Aruba Apps

Reply
Guest Blogger
Posts: 150
Registered: ‎12-04-2012

VIA dual factor authentication ?

[ Edited ]

 

I have a question specific to VIA and dual factor authentication. 

 

I have an issue with iPads and Droid tablets when using Cisco FW/VPN and RSA for dual factor authentication. 

 

First factor is a simple user ID and password. 

 

Second factor authentication is delivered from the RSA in the form of a question to the device.

 

Using a Windows or Mac laptop the RSA question clear. When using an iPad or Droid the question is scrambled and not readable. After a call with RSA we understand the issue is with RSA solution and something to do with flash and how they deliver the question. In any case, iPads and Droids are prevented from using VPN access because users can't answer the the question. 

 

Previously we tested VIA and it worked well for single factor authentication, user ID and password. Thinking outside of the box can the VIA app and the Aruba controller provide 2 factor authentication? Perhaps a requirement for a user ID and password as first factor and a unique certificate on the tablet as a second factor ? 

 

Any suggestions are appreciated ..

 

Thanks

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: VIA dual factor authentication ?

[ Edited ]

You have a couple of options.   You can use two-factor solutions (ie. Tokens) as a source of authentication for VIA.   The user would submit the username/tokencode for example rather than username/password.   You can also implement the solution using IKEv1; Phase 0 authentication can be in the form of a certificate (user only...on tablets that is not a probelm) and then XUTH can be called to require an additional username/password combination to complete the connection.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Guest Blogger
Posts: 150
Registered: ‎12-04-2012

Re: VIA dual factor authentication ?

We are trying to avoid tokens. Can you point me in the direction for adiditonal reading material for the IKEv1 solution with XUTH ? Have you done a config like this before? 

 

Thank you for the quick reply! 

 

 

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: VIA dual factor authentication ?

Yes, I have set this up in the past.    The setup is covered in the VIA App Note on the VRD Site.   Refer to Chapter 5; specifically the section titled Configuring VPN Server for IKEv1-Certs; page 23 in the version I have.

 

One thing to note, there is reference to an IKE Policy that doesn't exist (or didn't in the last two installs I did).  I had to add it and it worked fine. The command to create the policy is:

crypto isakmp policy 30
 version v1
 encryption AES256
 authentication rsa-sig
 hash sha
 group 2

 

 

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Search Airheads
Showing results for 
Search instead for 
Did you mean: