Re: Multi Factor authentication options for wireless networks

[John Adams <jna () retina net>]

You could always take the route of not trusting the wireless network at all.
Users who get to wireless can only go to the Internet.

Put all the APs in a DMZ.

Users who can open up a VPN to your microsoft vpn servers can authenticate
and get to the corporate network.

This is the way things were done on the Apple campus for a long time.

-john

On Thu, Jun 9, 2011 at 3:15 PM, eric clark <cabenth () gmail com> wrote:

> Tokens are an option but I should have been more clear.
> As we're a windows shop (apologies, but that's the way it is), we were
> planning on going with user credentials and the machine's domain
> certificate.  Your solution might still be viable, but I'm not certain if I
> can get at the machine certs with LDAP that way,have to check that.
>
>
> On Thu, Jun 9, 2011 at 3:08 PM, John Adams <jna () retina net> wrote:
>
> > On Thu, Jun 9, 2011 at 3:02 PM, eric clark <cabenth () gmail com> wrote:
> >
> > > Wondering what people are using to provide security from their Wireless
> > > environments to their corporate networks? 2 or more factors seems to be
> > > the
> > > accepted standard and yet we're being told that Microsoft's equipment
> > > can't
> > > do it. Our system being a Microsoft Domain... seemed logical, but they
> > > can
> > > only do 1 factor.
> > > What are you guys using?
> >
> >
> > Move to 802.1X with Radius.
> >
> > Connect your APs or AP Controllers  to a decent OTP system like
> > otpd+rlm_otp+freeradius and then connect to the Microsoft domain using LDAP.
> >  Extend the LDAP schema to hold the private keys for the OTP system.
> >
> > Many vendors offer this solution, although I suggest that you don't go
> > with SecurID or any token vendor that does not disclose their algorithm to
> > you. Go open, and use OATH.
> >
> > The work being done on OATH is where future one-time, two-factor systems
> > are headed:
> >
> > http://www.openauthentication.org/
> >
> > -john