RE: Protecting a network with RADIUS / RSA




We did manage to run the script and change the setting; however, as Steve
stated, the token changes, the cached information is incorrect and disables the
token. We did try this using a password associated with the account and this
did work but was painfully slow.


"SteveD" wrote:

Thanks for the reply Ashok,

I saw that on MSDN but that appears to apply to web listeners which would
suggest a web publishing rule rather than a firewall access rule.

Also RSA is a use-once passcode so cannot be cached - unless the caching is
done at an ISA level and it doesn't check back via RADIUS...

Steve

"Ashok" wrote:

Hi Steve,

I think there is an article somewhere in TechNet where it has a script that
you can use to make ISA Server cache the credential for a session so it
doesn't ask all the time.

This also results in reduced traffic to the RADIUS server.

Let me see if I can find the article/link.

Here we go:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/isasdk/isa/fpcweblistenerproperties_singleradiusserverauthpersession.asp

HTH,

Ashok.




"SteveD" wrote:

I hope someone can help me with a RADIUS re-authentication issue in ISA 2004
SP2.

I want to protect a network with ISA and two factor authentication (RSA). As
RSA is mainly supported in ISA 2004 for server publishing and VPN I have had
to implement as follows:

1) Configure RSA RADIUS server and allow using a firewall rule
2) Configure the RADIUS server in ISA
3) Configure authentication on the 'Internal' network to RADIUS
4) UNCHECK the 'Require all users to authenticate' (to allow anonymous
traffic for DHCP / DNS etc)
5) Create a firewall rule for HTTP / HTTPS traffic and set users to RADIUS

Now, all of this works. When I attempt to access the sites in the firewall
rule I am prompted for credentials and I can enter my RSA username /
passcode.

The problem is that I am constantly asked to re-authenticate (the Google
homepage requires two authentications).

The RSA passcode can only be used once (by design), so it is not cacheable.

Can you configure the reauthentication settings for RADIUS or disable
reauthentication?