Re: [c-nsp] Router 2 factor authentication

2010-08-26 Thread Mark Tech
Hi Dominik
Your solution sounds like what I'm looking for. Are you using RADIUS or TACACS
as your AAA?

With regard to the CLI that you will see from the router, do you just enter
username and passwd+PIN?

In answer to Ben's question, this is for compliance reasons as well.

Regards

Mark

----- Original Message -----
From: Dominik Bay d@rrbone-bb.net
To: cisco-nsp@puck.nether.net
Sent: Thu, August 26, 2010 6:28:22 AM
Subject: Re: [c-nsp] Router 2 factor authentication

On Thu, 26 Aug 2010 10:42:28 +1000
Ben Steele b...@bensteele.org wrote:

> Out of curiosity can you tell me what led you to wanting 2FA for these
> devices, and how the traditional acl/tacacs method failed your
> requirements?

We are using RSA SecurID on P and PE routers to secure the core network
and fulfil customer demands. 2FA on CE routers depends on the customer's
needs; those who asked for it on the PE and P routers usually have it on
their CEs too.
On OOB devices it's a 2-step auth with encryption and callback.

Regards,
Dominik
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/



  



Re: [c-nsp] Router 2 factor authentication

2010-08-26 Thread Dominik Bay
Hi Mark,

On Thu, 26 Aug 2010 01:45:17 -0700 (PDT)
Mark Tech techcon...@yahoo.com wrote:

> Hi Dominik
> Your solution sounds like what I'm looking for. Are you using RADIUS
> or TACACS as your AAA?
>
> With regard to the cli that you will see from the router, do you just
> enter username and passwd+PIN

we are using Cisco ACS with RSA ACE integration for these devices.
You will get a standard prompt like:

TACACS+ Username: myuser
Password: token-pin+token-one-time-password

The login is fast, and from what I hear the ACS+ACE setup is stable
enough not to get you punished by your server operations team for
choosing this solution. :-)

Kind regards,
Dominik


Re: [c-nsp] Router 2 factor authentication

2010-08-26 Thread John Kougoulos

> we are using Cisco ACS with RSA ACE integration for these devices.
> You will get a standard prompt like:
>
> TACACS+ Username: myuser
> Password: token-pin+token-one-time-password
>
> The login is fast, and from what I hear the ACS+ACE setup is stable
> enough not to get you punished by your server operations team for
> choosing this solution. :-)

In a configuration (ACS+ACE) I had done several years ago, the prompt was
the standard SecurID one:

Username:
Enter PASSCODE:

Standard authentication was working OK. In some Cisco documentation it was
recommended to increase the TACACS timeout to 30 or 60 seconds, as far as I
can remember, because the ACE server may delay its response. What you
should also test is whether the setup supports Next Tokencode mode etc.

The problem, IMHO, with SecurID for management access of network devices,
is that you have to wait 1 minute to log on to another device. So it's OK
for provisioning tasks, but when you have a problem and you need to log in
instantly to 4-5 devices, it's rather unpleasant to wait 1 minute between
logons.

Regards,
John


Re: [c-nsp] Router 2 factor authentication

2010-08-26 Thread Tim Franklin
> The problem, IMHO, with SecurID for management access of network
> devices, is that you have to wait 1 minute to logon to another
> device. So it's ok for provisioning tasks, but when you have a
> problem and you need to login instantly to 4-5 devices, it's
> rather unpleasant to wait 1 minute between logons.

Don't know if SecurID has something similar, but I've done some ACS
integration with a Vasco back-end, using OTP-style tokens that generate a new
passcode, good for one login only, with each press of the button. Much more
useful in a network ops environment.

Regards,
Tim.
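John's one-minute wait and Tim's press-the-button alternative come down to how the back-end burns codes once they have been used. The Python below is an added illustration written for this thread, not code from the list, RSA, Vasco or Cisco: a minimal RFC 4226 HOTP / RFC 6238 TOTP generator, a time-based verifier that accepts each time step once (so a second device in the same step has to wait for the next tokencode) and an event-based verifier that accepts each counter value once (so consecutive logins each get a fresh code). The seed, class names and timestamps are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed demo seed; real token seeds are provisioned by the token vendor.
SEED = b"constructed-demo-seed-0123"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, now // step, digits)

class TimeTokenVerifier:
    """Time-based token (SecurID style): each time step's code is accepted at most
    once, so a second login inside the same step waits for the next tokencode."""

    def __init__(self, secret: bytes, step: int = 60) -> None:
        self.secret, self.step, self.last_step = secret, step, -1

    def verify(self, code: str, now: int) -> bool:
        tstep = now // self.step
        expected = hotp(self.secret, tstep)
        # A step that already authenticated someone is burned: replay is refused.
        if tstep <= self.last_step or not hmac.compare_digest(code, expected):
            return False
        self.last_step = tstep
        return True

class EventTokenVerifier:
    """Event-based token (button press): each counter value is accepted once, so
    back-to-back logins to several devices each use a fresh code without waiting."""

    def __init__(self, secret: bytes, look_ahead: int = 5) -> None:
        self.secret, self.look_ahead, self.counter = secret, look_ahead, 0

    def verify(self, code: str) -> bool:
        # Tolerate a few unused presses by looking ahead, but never accept an
        # older counter, which is what makes each code single-use.
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(code, hotp(self.secret, c)):
                self.counter = c + 1  # this and any skipped counters are burned
                return True
        return False
```

Behind a TACACS+ or RADIUS front-end the verifier is what decides whether the operator can log in to all 4-5 devices in a row or has to wait for the next code between each one.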


[c-nsp] Router 2 factor authentication

2010-08-25 Thread Mark Tech
Hi
I am looking for a 2FA solution in order to connect to Cisco devices. I would
like to use either RADIUS or TACACS as the AAA part; however, I'd like to know
whether/how I could interconnect this to a 2nd auth such as a token-based RSA
SecurID platform.

I'd appreciate any input on whether this is possible at all.

Regards

Mark



Re: [c-nsp] Router 2 factor authentication

2010-08-25 Thread Heath Jones
How about users appending the token digits to the password? Of course this
would mean you're storing plain-text passwords on the TACACS server
somewhere...

On 25 August 2010 21:06, Mark Tech techcon...@yahoo.com wrote:

> Hi
> I am looking for a 2FA solution in order to connect to Cisco devices. I
> would
> like to use either Radius or TACACS as the AAA part, however I'd like to
> know
> whether/how I could interconnect this to a 2nd auth such as a token based
> RSA
> securID platform
>
> I'd appreciate any input if this is possible at all?
>
> Regards
>
> Mark



Re: [c-nsp] Router 2 factor authentication

2010-08-25 Thread Chris Mason
> I am looking for a 2FA solution in order to connect to Cisco devices. I
> would
> like to use either Radius or TACACS as the AAA part, however I'd like to
> know
> whether/how I could interconnect this to a 2nd auth such as a token based
> RSA
> securID platform
>
> I'd appreciate any input if this is possible at all?

I haven't used it for a while, but doesn't Cisco ACS support token-based
authentication using an RSA SecurID server as its authentication method?

Chris


Re: [c-nsp] Router 2 factor authentication

2010-08-25 Thread Daniel Roesen
On Wed, Aug 25, 2010 at 01:06:24PM -0700, Mark Tech wrote:
> I am looking for a 2FA solution in order to connect to Cisco devices. I would
> like to use either Radius or TACACS as the AAA part, however I'd like to know
> whether/how I could interconnect this to a 2nd auth such as a token based RSA
> securID platform
>
> I'd appreciate any input if this is possible at all?

RSA ACE server:

http://www.rsa.com/node.aspx?id=1156

I've read that it does RADIUS by itself. If that ain't enough for your
needs, a Cisco ACS might act as a mediator:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080094650.shtml

Best regards,
Daniel

-- 
CLUE-RIPE -- Jabber: d...@cluenet.de -- d...@ircnet -- PGP: 0xA85C8AA0


Re: [c-nsp] Router 2 factor authentication

2010-08-25 Thread Michael K. Smith - Adhost
Hello Mark:


> -----Original Message-----
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Mark Tech
> Sent: Wednesday, August 25, 2010 1:06 PM
> To: cisco-nsp@puck.nether.net
> Subject: [c-nsp] Router 2 factor authentication
>
> Hi
> I am looking for a 2FA solution in order to connect to Cisco devices. I would
> like to use either Radius or TACACS as the AAA part, however I'd like to know
> whether/how I could interconnect this to a 2nd auth such as a token based RSA
> securID platform
>
> I'd appreciate any input if this is possible at all?
>
> Regards
>
> Mark

We use the SecurID 7.0 servers from RSA, and those boxes have the
open-source ACS client as part of the installation. Or you can also use
their internal RADIUS server. Or, if you have already invested in ACS,
you can have the ACS authenticate against tokens directly.

Regards,

Mike

--
Michael K. Smith - CISSP, GSEC, GISP
Chief Technical Officer - Adhost Internet LLC mksm...@adhost.com
w: +1 (206) 404-9500 f: +1 (206) 404-9050
PGP: B49A DDF5 8611 27F3  08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)


Re: [c-nsp] Router 2 factor authentication

2010-08-25 Thread Ben Steele
Out of curiosity, can you tell me what led you to wanting 2FA for these
devices, and how the traditional ACL/TACACS method failed your requirements?

Of course anyone who has implemented it is free to chime in; I'm just generally
interested in people's security concerns around this and how you feel it
mitigates whatever risks you were associating with it. Also curious if it
affected the way you handle OOB access as well.

Ben

On Thu, Aug 26, 2010 at 6:06 AM, Mark Tech techcon...@yahoo.com wrote:

> Hi
> I am looking for a 2FA solution in order to connect to Cisco devices. I
> would
> like to use either Radius or TACACS as the AAA part, however I'd like to
> know
> whether/how I could interconnect this to a 2nd auth such as a token based
> RSA
> securID platform
>
> I'd appreciate any input if this is possible at all?
>
> Regards
>
> Mark



Re: [c-nsp] Router 2 factor authentication

2010-08-25 Thread Michael K. Smith - Adhost
Hello Ben:

> -----Original Message-----
> From: cisco-nsp-boun...@puck.nether.net [mailto:cisco-nsp-boun...@puck.nether.net] On Behalf Of Ben Steele
> Sent: Wednesday, August 25, 2010 5:42 PM
> To: Mark Tech
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: [c-nsp] Router 2 factor authentication
>
> Out of curiosity can you tell me what led you to wanting 2FA for these
> devices, and how the traditional acl/tacacs method failed your
> requirements?
>
> Of course anyone who has implemented it is free to chime in, just generally
> interested in peoples security concerns around this and how you feel it
> mitigates whatever risks you were associating with it, also curious if it
> affected the way you handle OOB access aswell.
>
> Ben

In our case it's for compliance reasons. There are requirements within
scope for many models that require two-factor authentication. For OOB,
we use 2-factor to an OOB network that doesn't have any outside
connectivity beyond our border firewalls. Granted, we are only in a few
locations and do all of our OOB using IP-addressed devices. If I had a
dial-in AUX device at some remote location I would ask for mitigating
circumstances for that device.

Regards,

Mike
--
Michael K. Smith - CISSP, GSEC, GISP
Chief Technical Officer - Adhost Internet LLC mksm...@adhost.com
w: +1 (206) 404-9500 f: +1 (206) 404-9050
PGP: B49A DDF5 8611 27F3  08B9 84BB E61E 38C0 (Key ID: 0x9A96777D)


Re: [c-nsp] Router 2 factor authentication

2010-08-25 Thread Dominik Bay
On Thu, 26 Aug 2010 10:42:28 +1000
Ben Steele b...@bensteele.org wrote:

> Out of curiosity can you tell me what led you to wanting 2FA for these
> devices, and how the traditional acl/tacacs method failed your
> requirements?

We are using RSA SecurID on P and PE routers to secure the core network
and fulfil customer demands. 2FA on CE routers depends on the customer's
needs; those who asked for it on the PE and P routers usually have it on
their CEs too.
On OOB devices it's a 2-step auth with encryption and callback.

Regards,
Dominik