MVP
Posts: 701
Registered: ‎12-01-2010

Persistent Authentication for RADIUS??

I'm using CPPM as a RADIUS Authentication source for management of our Cisco ASA firewalls.

I have a service which makes a RADIUS call to a one-time-password provider (SafeNet) and couples the response with AD-group membership to determine authentication/authorization.

For the routed firewall, this works perfectly.

The other firewall is transparent, and Cisco doesn't support their GUI (Java application) login with OTP in transparent mode - the GUI authenticates 28 times just to get started!

I'm thinking it would be really neat if CPPM could remember that I'd just been authenticated from my IP address to the firewall just seconds ago and simply re-authorize me rather than re-submit the RADIUS call to the OTP provider for each of the 28 requests. Something like caching for 60 seconds a particular host IP/NAS IP authentication result.

Anyone have a better idea? Or think this one is possible?

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
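
The caching idea in the post above, sketched as an added example (not part of the original post and not a CPPM feature). `AuthResultCache`, `authenticate` and the `upstream` callback are hypothetical names, and the sketch assumes the GUI resubmits the same username and OTP on every one of its requests.

```python
import hashlib
import hmac
import os
import time


class AuthResultCache:
    """Short-lived cache of upstream Access-Accept results (hypothetical helper)."""

    def __init__(self, ttl=60.0, max_reuse=40, clock=time.monotonic):
        self.ttl = ttl              # seconds a result may be reused (60 s as in the post)
        self.max_reuse = max_reuse  # assumed cap; the post reports 28 requests per login
        self.clock = clock
        self._key = os.urandom(32)  # per-process key: stored digests are useless elsewhere
        self._entries = {}          # (user, host_ip, nas_ip) -> [digest, expires_at, uses_left]

    def _digest(self, secret):
        return hmac.new(self._key, secret.encode(), hashlib.sha256).digest()

    def store_accept(self, user, host_ip, nas_ip, secret):
        """Record a successful upstream authentication; rejects are never cached."""
        self._entries[(user, host_ip, nas_ip)] = [
            self._digest(secret), self.clock() + self.ttl, self.max_reuse]

    def check(self, user, host_ip, nas_ip, secret):
        """True only for the same credential from the same host/NAS within the TTL."""
        key = (user, host_ip, nas_ip)
        entry = self._entries.get(key)
        if entry is None:
            return False
        digest, expires_at, uses_left = entry
        if self.clock() >= expires_at or uses_left <= 0:
            del self._entries[key]  # expired or exhausted: force a fresh OTP check
            return False
        if not hmac.compare_digest(digest, self._digest(secret)):
            return False            # different credential: never served from cache
        entry[2] -= 1
        return True


def authenticate(cache, upstream, user, host_ip, nas_ip, secret):
    """Serve from cache when possible, otherwise ask the OTP provider once."""
    if cache.check(user, host_ip, nas_ip, secret):
        return True, "cache"
    if upstream(user, secret):
        cache.store_accept(user, host_ip, nas_ip, secret)
        return True, "upstream"
    return False, "upstream"
```

While an entry is live, the OTP is effectively reusable from that host IP to that NAS, so the TTL and reuse cap bound how far the one-time property is relaxed.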
MVP
Posts: 701
Registered: ‎12-01-2010

Re: Persistent Authentication for RADIUS??

everyone tell that I think CPPM is really cool and I want it to do everything!!?!

--Matthew

Guru Elite
Posts: 19,953
Registered: ‎03-29-2007

Re: Persistent Authentication for RADIUS??

It's not you...it's your firewall:  https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=17560

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
MVP
Posts: 701
Registered: ‎12-01-2010

Re: Persistent Authentication for RADIUS??

We are preparing to review our firewall choices - my Palo Alto sales team left me seriously underwhelmed while we were making the selection which got me the ASAs I'm using now.

I'll have to try again.

Meanwhile I either need to work around the Cisco limitations or redesign the payment flow-

Joy.

--Matthew
