Multi Factor authentication options for wireless networks
Wondering what people are using to provide security from their Wireless environments to their corporate networks? 2 or more factors seems to be the accepted standard and yet we're being told that Microsoft's equipment can't do it. Our system being a Microsoft Domain... seemed logical, but they can only do 1 factor. What are you guys using? Thanks
On Thu, Jun 9, 2011 at 3:02 PM, eric clark <cabenth@gmail.com> wrote:
Wondering what people are using to provide security from their Wireless environments to their corporate networks? 2 or more factors seems to be the accepted standard and yet we're being told that Microsoft's equipment can't do it. Our system being a Microsoft Domain... seemed logical, but they can only do 1 factor. What are you guys using?
Move to 802.1X with Radius.
Connect your APs or AP Controllers to a decent OTP system like otpd+rlm_otp+freeradius and then connect to the Microsoft domain using LDAP. Extend the LDAP schema to hold the private keys for the OTP system.
Many vendors offer this solution, although I suggest that you don't go with SecurID or any token vendor that does not disclose their algorithm to you. Go open, and use OATH.
The work being done on OATH is where future one-time, two-factor systems are headed:
http://www.openauthentication.org/
-john
Tokens are an option but I should have been more clear. As we're a Windows shop (apologies, but that's the way it is), we were planning on going with user credentials and the machine's domain certificate. Your solution might still be viable, but I'm not certain if I can get at the machine certs with LDAP that way, have to check that.
On Thu, Jun 9, 2011 at 3:08 PM, John Adams <jna@retina.net> wrote:
You could always take the route of not trusting the wireless network at all. Users who get to wireless can only go to the Internet. Put all the APs in a DMZ. Users who can open up a VPN to your Microsoft VPN servers can authenticate and get to the corporate network. This is the way things were done on the Apple campus for a long time.
-john
On Thu, Jun 9, 2011 at 3:15 PM, eric clark <cabenth@gmail.com> wrote:
We use wireless authentication for the purposes of protecting the link layer... authenticated users are still outside the privileged corporate network and therefore need to VPN in.
joel
On Jun 9, 2011, at 3:02 PM, eric clark wrote: