Re: Cisco 2 factor authentication

2016-06-27 Thread Ryan Gelobter
We use Phonefactor (now Azure Authenticator) with AnyConnect VPN. It sits
in front of LDAP/AD and integrates with it. It can be a PITA but it works.

On Wed, Jun 22, 2016 at 3:27 AM, Ray Ludendorff wrote:

> Has anyone set up two factor VPN using a Cisco ASA VPN solution?
> What sort of soft client based dual factor authentication options were
> used for the Cisco VPNs (e.g. Symantec VIP, Google Authenticator, Azure
> Authenticator, RSA, etc.)?
> I am trying to find what infrastructure is needed to come up with the
> solution.
>
> Please contact me off list.
>
> Regards
> Ray Ludendorff


Re: Cisco 2 factor authentication

2016-06-26 Thread Tom Smyth
The RADIUS protocol traffic can be encrypted with IPsec policies, if
confidentiality of the RADIUS traffic is a concern (particularly if
traversing untrusted networks).
On 26 Jun 2016 3:48 a.m., "Jimmy Hess" wrote:

> On Wed, Jun 22, 2016 at 9:38 PM, Chris Lawrence wrote:
> > Any RADIUS-based auth works well. I've used a solution by Secure Envoy in
> > the past which seems to work well; they also have soft token apps, hard
> > tokens plus SMS based.
>
> However, a cautionary note there is that the RADIUS protocol itself uses
> only weak cryptography and is not secure on the wire.
>
> That is, in the absence of the AES Keywrap proprietary extension, or when
> the method of credential used is not authentication using a
> client-side certificate (PKI) as in *EAP.
>
> Specifically: if RADIUS is used for the Authentication stage of AAA
> with a code sent by SMS or OATH token [user types normal password +
> one-time password], then when traffic between the RADIUS server and VPN
> device is captured, the user credentials may be exposed, given the
> extremely weak crypto protection RADIUS or NTLM provides for the
> user password.
>
> If a user re-uses their same password somewhere else on a device not
> requiring 2FA, then capturing RADIUS traffic could be an effective
> privilege escalation, by copying the victim's password from a sniffed
> RADIUS exchange.
>
> --
> -JH


Re: Cisco 2 factor authentication

2016-06-26 Thread Alan Buxey
As per other statements of such seen elsewhere online, do you have examples or
code which will allow the recovery of passwords in a RADIUS exchange? Yes, the
shared secret mechanism is widely stated as 'weak', but is it actively attacked?

alan


Re: Cisco 2 factor authentication

2016-06-25 Thread Jimmy Hess
On Wed, Jun 22, 2016 at 9:38 PM, Chris Lawrence wrote:
> Any RADIUS-based auth works well. I've used a solution by Secure Envoy in the
> past which seems to work well; they also have soft token apps, hard tokens
> plus SMS based.

However, a cautionary note there is that the RADIUS protocol itself uses
only weak cryptography and is not secure on the wire.

That is, in the absence of the AES Keywrap proprietary extension, or when
the method of credential used is not authentication using a
client-side certificate (PKI) as in *EAP.

Specifically: if RADIUS is used for the Authentication stage of AAA
with a code sent by SMS or OATH token [user types normal password +
one-time password], then when traffic between the RADIUS server and VPN
device is captured, the user credentials may be exposed, given the
extremely weak crypto protection RADIUS or NTLM provides for the
user password.

If a user re-uses their same password somewhere else on a device not
requiring 2FA, then capturing RADIUS traffic could be an effective
privilege escalation, by copying the victim's password from a sniffed
RADIUS exchange.

--
-JH
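To make the weak on-the-wire protection concrete, here is an added example (not code from the thread or from any vendor) implementing the RFC 2865 section 5.2 User-Password hiding that a NAS such as a VPN device applies before sending an Access-Request. The password, here the "normal password + one-time password" string the thread describes, is XORed with MD5(shared secret || Request Authenticator); since the authenticator travels in the clear in the same packet, the only thing standing between a captured packet and the password is the shared secret. Shared secret, authenticator and password are constructed sample values.

```python
import hashlib

BLOCK = 16  # RFC 2865 section 5.2 hides User-Password in 16-octet blocks


def keystream(secret: bytes, prev: bytes) -> bytes:
    """The only key material: MD5(shared secret || previous block).
    For the first block 'prev' is the Request Authenticator, which the
    Access-Request packet carries in the clear."""
    return hashlib.md5(secret + prev).digest()


def pad_password(password: bytes) -> bytes:
    """NUL-pad to a multiple of 16 octets, at least one block (RFC 2865 5.2)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    return padded or b"\x00" * BLOCK


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Build the User-Password attribute value as the NAS (VPN device) sends it."""
    if len(request_auth) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    padded, out, prev = pad_password(password), bytearray(), request_auth
    for i in range(0, len(padded), BLOCK):
        block = bytes(p ^ s for p, s in zip(padded[i:i + BLOCK], keystream(secret, prev)))
        out += block
        prev = block  # later blocks are chained on the previous ciphertext block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """What the RADIUS server does; anyone holding the shared secret and the
    captured packet can do exactly the same, which is the thread's point."""
    if not hidden or len(hidden) % BLOCK or len(request_auth) != BLOCK:
        raise ValueError("malformed User-Password or Request Authenticator")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        out += bytes(c ^ s for c, s in zip(block, keystream(secret, prev)))
        prev = block
    return bytes(out).rstrip(b"\x00")


# Constructed sample values; a real NAS picks a fresh random authenticator per request.
SECRET = b"testing123"
REQUEST_AUTH = bytes(range(BLOCK))
PASSWORD_PLUS_OTP = b"Summer2016!" + b"482193"  # the "password + OTP" combination

if __name__ == "__main__":
    wire = hide_password(PASSWORD_PLUS_OTP, SECRET, REQUEST_AUTH)
    print("User-Password on the wire:", wire.hex())
    print("recovered with the shared secret:", reveal_password(wire, SECRET, REQUEST_AUTH))
```

Note that nothing in the key stream depends on the password itself, which is why Tom's suggestion of wrapping RADIUS in IPsec, or using an EAP method with a client certificate as Jimmy mentions, is the practical mitigation.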


Re: Cisco 2 factor authentication

2016-06-23 Thread Peter Loron
We are in the process of rolling out Okta, including using a second factor for 
AnyConnect VPN. Works well.

-Pete

On 6/22/16, 01:27, "NANOG on behalf of Ray Ludendorff" wrote:

Has anyone set up two factor VPN using a Cisco ASA VPN solution?
What sort of soft client based dual factor authentication options were used for 
the Cisco VPNs (e.g. Symantec VIP, Google Authenticator, Azure Authenticator, 
RSA, etc.)?
I am trying to find what infrastructure is needed to come up with the solution.

Please contact me off list.

Regards
Ray Ludendorff


Re: Cisco 2 factor authentication

2016-06-23 Thread Chris Lawrence
Any RADIUS-based auth works well. I've used a solution by Secure Envoy in the 
past which seems to work well; they also have soft token apps, hard tokens plus 
SMS based.

Sent from my iPhone

> On 23 Jun 2016, at 01:51, Ray Ludendorff wrote:
>
> Has anyone set up two factor VPN using a Cisco ASA VPN solution?
> What sort of soft client based dual factor authentication options were used 
> for the Cisco VPNs (e.g. Symantec VIP, Google Authenticator, Azure 
> Authenticator, RSA, etc.)?
> I am trying to find what infrastructure is needed to come up with the 
> solution.
>
> Please contact me off list.
>
> Regards
> Ray Ludendorff


Cisco 2 factor authentication

2016-06-22 Thread Ray Ludendorff
Has anyone set up two factor VPN using a Cisco ASA VPN solution?
What sort of soft client based dual factor authentication options were used for 
the Cisco VPNs (e.g. Symantec VIP, Google Authenticator, Azure Authenticator, 
RSA, etc.)?
I am trying to find what infrastructure is needed to come up with the solution.

Please contact me off list.

Regards
Ray Ludendorff