Second authentication with ASAs and RADIUS

Not sure if anyone else is doing anything to address this, but seeing if I can get some ideas...

Currently we have a Cisco ASA 5520 set up with RADIUS authentication; this gives us the two-point authentication we need. However, since one part of the authentication, the group name and password, never changes and is hard-coded into the computer, it really only gives us one good authentication mechanism (such as, if the laptop was stolen, they would only need the username and password of the user to get in).

One way we could do a second user authentication is with RSA tokens; however, this would be a costly solution, as we have hundreds of users that use VPN clients. Is there any other way to set up an authentication question with the RADIUS servers, or any other sort of second authentication mechanism to use?

Thanks for any help or ideas.

Shawn

Posted by b3nder

Hello Shawn,

Assuming the user account database used to access the network via VPN is independent of the user database for the applications, the applications being accessed from the VPN have an independent authentication mechanism, thereby potentially providing two levels of user authentication to access resources. Try it and see how much access a user who has successfully connected to the VPN, without authenticating to applications, has... Perhaps downloadable ACLs, and designing your VPN groups and overall network so that user groups have access to only certain networks, may reduce risk, in that sensitive system access is granted to a subset of your total user population. Principle of least privilege.

RSA token fobs are similar to your bank ATM card in that two factors are required to authenticate successfully (something you have, the ATM card, and something you know, the PIN code). This is more secure than passwords, which can be obtained from systems and tend to be static (not changing over many days).

Regards

Posted by jrguent

Thanks for the follow-up. Our users authenticate against our RADIUS server, which serves our applications as well, so if they can steal a laptop and figure out the user's ID and password, they would have free rein... We are trying to get a second (or technically a third) point of authentication, such as a challenge/response type question or similar that might change every couple of months, to ensure that no one is getting in that shouldn't be...

Shawn


Posted by b3nder
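The challenge/response RADIUS exchange Shawn asks about above, combined with the per-group access restriction jrguent suggested in the first reply, as an added example that is not part of the original thread and is not Cisco's, RSA's or any RADIUS vendor's code. It is a toy RFC 2865 server plus the gateway side of the exchange, standard-library Python only: the gateway sends Access-Request with the hidden User-Password; the server checks the password and, instead of Access-Accept, returns Access-Challenge carrying a State cookie and a Reply-Message prompt; the gateway re-sends the user's answer in a second Access-Request with that State; on success the Access-Accept carries a Filter-Id naming a per-group ACL for the gateway to apply. The shared secret, the user record, the challenge question and the ACL name are constructed sample data, and whether a given ASA release relays RADIUS Access-Challenge prompts to the VPN client is assumed rather than shown here.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, FILTER_ID, REPLY_MESSAGE, STATE = 1, 2, 11, 18, 24
SECRET = b"constructed-shared-secret"  # constructed: shared by the gateway and the RADIUS server
USERS = {"shawn": {"password": b"Summer2008", "answer": b"acme",  # constructed sample user store
                   "question": "Challenge: name of your first project?", "group_acl": "vpn-general-acl"}}

def encode_attrs(attrs):
    """(type, value) pairs -> RADIUS TLVs: 1-byte type, 1-byte total length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs = []
    while data:
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs

def get_attr(attrs, t):
    return next((v for a, v in attrs if a == t), None)

def build_packet(code, ident, authenticator, attrs, secret=None):
    """Requests carry a random authenticator; replies (secret given) carry MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if secret is not None:
        authenticator = hashlib.md5(header + authenticator + body + secret).digest()
    return header + authenticator + body

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])

def password_xor(data, secret, request_auth, hiding):
    """RFC 2865 5.2 User-Password hiding: 16-byte blocks XORed with MD5(secret + previous ciphertext block)."""
    if hiding:
        data += b"\x00" * (-len(data) % 16)
    out, prev = b"", request_auth  # the first block is keyed by the Request Authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hiding else data[i:i + 16])
    return out

class ChallengeServer:
    def __init__(self, secret, users):
        self.secret, self.users, self.pending = secret, users, {}  # pending: State -> (user, answer)

    def handle(self, pkt):
        code, ident, req_auth, attrs = parse_packet(pkt)
        reject = build_packet(ACCESS_REJECT, ident, req_auth, [], self.secret)
        name, hidden, state = (get_attr(attrs, t) for t in (USER_NAME, USER_PASSWORD, STATE))
        if code != ACCESS_REQUEST or name is None or hidden is None:
            return reject
        user = name.decode()
        supplied = password_xor(hidden, self.secret, req_auth, False).rstrip(b"\x00")
        if state is None:  # leg 1: verify the password, then challenge instead of accepting
            rec = self.users.get(user)
            if rec is None or not hmac.compare_digest(supplied, rec["password"]):
                return reject
            cookie = os.urandom(16)
            self.pending[cookie] = (user, rec["answer"])  # single use: popped on leg 2
            return build_packet(ACCESS_CHALLENGE, ident, req_auth,
                                [(STATE, cookie), (REPLY_MESSAGE, rec["question"].encode())], self.secret)
        issued = self.pending.pop(state, None)  # leg 2: State must be one we issued to this user
        if issued is None or issued[0] != user or not hmac.compare_digest(supplied, issued[1]):
            return reject
        return build_packet(ACCESS_ACCEPT, ident, req_auth,  # least privilege: per-group ACL name
                            [(FILTER_ID, self.users[user]["group_acl"].encode())], self.secret)

def access_request(ident, username, text, secret, state=None):
    """Gateway side: User-Password carries the password on leg 1 and the answer on leg 2."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, username.encode()), (USER_PASSWORD, password_xor(text.encode(), secret, req_auth, True))]
    if state is not None:
        attrs.append((STATE, state))
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def send(server, pkt, req_auth, secret):
    """Gateway side: verify the Response Authenticator before trusting a reply."""
    reply = server.handle(pkt)
    if not hmac.compare_digest(reply[4:20], hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()):
        raise ValueError("bad Response Authenticator")
    return parse_packet(reply)

def vpn_login(server, secret, username, password, answer_fn):
    """Run both legs as the gateway would; returns (final code, Filter-Id or None)."""
    code, _, _, attrs = send(server, *access_request(1, username, password, secret), secret)
    if code != ACCESS_CHALLENGE:
        return code, None
    answer = answer_fn(get_attr(attrs, REPLY_MESSAGE).decode())  # the prompt the VPN client shows
    code, _, _, attrs = send(server, *access_request(2, username, answer, secret, get_attr(attrs, STATE)), secret)
    acl = get_attr(attrs, FILTER_ID)
    return code, acl.decode() if acl else None
```

`vpn_login(ChallengeServer(SECRET, USERS), SECRET, "shawn", "Summer2008", lambda q: "acme")` returns `(2, 'vpn-general-acl')`; a wrong answer, a wrong password or a replayed State cookie returns `(3, None)`. Two caveats worth keeping in mind: a static challenge answer is still something the user knows, so this adds a second prompt rather than a second factor in the sense of jrguent's ATM-card comparison, although it does stop a stolen username and password alone from working; and RADIUS User-Password hiding is MD5-based obfuscation, not encryption, so the path between the ASA and the RADIUS server still has to be a trusted network.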

Hello,

There are vendors claiming the ability to delete data remotely on stolen laptops; Google "laptop theft protection". Otherwise, the ASA can apply AAA for network access; look in the 8.0 config guide. I have used the aaa authentication match command to prevent "unwanted guests" on our guest-only WLAN from getting wireless LAN access. The users must authenticate via a web page generated by the ASA prior to obtaining network access; the web page is nothing more than a username and password prompt. I have it pointed to a local ASA authentication database.

Regards

Posted by jrguent

You actually want a third factor for authentication. The setup you have is actually very secure, because you need three things: a stolen laptop, a valid username AND the password associated with the user. Institute a process whereby, if a user's laptop is stolen or lost, the user is forced to change their password. Now, if a user is dumb enough to write their username and password on a Post-it note that is with the laptop, it doesn't do any good. Also, the data on the laptop is easier to get than what is on your network. Most people who steal a laptop are not going to try to access your network via a VPN, and the odds that they also have the user's login ID and password are very slim. Why? Because if they log in via the VPN, it makes it very easy to track down the laptop via its IP address, which can then be tracked to an ISP and a subscriber, a very stupid thing to do. RSA tokens aren't that much more secure in this case, because they are often kept with the laptop. You would then also need to institute a policy to invalidate the token if it is lost or stolen.

You would be better off using your time and money to encrypt the contents of the laptop if you are worried about data being compromised. There are many vendors in this space, and PointSec has a very good solution that allows you to access the laptop if the user forgets their password.

Posted by Thrill5

That is a very good point about the three-point authentication (laptop, username, and password). We have always thought of our setup as secure, but the auditors (I think they are bored :-) ) were wanting a point of authentication other than username and password, and seeing as how the group name and password never change, they didn't see that as a secure point (even though it is just as secure as the RSA tokens that we do give out). I will bring this point up to them and see if we can make them happy.

I will have to do some more investigation into the AAA authentication and see if I can find something in there to give us that extra step.

Thanks for all the suggestions.

Shawn

Posted by b3nder

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.