Re: [fw-wiz] VPN certificates and XAUTH



Does anybody know if a certificate used for group authentication can be
stored on a flash drive so that you are required to plug in the drive for the
certificate to be available? It would be like a cheap 2-factor auth without
the need for tokens.

Thanks,

Alejandro

-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Secure
Scorp
Sent: Monday, August 04, 2008 02:26 a.m.
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] VPN certificates and XAUTH

I didn't really get your question. Do you wanna perform Certificate
authentication at group level or at xauth level?

Level 1 authentication is used for peer (device) authentication
(groupname/pass). We can definitely use certificates for this type of
authentication. I have seen such things work. However, you would still need
to manually insert the xauth/pass! Also, even if it's possible to use
certificate for Xauth (which I doubt), I think it would add complications
and would not be scalable!

Having said that, I'm sure you can use Token based Xauth (like RSA) with
VPN client.

http://rsasecurity.agora.com/rsasecured/guides/imp_pdfs/Cisco_PIX_702_AuthMan61.pdf
http://rsasecurity.agora.com/rsasecured/guides/imp_pdfs/Cisco_ASA_AuthMan61.pdf

Hope this helps. If not, please can you elaborate the question a bit.

Thanks,
Aditya Govind Mukadam




On Thu, Jul 17, 2008 at 6:53 PM, Petr Vyhnal <vyhnal@xxxxxx> wrote:
Hi all,

I have one quick question. I usually configure PIXes for VPN client in
two level authentication mode. Level 1 is vpngroup/password and level
2 is XAUTH using RADIUS server. Is there a possibility (with PIX or ASA)
to use per-user generated certificates instead of vpngroup/pass auth with
XAUTH/RADIUS second level auth as well?

rudiik

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
