Security Basics mailing list archives

Re: Two Factor - Virtual Private Network


From: Nick Owen <nickowen () mindspring com>
Date: Mon, 16 Nov 2009 10:14:55 -0500

On 11/11/2009 08:13 AM, self.away wrote:
> Hi.
> I'm trying to set up a remote access vpn (user dials up from home to
> our vpn server). The first goal was to set up a pptp vpn based on
> microsoft rras which turned out pretty easy.
> Now it has been required to add an extra layer of security to vpn
> authentication by adding a certificate which as far as I read it
> should be accomplished adding EAP authentication to our vpn pptp
> configuration.
> However it seems when adding EAP to vpn pptp, authentication login to
> our VPN will only require certificate installed on remote vpn user
> workstation and not user/password.
> How can I get both user/password and certificate in the authentication
> process for vpn pptp with microsoft rras?
> Is there any other opensource vpn solution based on two-factor authentication?

As for the last question, there are a number of options, though the
easiest will probably not be a 100% open source solution, because you
are going to an MS authentication server.  What you really want to think
about is what VPN solutions work with what two-factor authentication
solutions using the authentication protocols in my environment.

I discussed this strategy in a recent webinar, which you can see here:
http://rec1.dimdim.com/view/dimdim/183030aa-1f68-102d-9515-003048642bd7
which describes two-factor auth, auth protocols & a number of
open-source remote access solutions.

Here are some how-tos that might help as well:

two-factor authentication & openvpn:
http://www.wikidsystems.com/support/wikid-support-center/how-to/using-wikid-strong-authentication-with-openvpn

two-factor and astaro:
http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-wikid-two-factor-authentication-to-the-astaro-security-gateway

increasing the security of pptp (poptop):
http://www.howtoforge.net/security-issues-and-poptop-pptp

If your need for both a password and a cert is driven by regulatory
requirements, you should also make sure that you can prove the cert has
a passphrase and key expiration.

HTH,

Nick



-- 
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open-source Two-Factor Authentication
http://twitter.com/wikidsystems
#wikid on irc.freenode.net
