Two factor Authentication


DOUG

Hello All:

Don't know if this is the right newsgroup for this question but hopefully
someone may have some input. I need to move to a 2 factor authentication
system for our VPN users to satisfy a client. Is there anything natively in
Windows that will allow me to do this? We are trying to avoid third party
apps or hardware.

Thanks
 
L2TP uses both machine and user authentication if that is any help and
requires a machine certificate. That will prevent a user from gaining access
just by knowing a user name/password - they must be accessing on a machine
with a certificate in the trust chain. Remote access policies can be
configured to allow only L2TP connections if necessary. You may also want to
post on the win2000.routing_remote access newsgroup. --- Steve
 
Thanks ... know of any resources on this topic?


Steven L Umbach said:
L2TP uses both machine and user authentication if that is any help and
requires a machine certificate. That will prevent a user from gaining access
just by knowing a user name/password - they must be accessing on a machine
with a certificate in the trust chain. Remote access policies can be
configured to allow only L2TP connections if necessary. You may also want to
post on the win2000.routing_remote access newsgroup. --- Steve
 
Apparently I misunderstood the two factor authentication term. After a little
research it sounds like a smart card type device for user authentication, which can
be implemented with W2K VPN through EAP-TLS, though I have not done it myself.
The following links may help. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;259880
http://www.microsoft.com/windows2000/en/advanced/help/sag_VPN_us09.htm
http://www.authenex.com/products_asas.cfm?menu3variable=asas
http://www.rsasecurity.com/company/news/releases/pr.asp?doc_id=140
 
I recommend using RADIUS between your VPN and the authentication
server. Almost all (if not all) VPN services support RADIUS and there
are a number of excellent free RADIUS servers out there.

I am assuming that your client is requiring you to use two factor on
your network. If they also are asking that they be able to access
your network using two-factor or that you access their network using
two factor or both (or possibly will in the future) then I would avoid
one-to-one type authentication systems such as SecurID or smartcards.
We have the ability to easily handle cross-enterprise authentication
for a multiple of scenarios and requirements.

If you're interested in evaluating strong authentication systems based
on relative security, operational factors and cost impacts, here is
some additional information:
http://www.wikidsystems.com/WiKIDReviewersGuidev1.pdf

Hope this helps,

Nick

ps: obviously, I work here ;)
 