We need to implement multi-factor auth on our SA devices. Anyone have any experience, recommendations or tips to share?
Well, pretty much any multi-factor authentication tool that is RADIUS based will work just fine. I am sure you will get lots of replies, but I have done implementations that involved successful integrations of the following into the SA box:
RSA (various tokens)
Quest Defender (various tokens)
Cryptocard (various tokens)
SecureAuth by Multifactor (certificate based)
We are trying that as well right now. I successfully added Active Directory and RSA/ACE authentication servers, but I have some problems connecting to the RADIUS. But that's more a RADIUS problem of my Windows IAS (Internet Authentication Server), which isn't able to bring port 1812 for RADIUS up. Has anyone experience with that?
We deployed 2-factor auth to our VPN environment by using AD username/password as the primary and user certificates as the secondary. All mapping is done by username, but the Realm does confirm that the certificate is legitimate (can check certain parts of the cert) before allowing them in. This may not be an option for you, but we ended up developing a free solution to the certificates. A developer of ours used OpenSSL for Windows and built a .NET website around it to allow users to request / generate their own certificates. I don't know the specifics as to how he got it to work, but I didn't get the impression it was especially difficult. The IVE is configured to trust client certs from (and only from) the CA that OpenSSL is using, and the website allows users to self-generate certs to use for it.
There are other solutions that work just as well but they will all cost.
I think Windows IAS RADIUS runs auth on port 1645 and accounting on port 1646.
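Whichever UDP port the backend listens on (1812 per RFC 2865, or the legacy 1645/1646 pair mentioned above), the packet the SA sends is the same RADIUS Access-Request. The following encoder/decoder is an added example, not code from any poster or from the SA/IAS products; the shared secret, authenticator and credentials are constructed test values, and the User-Password hiding follows RFC 2865 section 5.2.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1        # RADIUS Code for Access-Request
ATTR_USER_NAME = 1        # User-Name attribute type
ATTR_USER_PASSWORD = 2    # User-Password attribute type (hidden, not encrypted)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same transform; chaining uses the hidden (wire) blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def avp(attr_type: int, value: bytes) -> bytes:
    """Attribute-Value Pair: Type(1) Length(1, includes header) Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(identifier: int, username: str, password: str,
                         secret: bytes, authenticator: bytes = None) -> bytes:
    authenticator = authenticator or os.urandom(16)   # 16 random octets per request
    attrs = avp(ATTR_USER_NAME, username.encode()) + \
        avp(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_packet(packet: bytes, secret: bytes):
    """Decode header and AVPs; returns (code, identifier, {type: value}) with the password revealed."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    if ATTR_USER_PASSWORD in attrs:
        attrs[ATTR_USER_PASSWORD] = reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)
    return code, identifier, attrs
```

The password is only obfuscated with MD5 and the shared secret, which is why a RADIUS link between the SA and the token server belongs on a trusted network segment.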
We used to use RSA but have moved to VASCO (they have over 75 million users using VASCO tokens compared to 25 million for RSA). VASCO does everything that RSA does for 1/4 of the cost.
We've been using the Entrust IdentityGuard tokens with good success.
We got them for virtually nothing. Here in Canada, the Fed Govt (PWGSC) has a govt-wide contract for all Entrust products. So we got the Entrust IdentityGuard software for free, user CALs for free, updates and support for free... so all we've had to buy is the tokens at $5 each.
Only thing I prefer about the RSA-type tokens is no button. On the Entrust tokens there is a button to generate the code, and even with a decently sized drift window, we still have users who press the button soooo many times the tokens become out of sync. RSA-type tokens have no buttons....