2 factor authentication for wifi

I want to know if it is possible to enable 2 factor authentication to connect to an intranet wifi. When the employee logs into the company domain, wifi is connected. Here, I want the employee to enter second factor auth to connect to wifi.
I don't have much information on the customer setup as of now but know that they are using Cisco ISA.
Any help would be greatly appreciated.

Yes it is and you have the following options:
OTP using external RADIUS server and RSA tokens
EAP-Chaining using the AnyConnect Agent and Cisco ISE
MAR (machine access restrictions). If the machine has not performed authentication, the user will not be authorized
Layer 3 security on the Wireless LAN Controller

Similar Messages

  • 2 Factor Authentication for Anyconnect VPN using ISE

    We are planning to implement dual factor authentication for Anyconnect VPN.
    The end users will be authenticated using domain name in machine certificates and username password with
    ISE used as radius server.
    We have the following approaches to achieve this :-
    1. Use primary and secondary authentication with user credentials as primary authentication
    and CN field of the certificate as secondary authentication. However this option prompts users for password for
    both the fields while we want the machine certificate to authenticate itself without a password.
    2. Second approach is to authenticate using user credentials and authorize the user to access the network if
    the machine certificate has a domain name in CN field which we are able to validate from the AD using
    Dynamic Access Policy.
    We are looking forward to discussions on the above approaches and are open to any other
    solution.

    Hi Umahar,
    Not sure I understood correctly. You would like to authenticate the user using a machine certificate for AnyConnect and want to extract the CN attribute from the client's certificate and send it to the ISE server for further authentication with AD. And also you don't want an additional password prompt to be presented to the user.
    If my understanding is correct, then the user would get a prompt for the password at least, because in the machine certificate there won't be a password, but to authenticate with RADIUS/TACACS we need both username and password. So how will the user get authenticated without a password?
    If you are looking for a way to just see if the user is present under AD, not exactly an authentication, then this might not be possible.

  • Two factor authentication for iCloud?

    Hello,
    I have two factor authentication (aka two step verification) setup for my AppleID - when I login to appleid.apple.com it sends a code to my phone.  So that part works great.  However, when I login to www.icloud.com it doesn't send a code to my phone.  Securing iCloud.com with two factor is very important as iCloud contains a lot of your data (email, contacts, etc.).
    I'm wondering if it's not working for me because two factor for iCloud.com hasn't been fully rolled out yet - or maybe it is still in beta?
    This article indicates that Apple was testing two factor for iCloud.com as recently as June, 2014:
    http://appleinsider.com/articles/14/06/30/apple-testing-two-step-verification-for-icloudcom
    So my question is, does anyone know when two-factor authentication will be fully rolled out and working for iCloud.com?
    Thanks!

    After reading a few articles on this subject, Apple is still working on enabling two-factor authentication for iCloud.  At best, they are currently "rolling it out", a process that can take several months due to the millions of users, I guess.  At worst, it's still in beta and they are still testing and working on it... which means it could be next year before it's fully deployed.  I haven't found any articles or news with a firm date.  I'm just glad they are working on it as it's very important.  In the meantime, they have implemented email notifications when you login to your iCloud account.  I tested this and only received one notification (for multiple logins over several days from several different computers) so I'm not sure how well the notifications are really working - but I think the notifications are just a workaround until they get two-factor fully deployed for iCloud.
    Does anyone else have more info on this?

  • Two factor authentication for login

    Can you tell me when Verizon online will implement 2 factor authentication for logging into web and email?
    Thanks!

    Uh, never.  I doubt it's even on their radar.

  • Two-factor / Multi-factor authentication for Sites login

    Hi All,
    Would like to know if anyone has implemented two-factor authentication for Sites login (Admin / Contributor Interface).
    It will be really helpful if you could share any ideas on this.
    Regards,
    Anoop.

    I haven't seen any before for Sites.
    But I guess if you use OAM for the access, you could create something like what is described in: Integrating the RSA SecurID Authentication Plug-In
    I haven't tried myself, but maybe that integration with RSA SecurID plugin helps you.
    Regards,
    Guillermo.

  • Two Factor Authentication for UC servers

    Has anyone set up any form of two factor authentication for logging into UC servers (Callmanager/Unity) for administrators using RSA SecurIDs or another form of authentication?  We currently use our LDAP account or set up an Application User account but our Security group would like to add another layer of authentication.  Any suggestions?

    Thanks for your help David.  This is not my area of expertise, so if I put in the UC server's IP/URL the proxy server will intercept the request and block it from reaching the UC server?  Our Security group wants two factor enforced so I cannot bypass the second method of authentication.
    Gary

  • Zuul - Simple two-factor authentication for SSH unless using publickey

    To quote myself:
    I wrote: I have a few machines I want to access using SSH. I use public keys when connecting from a trusted computer. However, I also want to access the machines from other computers using passwords. To eliminate the consequences of brute force password cracking or even stolen passwords, I have been looking for a two-factor authentication scheme to use if anything but public keys are used. The method described here lets me log in using public keys without any further hassle, while I must enter a second, one-time password delivered to my mobile phone by email if I use a password.
    Comments are welcome! (Especially on a better way to figure out what authentication method the current SSH session used)
    https://github.com/halhen/techsperiment … aster/zuul

    Finally, this is what I was looking for. Thanks for giving the link.

