[c-nsp] Router 2 factor authentication
John Kougoulos
koug at intracom.gr
Thu Aug 26 09:02:32 EDT 2010
> we are using Cisco ACS with RSA ACE integration for these devices.
> You will get a standard prompt like:
>
> TACACS+ Username: myuser
> Password: <token-pin>+<token-one-time-password>
>
> The login is fast, and from what I hear the ACS+ACE setup is stable
> enough to not being punished by your server operations team for
> choosing this solution. :-)
>
In a configuration (ACS+ACE) I had done several years ago, the prompt was
the standard SecurID:
Username:
Enter PASSCODE:
Standard authentication was working ok, in some cisco documentation it was
recommended to increase the tacacs timeout to 30 or 60 seconds as far as I
can remember because the ACE server may delay it's response. What you
should also test is if the setup supports Next Tokencode modes etc.
The problem, IMHO, with SecurID for management access of network devices,
is that you have to wait 1 minute to logon to another device. So it's ok
for provisioning tasks, but when you have a problem and you need to login
instantly to 4-5 devices, it's rather unpleasant to wait 1 minute between
logons.
Regards,
John
More information about the cisco-nsp
mailing list