Protecting a network with RADIUS / RSA

Post by U3RldmV » Thu, 23 Feb 2006 19:36:05

I hope someone can help me with a RADIUS re-authentication issue in ISA 2004

I want to protect a network with ISA and two-factor authentication (RSA). As
RSA is mainly supported in ISA 2004 for server publishing and VPN, I have had
to implement it as follows:

1) Configure RSA RADIUS server and allow using a firewall rule
2) Configure the RADIUS server in ISA
3) Configure authentication on the 'Internal' network to RADIUS
4) UNCHECK the 'Require all users to authenticate' (to allow anonymous
traffic for DHCP / DNS etc)
5) Create a firewall rule for HTTP / HTTPS traffic and set users to RADIUS

Now, all of this works. When I attempt to access the sites in the firewall
rule I am prompted for credentials and I can enter my RSA username /

The problem is that I am constantly asked to re-authenticate (the google
homepage requires two authentications)

As the RSA passcode can only be used once (by design), it is not cacheable.

Can you configure the reauthentication settings for RADIUS or disable

Protecting a network with RADIUS / RSA

Post by QXNob2 » Sat, 25 Feb 2006 04:46:47

Hi Steve,

I think there is an article somewhere on TechNet where it has a script that
you can use to make ISA Server cache the credential for a session so it
doesn't ask all the time.

This also results in reduced traffic to the RADIUS server.

Let me see if I can find the article/link.

Here we go:

Protecting a network with RADIUS / RSA

Post by U3RldmV » Sat, 25 Feb 2006 18:00:27

Thanks for the reply Ashok,

I saw that on MSDN but that appears to apply to web listeners which would
suggest a web publishing rule rather than a firewall access rule.

Also RSA is a use-once passcode so cannot be cached - unless the caching is
done at an ISA level and it doesn't check back via RADIUS...


Protecting a network with RADIUS / RSA

Post by R2FyeSB » Wed, 01 Mar 2006 19:49:28

We did manage to run the script and change the setting; however, as Steve
stated, the token changes, so the cached information is incorrect and disables
the token. We did try this using a password associated with the account and this
did work but was painfully slow.