07-05-2016 02:05 AM
In summary, can Clearpass do this…
I’ve been working with a reseller who has a hospital customer with an existing Cisco ASA/VPN/Anyconnect solution which they advised me authenticates/operates as follows.
- This is for 3rd party support companies to use, and gives remote network access.
- Those parties have a special AD account, in a specific group. In addition, the accounts each have a mobile number in a searchable attribute.
- Currently uses FreeRADIUS which backs off into AD, and works thus (which is one-time password type stuff);
- Initial Anyconnect details entered by the user are AD username/password (easy so far).
- FreeRADIUS retrieves the mobile number from the AD account attributes, and sends a text to the mobile (can we do this?) using an SMS gateway. This text contains a randomly generated one-time access code/challenge. In essence, a random 8 digit number.
- At the same time, the Cisco ASA I believe receives a “challenge” in terms of initial RADIUS response, which it presents to the user in the Anyconnect client.
- That challenge expects to have the access code entered in it, which FreeRADIUS validates in order for authentication to complete.
- In essence, this essentially means the specific mobile phones are a bit like and RSA keyfob, and represent something the user must “have”, rather than “know”.
- I’m not worried about the way the Cisco ASA/VPN client is doing this, as it will only be making use of standard RADIUS comms.
- I’m only really focused on whether Clearpass could in concept create some kind of workflow like this, as I’ve never seen any templates for it or anything similar? Clearly there’s two main bits as follows;
- Sending an SMS when a service is hit, and possibly more difficult is...
- Creating an access code or similar on-the-fly at the same time, with a code to send, that’s somehow bound to the session or account?!?!
Any thoughts would be great?!?!