Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Persistent Authentication for RADIUS??

  • 1.  Persistent Authentication for RADIUS??

    Posted Mar 23, 2016 06:53 PM

    I'm using CPPM as a RADIUS Authentication source for management of our Cisco ASA firewalls.

     

    I have a service which makes a RADIUS call to a one-time-password provider (SafeNet) and couples the response with AD-group membership to determine authentication/authorization.

     

    For the routed firewall, this works perfectly.

    The other firewall is transparent, and Cisco doesn't support their GUI (java application) login with OTP in transparent mode - the GUI authenticates 28 times just to get started!

     

    I'm thinking it would be really neat if CPPM could remember that I'd just been authenticated from my IP address to the firewall just seconds ago and simply re-authorize me rather than re-submit the RADIUS call to the OTP provider for each of the 28 requests. Something like caching for 60 seconds a particular host IP/ NAS IP authentication result.

     

    Anyone have a better idea? Or think this one is possible?
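
The caching idea described in the post above, sketched as an added example; it is not part of the original post and is not ClearPass configuration or API. `AcceptCache`, `demo` and the backend callable are hypothetical names, and the sample user, code and addresses are constructed. As an added assumption beyond the post, a cached accept is only reused when the repeat request carries the same credential, so the cache never accepts a different password from the same host.

```python
import hashlib, hmac, os, time

class AcceptCache:
    def __init__(self, backend, ttl=60.0, clock=time.monotonic):
        self.backend = backend      # callable(user, otp) -> bool; stands in for the RADIUS call to the OTP provider
        self.ttl, self.clock = ttl, clock
        self.key = os.urandom(32)   # per-process HMAC key so raw OTPs are never stored
        self.entries = {}           # (user, client_ip, nas_ip) -> (expiry, otp_tag)
        self.backend_calls = 0

    def _tag(self, otp):
        return hmac.new(self.key, otp.encode(), hashlib.sha256).digest()

    def authenticate(self, user, otp, client_ip, nas_ip):
        slot, now = (user, client_ip, nas_ip), self.clock()
        hit = self.entries.get(slot)
        if hit and now >= hit[0]:
            del self.entries[slot]  # window over: forget the earlier accept
            hit = None
        if hit and hmac.compare_digest(hit[1], self._tag(otp)):
            return True             # same credential, same host, same NAS, inside the window
        self.backend_calls += 1
        if self.backend(user, otp):
            # Fixed window: cache hits never extend the expiry.
            self.entries[slot] = (now + self.ttl, self._tag(otp))
            return True
        return False                # rejects are never cached

def demo():
    used, now = set(), [0.0]
    def one_time_backend(user, otp):    # constructed: accepts the code exactly once
        ok = otp == "492817" and otp not in used
        used.add(otp)
        return ok
    cache = AcceptCache(one_time_backend, ttl=60.0, clock=lambda: now[0])
    args = ("admin", "492817", "192.0.2.10", "192.0.2.1")   # constructed values
    burst = [cache.authenticate(*args) for _ in range(28)]  # the 28 GUI requests
    calls_after_burst = cache.backend_calls
    other_host = cache.authenticate("admin", "492817", "192.0.2.99", "192.0.2.1")
    wrong_code = cache.authenticate("admin", "000000", "192.0.2.10", "192.0.2.1")
    still_cached = cache.authenticate(*args)
    now[0] = 61.0                       # past the 60-second window
    after_window = cache.authenticate(*args)
    return dict(burst=burst, calls_after_burst=calls_after_burst, other_host=other_host,
                wrong_code=wrong_code, still_cached=still_cached,
                after_window=after_window, total_calls=cache.backend_calls)

if __name__ == "__main__":
    print(demo())
```

The trade-off is that for the length of the window a captured code can be replayed from the same host to the same NAS, so the TTL should stay as short as the GUI start-up allows.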



  • 2.  RE: Persistent Authentication for RADIUS??

    Posted Mar 23, 2016 06:53 PM

    Everyone tell that I think CPPM is really cool and I want it to do everything!!?!



  • 3.  RE: Persistent Authentication for RADIUS??



  • 4.  RE: Persistent Authentication for RADIUS??

    Posted Mar 23, 2016 07:07 PM

    We are preparing to review our firewall choices - my Palo Alto sales team left me seriously underwhelmed while we were making the selection which got me the ASAs I'm using now.

     

    I'll have to try again.

     

    Meanwhile I either need to work around the Cisco limitations or redesign the payment flow-

    Joy.