, since 1 part of the
    > >> authentication, the group-name and password, never changes and is hard
    > >> coded into the computer, it really only gives us 1 good authentication
    > >> mechanism. (such as if the laptop was stolen, they would only need the
    > >> username and password of the user to get in).
    > >>
    > >> One way we could do a second user authentication is with RSA tokens,
    > >> however this would be a costly solution as we have hundreds of users
    > >> that use VPN Clients... is there any other way to set up an
    > >> authentication question with the radius servers or any other sort of
    > >> second authentication mechanism to use?
    > >>
    > >> Thanks for any help or ideas
    > >> Shawn
    > >
    > > Hello Shawn,
    > >
    > > Assuming the user account database to access the network via VPN is
    > > independent of the user database for the applications,
    > > the applications being accessed from VPN have an independent
    > > authentication mechanism, thereby providing potentially two levels of
    > > user authentication to access resources. Try it and see how much
    > > access a user successfully connected to VPN without authenticating to
    > > applications has... Perhaps downloadable ACLs, designing your VPN
    > > groups and overall network design for user groups to have access to
    > > only certain networks may reduce risk, in that sensitive system access
    > > is granted to a subset of your total user population. Principle of
    > > least privilege.
    > >
    > > RSA token fobs are similar to your bank ATM card in that there are
    > > two factors required to authenticate successfully (something you have,
    > > the ATM card, and something you know, the PIN code). This is more
    > > secure than passwords, which can be obtained from systems and tend to
    > > be static (not change over many days).
    > >
    > > Regards

    Hello,

    There are vendors claiming the ability to delete data remotely on
    stolen laptops. Google "laptop theft protection". Otherwise, the ASA can
    apply AAA for network access; look in the 8.0 config guide. I have
    used the aaa authentication match command to prevent "unwanted guests"
    wireless LAN access from our guest-only WLAN. The users must
    authenticate via a web page generated by the ASA prior to obtaining network
    access; the web page is nothing more than a username and password prompt. I
    have it pointed to a local ASA authentication database.

    Regards
    , Mar 4, 2009
    #2

  3. Thrill5 Guest

    You actually want a 3rd factor for authentication. The setup you have
    is actually very secure because you need three things: a stolen laptop, a
    valid username AND the password associated with the user. Institute a
    process whereby if a user's laptop is stolen or lost, you force the user to
    change their password. Now if a user is dumb enough to write their username
    and password on a post-it note that is with the laptop, it doesn't do any
    good. Also the data on the laptop is easier to get than what is on your
    network. Most people who steal a laptop are not going to try to access your
    network via a VPN, and the odds that they also have the user's login id and
    password are very slim. Why? Because if they log in via the VPN it makes it
    very easy to track down the laptop via its IP address, which can then be tracked
    to an ISP and a subscriber, a very stupid thing to do. RSA tokens aren't
    that much more secure in this case, because they are often kept with the
    laptop. You would then also need to institute a policy to invalidate the
    token if it is lost or stolen.

    You would be better off using your time and money to encrypt the contents of
    the laptop if you are worried about data being compromised. There are many
    vendors in this space, and PointSec has a very good solution that allows you
    to access the laptop if the user forgets their password.

    "b3nder" <> wrote in message
    news:...
    > Thanks for the follow up.. Our users authenticate against our radius
    > server that serves our applications as well.. so if they can steal a
    > laptop and figure out the user's ID and Password, they would be able to
    > have free rein... We are trying to get a 2nd (or technically a 3rd) point
    > of authentication, such as a challenge/response type question or similar
    > that might change every couple months to ensure that no one is getting in
    > that shouldn't be...
    >
    > shawn
    >
    > wrote:
    >> On Mar 4, 10:57 am, b3nder <> wrote:
    >>> not sure if anyone else is doing anything to address this but seeing if
    >>> I can get some ideas...
    >>>
    >>> currently --
    >>> we have a cisco asa 5520 set up with radius authentication, this gives
    >>> us the two point authentication we need.. however, since 1 part of the
    >>> authentication, the group-name and password, never changes and is hard
    >>> coded into the computer, it really only gives us 1 good authentication
    >>> mechanism. (such as if the laptop was stolen, they would only need the
    >>> username and password of the user to get in).
    >>>
    >>> One way we could do a second user authentication is with RSA tokens,
    >>> however this would be a costly solution as we have hundreds of users
    >>> that use VPN Clients... is there any other way to set up an
    >>> authentication question with the radius servers or any other sort of
    >>> second authentication mechanism to use?
    >>>
    >>> Thanks for any help or ideas
    >>> Shawn
    >>
    >> Hello Shawn,
    >>
    >> Assuming the user account database to access the network via VPN is
    >> independent of the user database for the applications,
    >> the applications being accessed from VPN have an independent
    >> authentication mechanism, thereby providing potentially two levels of
    >> user authentication to access resources. Try it and see how much
    >> access a user successfully connected to VPN without authenticating to
    >> applications has... Perhaps downloadable ACLs, designing your VPN
    >> groups and overall network design for user groups to have access to
    >> only certain networks may reduce risk, in that sensitive system access
    >> is granted to a subset of your total user population. Principle of
    >> least privilege.
    >>
    >> RSA token fobs are similar to your bank ATM card in that there are
    >> two factors required to authenticate successfully (something you have,
    >> the ATM card, and something you know, the PIN code). This is more
    >> secure than passwords, which can be obtained from systems and tend to
    >> be static (not change over many days).
    >>
    >> Regards
    Thrill5, Mar 4, 2009
    #3
