I have a question specific to VIA and dual factor authentication.
I have an issue with iPads and Droid tablets when using Cisco FW/VPN and RSA for dual factor authentication.
First factor is a simple user ID and password.
Second factor authentication is delivered from the RSA in the form of a question to the device.
Using a Windows or Mac laptop, the RSA question is clear. When using an iPad or Droid, the question is scrambled and not readable. After a call with RSA we understand the issue is with the RSA solution and something to do with flash and how they deliver the question. In any case, iPads and Droids are prevented from using VPN access because users can't answer the question.
Previously we tested VIA and it worked well for single factor authentication, user ID and password. Thinking outside of the box, can the VIA app and the Aruba controller provide 2 factor authentication? Perhaps a requirement for a user ID and password as first factor and a unique certificate on the tablet as a second factor?
Any suggestions are appreciated.
You have a couple of options. You can use two-factor solutions (i.e., tokens) as a source of authentication for VIA. The user would submit the username/tokencode, for example, rather than username/password. You can also implement the solution using IKEv1; Phase 0 authentication can be in the form of a certificate (user only...on tablets that is not a problem) and then XAUTH can be called to require an additional username/password combination to complete the connection.
Yes, I have set this up in the past. The setup is covered in the VIA App Note on the VRD Site. Refer to Chapter 5; specifically the section titled Configuring VPN Server for IKEv1-Certs; page 23 in the version I have.
One thing to note, there is reference to an IKE Policy that doesn't exist (or didn't in the last two installs I did). I had to add it and it worked fine. The command to create the policy is:
    crypto isakmp policy 30
      version v1
      encryption AES256
      authentication rsa-sig
      hash sha
      group 2
We are trying to avoid tokens. Can you point me in the direction of additional reading material for the IKEv1 solution with XAUTH? Have you done a config like this before?
Thank you for the quick reply!