03-17-2010 08:16 AM
Well - pretty much any multi-factor authentication tool that is RADIUS based will work just fine. I am sure you will get lots of replies, but I have done implementations that involved successful integrations of the following into the SA box:
RSA (various tokens)
Quest Defender (various tokens)
Cryptocard (various tokens)
SecureAuth by Multifactor (certificate based)
03-17-2010 08:42 AM
We are trying that as well right now. I successfully added Active Directory and RSA/ACE authentication servers, but I have some problems connecting to the RADIUS. But that's more a RADIUS problem of my Windows IAS (Internet Authentication Server), which isn't able to bring port 1812 for RADIUS up. Does anyone have experience with that?
03-17-2010 01:05 PM
We deployed 2 factor auth to our VPN environment by using AD username/password as the primary and User Certificates as the secondary. All mapping is done by username, but the Realm does confirm that the certificate is legitimate (can check certain parts of the cert) before allowing them in. This may not be an option for you, but we ended up developing a free solution to the certificates. A developer of ours used OpenSSL for Windows and built a .NET website around it to allow users to request / generate their own certificates. I don't know the specifics as to how he got it to work but I didn't get the impression it was especially difficult. The IVE is configured to trust client certs from (and only from) the CA that OpenSSL is using and the website allows users to self-generate certs to use for it.
There are other solutions that work just as well but they will all cost.
03-22-2010 09:07 AM
We used to use RSA but have moved to VASCO (they have over 75 million users using VASCO tokens compared to 25 million to RSA). VASCO does everything that RSA does for 1/4th the cost.
03-22-2010 05:58 PM
We've been using the Entrust IdentityGuard tokens with good success.
We got them for virtually nothing. Here in Canada, the Fed Govt (PWGSC) has a govt wide contract for all Entrust products. So we got the Entrust IdentityGuard software for free, user CALs for free, updates and support for free... so all we've had to buy is the tokens @ $5 each.
Only thing I prefer about the RSA type tokens is no button. On the Entrust tokens there is a button to generate the code, and even with a decently sized drift window, we still have users who press the button soooo many times the tokens become out of sync. RSA type tokens have no buttons....
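
The button-press desync described in the last post, as an added example that is not part of the thread: a generic event-based OTP (RFC 4226 HOTP) token and a validator with a look-ahead window. It assumes the button tokens are counter based; the `Token` and `Server` classes, the window size and the secret are illustrative and are not Entrust's or any vendor's implementation.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Token:
    """Button token: every press consumes one counter value, used or not."""
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code

class Server:
    """Validator that accepts codes up to `window` counters ahead of its own."""
    def __init__(self, secret: bytes, window: int):
        self.secret, self.window, self.counter = secret, window, 0

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # move past the accepted code (no replay)
                return True
        return False  # outside the window: token needs a resync

def demo() -> list:
    secret = b"12345678901234567890"  # constructed sample: RFC 4226 test secret
    token, server = Token(secret), Server(secret, window=2)
    results = [server.verify(token.press())]      # in sync
    token.press()                                 # one idle press
    results.append(server.verify(token.press()))  # 1 ahead: inside window
    for _ in range(6):                            # six idle presses
        token.press()
    results.append(server.verify(token.press()))  # 6 ahead: rejected
    return results

if __name__ == "__main__":
    print(demo())
```

A larger window means fewer locked-out users but more codes that the server will accept at any moment, so the window size is a trade-off between help-desk load and guessing resistance.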