  • 2 factor authentication for third party devices

    Can anyone recommend a 2-factor authentication service that will query an OD user database and process authentication for third-party devices, i.e. firewall/VPN via RADIUS?


  • Cisco 2504 Domain Authentication for WIFI Clients

    I got a question.
    I have a 2504 controller, and a bunch of 3600 APs. (which now works, thanks to Scott Fella)
    I want the WIFI users to be able to connect to the WIFI if their computer is part of the domain. Otherwise, they connect to the guest WIFI.
    How can I go about doing that? I tried searching the forums, but perhaps I'm not searching for the right keywords.
    I thought it was LDAP, but I could not find much info on it.
    Thanks....

    I wouldn't look at LDAP. I would use a RADIUS server and machine authentication. If you're a Microsoft shop, then bring up IAS for 2003 or NPS for 2008. These can work as your RADIUS server. To figure out how to configure machine auth, just search Google for NPS wireless machine authentication.
    Here is one link
    http://araihan.wordpress.com/2010/04/30/complete-guide-to-build-a-cisco-wireless-infrastructure-using-cisco-wlc-5500-cisco-1142-ap-and-microsoft-radius-server/

  • Radius authentication for wifi users

    Hi all,
    I have an Aironet 1250 access point and I have a Windows 2003 RADIUS server configured to authenticate users.
    I need to configure the access point for RADIUS authentication.
    Can anyone please help me to configure the access point?
    Thanks in advance,
    Selva

    See here for configuration examples, look for the autonomous examples:
    http://www.cisco.com/en/US/products/ps6087/prod_configuration_examples_list.html
    Thanks
    Chris

  • Apple ID - Two Factor Authentication (and why I stopped using it)

    The Apple devices I use every day consist of the following:
    2009 MacBook Pro 17" (home)
    iPhone 6 (home)
    2012 MacBook Pro Retina (work)
    My home devices are all logged in using my Apple ID as usual, and my work laptop uses an Apple ID specific to work, but with my personal Apple ID logged in for iMessage and FaceTime (pretty standard, I presume, for people with full-time work laptops they can bring home, etc.). Now, since I have multiple devices which are constantly syncing everything back and forth, whether it be something as simple as my contacts or as delicate and near and dear to my heart as my photo collection, I felt that maybe I should use two factor authentication for my home Apple ID, just to be on the safe side. I recognize that the two factor authentication only protects iMessage and FaceTime currently, but I implemented it with hopes that someday they will incorporate everything about iCloud and other services synced between Apple devices that you would assume should be covered by a two factor authentication update/overhaul.
    I liked this idea very much, as I use two factor for almost everything I can, but things started to fall apart one day when I had to switch to a temporary work laptop and decided to log in to iMessage with a new app specific password, as you would need to on a new device (unless you wrote down the original iMessage password, which is a terrible thing to do). When I went to create my new iMessage password for work laptop B, I decided to revoke work laptop A's iMessage password while it went in for repairs. This wasn't so bad until something seemed funny about my phone, as it was asking for me to log into iMessage again. Now, I had created a separate password for work laptop A's iMessage when I first logged in a while back, as well as a separate password for the temporary work laptop B so it didn't interfere with my other generated passwords. Apparently this didn't matter.
    I continued and created a new app password for my phone, but when I got home, wouldn't you know it, I had to log into iMessage on my home laptop again as well. I had to create a new password for that, which seemed to work for a while, but then I was prompted to enter my iMessage password on my phone again once I revoked my home laptop's iMessage password. Not following? No, me either. It seemed to me that creating separate app specific passwords for me to use across my devices didn't stay as separate as I thought they should, but instead they somehow seemed to be dependent on one another. Since I had a frustrating time trying to activate iMessage again on my iPhone and laptops on multiple occasions while this was happening, I decided to disable two factor authentication altogether.
    I suppose I should ask a question here, so here goes: has anyone else encountered this horrific two factor authentication/app specific password management issue for their own account? Have you been able to resolve it, and if so, any helpful suggestions? Thanks!

    I had also thought that initially, but after turning it on, I went to sign into iMessage with my Apple ID and regular Apple ID password, but it prompted me to create an app specific password to sign in since I had two factor authentication on, as it wouldn't let me use my regular Apple ID password to log in (which I could use to log in for everything else but iMessage and FaceTime). It was nice since I was prompted to provide a code sent to an Apple device of my choosing when signing into the Apple ID management site or iCloud.com, but forcing me to create app specific passwords for iMessage and FaceTime is kind of ridiculous and frustrating. Maybe there's a way to have two factor authentication without the need for app specific passwords? Or if not, then perhaps that would be a great option to present users when turning that feature on.

