On Double Authentication

Wednesday, November 03, 2010

Global Knowledge


Article by Doug McKillip

Many of the students that attend the Cisco MARS classes I teach must comply with an increasing number of regulations for security practices. 

Not least among these is the set of requirements known as the Payment Card Industry Digital Security Standard (PCI DSS)

One such requirement in the newer version of this standard is referenced below, namely that a user be required to enter two sets of login credentials at a login page. 

This article will cover the new double authentication option for VPN tunnel traffic introduced in ASA OS 8.2.

For the ASA, the second set of authentication credentials is specified under the Advanced menu for an ASDM VPN Connection Profile as shown below:


As can be seen above, there are a LOT of information options displayed.  The first field is mandatory and either requires a pre-defined server group or one to be created using the Manage button. 

For the ASA, the choices are RADIUS, TACACS+, NT Domain, SDI (now RSA SecurID®), Kerberos, LDAP, and HTTP Form.  The last one of these is actually an XMLHTTPRequest and will be covered in a separate blog article.

As is typical for more basic AAA implementations, the option for using the LOCAL database in case there is failure contacting the Server Group is still present.  Below that is the option to use only one username, the primary one. 

Even though the choice is given to use a Secondary Server for the attributes, the documentation for this feature states that if an authorization server is configured for this connection profile the secondary server will be ignored.

In the middle window pane an interface-specific Secondary Server Group can be specified. 

With this implementation, an organization could segregate the double authentication requirement to only certain subnets or corporate branches. 

Below this we see two checkboxes and three radio buttons all having to do with implementing digital certificates. 

Note that the first radio button is selected by default and the fields shown are what typically correspond to the user and group fields in the certificate.

While the radio button immediately below this gives the option to use the entire DN (or Distinguished Name) as the username (a long multi-field phrase), the button below gives the option of using a script. 

If the Add button is selected, the following window pops up:


There are essentially two options shown here:

  • choose a value for the username from the drop-down menu (some of the values are shown here) and apply appropriate filters, if desired
  • use a custom script in the LUA script programming language.

Cross-posted from Global Knbowledge

Free White Papers From Global Knowledge:

Top 10 Skills in Demand in 2010 

Top 10 Security Concerns for Cloud Computing

10 Essential Security Polices

How Vulnerable Are Your Cisco IOS Routers


Possibly Related Articles:
PCI DSS Authentication Network Access Control VPN
Post Rating I Like this!
PCI Guru Unfortunately, double authentication is NOT two-factor authentication, it is multi-factor authentication. Two factor authenntication, by definition, is something a user knows such as a password and something a user has such as a token, biometric or similar. It is not two accounts.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.