[vpn] authentication with vpn

Kent Dallas kent at dalliesin.com
Thu Jan 3 14:47:00 EST 2002


Jean-Philippe,

One other thought:  You may want to investigate a compulsory L2TP solution.

If you can find a service provider that supports such a solution in your
area, the users would dial-in to a local ISP POP, but instead of getting
Internet access, the NAS would forward RADIUS/CHAP authentication data to
you.  Once you authenticate the user, the user's PPP session would be
forwarded to an L2TP network server on your network.  You could then
terminate the PPP session, assigning a private IP address, DNS server, and
WINS server.

This solution offers "Intranet" access across Internet facilities, with a
"look and feel" just like logging on to the ISP itself.  It is very easy for
end users, as they don't have to do anything out of the ordinary.  And it
does not require any special VPN client to install or manage.  If the user
needs Internet access within the same session, you would have to proxy their
HTTP requests from your internal network.

Most compulsory L2TP solutions do not include encryption, so you will have
less privacy than you would have with an IPsec solution.  However, based on
your description, security does not appear to be your top concern.

If you desire an IPsec solution, you can have the ISP proxy the RADIUS
authentication to a server you control. Then the Internet access and VPN
could authenticate to the same database.  Users would not have to learn two
different passwords, but they would have to enter the same password twice.

If you do end up with a solution using only one password, understand that
the entire security of your system will be limited to the strength of the
passwords chosen.  In this case, I would strongly recommend some "end user
training" on how to develop strong passwords.  You can find much more detail
on this topic at http://www.dalliesin.com/pswd.html.

Best of luck,
Kent Dallas

-----Original Message-----
From: jean-philippe.planquart at wanadoo.fr
[mailto:jean-philippe.planquart at wanadoo.fr]
Sent: Tuesday, January 01, 2002 4:57 PM
To: vpn at securityfocus.com
Subject: [vpn] authentication with vpn

I want to deploy a VPN service for home users to access the intranet network.

Users will first connect through an ISP service, and then to an
authentication server to access my intranet. With this solution, users must
authenticate twice:
- first, to the ISP to authorize access to the Internet
- second, to the authentication Gateway to authorize access to the Intranet.

Then, after authentication, we build a VPN between the home user and the
Gateway. With this solution, people have to learn 2 passwords (for the ISP
and for my Gateway).
Does anybody have a solution to enter only one password?


VPN is sponsored by SecurityFocus.com
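
Added example, not part of the original e-mails: a sketch of the check a RADIUS server you control would run on the CHAP data forwarded by the ISP's NAS, following RFC 1994 and RFC 2865. The user store, account, and function names are hypothetical; note that the server must hold the cleartext password, so the scheme is only as strong as that password.

```python
import hashlib
import hmac
import os

# Constructed sample account. CHAP verification needs the cleartext password,
# so the RADIUS server cannot keep only a one-way hash of it.
USERS = {"jdoe": b"correct horse battery staple"}


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def verify_chap(user, chap_password, chap_challenge, request_authenticator):
    """Validate the CHAP attributes of a RADIUS Access-Request (RFC 2865).

    chap_password is attribute 3: one identifier octet plus a 16-octet
    response. chap_challenge is attribute 60, or None/empty when the NAS
    placed the challenge in the Request Authenticator field instead.
    """
    if len(chap_password) != 17:
        return False  # malformed attribute
    challenge = chap_challenge if chap_challenge else request_authenticator
    if not challenge:
        return False  # nothing to verify against
    ident, response = chap_password[0], chap_password[1:]
    password = USERS.get(user)
    # Hash a dummy secret for unknown users so both paths do the same work.
    secret = password if password is not None else b"\x00"
    expected = chap_response(ident, secret, challenge)
    return password is not None and hmac.compare_digest(expected, response)


def build_nas_request(user, typed_password, ident=1):
    """Simulate what the NAS forwards after the PPP CHAP exchange (constructed)."""
    challenge = os.urandom(16)
    response = chap_response(ident, typed_password, challenge)
    return user, bytes([ident]) + response, challenge


if __name__ == "__main__":
    u, cp, ch = build_nas_request("jdoe", b"correct horse battery staple")
    print("accept" if verify_chap(u, cp, ch, b"") else "reject")
```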


