IPsec and User Authentication


Fri Jan 4 00:30:02 EST 2008


Hi all --

I am in the middle of revising my VPN tutorial (the
USENIX/SANS class), and in looking at the IPsec
section a question has arisen.

How many of you are using IPsec for remote access
VPN -- that is, for replacing dial-ups for individual
users, rather than site-to-site?  If you are, what
are you doing for user authentication?

The book answers seem to be user-based digital
certificates (if you've got some way to associate
them with a user rather than a machine), one of the
"hybrid" authentication mechanisms (XAUTH and its
relatives), or some layering of IPsec with protocols
like PPTP or L2TP (which include "traditional" user
authentication support).  But I'm curious to see
what people who are really >doing< it are doing.

Thanks for any info.  For those who are curious,
I will post results to the list -- and if you really
want to get the gory details, I'll be teaching the
class at SANS in Baltimore in May.

cheers -- tbird

VPN:  http://kubarb.phsx.ukans.edu/~tbird/vpn.html
life: http://kubarb.phsx.ukans.edu/~tbird
work: http://www.counterpane.com

VPN is sponsored by SecurityFocus.COM
