[c-nsp] ACS and ASA VPN user authentication

Brett Looney brett at looney.id.au
Wed Aug 29 20:33:51 EDT 2007


John Kougoulos wrote:
> I've done this in vpn concentrators with radius:
>
> Locking Users into a VPN 3000 Concentrator Group Using a
> RADIUS Server
>
> http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a00800946a2.shtml
>
> It applies to VPN concentrators using Radius, but I guess
> that it will probably work for ASA also. I think it will
> also be easy to migrate to RADIUS.

Thanks, I'll check it out. Given that there is supposed to be feature parity
between ASA v7.x and VPN3000, this might work.

mcgrath wrote:
> Sounds like you have a significant security issue here.

Absolutely.

> IF you have a PKI you can issue machine certificates and
> check them during the XAUTH phase. So even if the user
> manages to transfer a .pcf to an unauthorized device the
> machine cert will be invalid and the XAUTH will fail.
> You could use the concentrator's client update feature
> to push a new pcf with the certificate features enabled
> and email all authorized users machine certs in PEM
> format along with instructions on how to import the
> certs into the client cert store.

Hmmm. Worth thinking about. Thanks for the suggestion.

B.
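The RADIUS "group lock" idea from the linked Cisco example, worked through as a stand-alone Python model. This is an added example written for this thread, not code from the list, from Cisco, or from the ASA/VPN3000; it assumes the convention I recall from that document, namely that the RADIUS server returns a Class attribute (standard type 25) of the form "OU=groupname;" and the gateway refuses the login unless that group matches the tunnel group named in the client's .pcf profile. The Access-Accept attribute bytes below are constructed for the example, not a capture.

```python
"""Model of RADIUS group lock for an IPsec remote-access VPN gateway.

Added example (not from the mailing-list thread or Cisco): decode the
type/length/value attribute list of a RADIUS Access-Accept, pull the group
name out of the Class attribute ("OU=<group>;" convention, an assumption),
and only admit the user if that group equals the one the .pcf asked for.
"""
import struct

RADIUS_USER_NAME = 1   # standard RADIUS attribute type for User-Name
RADIUS_CLASS = 25      # standard RADIUS attribute type for Class


def parse_radius_attributes(payload: bytes) -> list:
    """Decode the TLV attribute list that follows the 20-byte RADIUS header.

    Each attribute is: type (1 byte), length (1 byte, includes the 2 header
    bytes), value. Truncated or malformed lengths raise ValueError instead of
    being silently skipped, so a damaged reply can never pass group lock.
    """
    attrs = []
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        a_type, a_len = payload[i], payload[i + 1]
        if a_len < 2 or i + a_len > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((a_type, payload[i + 2:i + a_len]))
        i += a_len
    return attrs


def build_attribute(a_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute (used here only to construct sample data)."""
    return struct.pack("!BB", a_type, len(value) + 2) + value


def groups_from_class(attrs) -> set:
    """Collect group names from every Class attribute of the form 'OU=name;'."""
    groups = set()
    for a_type, value in attrs:
        if a_type != RADIUS_CLASS:
            continue
        for item in value.decode("ascii", errors="replace").split(";"):
            item = item.strip()
            if item.upper().startswith("OU="):
                groups.add(item[3:])
    return groups


def group_lock_decision(requested_group: str, accept_attrs) -> tuple:
    """Return (allowed, reason).

    Deny when RADIUS assigned no group at all (fail closed) or assigned a
    group other than the one the client profile requested, which is what
    stops a copied .pcf from being used to reach a different tunnel group.
    """
    groups = groups_from_class(accept_attrs)
    if not groups:
        return False, "no OU=group in Class attribute; group lock denies by default"
    if requested_group in groups:
        return True, "user locked to group %r" % requested_group
    return False, "profile group %r not in RADIUS groups %r" % (
        requested_group, sorted(groups))


# Constructed sample Access-Accept attribute list (not a real capture):
# User-Name "alice", Class "OU=engineering;".
SAMPLE_ACCEPT = (build_attribute(RADIUS_USER_NAME, b"alice")
                 + build_attribute(RADIUS_CLASS, b"OU=engineering;"))


if __name__ == "__main__":
    attrs = parse_radius_attributes(SAMPLE_ACCEPT)
    for group in ("engineering", "contractors"):
        print(group, group_lock_decision(group, attrs))
```

The point of the model is the fail-closed default: a reply with no Class attribute, or one that names a different group, is a deny, so the group name in a .pcf on its own is never enough to land in that group.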
