[vpn] Cisco 3002 Hardware client and single use passcodes

Stephen Hope shope at energis-eis.co.uk
Tue Oct 2 05:16:20 EDT 2001


Patrick,

We are both a user and a reseller for the Cisco and RSA stuff you mention.

Our internal RAS has both ISDN dial-in (Shiva LANrover) and VPN (3005). All
of it uses TACACS+ and SecurID (and we also use server agents for some of
the high-security systems in house).

As far as I know the 3000 is just set to use TACACS+; all the SecurID-
specific stuff is set up in the TACACS server.

We have a Cisco ACS server, with the TACACS+ protocol set up as authentication. As
I understand it, TACACS just sends prompts back to the TACACS+ device for
it to give to the user, and that prompt is for the card magic number.

The ACS then passes authentication off to the ACE server for SecurID. The ACE
server is running on the same Win NT server as ACS.

NB - new installs for others are going in on Win2k.

If you want resilience then you need 2 ACS boxes, and 2 licenses.

ACE server only needs a backup, so you don't need 2 full licenses.

I suggest you test it (if you have enough of the bits of course) before you
commit fully.

Cisco used to run an evaluation scheme, with a time-limited license for ACS
- I think this is still possible.

RSA used to do evaluation kits for SecurID, with just 2 cards for testing -
maybe try that way if you can?

Regards,

Stephen

Stephen Hope C. Eng, Network Consultant, shope at energis-eis.co.uk,
Energis UK, WWW: http://www.energis.com
Carrington Business Park, Carrington, Manchester, UK. M31 4ZU
Tel: +44 (0)161 776 4194 Mob: +44 (0)7767 256 180 Fax: +44 (0)161 776 4189


> -----Original Message-----
> From: Patrick.Bryan at abbott.com [mailto:Patrick.Bryan at abbott.com]
> Sent: 02 October 2001 02:30
> To: Yang Lee
> Cc: vpn at securityfocus.com
> Subject: Re: [vpn] Cisco 3002 Hardware client and single use passcodes
> 
> 
> 
> Yang, what I don't comprehend is how, even using RADIUS, to allow the C3002 to
> make use of one-time passcodes. As for Cryptocard, my experience has been very
> good. Anyhow, please expand on the one-time passcode issue further, if you
> would.
> 
> Pat
> 
> 
> Yang Lee <ylee at net50.com>, 10/01/2001 08:16 PM
> To: Patrick.Bryan at abbott.com
> cc: vpn at securityfocus.com
> Subject: Re: [vpn] Cisco 3002 Hardware client and single use passcodes
> 
> 1. TACACS+ vs. RADIUS
> pro: TACACS+ encrypts both data and password while RADIUS only does
> password.
> con: RADIUS is considered a more open protocol than TACACS+. For example,
> Microsoft is supporting RADIUS in Win2k.
> 
> 2. SecurID vs. Cryptocard
> SecurID is my preference because of its strong encryption. The software itself
> was robust and full of features (also bugs). Don't know too much about
> Cryptocard. Anyone mind commenting?
> 
> Depending on your environment, if you are an ISP with paying customers, you
> will be better off using RADIUS+ (and Cryptocard or SecurID), because a lot of
> billing systems support RADIUS better. Otherwise, you may feel better using
> TACACS+ (and SecurID) because of its strong security.
> 
> Hope this helps.
> 
> 
> 
> ############################################
> #Yang Lee                                  #
> #Sr. Internet Security Engineer, Net2phone #
> #Tel. 973-412-3556                         #
> #Email. ylee at net2phone.com                 #
> #                                          #
> #                                          #
> #Disclaimer:                               #
> #My opinion here does not represent my     #
> #employer's in any way                     #
> #                                          #
> ############################################
> 
> On Mon, 1 Oct 2001 Patrick.Bryan at abbott.com wrote:
> 
> >
> > How about like this?
> >
> > C3002 --> RADIUS --> Cryptocard
> >
> > ?
> >
> > Yang Lee <ylee at net50.com>, 10/01/2001 03:21 PM
> > To: Patrick.Bryan at abbott.com
> > cc: vpn at securityfocus.com
> > Subject: Re: [vpn] Cisco 3002 Hardware client and single use passcodes
> >
> > You can set it up this way:
> >
> > Cisco 3002 --> TACACS+ --> SecurID Ace Server
> >
> > ############################################
> > #Yang Lee                                  #
> > #Sr. Internet Security Engineer, Net2phone #
> > #Tel. 973-412-3556                         #
> > #Email. ylee at net2phone.com                 #
> > #                                          #
> > #                                          #
> > #Disclaimer:                               #
> > #My opinion here does not represent my     #
> > #employer's in any way                     #
> > #                                          #
> > ############################################
> >
> > On Mon, 1 Oct 2001 Patrick.Bryan at abbott.com wrote:
> >
> > > Greetings, I am taking a look at Cisco's 3002 hardware client, and am
> > > wondering if it is possible to use SecurID or Cryptocard tokens with this
> > > box? It appears to me that it is not possible. If anyone has done this, your
> > > input would be greatly appreciated...
> > >
> > >
> > > Patrick A. Bryan
> > > Sr. Systems Analyst
> > > Abbott Laboratories
> > > Worldwide Network Security Group
> > >
> > >
> > >
> > > VPN is sponsored by SecurityFocus.com
> >

VPN is sponsored by SecurityFocus.com
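The thread's comparison point (TACACS+ obscures the whole packet body, RADIUS hides only the User-Password attribute) is easy to see by building one packet of each. The following is an added example written for this archive page, not code from any poster, Cisco, or RSA: it implements the RFC 2865 User-Password hiding and the RFC 8907 TACACS+ body obfuscation (both MD5-based; RFC 8907 itself calls this obfuscation rather than encryption) and then checks which fields of a constructed login, the username and a one-time passcode, remain readable in each packet. The shared secret, session id, username and passcode are constructed sample values; a real RADIUS client must use 16 random octets for the Request Authenticator where this example uses a fixed stand-in so the result is reproducible.

```python
"""Added example: what RADIUS vs. TACACS+ leave readable on the wire.
All secrets, ids and names below are constructed sample values."""
import hashlib
import struct

# ---- RADIUS (RFC 2865 section 5.2): only the User-Password attribute is hidden ----

def radius_hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """Pad the password with NULs to a 16-octet boundary, then XOR each chunk with
    MD5(secret + previous block); the first 'previous block' is the Request Authenticator."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * ((-len(password)) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += chunk
        prev = chunk                      # chaining: next key block depends on ciphertext
    return bytes(out)

def radius_reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of radius_hide_password, as the RADIUS server performs it."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(chunk, b))
        prev = chunk
    return bytes(out).rstrip(b"\x00")

def radius_attr(attr_type: int, value: bytes) -> bytes:
    # Attribute TLV: Type (1), Length (1, counts the 2 header octets), Value
    return bytes([attr_type, 2 + len(value)]) + value

def build_radius_access_request(secret, identifier, request_auth, username, password) -> bytes:
    """Access-Request (Code 1) carrying User-Name (1) in clear and User-Password (2) hidden."""
    attrs = radius_attr(1, username) + radius_attr(2, radius_hide_password(secret, request_auth, password))
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + request_auth + attrs

# ---- TACACS+ (RFC 8907 section 4.5): the entire body is XORed with an MD5 pad ----

TAC_PLUS_VERSION = 0xC0      # major version 0xC, minor 0
TAC_PLUS_AUTHEN = 0x01       # packet type: authentication

def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """pseudo_pad = MD5_1 | MD5_2 | ..., MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1)."""
    base = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = bytearray(), b""
    while len(pad) < length:
        prev = hashlib.md5(base + prev).digest()
        pad += prev
    return bytes(pad[:length])

def tacacs_wrap(key: bytes, session_id: int, seq_no: int, packet_type: int, body: bytes) -> bytes:
    """12-octet header (clear) followed by the obfuscated body."""
    pad = tacacs_pad(session_id, key, TAC_PLUS_VERSION, seq_no, len(body))
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, packet_type, seq_no, 0, session_id, len(body))
    return header + bytes(x ^ y for x, y in zip(body, pad))

def tacacs_unwrap(key: bytes, packet: bytes):
    """Server side: recover (type, seq_no, session_id) and the plaintext body."""
    version, ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    pad = tacacs_pad(session_id, key, version, seq_no, length)
    return (ptype, seq_no, session_id), bytes(x ^ y for x, y in zip(packet[12:12 + length], pad))

def tacacs_authen_start_body(user: bytes, port: bytes, rem_addr: bytes = b"") -> bytes:
    # action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1), authen_service=LOGIN(1),
    # four one-octet lengths, then the variable fields. In the ASCII flow the
    # token passcode is not here; it arrives in a CONTINUE after the server's GETPASS reply.
    return bytes([1, 1, 1, 1, len(user), len(port), len(rem_addr), 0]) + user + port + rem_addr

def tacacs_authen_continue_body(user_msg: bytes, data: bytes = b"") -> bytes:
    # user_msg_len (2), data_len (2), flags (1), user_msg, data
    return struct.pack("!HHB", len(user_msg), len(data), 0) + user_msg + data

def compare_exposure(username: bytes = b"pbryan", passcode: bytes = b"1234567890") -> dict:
    """Build one login exchange per protocol and report which fields stay readable."""
    secret = b"constructed-shared-secret"          # constructed, not a real key
    request_auth = bytes(range(16))                # fixed stand-in; real clients use 16 random octets
    radius_pkt = build_radius_access_request(secret, 7, request_auth, username, passcode)
    session_id = 0x1EADBEEF                        # constructed session id
    start = tacacs_wrap(secret, session_id, 1, TAC_PLUS_AUTHEN, tacacs_authen_start_body(username, b"vpn-3002"))
    cont = tacacs_wrap(secret, session_id, 3, TAC_PLUS_AUTHEN, tacacs_authen_continue_body(passcode))
    return {
        "radius_username_visible": username in radius_pkt,   # True: User-Name is sent in clear
        "radius_passcode_visible": passcode in radius_pkt,   # False: User-Password is hidden
        "tacacs_username_visible": username in start,        # False: whole START body is obscured
        "tacacs_passcode_visible": passcode in cont,         # False: whole CONTINUE body is obscured
    }

if __name__ == "__main__":
    for field, visible in compare_exposure().items():
        print(f"{field}: {visible}")
```

The practical reading for a defender is that both protocols protect the passcode, but with RADIUS the username (and every other attribute) travels in clear, so a TACACS+ path between the 3000 and ACS leaks less about who is logging in to anyone on the management network; neither MD5 scheme substitutes for running the AAA traffic over a protected link.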




