[c-nsp] Router 2 factor authentication

John Kougoulos koug at intracom.gr
Thu Aug 26 09:02:32 EDT 2010



> we are using Cisco ACS with RSA ACE integration for these devices.
> You will get a standard prompt like:
>
> TACACS+ Username: myuser
> Password: <token-pin>+<token-one-time-password>
>
> The login is fast, and from what I hear the ACS+ACE setup is stable
> enough that you won't be punished by your server operations team for
> choosing this solution. :-)
>

In a configuration (ACS+ACE) I had done several years ago, the prompt was 
the standard SecurID:

Username:
Enter PASSCODE:

Standard authentication was working ok; in some Cisco documentation it was 
recommended to increase the TACACS+ timeout to 30 or 60 seconds, as far as I 
can remember, because the ACE server may delay its response. What you 
should also test is whether the setup supports Next Tokencode mode etc.

The problem, IMHO, with SecurID for management access of network devices 
is that you have to wait 1 minute to log on to another device. So it's ok 
for provisioning tasks, but when you have a problem and you need to log in 
instantly to 4-5 devices, it's rather unpleasant to wait 1 minute between 
logons.

Regards,
John
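
An IOS configuration illustrating the timeout and fallback points raised in this thread. This is an added example, not configuration from John's or the quoted poster's setup; the server address, shared key, username and fallback password are placeholders and the 30-second value is simply the lower of the two figures mentioned above.

```cisco
! Added example (not from the original post). AAA on an IOS router pointing
! at a TACACS+ server (ACS front-ending RSA ACE). 192.0.2.10, the key and
! the local credentials are assumptions for illustration only.
aaa new-model
!
! The IOS default TACACS+ timeout is 5 seconds; raise it so the router does
! not abandon the request while ACE is still validating the passcode.
tacacs-server host 192.0.2.10
tacacs-server timeout 30
tacacs-server key ExampleSharedKey
!
! Local fallback. IOS only falls through to 'local' when no TACACS+ server
! answers, not when ACS/ACE rejects the passcode, so a slow or dead server
! chain cannot lock you out of the box.
username admin privilege 15 secret ChangeThisFallbackPassword
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
!
line vty 0 4
 login authentication default
 transport input ssh
```

Two caveats worth checking before relying on this. First, the timeout only stops the router giving up early; it does nothing about the one-tokencode-per-minute constraint John describes, since each device login still consumes a fresh passcode and ACE will not accept a passcode that has already been used. Second, exercising the server path with `test aaa group tacacs+ <user> <passcode> legacy` from exec mode is the easiest way to confirm the timeout is sufficient, but remember that a successful test burns that tokencode, so you will need the next one for the real login. On newer IOS the same settings live under `tacacs server <name>` with a per-server `timeout`, which overrides the global `tacacs-server timeout` shown here.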

