Re: [fw-wiz] VPN certificates and XAUTH - Firewalls



Thread: Re: [fw-wiz] VPN certificates and XAUTH

  1. Re: [fw-wiz] VPN certificates and XAUTH

    I didn't really get your question. Do you wanna perform certificate
    authentication at group level or at xauth level?

    Level 1 authentication is used for peer (device) authentication
    (groupname/pass). We can definitely use certificates for this type of
    authentication. I have seen such things work. However, you would
    still need to manually insert the xauth/pass! Also, even if it's
    possible to use a certificate for Xauth (which I doubt), I think it
    would add complications and would not be scalable!

    Having said that, I'm sure you can use token-based Xauth (like RSA)
    with the VPN client.

    http://rsasecurity.agora.com/rsasecu..._AuthMan61.pdf
    http://rsasecurity.agora.com/rsasecu..._AuthMan61.pdf

    Hope this helps. If not, please can you elaborate the question a bit.

    Thanks,
    Aditya Govind Mukadam




    On Thu, Jul 17, 2008 at 6:53 PM, Petr Vyhnal wrote:
    > Hi all,
    >
    > I have one quick question. I usually configure PIXes for VPN client in
    > two level authentication mode. Level 1 is vpngroup/password and level 2
    > is XAUTH using RADIUS server. Is there possibility (with PIX or ASA) to
    > use per-user generated certificates instead vpngroup/pass auth with
    > XAUTH/RADIUS second level auth as well?
    >
    > rudiik
    >
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@listserv.icsalabs.com
    > https://listserv.icsalabs.com/mailma...rewall-wizards
    >



  2. Re: [fw-wiz] VPN certificates and XAUTH

    Does anybody know if a certificate used for group authentication can be
    stored on a flash drive so that you are required to plug in the drive for
    the certificate to be available? It would be like a cheap 2-factor auth
    without the need for tokens.

    Thanks,

    Alejandro

    -----Original Message-----
    From: firewall-wizards-bounces@listserv.icsalabs.com
    [mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of Secure
    Scorp
    Sent: Monday, 04 August 2008 02:26 a.m.
    To: Firewall Wizards Security Mailing List
    Subject: Re: [fw-wiz] VPN certificates and XAUTH

    I didn't really get your question. Do you wanna perform certificate
    authentication at group level or at xauth level?

    Level 1 authentication is used for peer (device) authentication
    (groupname/pass). We can definitely use certificates for this type of
    authentication. I have seen such things work. However, you would still need
    to manually insert the xauth/pass! Also, even if it's possible to use a
    certificate for Xauth (which I doubt), I think it would add complications
    and would not be scalable!

    Having said that, I'm sure you can use token-based Xauth (like RSA) with
    the VPN client.

    http://rsasecurity.agora.com/rsasecu...PIX_702_AuthMan61.pdf
    http://rsasecurity.agora.com/rsasecu..._ASA_AuthMan61.pdf

    Hope this helps. If not, please can you elaborate the question a bit.

    Thanks,
    Aditya Govind Mukadam




    On Thu, Jul 17, 2008 at 6:53 PM, Petr Vyhnal wrote:
    > Hi all,
    >
    > I have one quick question. I usually configure PIXes for VPN client in
    > two level authentication mode. Level 1 is vpngroup/password and level
    > 2 is XAUTH using RADIUS server. Is there possibility (with PIX or ASA)
    > to use per-user generated certificates instead vpngroup/pass auth with
    > XAUTH/RADIUS second level auth as well?
    >
    > rudiik

