2 Factor Authentication for Anyconnect VPN using ISE

We are planning to implement dual-factor authentication for AnyConnect VPN.
The end users will be authenticated using the domain name in machine certificates and a username/password, with
ISE used as the RADIUS server.
We have the following approaches to achieve this:
1. Use primary and secondary authentication, with user credentials as the primary authentication
and the CN field of the certificate as the secondary authentication. However, this option prompts users for a password for
both fields, while we want the machine certificate to authenticate itself without a password.
2. The second approach is to authenticate using user credentials and authorize the user to access the network only if
the machine certificate has a domain name in the CN field, which we are able to validate against AD using a
Dynamic Access Policy.
We look forward to discussion of the above approaches and are open to any other
solution.

Hi Umahar,
Not sure I understood correctly. You would like to authenticate the user using a machine certificate for AnyConnect, and want to extract the CN attribute from the client's certificate and send it to the ISE server for further authentication with AD. And also you don't want an additional password prompt to be presented to the user.
If my understanding is correct, then the user would get a prompt for the password at least, because in the machine certificate there won't be a password, but to authenticate with RADIUS/TACACS we need both username and password. So how will the user get authenticated without a password?
If you are looking for a way to just see if the user is present in AD, not exactly an authentication, then this might not be possible.
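The second approach in the question (user credentials as one factor, and authorization only when the machine certificate's CN is a host in the AD domain) can be sketched as the following check. This is an added example, not code from the thread or from Cisco; the DN parser, the domain `corp.example` and the decision strings are assumptions, and a real deployment expresses this in the ASA/ISE policy rather than in Python.

```python
"""Added example: two-factor decision = RADIUS user result + machine-cert CN check.
The domain, the DN parser and the decision strings are assumptions for illustration."""
from typing import Dict, List

ALLOWED_DOMAIN = "corp.example"   # assumed AD DNS domain (placeholder, not from the thread)


def parse_dn(dn: str) -> Dict[str, List[str]]:
    """Parse an RFC 4514-style subject DN such as
    'CN=host1.corp.example,OU=Laptops,DC=corp,DC=example' into {attr: [values]}.
    Backslash escapes are honoured, so a comma inside a value does not split the RDN."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):      # escaped character: take it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == ",":                           # unescaped comma separates RDNs
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    rdns.append("".join(buf))
    out: Dict[str, List[str]] = {}
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        key, value = rdn.split("=", 1)
        out.setdefault(key.strip().upper(), []).append(value.strip())
    return out


def machine_cert_in_domain(subject_dn: str, domain: str = ALLOWED_DOMAIN) -> bool:
    """Authorization check for the second factor: exactly one CN, and it is a host name
    directly under the AD domain (assumption: machine certs carry the host FQDN as CN).
    Suffix matching is anchored on a leading dot, so 'corp.example.attacker.test'
    and 'host1.corp.example.evil' are rejected, as is a plain user CN like 'jdoe'."""
    try:
        cns = parse_dn(subject_dn).get("CN", [])
    except ValueError:
        return False
    if len(cns) != 1:
        return False
    cn = cns[0].lower().rstrip(".")
    suffix = "." + domain.lower()
    if not cn.endswith(suffix):
        return False
    host = cn[: -len(suffix)]
    return bool(host) and "." not in host and all(ch.isalnum() or ch == "-" for ch in host)


def authorize_vpn(user_auth_ok: bool, subject_dn: str) -> str:
    """Combine both factors: the RADIUS/AD user result (first factor) and the
    machine-certificate CN check (second). Returns a DAP-like decision string."""
    if not user_auth_ok:
        return "deny: user credentials rejected"
    if not machine_cert_in_domain(subject_dn):
        return "deny: machine certificate CN not in domain"
    return "permit"


if __name__ == "__main__":
    # Constructed sample DNs, not taken from any real certificate.
    for dn in ("CN=host1.corp.example,OU=Laptops,DC=corp,DC=example",
               "CN=jdoe,OU=Users,DC=corp,DC=example",
               "CN=host1.corp.example.evil"):
        print(dn, "->", authorize_vpn(True, dn))
```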

Similar Messages

  • Zuul - Simple two-factor authentication for SSH unless using publickey

    To quote myself:
    I wrote: I have a few machines I want to access using SSH. I use public keys when connecting from a trusted computer. However, I also want to access the machines from other computers using passwords. To eliminate the consequences of brute force password cracking or even stolen passwords, I have been looking for a two-factor authentication scheme to use if anything but public keys are used. The method described here lets me log in using public keys without any further hassle, while I must enter a second, one-time password delivered to my mobile phone by email if I use a password.
    Comments are welcome! (Especially on a better way to figure out what authentication method the current SSH session used)
    https://github.com/halhen/techsperiment … aster/zuul

    Finally, this is what I was looking for. Thanks for giving the link.

  • Certificate authentication for Cisco VPN client

    I am trying to configure the Cisco VPN client for certificate authentication on my ASA 5512-X. I have it set up currently for group authentication with a shared password. This works fine. But in order for you to pass PCI compliance you cannot allow aggressive mode for IKEv1. The only way to disable aggressive mode (and use main mode) is to use certificate authentication for the VPN client. I know that someone out there must be doing this already. I am going round and round with this. I am missing something.
    I have tried as I might and all I can get are some cryptic error messages from the client and nothing on the firewall, i.e. "failed to generate signature", "invalid remote signature id". I have tried using different certificates (one built on the ASA and bought from GoDaddy, one built from a Windows CA, and one self-signed).
    Can someone provide the instructions on setting this up (ASDM or CLI)? Can this even be done? I would love to just use the AnyConnect client but I believe you need licensing for that since our system states only 2 allowed. Thank you for your help.

    Dear Doug,
    What ASA code are you running on your ASA hardware? For Cisco AnyConnect you need to have code 8.0 on your hardware with the Cisco AnyConnect Essentials license enabled. Paste me your show version and I will help you determine whether you need to procure a license for your hardware. By default your hardware will be shipped with an AnyConnect Essentials license when you have ordered your hardware with ASA code above 8.0.
    With AnyConnect Essentials you are allowed to use up to the total VPN peers allowed based on your hardware.
    1) What is the AnyConnect Essentials License?
    The AnyConnect Essentials is a license that allows you to connect up to your 'Total VPN Peers' platform limit with AnyConnect. Without an AnyConnect Essentials license, you are limited to the 'SSL VPN Peers' limit on your device. With the AnyConnect Essentials license, you can only use AnyConnect for SSL - other features such as CSD (Cisco Secure Desktop) and using the SSL VPN portal page for anything other than launching AnyConnect are restricted.
    You can see your limits for the various licensing by issuing the 'show version' command on your ASA. Without the license the output shows:
    Licensed features for this platform:
    Maximum Physical Interfaces    : Unlimited
    Maximum VLANs                  : 150      
    Inside Hosts                   : Unlimited
    Failover                       : Active/Active
    VPN-DES                        : Enabled  
    VPN-3DES-AES                   : Enabled  
    Security Contexts              : 2        
    GTP/GPRS                       : Disabled 
    SSL VPN Peers                  : 2        
    Total VPN Peers                : 750      
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled 
    AnyConnect for Cisco VPN Phone : Disabled 
    AnyConnect Essentials          : Disabled 
    Advanced Endpoint Assessment   : Disabled 
    UC Phone Proxy Sessions        : 2        
    Total UC Proxy Sessions        : 2        
    Botnet Traffic Filter          : Disabled
    With the license enabled it shows:
    Licensed features for this platform:
    Maximum Physical Interfaces    : Unlimited
    Maximum VLANs                  : 150      
    Inside Hosts                   : Unlimited
    Failover                       : Active/Active
    VPN-DES                        : Enabled  
    VPN-3DES-AES                   : Enabled  
    Security Contexts              : 2        
    GTP/GPRS                       : Disabled 
    SSL VPN Peers                  : 2        
    Total VPN Peers                : 750      
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled 
    AnyConnect for Cisco VPN Phone : Disabled 
    AnyConnect Essentials          :  Enabled
    Advanced Endpoint Assessment   : Disabled 
    UC Phone Proxy Sessions        : 2        
    Total UC Proxy Sessions        : 2        
    Botnet Traffic Filter          : Disabled
    AnyConnect VPN configuration:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml

  • Two-factor / Multi-factor authentication for Sites login

    Hi All,
    Would like to know if anyone has implemented two-factor authentication for Sites login (Admin / Contributor Interface).
    It will be really helpful if you could share any ideas on this.
    Regards,
    Anoop.

    I haven't seen any before for Sites.
    But I guess if you use OAM for the access, you could create something like what is described in: Integrating the RSA SecurID Authentication Plug-In.
    I haven't tried myself, but maybe that integration with RSA SecurID plugin helps you.
    Regards,
    Guillermo.

  • Two Factor Authentication for UC servers

    Has anyone set up any form of two-factor authentication for logging into UC servers (CallManager/Unity) for administrators using RSA SecurIDs or another form of authentication? We currently use our LDAP account or set up an Application User account, but our Security group would like to add another layer of authentication. Any suggestions?

    Thanks for your help David. This is not my area of expertise, so if I put in the UC server's IP/URL, the proxy server will intercept the request and block it from reaching the UC server? Our Security group wants two-factor enforced so I cannot bypass the second method of authentication.
    Gary

  • AAA authentication for networking devices using ACS 4.1 SE

    Hi!
    I want to perform AAA authentication for networking devices using ACS 4.1 SE.
    I have Cisco 4500, 6500, 2960, 3750, 3560, ASA, CS-MARS, routers (2821) etc. in my network. I want to have RADIUS-based authentication for the same.
    I want telnet, SSH and console attempts to be verified by the RADIUS server, and if ACS goes down then it will be via the local enable password.
    For all users I need to have different privilege levels based upon which access will be granted.
    Could you please send me the config that is required on the active devices as well as on ACS?

    Pradeep,
    Are you planning MAC authentication for some users while using EAP for others?
    For MAC authentication, just use the following in your AP:
    aaa authentication login mac_methods group radius
    In your AP, select the RADIUS server for MAC authentication. You must have already defined your ACS as a RADIUS server.
    In your SSID configuration, under client authentication settings,
    check "open authentication" and also select "MAC Authentication" from the drop-down list.
    If you want either MAC or EAP, then select "MAC Authentication or EAP" from the drop-down.
    Define the mac address as the username and password in ACS. Make sure the format of the mac is without any spaces.
    You will not need to change anything in XP.
    NOTE: XP normally does not require user authentication if machine has already authenticated but it might behave differently. If it does, I can let you know the registry settings to force the behaviour change.
    HTH

  • Two factor authentication for iCloud?

    Hello,
    I have two-factor authentication (aka two-step verification) set up for my Apple ID - when I log in to appleid.apple.com it sends a code to my phone. So that part works great. However, when I log in to www.icloud.com it doesn't send a code to my phone. Securing iCloud.com with two-factor is very important as iCloud contains a lot of your data (email, contacts, etc.).
    I'm wondering if it's not working for me because two-factor for iCloud.com hasn't been fully rolled out yet - or maybe it is still in beta?
    This article indicates that Apple was testing two-factor for iCloud.com as recently as June 2014:
    http://appleinsider.com/articles/14/06/30/apple-testing-two-step-verification-for-icloudcom
    So my question is, does anyone know when two-factor authentication will be fully rolled out and working for iCloud.com?
    Thanks!

    After reading a few articles on this subject, Apple is still working on enabling two-factor authentication for iCloud. At best, they are currently "rolling it out", a process that can take several months due to the millions of users, I guess. At worst, it's still in beta and they are still testing and working on it, which means it could be next year before it's fully deployed. I haven't found any articles or news with a firm date. I'm just glad they are working on it as it's very important. In the meantime, they have implemented email notifications when you log in to your iCloud account. I tested this and only received one notification (for multiple logins over several days from several different computers) so I'm not sure how well the notifications are really working - but I think the notifications are just a workaround until they get two-factor fully deployed for iCloud.
    Does anyone else have more info on this?

  • Two factor authentication for login

    Can you tell me when Verizon Online will implement 2-factor authentication for logging into web and email?
    Thanks!

    Uh, never. I doubt it's even on their radar.

  • Authentication for Easy VPN users using Windows AD and XAUTH on PIX firewall

    Hi
    We need to authenticate the VPN client users against Windows, with the PIX as the network device where all VPN configuration is done.
    Need the accounting for those VPN users.
    Thanks
    Manish Gaur
    Please guide me

    Manish,
    Which version of the PIX OS are you running, 6.x.x or 7.x.x? If you're using 6 you have to use RADIUS. Follow this guide for RADIUS:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml
    For the actual PIX configuration it's easiest to run through the VPN wizard in PDM (PIX Device Manager).
    The RADIUS guide should work for 7.0 if you run the ASDM wizard for the VPN portion.
    Patrick
    Please rate any posts that are helpful.

  • 2 factor authentication for third party devices

    Can anyone recommend a 2-factor authentication service that will query an OD user database and process authentication for third-party devices, i.e. firewall/VPN, via RADIUS?

    Yes it is and you have the following options:
    OTP using external RADIUS server and RSA tokens
    EAP-Chaining using the AnyConnect Agent and Cisco ISE
    MAR (machine access restrictions).  If the machine had not performed authentication the user will not be authorized
    Layer 3 security on the Wireless LAN Controller

  • 2 factor authentication for wifi

    I want to know if it is possible to enable 2-factor authentication to connect to an intranet wifi. When the employee logs into the company domain, wifi is connected. Here, I want the employee to enter a second-factor auth to connect to wifi.
    I don't have much information on the customer setup as of now but know that they are using Cisco ISA.
    Any help would be greatly appreciated.

    Yes it is and you have the following options:
    OTP using external RADIUS server and RSA tokens
    EAP-Chaining using the AnyConnect Agent and Cisco ISE
    MAR (machine access restrictions).  If the machine had not performed authentication the user will not be authorized
    Layer 3 security on the Wireless LAN Controller

  • Need help with two-factor auth for windows logon using CSS

    Hi all,
    I have been trying for a couple of days now to get two-factor auth for windows logon working on my X1C Type 3443.
    I am running Windows 7 (64-bit) with Lenovo System Update 5.06.0007, Lenovo Solution Center 2.6.001.00, ThinkVantage Fingerprint Software 5.9.9.7282, ThinkVantage Client Security Solution 8.30.0031.00. If it's of any importance, my X1C was originally shipped with Windows 8, but I couldn't stand it and reinstalled Windows 7 instead.
    I have uninstalled and reinstalled the above programs in the following order:
    1) Install System Update and reboot
    2) Install Solution Center and reboot
    3) Install CSS and reboot
    4) Install Fingerprint Software and reboot
    Everything seems to be working fine by itself, except that when I try to configure two-factor auth in CSS, the Fingerprint tab (on the left of the GUI) is greyed out and CSS tells me that I have no fingerprints enrolled. The Fingerprint Software, however, is working just fine and shows me as having a fingerprint enrolled there.
    I have spent all morning searching for a solution, but everything I find dates back to 2011, when ThinkPads still came with ThinkVantage Toolbox. I obviously can't download that anymore, so I'm at a loss. Can someone please help? Thanks!
    Candace

  • Is it necessary to have the pkg files for Anyconnect VPN on the firewall

    Hello,
    I have an ASA 5505 and we are using the AnyConnect client to connect to our VPN, not the "Clientless" method.
    Well, I don't have so much space on the flash and I need it for an upgrade of the ASA image.
    So, must I have the .pkg file for AnyConnect? I also have a file "csd_3.5.2008-k9.pkg" for Secure Desktop; we are not using that. Is it safe to remove that file from the flash?
    Kind Regards,
    Marcus

    Marcus
    If you are not using Secure Desktop then it should certainly be safe to remove its file from flash. I am less clear about the implications of removing the AnyConnect pkg file. I know that the ASA wants to check any incoming connection to see if the incoming request is at least as new as the version running on the ASA. I am not clear whether it needs the file to be in flash to be successful. And it certainly means that if anyone wanted to load the AnyConnect client or upgrade the version of the AnyConnect client that it would not work. I encourage you to look for some other way to free up space in flash.
    HTH
    Rick

  • SSO for BYOD's using ISE and Ironport

    A customer would like to allow users access to a BYOD WLAN on a Cisco WLC and grant them content filtering on a Cisco Ironport based on the login they enter into the WLC web authentication form. Is this possible?
    If not, would ISE make this possible?
    Ultimately, they'd like to NOT have to enter credentials twice - once for wireless auth., once for Ironport auth. - and grant users the appropriate filtering policies. My thought was that ISE might allow this through the use of user certificates and/or automatic supplicant provisioning.

    Did someone find a solution?

  • AAA Radius Authentication for Remote VPN With ACS Server Across L2L VPN

    Hi,
    I have an ASA running fine on the network which provides an L2L tunnel to a remote site and provides Remote VPN for remote access users.
    Currently, there is a need for the users to authenticate against an ACS server that is located across the L2L VPN tunnel.
    The topology is just simple, with 2 interfaces on the ASA, inside and outside, and a default route pointing to the ISP IP address.
    I can ping the IP address of the ACS server (which is located at the remote site, IP addr: 10.10.10.56) from the ASA:
    ping inside 10.10.10.56
    However, when I configure the ASA for the AAA group with the commands:
    aaa-server ACSAuth protocol radius
    aaa-server ACSAuth host (inside) 10.10.10.56 key AcsSecret123
    and then do a show run, here is the result:
    aaa-server ACSAuth protocol radius
    aaa-server host 10.10.10.56
    key AcsSecret123
    What I think is that, with this running config, traffic is not directed into the L2L VPN tunnel
    (it seems to be directed to the default gateway due to the default route), which causes the AAA authentication to fail.
    Has anybody ever implemented such a thing, and is it possible? And if yes, what should the config be?
    Your help will be really appreciated!
    Thanks.
    Best Regards,
    Jo

    AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the type of authentication and authorization you want by creating method lists, then applying those method lists to specific services or interfaces.
    http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schaaa.html