  • Two factor auth for CRES portal

    This is a wishlist of mine which I hope would get into the plans for future enhancements to CRES service. Some form(s) of two factor authentication for access to CRES service would be very useful. I'm thinking of a low overhead approach for both internal (within the org) and external users such as out-of-band SMS OTP or a software token app on the device generating OTP (as opposed to hardware based form factors).
    Thanks,
    John

    This, and improving the registration experience for mobile users, are both on the CRES roadmap. For two-factor auth, although I can't commit to anything, I'd agree that some sort of out-of-band communication of a one time password, by SMS or an alternate email address for example, would be the preferred approach.

  • Two Factor Authentication How to Preserve Cookies?

    So, I am starting to set up Two Factor Authentication for various logins that I have. As a normal practice, whenever I close any browser I delete all cookies, and when shutting down my computer I do a Norton scan for cookies and delete them. The problem is that this deletes my two factor authentication cookies which I need. I tried setting up an exception, but the cookies get deleted anyway. How do I set this up to work, i.e. protect specific cookies from deletion?
    In Internet Explorer this is extremely easy to do. All you do is put a checkmark next to "Preserve Favorites Website Data".....Done. The equivalent in Firefox you would think is "Site Preferences", but that does not work the same as in IE and the cookies are deleted.

    Let all cookies expire when Firefox is closed to make them session cookies.
    *Firefox/Tools > Options > Privacy > "Use custom settings for history" > Cookies: Keep until: "I close Firefox"
    Create a cookie 'allow' exception for cookies that you would like to keep.
    *Firefox/Tools > Options > Privacy > "Use custom settings for history" > Cookies: Exceptions
    Note that clearing "Site Preferences" clears all exceptions for cookies, images, pop-up windows, software installation, passwords, and other website specific data.
    Clearing cookies will remove all specified (selected) cookies including cookies with an allow exception that you would like to keep.
    See also:
    *http://kb.mozillazine.org/browser.sessionstore.privacy_level

  • Two Factor Authentication not enabled

    I'm trying to enable Two Factor Authentication for my AppleID. However, I can't see the Two Step Verification section in the Password and Security page on the My Apple ID site. What should I do?

    This is not available in all countries - see the bottom of this page to find if this restriction affects you:
    Frequently asked questions about two-step verification for Apple ID - Apple Support

  • Is ASA integration with ISE and RSA for 2 factor authentication a valid/tested design

    Hi,
    Customer currently uses ASA to directly integrate with an RSA kind of solution to provide a 2 factor authentication mechanism for VPN user access.  We're considering introducing ISE to this picture, and offloading posture analysis from ASA to ISE.  And the flow we're thinking of is to have ASA interface to ISE and ISE interface to RSA and AD backend infrastructure.  And we still need the 2 factor authentication to work, i.e., customer gets an SMS code in addition to its login username and password.  I'm wondering if the ASA/ISE/RSA/AD integrated solution (and with 2 factor authentication to work) is a tested solution or Cisco validated design?  Any potential issue that may break the flow?
    Thanks in advance for any input!
    Tina

    Hi,
    I have an update for this quite broad question.
    I have now come a bit further on the path.
    Now the needed Radius Access Attributes are available in ISE after adding them in
    "Policy Elements" -> "Dictionaries" -> "System" -> "Radius" -> "Cisco-VPN3000".
    I added both the attribute 146 Tunnel-Group-Name, which I really need to achieve what I want (select different OTP backends depending on Tunnel Group in ASA), and the other new attribute 150 Client-Type, which could be interesting to look at as well.
    Here the "Diagnostics Tools" -> "General tools" -> "TCP Dump" and Wireshark helped me understand how this worked.
    With that I could really see the attributes in the radius access requests going in to the ASA.
    Now looking at a request in "Radius Authentication details" I have
    Other Attributes:
    ConfigVersionId=29,Device Port=1025,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,CVPN3000/ASA/PIX7.x-Tunnel-Group-Name=SMHI-TG-RA-ISESMS,CVPN3000/ASA/PIX7.x-Client-Type=,CPMSessionID=ac100865000006294FD60A7F,.....
    Ok, the tunnel group name attribute seems to be understood correctly, but Client-Type just says =, no value for that.
    That is strange, I must have defined that wrong(?), but let's leave that for now, I do not really need it for the moment being.
    So now when I have this Tunnel-Group-Name attribute available I want to use it in my Rule-Based Authentication Policy.
    Problem now is that as soon as I add, in an expression, a criterion containing Cisco-VPN3000:CVPN3000/ASA/PIX7.x-Tunnel-Group-Name matches .* (just anything), then that row does not match any more. It still works matching against NAS-IP and other attributes.
    What could it be I have missed?
    Best regards
    /Mattias
