
Firewall Wizards mailing list archives

Re: VPN certificates and XAUTH
From: Alejandro Ezequiel Fernández Preda <quequiel () ciudad com ar>
Date: Tue, 5 Aug 2008 00:56:39 -0300

Does anybody know if a certificate used for group authentication can be
stored on a flash drive so that you are required to plug in the drive for the
certificate to be available? It would be like a cheap 2 factor auth without
the need for tokens.

Thanks,

Alejandro 

-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com
[mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of Secure Scorp
Sent: Monday, August 04, 2008 02:26 a.m.
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] VPN certificates and XAUTH

I didn't really get your question. Do you wanna perform Certificate
authentication at group level or at xauth level?

Level 1 authentication is used for peer (device) authentication
(groupname/pass). We can definitely use certificates for this type of
authentication. I have seen such things work. However, you would still need
to manually insert the xauth/pass! Also, even if it's possible to use
certificate for Xauth (which I doubt), I think it would add complications
and would not be scalable!

Having said that, I'm sure you can use Token based Xauth (like RSA) with
VPN client.

http://rsasecurity.agora.com/rsasecured/guides/imp_pdfs/Cisco_PIX_702_AuthMan61.pdf
http://rsasecurity.agora.com/rsasecured/guides/imp_pdfs/Cisco_ASA_AuthMan61.pdf

Hope this helps. If not, please can you elaborate on the question a bit.

Thanks,
Aditya Govind Mukadam




On Thu, Jul 17, 2008 at 6:53 PM, Petr Vyhnal <vyhnal () cns eu> wrote:
Hi all,

I have one quick question. I usually configure PIXes for VPN client in
two level authentication mode. Level 1 is vpngroup/password and level
2 is XAUTH using RADIUS server. Is there a possibility (with PIX or ASA)
to use per-user generated certificates instead of vpngroup/pass auth with
XAUTH/RADIUS second level auth as well?

rudiik

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
