ACS authentication / dACL timeout

Hi all

We have an ASA set up to authenticate users who connect in the DMZ via RADIUS (ACS) and, if allowed, download a dACL from ACS.

Users expire after 15 minutes and have to re-authenticate.  I guess it's a timeout value.

How can I increase this timeout value on ACS?

Thank you!

If you are not controlling that on the ASA, you will need to adjust this setting:

vpn-session-timeout

If you want to control this from ACS, you can change/return the following attributes in the authorization profile:

RADIUS attribute 50 - CVPN3000/ASA/PIX7.x-Authd-User-Idle-Timeout

Located under the "RADIUS Attributes" tab.

Reauthentication Timer: value

Located under the "Common Tasks" tab.

This requires that you run ACS 5.x.

Thank you for evaluating useful messages!
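An added example, not code from the thread or from Cisco: it encodes attribute 50 the way an Access-Accept carries it (RFC 2865 Vendor-Specific attribute 26 with one vendor sub-attribute) and decodes it back, so you can check in a capture whether ACS actually returns the idle timeout. The vendor ID 3076 of the CVPN3000/ASA/PIX7.x dictionary and the value unit (minutes) are assumptions from my reading of the ASA RADIUS attribute list; verify them against your ACS dictionary.

```python
"""Encode/decode the Cisco ASA vendor-specific RADIUS attribute controlling the
authenticated-user idle timeout. Constructed example; not ACS or ASA code."""
import struct

VENDOR_SPECIFIC = 26             # RFC 2865 Vendor-Specific attribute type
CISCO_VPN3000_VENDOR_ID = 3076   # assumed vendor ID of the CVPN3000/ASA/PIX7.x VSA set
AUTHD_USER_IDLE_TIMEOUT = 50     # CVPN3000/ASA/PIX7.x-Authd-User-Idle-Timeout (integer, assumed minutes)
CLASS = 25                       # standard Class attribute, used as filler in the sample


def encode_attribute(attr_type, value):
    """One RADIUS attribute: Type (1 byte) | Length (1 byte, includes header) | Value."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_vsa(vendor_id, vendor_type, value):
    """Vendor-Specific attribute carrying a single sub-attribute (RFC 2865 section 5.26)."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return encode_attribute(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def encode_idle_timeout(minutes):
    """Build attribute 50 as the AAA server would place it into the Access-Accept."""
    return encode_vsa(CISCO_VPN3000_VENDOR_ID, AUTHD_USER_IDLE_TIMEOUT, struct.pack("!I", minutes))


def iter_tlvs(data):
    """Walk a Type/Length/Value list; serves both the attribute list and VSA sub-attributes.
    Rejects truncated or self-overlapping attributes instead of reading past the buffer."""
    off = 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[off], data[off + 1]
        if length < 2 or off + length > len(data):
            raise ValueError("bad attribute length")
        yield t, data[off + 2:off + length]
        off += length


def find_vsa(attrs, vendor_id, vendor_type):
    """Value of the first matching vendor sub-attribute in an attribute list, or None."""
    for t, v in iter_tlvs(attrs):
        if t != VENDOR_SPECIFIC or len(v) < 4:
            continue
        if struct.unpack("!I", v[:4])[0] != vendor_id:
            continue
        for vt, vv in iter_tlvs(v[4:]):
            if vt == vendor_type:
                return vv
    return None


def idle_timeout_minutes(attrs):
    """Idle timeout returned by the AAA server, or None when the attribute is absent."""
    v = find_vsa(attrs, CISCO_VPN3000_VENDOR_ID, AUTHD_USER_IDLE_TIMEOUT)
    if v is None:
        return None
    if len(v) != 4:
        raise ValueError("idle timeout must be a 4-byte integer")
    return struct.unpack("!I", v)[0]


# Constructed Access-Accept attribute list: a Class attribute followed by attribute 50 = 60 minutes.
SAMPLE_ACCEPT_ATTRS = encode_attribute(CLASS, b"example-class") + encode_idle_timeout(60)

if __name__ == "__main__":
    print(SAMPLE_ACCEPT_ATTRS.hex())
    print(idle_timeout_minutes(SAMPLE_ACCEPT_ATTRS))  # 60
```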

Tags: Cisco Security

Similar Questions

• dACL on switches in open mode with pre-authorization ACL

    Hi board,

    This topic might also belong in the switching section of the board, but I'll try it here.

    Suppose I use authentication open on a switch port with a pre-authentication ACL. Let's call it PORT-PRE-AUTH-ACL.

    The pre-authentication ACL contains the usual stuff like PXE, DHCP, DNS and so forth (yes, we want to do profiling :))

    Now the client behind the port is successfully authorized, and a dACL is applied to the session. IP device tracking magic kicks in and puts the IP address of the actually connected client into the source part of the ACL.

    Now the question: what happens with the content of the PORT-PRE-AUTH-ACL on the switch port?

    • Is the pre-authentication ACL no longer applied for the session?
    • Are the ACLs concatenated, with the static pre-auth ACL first and the contents of the dACL after it?
    • Are the ACLs concatenated, with the contents of the dACL first and the static pre-auth ACL after it?

    I think the answer to this question is: it depends - right?

    From my point of view, it is highly platform and SW version dependent. Do you agree? I also think that the documentation is very poor in this particular case.

    For example, on a 2960-X and 2960-S running 15.2 code with IBNS2.0 config style, the behavior is that the content of the dACL is placed above the static port ACL. But the static port ACL remains in place.

    Why do I ask this question?

    • This is relevant when placing explicit deny statements somewhere in the port ACL or the dACL
    • Saving TCAM resources on the switch. For example, if I have allowed DHCP in the pre-auth ACL, I don't need to allow DHCP in the dACL if the ACLs are concatenated. Fewer ACEs entered --> TCAM resources saved on the switch.

    Maybe it's a good idea if we assemble a list of "field experience". I'll start with the two devices from above:

    Platform        Version        Behavior                       Remarks
    Cat 2960-X      15.2(4)        Concat: dACL then port ACL     IBNS2
    Cat 2960-S      15.2(2)        Concat: dACL then port ACL     IBNS2
    Cat 4500 Sup8   3.7.0E         Concat: dACL then port ACL     Last update 03/31/2016 by NicolasDemonty (thank you)
    Cat 6800        15.2(1)SY2     Concat: dACL then port ACL     Update 08/26/2016 by jcockburn (thank you)

    Does someone have Cat6k (ok, it is difficult with IBNS2.0 on this platform), Cat4k, Cat3k?

    Hello

    We have 6500's on IBNS1 and 6880's on IBNS2

    Same thing with the dACL and the PACLs...

    dACL is concat'ed on top of PACL.

    One thing to note, we have a posture or clean-up phase which redirects the client to the portal as well and when we migrated to IBNS2 we found different implementations.

    IBNS1 = dACL, RACL + PACL

    IBNS2 = dACL, RACL + PACL

    so if for some reason you had a deny that was not in the dACL, the RACL will never be matched... suffice to say.
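To make the ordering question concrete, here is an added Python model (my own, not Cisco code and not from this thread) of the two candidate behaviours: the dACL placed above the static port ACL with the tracked client IP substituted for "any", or the reverse. It evaluates constructed packets against the combined list and reports which port-ACL entries can no longer match the authenticated client, which is the explicit-deny and redundant-ACE point made above.

```python
"""Model of dACL + static port ACL concatenation on an open-mode port.
Constructed example; first match wins, implicit deny at the end."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" (any protocol), "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # None = any destination port
    origin: str = ""              # "dACL" or "port", filled in by effective_acl

    def matches(self, proto, src_ip, dst_ip, dport):
        if self.proto != "ip" and self.proto != proto:
            return False
        if src_ip not in self.src or dst_ip not in self.dst:
            return False
        return self.dport is None or self.dport == dport

    def covers(self, other, client_ip):
        """True if every packet from client_ip that matches `other` also matches self."""
        return ((self.proto == "ip" or self.proto == other.proto)
                and client_ip in self.src
                and self.dst.supernet_of(other.dst)
                and (self.dport is None or self.dport == other.dport))


def _net(s):
    return ANY if s == "any" else ipaddress.ip_network(s, strict=False)


def ace(action, proto, src, dst, dport=None):
    """Build an ACE from IOS-like arguments: 'any' or a CIDR string for src/dst."""
    return Ace(action, proto, _net(src), _net(dst), dport)


def effective_acl(dacl, port_acl, client_ip, dacl_on_top=True):
    """Concatenate the two lists. With dacl_on_top=True this is the 2960-X/S behaviour
    reported above: the dACL first, with 'any' sources rewritten to the client IP learned
    by IP device tracking, then the static port ACL. False models the opposite order."""
    host = ipaddress.ip_network(f"{client_ip}/32")
    top = [replace(a, src=host if a.src == ANY else a.src, origin="dACL") for a in dacl]
    static = [replace(a, origin="port") for a in port_acl]
    return top + static if dacl_on_top else static + top


def evaluate(acl, proto, src_ip, dst_ip, dport=None):
    """Return (action, index) of the first matching ACE, or ("deny", None) for the implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for idx, a in enumerate(acl):
        if a.matches(proto, src_ip, dst_ip, dport):
            return a.action, idx
    return "deny", None


def dead_port_aces(acl, client_ip):
    """Indices of port-ACL ACEs that can never match this client's traffic, because the
    client is outside their source or an earlier ACE already covers every such packet."""
    client = ipaddress.ip_address(client_ip)
    return [idx for idx, a in enumerate(acl) if a.origin == "port"
            and (client not in a.src or any(e.covers(a, client) for e in acl[:idx]))]


# Constructed pre-authentication port ACL: DHCP, DNS, TFTP/PXE, then an explicit deny.
PORT_PRE_AUTH_ACL = [
    ace("permit", "udp", "any", "any", 67),
    ace("permit", "udp", "any", "any", 53),
    ace("permit", "udp", "any", "any", 69),
    ace("deny", "ip", "any", "any"),
]
# Constructed dACL returned by the AAA server after a successful MAB/802.1X session.
DACL = [
    ace("deny", "tcp", "any", "10.0.0.0/24", 22),   # no SSH to the management subnet
    ace("permit", "ip", "any", "any"),
]
CLIENT_IP = "192.168.1.50"
EFFECTIVE = effective_acl(DACL, PORT_PRE_AUTH_ACL, CLIENT_IP)

if __name__ == "__main__":
    print(evaluate(EFFECTIVE, "tcp", CLIENT_IP, "10.0.0.9", 22))          # ('deny', 0): dACL deny wins
    print(evaluate(EFFECTIVE, "tcp", CLIENT_IP, "8.8.8.8", 443))          # ('permit', 1)
    print(evaluate(EFFECTIVE, "udp", "192.168.1.51", "192.168.1.1", 67))  # ('permit', 2): port ACL still applies to other hosts
    print(dead_port_aces(EFFECTIVE, CLIENT_IP))                           # [2, 3, 4, 5]: whole port ACL dead for the client
    # Same lists with the port ACL on top: its explicit deny now shadows the dACL permit.
    print(evaluate(effective_acl(DACL, PORT_PRE_AUTH_ACL, CLIENT_IP, False), "tcp", CLIENT_IP, "8.8.8.8", 443))  # ('deny', 3)
```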

  • Problem with ACS authentication

    I am trying to upgrade our network right now and we are replacing the archaic switches with new 3750s. At one of the sites the new switch did not come up, so I configured a 2950 as a temporary solution. My problem is with the RADIUS authentication. I use TACACS+ as the first authentication method, with the local database as a backup. But the RADIUS authentication is not happening. It just skips straight past method 1 to local authentication. The RADIUS servers are up and running, as other devices authenticate properly, and this 2950 can ping the servers in question. Also, the key is entered correctly. Any suggestions?

    And the output of 'debug tacacs'?

    My output looks like this:

    APR 17 11:30:27: TAC +: send worm package AUTHENTIC/START = 192 id = 3801177964
    APR 17 11:30:27: TAC +: using tacacs+ server-group "tacacs+" list by default.
    APR 17 11:30:27: TAC +: opening TCP/IP 10.10.10.24/49 Timeout = 5
    APR 17 11:30:27: TAC +: handle opened TCP/IP 0x80EC2700 to 10.10.10.24/49
    APR 17 11:30:27: TAC +: 10.10.10.24 (3801177964) AUTHENTIC/START/CONNECTION/ASCII queued
    APR 17 11:30:28: TAC +: (3801177964) AUTHENTIC/START/CONNECTION/ASCII processed
    APR 17 11:30:28: TAC +: worm = 192 id = 3801177964 received AUTHENTIC status = GETPASS
    APR 17 11:30:31: TAC +: sends AUTHENTIC/CONT packet id = 3801177964
    APR 17 11:30:31: TAC +: 10.10.10.24 (3801177964) AUTHENTIC/CONT in queue
    APR 17 11:30:31: TAC +: (3801177964) AUTHENTIC/CONT processed
    APR 17 11:30:31: TAC +: worm = 192 id = 3801177964 received AUTHENTIC status = PASS
    APR 17 11:30:31: TAC +: connection TCP/IP closing 0x80EC2700 to 10.10.10.24/49
    APR 17 11:30:31: TAC +: previously set server group tacacs+ 10.10.10.24.
    APR 17 11:30:31: TAC +: opening TCP/IP 10.10.10.24/49 Timeout = 5
    APR 17 11:30:31: TAC +: handle opened TCP/IP 0x80ED50DC to 10.10.10.24/49
    APR 17 11:30:31: TAC +: open 10.10.10.24 index = 1
    APR 17 11:30:31: TAC +: 10.10.10.24 (3808800626) AUTHOR/START waiting in line
    APR 17 11:30:32: TAC +: AUTHOR/START (3808800626) dealt with
    APR 17 11:30:32: TAC +: (3808800626): received the status of response author = PASS_ADD
    APR 17 11:30:32: TAC +: connection TCP/IP closing 0x80ED50DC to 10.10.10.24/49
    APR 17 11:30:32: TAC +: attribute received 'priv-lvl = 15.
    APR 17 11:30:32: TAC +: previously set server group tacacs+ 10.10.10.24.
    APR 17 11:30:32: TAC +: opening TCP/IP 10.10.10.24/49 Timeout = 5
    APR 17 11:30:32: TAC +: handle opened TCP/IP 0x80EC2B94 to 10.10.10.24/49
    APR 17 11:30:32: TAC +: open 10.10.10.24 index = 1
    APR 17 11:30:32: TAC +: 10.10.10.24 (422749886) ACCT/REQUEST/START queued
    APR 17 11:30:32: TAC +: ACCT/REQUEST/START (422749886) dealt with
    APR 17 11:30:32: TAC +: (422749886): received the status of response acct = SUCCESS
    APR 17 11:30:32: TAC +: connection TCP/IP closing 0x80EC2B94 to 10.10.10.24/49

    Which TACACS+ server do you use?

  • PERMIT ALL dACL on IP phones

    Do you usually use the ISE default policy that assigns the PERMIT ANY dACL to IP phones, or do you remove the dACL?

    I always do the following with my deployments:

    1. Always return a dACL, even if it is just "permit ip any any". There are bugs in IOS where the CWA ACL or the default ACL on the port is not removed if you do not return a dACL. I also like it because I can quickly go in and restrict things if necessary.

    2. I never use anything that is a default in ISE. I create my own authorization policies, profiles, identity store sequences, etc. That way I know that if something is a default I didn't create it, and I can come back to it later and use it for reference.

    I hope this helps!

    Thank you for evaluating useful messages!

  • How to separate authentication requests on ACS 4.2

    Hello

    I have an ACS 4.2 for AAA. Right now I use this server to authenticate users who log in to all my Cisco devices (routers, switches, ASAs, APs) and also to authenticate users for remote access VPN to the ASA.

    The problem I have is that VPN users residing in another group in ACS are able to authenticate to log in and manage network devices, and that is a security problem. I need the VPN users to be able to authenticate only to the VPN and not be able to authenticate to log in to network devices.

    Any ideas? Is it possible to separate RADIUS access requests from VPN connection requests?

    Hi Fernando,

    Yes, it is possible to restrict your VPN users to VPN on the ASA only. If you want them not to have telnet/ssh/http access to other devices in the network, then you can go for NAR (network access restriction).

    The only thing you need to know is the calling-station-id. I think it's an IP address. You can check this under Reports and Activity > Passed Authentications for the VPN users.

    Here are the steps:

    ACS > go to the VPN group > Edit > look for NAR > under IP-based NAR > set the action to "Denied" > select the devices (routers/switches) you want to deny access to > put * for the port and address fields > click Submit + Restart.

    Doing this, the VPN users will be able to connect through VPN but unable to do ssh and telnet.

    I have attached a screenshot of the same thing (I did it for a 6509 switch).

    HTH

    JK

    Please rate helpful posts.

  • ISE: support for IPv6 dACL

    Hello

    Does anyone know if/when ISE will be able to push IPv6 dynamic ACLs? I failed to find any information on this other than an old post here: https://supportforums.cisco.com/discussion/11795676/ise-support-ipv6-dyn...

    Thank you

    Phill Macey

    It is not supported as of the current ISE 1.3.

    I heard it is planned for a future release, but there is no date announced or committed for the moment.

    If you are working with a partner or a Cisco account manager, don't forget to request it officially if this is important to you. Customer requests contribute to building the business case for prioritizing features.

  • PIX v6.2 access lists and authentication

    We have an internal PIX 501 v6.2 on an intranet and want to allow some subnets and some other specific host IPs from the high-security (inside) side to the low-security side (outside) without authentication or authorization.

    However, at the same time, we want to authenticate some other users on the same path and apply an access list from our CiscoSecure ACS v2.6.

    We use http authentication.

    How do I combine these two different requirements on the inside interface?

    e.g. permit tcp 10.10.10.2 255.255.255.0 any eq 1022 and

    (if authenticated) permit tcp host 10.120.10.1 any eq 8051

    We have a similar setup working on a router using the firewall feature set authentication proxy: the access list has static entries and changes dynamically when users are authenticated, according to their access conditions.

    Do not use an ACL on the inside interface to achieve this. Rather, set your ACLs to require authentication for all traffic from this host going out.

    access-list auth_user permit ip host 10.120.10.1 any

    This means that the user cannot send ANY traffic out until he has authenticated. The host can do this by opening a web browser to anything outside and giving the firewall the appropriate credentials. Or FTP to anything outside... Or telnet to anything outside.

    When the ACS validates the user's credentials, it passes back the ACL for this user, which defines exactly what you want to permit and what you want to deny. If you only permit outbound TCP/8501, then all other traffic is implicitly denied. The per-user ACL works like any other access-list. This will not require an ACL to be bound to the inside interface.

    -Shannon

  • Authenticating users with a 2800 router

    Hello Experts,

    Press RETURN to get started.

    *May 11 15:04:18.063: AAA/BIND (00000010): link i / f
    *May 11 15:04:18.063: AAA/AUTHENTIC/LOGIN (00000010): list of selection method '123'

    User Access Verification

    Username: john
    Password:

    ACS-router>en
    Password:
    *May 11 15:04:41.935: AAA: analyze name = tty0 BID type =-1 ATS = - 1
    *May 11 15:04:41.935: AAA: name = tty0 flags = 0 x 11 type = 4 shelf = 0 = 0 = 0 = 0 = 0 channel port adapter slot
    *May 11 15:04:41.935: AAA/MEMORY: create_user (0x469AA7F4) user = ruser 'john' = 'NULL' ds0 = 0 port = "tty0" rem_addr = "async" authen_type = ASCII = service ENABLE priv = 15 initial_task_id = '0', vrf = (id = 0)
    *May 11 15:04:41.935: AAA/AUTHENTIC/START (4129385217): port = "tty0" list = "action = LOGIN service = ENABLE
    *May 11 15:04:41.935: AAA/AUTHENTIC/START (4129385217): enable console - by default to activate the password (if any)
    *May 11 15:04:41.935: AAA/AUTHENTIC/START (4129385217): method = ENABLE
    *May 11 15:04:41.935: AAA/AUTHENTIC (4129385217): status = GETPASS
    ACS-router#
    *May 11 15:04:49.099: AAA/AUTHENTIC/CONT (4129385217): continue_login (user = '(undef)')
    *May 11 15:04:49.099: AAA/AUTHENTIC (4129385217): status = GETPASS
    *May 11 15:04:49.099: AAA/AUTHENTIC/CONT (4129385217): method = ENABLE
    *May 11 15:04:49.107: AAA/AUTHENTIC (4129385217): status = PASS
    *May 11 15:04:49.107: AAA/MEMORY: free_user (0x469AA7F4) = user tweak "NULL" = "NULL" port = "tty0" rem_addr = "async" authen_type = ASCII service = ENABLE priv = 15 vrf = (id = 0)

    The output above is from the 2800 router console. I'm trying to authenticate the user john against the ACS server, but from the output above I'm not sure whether it performs the authentication or not. When I configure a different password on the ACS and on the router, it doesn't accept the ACS password; it takes the local password configured for john instead.

    sh run for the 2800 router:

    ACS-router#sh running-config
    Building configuration...

    Current configuration : 1141 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname ACS-router
    !
    boot-start-marker
    boot system flash c2800nm-ipvoicek9-mz.151-1.T.bin
    boot-end-marker
    !
    logging message-counter syslog
    enable secret 5 $1$6MYC$v0SoHopUNgCSXx08iEfcU0
    !
    aaa new-model
    !
    !
    aaa authentication login 123 group tacacs+ local
    !
    !
    aaa session-id common
    !
    dot11 syslog
    ip source-route
    !
    !
    ip cef
    !
    !
    no ip domain lookup
    !
    multilink bundle-name authenticated
    !
    !
    !
    !
    !
    !
    username john password 0 cisco12345
    archive
     log config
      hidekeys
    !
    !
    !
    !
    !
    !
    !
    !
    interface FastEthernet0/0
     no ip address
     duplex auto
     speed auto
    !
    interface FastEthernet0/0.1
     encapsulation dot1Q 1 native
     ip address 192.168.10.1 255.255.255.0
    !
    interface FastEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    !
    !
    !
    !
    !
    !
    !
    tacacs-server host 192.168.10.3 port 49 timeout 2 key cisco12345
    !
    control-plane
    !
    !
    line con 0
     login authentication 123
    line aux 0
    line vty 0 4
     login authentication 123

    BUT

    When I have the same configuration on a 2960 switch it works very well for the user: it accepts different passwords for the ACS and for local when I disconnect the ACS from the local network.

    Can someone tell me what I'm missing here???

    Thank you

    The following:

    *May 11 15:44:33.678: HIGHER (00000013) 0 / / READ: errno 254

    suggests a secret mismatch between the 2800 and the TACACS+ server.

  • Authentication, findMailStoreUsers for Domino

    Hello

    I'm completely new to the Administration API...

    I listed all my BlackBerry users successfully; now I want a list of my Domino users in order to create a new user (one day...).

    I tried this:

    try {
         dominoUrl = new URL("https://" + strBASURL + "/baaws/emaildomino/ws?wsdl");
    } catch (MalformedURLException e) {
         return false;
    }
    _myDominoWSService = new BAAServiceEmailDomino(dominoUrl);
    

    and

    Authenticator dominoAuthenticator = null;
    // findAuthenticators returns Authenticator objects; the typed list is needed for the for-each below
    List<Authenticator> a = _myUtilWSStub.findAuthenticators("en_US");
    for (Authenticator itr : a) {
        if (itr.getName().equalsIgnoreCase("Domino mailbox")) {
            dominoAuthenticator = itr;
        }
    }
    myEncodeUsername = _myUtilWSStub.encodeUsername("admin", null, dominoAuthenticator.getAuthenticatorType(), dominoAuthenticator.getId(), "0");

    BindingProvider bp2 = (BindingProvider) _myDominoWSService.getEmailDomino();
    bp2.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, myEncodeUsername);
    bp2.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, password);
    

    I played a bit with the user name and password.

    When I call

    FindMailStoreUsersResult myResult = _myDominoWSService.getEmailDomino().findMailStoreUsers(criteria, sortByEnum, sortAscending, locale, null, pageSize);
    

    I get the following error:

    org.apache.cxf.interceptor.Fault: Could not send Message.
        at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:64)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:220)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:296)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:242)
        at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
        at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:178)
        at $Proxy42.findMailStoreUsers(Unknown Source)
    Caused by: java.net.HttpRetryException: cannot retry due to server authentication, in streaming mode
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
        at java.net.HttpURLConnection.getResponseCode(Unknown Source)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown Source)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1937)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1865)
        at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:66)
        at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:593)
        at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
        ... 8 more
    

    Maybe my test is totally *beep*, maybe I'm missing something.

    Can someone help me?

    Thank you

    Hello

    First thing: are you running BES version 5.0.3? If so, I strongly suggest you stop developing against BAA and move to BWS instead.

    If you need to stay with BAA then check the user name and password used. Do this user name and password allow you to log in via the BAS console? Is it a BAS user account, or do you actually have a Domino user account named 'administrator'?

  • Authentication & roaming

    I use autonomous 1142Ns running 12.4 (no WLC, no external RADIUS server). They authenticate clients with WPA2 Personal mode. Just enter a password, and you are connected.

    I need to configure the access points for fast secure roaming, but the authentication requirements seem to conflict with, or at least change, my current setup.

    For example, reading these requirements:

    http://www.Cisco.com/en/us/docs/wireless/access_point/12.4_21a_JA1/configuration/guide/scg12421aJA1-chap12-wdsroam-RM.html

    I need at least one access point configured as WDS and the other access points configured to participate in WDS. To configure an access point for WDS, the AP must be configured as a local authenticator. To configure an access point as a local authenticator, a list of user names and passwords, or of MAC addresses, must be provided.

    This seems to mean that password-only authentication is no longer possible: a user name must also be provided, or I must collect all of the possible MAC addresses and list them.

    I'm new to wireless configs, but I assumed that a laptop that has already been authenticated with WPA2 Personal mode could be passed along to another access point, but I don't see any description of this possibility.

    Please clear up for me what I can/can't do regarding roaming with my current configuration, without changing the authentication requirements.

    Hello

    From what I understand from the post... you want to configure fast secure roaming. But this is not supported with WPA-PSK. WPA-PSK authentication works on the AP, in other words local authentication. To configure fast secure roaming we need 802.1X authentication such as LEAP and EAP-FAST so that WDS can cache the user name and password. If we use WPA2 AES CCMP, I guess the FSR happens because of CCMP, but it's true that it's no use if we don't use 802.1X...

    FSR mainly aims to reduce the load on the server for each unique transaction relating to the client... So if we use WDS with 802.1X set up... then instead of going to the server, it will be checked against the cached entry on the WDS and the load going to the server will be dropped... so I think WPA2-PSK with FSR would work, but you may not feel the real meat of FSR...

    If you don't have a RADIUS server such as Cisco ACS... then you can configure your AP as a local RADIUS server and then configure the EAP methods or 802.1X with the local server.

    Here is the link...

    http://www.Cisco.com/en/us/docs/wireless/access_point/12.4_21a_JA1/configuration/guide/scg12421aJA1-chap9-localauth.html

    Regards

    Surendra

    ===

    Please do not forget to rate posts that answered your question or were useful

  • ISE policy with dACL and VLAN change together

    So I've had a hard time finding consistency in a policy that changes the VLAN and applies a dACL. Originally I found that the remarks were causing it to break, but I can't find any consistency. I can use a vanilla 'permit all' dACL in ISE together with a VLAN change and it just doesn't work. My AuthZ is very simple... if you are Wired_MAB and your endpoint is in a particular endpoint group, then apply a policy that changes the VLAN and applies a dACL. This seems like exactly what ISE is supposed to do, but it seems so buggy. The strange thing is that if I change the VLAN by itself, it works. But when I add the dACL, neither works. Anyone have any ideas why?

    Your main problem will probably be with dACL assignment, which requires the switch to know the IP address of the client before any dACL will apply, at least in multi-auth host mode. I know of a "bug" where device tracking does not work once you change the initial access VLAN of the port to another VLAN and try to apply a dACL using MAB authorization. When this fails, try to check your IP device tracking table and see if you hit the same "bug" I've hit before. You should see that device tracking thinks your device still has the original VLAN or none at all. Remember that DHCP snooping is also used to fill the device-tracking table, so make sure you use it as well. Other than that, you could try closed mode, but that might not be suitable for your environment.

  • NAT 0 access-list

    NAT 0 with NAT timeout values

    A server outside the firewall starts a session to a server inside. The inside server keeps track of the session by IP address and source port, so this connection must remain open; but if there is no communication for the time specified in timeout xlate, it is torn down... then the outside server initiates a new session with a different source port... Once this happens several times, the service on the internal server dies.

    If I use:

    access-list notimeout permit ip host 10.10.10.4 255.255.255.255 any

    nat (outside) 0 access-list notimeout

    Since the PIX doesn't build an xlate entry, will it bypass the xlate timeout? Once 10.10.10.4 makes a connection to a host on the other side of the PIX, will it be able to stay idle indefinitely?

    Thank you

    Sure, but you have some syntax problems. Refer to the following:

    pix(config)# access-list no-timeout permit ip host 10.10.10.1 host 172.16.1.1

    pix(config)# nat (inside) 0 access-list no-timeout

    pix(config)# timeout conn 0:0:0

    * No need for the 255 mask when you specify host. And you want to apply the NAT to the inside interface. Translations using a nat 0 ACL can still be built from the less secure interface. And your conn timeout will be global. I do not recommend using this as it can cause side effects. Each conn that is incorrectly left in an open state will never age out of the PIX conn table. This can cause memory exhaustion over time, so if you're going to do this, please check the output of "sh conn count" and "sh conn detail" often and make sure that you don't have many conns open on the PIX. It may require manual intervention to clear the conns or reload the PIX.

    If you are in a situation where the connection must remain open indefinitely between these machines, you may be better off placing these two hosts on the same segment so as not to have to take these measures. Just a thought.

    Scott

  • SSL VPN authentication using different identity source sequences

    Morning,

    At the moment we have SSL VPN configured, passing authentication to ACS. This is accomplished using strong authentication. The ACS identity source sequence is WBS then AD.

    We want to implement, on the same firewall, a select few users who authenticate by AD only; they will have a different tunnel group name to connect to, etc.

    In ACS I'm not sure how I would set up two identity source sequences while using the same service selection rule. At the moment I have: if RAY and IP is XXX then use policy XXX.

    We are currently installing ISE, so in the not too distant future, if ACS cannot do this, can ISE?
    If it's confusing I can expand where necessary.
    Thank you

    S

    Hello

    I don't know how it looked in ACS, but on ISE it's flexible.

    The rule is simple:

    If the RADIUS request comes from a device of type ASA, then check the tunnel-group-name attribute (146) and, based on its string value, choose the LOCAL or AD store.

    hope this helps

    concerning

  • dACL on Cisco 3550 switch

    I have a Cisco 3550 switch with IOS 12.1(19)EA1c. I want to activate the dACL feature on it, but it does not support adding this command: ip device tracking.

    No idea why it does not accept it.  Does this IOS version not support the dACL feature?

    You need at least 12.2(44)SE for dACL support on the 3550.

    Edit: It is documented in the ISE compatibility list:

    http://www.Cisco.com/en/us/partner/docs/security/ISE/1.1.1/compatibility/ise_sdt.html

    --
    Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
    http://www.Kiva.org/invitedBy/karsteni

  • VPN concentrator - using several authentication servers

    Hello

    I have a question regarding the use of more than one authentication server to authenticate users connecting to a VPN concentrator.

    Is it possible to add several different servers (for example SDI and RADIUS) for authentication in the list and make sure that users authenticate against each of them to establish the VPN? It seems a user only needs to authenticate through one of them to establish a VPN. Can you make the user authenticate through multiple servers?

    Thank you

    Cam

    Cam

    I have no experience with this issue, so I have an opinion but no facts. I suppose that it is possible to separate the authentication of the user from the NAC/posture validation.

    Perhaps someone with experience with this or the necessary expertise for this can help us with some facts.

    HTH

    Rick
