1.5 Factor Authentication?


So, with all the recent concern over PCI and similar security requirements, lots of people are considering multi-factor authentication technologies wherever the cost/convenience tradeoff makes sense.  VPN and other remote access technologies are places where this kind of technology makes good sense.  About a year ago I was asked to help implement a two-factor authentication scheme for VPN using a Cisco ASA firewall.  There was a sincere desire to avoid having to pay for RSA tokens or smart cards, so we decided to use the technology the customer already had available: certificates.  In theory, one could use a certificate as something you have and then provide a username and password during XAUTH as something you know.

To implement this, I changed the ISAKMP profile to use RSA-SIG authentication instead of pre-shared keys.  I set up the remote access VPN as normal, including XAUTH.  When the VPN client connected, we discovered that everything we did actually worked!  Since making something work the first time is not typically my specialty, I knew something must have been wrong.  A bit of thinking and testing later, the other shoe finally dropped: we connected to the VPN using USER1's certificate, but tried USER2's username and password.  Much to my dismay, it worked.

While this does technically pass the definition of two-factor authentication, at least as far as the auditors are concerned, I wouldn't call it a good long-term plan.  TAC to the rescue!  My confidence was shattered when I was informed that this was a new feature according to the design engineers and wouldn't be available until spring-ish 2008.  Fast forward about a year and guess where I am?  In the past few months I happened to notice a command that I thought enabled the XAUTH-username-to-certificate-CN check.  Apparently I was wrong, as it doesn't work.  To be exact, the command I am referencing, username-from-certificate, works when paired with another command, pre-fill-username.  Unfortunately, but not surprisingly, the latter command only applies to WebVPN/SSL VPN!

I am planning on opening a TAC case in the morning on this as well as calling my local SE; in the meantime I am going to assume this is another sign of the death of IPsec (the other sign being no 64-bit OS support).

UPDATE: It turns out that this feature was requested and supplied in version 8.0(3) 1.  Unfortunately, it is only for AnyConnect.  There are no plans to support the IPsec client with certificate CN validation.  Ouch, another nail in the coffin for the good old IPsec VPN client.  I guess I had better spend some time snuggling up next to the WebVPN/SSL VPN command reference guides!
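To make the difference concrete, here is an added configuration sketch (not the original post's configuration, and not anything Cisco published) that puts the IPsec remote-access group described above next to an AnyConnect/SSL group that uses the two commands the post names. Trustpoint, pool, group-policy and tunnel-group names (CA-TP, RA-POOL, RA-GP, RA-IPSEC, RA-SSL) and the AnyConnect image path are placeholders, and the syntax assumed is the ASA 8.0-era command set the post is working with:

```text
! Added example, not from the original post. CA-TP, RA-POOL, RA-GP, RA-IPSEC,
! RA-SSL and disk0:/anyconnect.pkg are hypothetical names.

! --- Phase 1 as the post describes: certificates instead of pre-shared keys ---
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside

ip local pool RA-POOL 10.10.10.1-10.10.10.254

group-policy RA-GP internal
group-policy RA-GP attributes
 vpn-tunnel-protocol IPSec svc

! --- IPsec remote-access group: certificate + XAUTH, unbound ---
! The certificate proves possession of a key and XAUTH proves knowledge of a
! password, but nothing ties the two identities together: USER1's certificate
! plus USER2's username and password is accepted (the "1.5 factor" case).
! peer-id-validate checks the IKE identity against the certificate, not the
! XAUTH username against the certificate.
tunnel-group RA-IPSEC type remote-access
tunnel-group RA-IPSEC general-attributes
 address-pool RA-POOL
 authentication-server-group LOCAL
 default-group-policy RA-GP
tunnel-group RA-IPSEC ipsec-attributes
 trust-point CA-TP
 peer-id-validate req

! --- AnyConnect/SSL group: the same two factors, bound to one identity ---
! username-from-certificate takes the username from the certificate CN, and
! pre-fill-username forces that value to be the username sent to AAA, so the
! password presented must be the certificate holder's own.
webvpn
 enable outside
 svc image disk0:/anyconnect.pkg 1
 svc enable
ssl trust-point CA-TP outside

tunnel-group RA-SSL type remote-access
tunnel-group RA-SSL general-attributes
 address-pool RA-POOL
 authentication-server-group LOCAL
 default-group-policy RA-GP
tunnel-group RA-SSL webvpn-attributes
 authentication aaa certificate
 pre-fill-username ssl-client
 username-from-certificate CN
```

The acceptance test is the one the post stumbled on: connect with USER1's certificate and USER2's username and password. Against RA-IPSEC that connection succeeds; against RA-SSL it must be refused, because the username is no longer something the client gets to choose. This only works if the certificates actually carry the account name in the CN (or another field username-from-certificate can be pointed at), so check the issuing template before relying on it.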


About this Entry

This page contains a single entry by Ryan Hicks published on October 23, 2008 10:03 PM.
