2 Factor Authentication with VPN

stan

Hello All:

Can anyone suggest the best method to accomplish 2 factor authentication for
VPN clients? I have tried using Microsoft Certificate Services and can't
quite get it working. I have a certificate server set up and can issue
certificates to clients through the web.
But when I try to log in from a client with the certificate installed, I get
username and/or password invalid for domain.

Can't figure out why. I guess my first question is - will the above satisfy
2 factor authentication if I get it working and....what am I doing wrong that
is causing this password error? Thanks
 
Hi Stan,

If you are using the Windows 2000 server, you can refer to the following
articles:

259880 Configuring a VPN to Use Extensible Authentication Protocol (EAP)
http://support.microsoft.com/?id=259880

325033 Configuring Microsoft L2TP/IPSec VPN for Earlier Clients
http://support.microsoft.com/?id=325033

Thanks for using Microsoft Newsgroup!

Sincerely,

Steven Liu [MSFT]

Microsoft Online Partner Support

MCSE 2000

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.
 
Stan:

I once heard a security guy call certificates "1 and a half
authentication". I guess it depends on who you're talking to. In most
cases, certs aren't workable because you can't install them everywhere
and if your users want to use a kiosk for example, certs are out. I
don't have a lot of experience with them, but people seem to have a
lot of trouble with them - anecdotally at least. From a security
perspective, if the cert is cloned, it can be brute-force attacked.
I would also suspect that initial validation, the process of assuring
that the right person gets the right cert is awkward with certs though
certainly less awkward than a hardware-based token - the analysts will
tell you that costs $15 a pop in soft & hard costs.

You also don't get a lot of other benefits from certs. For example,
if you wanted to allow customers, vendors, consultants, etc access to
your network with strong authentication, you probably couldn't put
certs on their machines. Increasingly, cross-enterprise
authentication is cropping up as a problem
(http://www.wired.com/news/privacy/0,1848,59024,00.html).

Here is a link to a paper on how to evaluate two-factor authentication
systems based on relative security, operational factors and financial
impacts:
http://www.wikidsystems.com/WiKIDReviewersGuidev1.pdf. Perhaps it
will be helpful.

Nick Owen
 
I fully recommend using a hardware container like Rainbow iKey for this; it
will give you 2 factor security for a PPTP VPN and 3 Factor for an L2TP VPN.
I don't own shares in this company, but I wish I did.
If you are interested they will send you a full tutorial on how to do this
and the USB based cryptokeys are less than fifty US dollars each.
 