Fw: [vpn] authentication with vpn

Keith Pasley, CISSP kpasley6 at home.com
Wed Jan 2 21:24:44 EST 2002


Jean-Philipe,
Thought I would forward my reply to the list for comment/review, as well. In
agreement with the security risks mentioned in the previous replies from the
list, it sounds like you will have to somehow manage have usability/security
trade-off issue in what ever solution you decide to use.
Keith

> Fundamentally, this would involve  interoperability between the home user
> ISP auth system and your gateway authentication system.
>
> Have you discussed whether it is possible to synchronize the ISP
> authentication data with the your gateway authentication data for the home
> users, say with a token-based 2- factor authentication like Secure
ID/PassGo
> or even password -based RADIUS? This is assuming the home users are on the
> same dial-up ISP.
>
> The concept is: The users would authenticate to the dial-up ISP , if user
> passes the ISP's authentication then user is allowed onto the ISP.
> The ISP auth server would then pass the user authentication credentials
(via
> scripting or user profile configuration) to your gateway authentication
> server. If user passes your gateway authentication , then your gateway
> authentication server sends "ok" back to the user's VPN client, then a VPN
> tunnel is set up to your gateway. This would probably involve some
scripting
> and/or proxying for the dial-up ISP authentication servers (in the case of
> say, RADIUS) to talk with your auth server.
> Authenticating your DSL/Cable users , of course, would be simpler. They
> could authenticate directly to your gateway.
>
> One vendor I know of does this by caching a password in the client so the
> user only needs to "know" one of the 2 passwords needed to get thru both
> systems and into the VPN.
>
>
> Keith
> ----- Original Message -----
> From: <jean-philippe.planquart at wanadoo.fr>
> To: <vpn at securityfocus.com>
> Sent: Tuesday, January 01, 2002 4:56 PM
> Subject: [vpn] authentication with vpn
>
>
> >
> >
> >
> > I want to deploy vpn service for home users to access to intranet
network.
> >
> > Users will first connect through an ISP service, and then to an
> authentication server to
> > access to my intranet. With this solution, users must authenticate twice
:
> > - first to the ISP to authorize access to Internet
> > - Second, to the authentication Gateway to authorize access to the
> Intranet.
> >
> > Then, after authentication, we build vpn between home user and the
> Gateway. With this
> > solution, people have to learn 2 passwords ( for ISP and for my
Gateway ).
> > Has any body a solution to enter only one password ?
> >
> >
> > VPN is sponsored by SecurityFocus.com
> >
>
>


VPN is sponsored by SecurityFocus.com





More information about the VPN mailing list