2002-03-12-22:29:11 Kee Hinckley:

> At 9:46 PM -0500 3/12/02, Bennett Todd wrote:
> >If I wanted to set up a SecurID-authenticating Road Warrior
> >solution, I'd create a simple SSL-secured web page that can be used
> >to temporarily enable a particular cert for normal road-warrior
> >IPSec; that way, even though my server-side implementation would be
> >tied to a particular implementation, it could at least in principle
> >be re-implemented for others, and any client with a web browser and
> >an IPSec implementation could log in.
>
> Sure, but what a royal pain to use.
Sorry? It'd be possible with any web browser and a standard IP stack, as opposed to impossible without a specific, proprietary, vendor client. And if you had some specific behaviour you wanted --- e.g. a commandline or gui that prompted for the username and auth credentials, then fired them off at the server and started up IPSEC, it'd be easy to script in any reasonable language; all the interactions are at least standardized.

> The current Cisco IPSec client I'm using appears to send the user
> password with the SecurID parameter appended to it.

Of course, that's what any SecurID authentication implementation does: it concatenates the user password and the SecurID number as a single-use password. IPSec has no support for such user passwords in its protocols, so some external hack needs to be bolted on. You can use a proprietary hack, or build one on standard protocols.

> But ideally IPSec should have a way of dealing with the three
> standard security pieces--something I know, something I have and
> something I am.

At the moment, IPSec has no provisions for supporting user authentication at all --- it's being worked on, but for now you've got to use some external add-on. Once IPSec gets the ability, it will certainly support passing username/passwd. It may or may not support an interactive cycle where the server can present a challenge, so the possibilities for 2-factor auth may be confined to systems that can be run "blind", like e.g. SecurID and S/Key.

As for "something I know, something I have and something I am", I assume by that last you mean biometrics; I certainly wouldn't call that a "standard security piece" in any forum outside of biometrics salescritter conventions, and of course movie scriptwriting.

-Bennett
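The scheme Bennett sketches (an SSL-protected page takes username plus "password||tokencode", and on success temporarily enables that user's IPsec cert at the gateway), worked through as an added example. This is not code from either poster, from Cisco, or from RSA. SecurID's token algorithm is proprietary and not reproduced; the tokencode check below is an HMAC-based time code standing in for it, which is an assumption, as are the user record, token seed, cert fingerprint, 60-second code period and 600-second enable window, all of which are constructed for the example. Two details the thread only implies are made explicit: the static password has no fixed length, so the concatenated credential must be split from the right by the fixed tokencode width; and "single-use" means the server has to remember the last code it accepted, or a captured credential replays within the code's validity period.

```python
import hashlib
import hmac
import struct
import time

TOKENCODE_DIGITS = 6   # tokencodes are fixed width; the static password is not
PERIOD = 60            # assumed tokencode lifetime in seconds (example value)
PBKDF2_ROUNDS = 20000  # kept low so the example runs quickly


def split_credential(blob):
    """Split "password||tokencode" as the Cisco client is described sending it.

    The static password has no fixed length, so the only reliable split is
    the last TOKENCODE_DIGITS characters.  Returns (password, code) or None.
    """
    if len(blob) <= TOKENCODE_DIGITS:
        return None
    password, code = blob[:-TOKENCODE_DIGITS], blob[-TOKENCODE_DIGITS:]
    if not code.isdigit():
        return None
    return password, code


def expected_code(seed, now):
    """Stand-in for the token's algorithm (assumption, not SecurID's): HMAC-SHA1
    over the current period counter, truncated to TOKENCODE_DIGITS digits.
    What matters for the thread's point is that the server computes the code
    'blind', with no challenge sent to the user."""
    counter = int(now // PERIOD)
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (TOKENCODE_DIGITS, value % 10 ** TOKENCODE_DIGITS)


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(password, seed, cert_fingerprint, salt=b"constructed-salt"):
    """Build a user record; the salt default is a constructed example value."""
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "seed": seed, "cert": cert_fingerprint}


class RoadWarriorGate:
    """Server side of the 'SSL page enables your cert' scheme."""

    def __init__(self, users, window=600):
        self.users = users        # username -> record from make_user()
        self.window = window      # seconds a cert stays enabled after login
        self.enabled = {}         # cert fingerprint -> expiry time
        self.last_code = {}       # username -> last accepted tokencode

    def login(self, username, credential, now=None):
        """What the SSL page calls with the posted form; True enables the cert."""
        now = time.time() if now is None else now
        record = self.users.get(username)
        parts = split_credential(credential)
        if record is None or parts is None:
            return False
        password, code = parts
        pw_ok = hmac.compare_digest(hash_password(password, record["salt"]),
                                    record["pw_hash"])
        code_ok = hmac.compare_digest(code, expected_code(record["seed"], now))
        # A tokencode is single-use: refuse the same code twice even inside
        # its validity period, otherwise a captured credential replays.
        fresh = self.last_code.get(username) != code
        if not (pw_ok and code_ok and fresh):
            return False
        self.last_code[username] = code
        self.enabled[record["cert"]] = now + self.window
        return True

    def cert_allowed(self, cert_fingerprint, now=None):
        """What the IPsec gateway consults before accepting a client cert."""
        now = time.time() if now is None else now
        expiry = self.enabled.get(cert_fingerprint)
        return expiry is not None and now < expiry
```

The gateway side only needs `cert_allowed()`; how the enable list reaches the IPsec daemon (a file it rereads, a CRL-style list, a database) is an integration detail the thread leaves open and this example does not settle.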