April 16th, 2006, 05:54 PM
LDAP two factor authentication
I was looking for some help researching a new solution for my company. I was interested in implementing an LDAP solution for my company, and wanted to see if you guys know if two-factor authentication is possible. I wanted to outfit the employees with some cheap USB keys.
Here's my overall goal I guess. I'm going to be implementing a Samba PDC that authenticates to LDAP for all the windows clients. I wanted to see if it's possible to use a hardware token to add an extra layer of security. It's also a very VPN dependent shop, so I am going to try my hand at doing OpenVPN with authentication using the same USB key. That way for all the laptop users, they'd have to steal the laptop and the USB key. If they have to use it for both home and work, they'll be more likely to put it on their car keys instead of permanently stored in a laptop bag or leaving it plugged in the computer.
i'm open to ideas and suggestions as we're going to be switching out some old servers and putting together something brand new. I also have VMware server to test anything, so please any suggestions at all would be great. Oh, and I am the IT budget so I guess my total to spend on hardware or software would be about $1000.
Thanks for your help guys.
April 16th, 2006, 09:26 PM
I think OpenVPN is a good inexpensive choice, (I say inexpensive because if it works for you I would certainly donate), although it doesn't support L2TP or IPSEC, it does support SSL, TLS, VPN's, NATs, Certificates and has a wide OS scope. Kudos to them.
I know that future Netgear products, in particular, will support SSL over VPN with certificates and I'm happy they are moving from a difficult (should I say problematic) propietary VPN setup to a easier (what's becoming) industry standard way of doing things (SSL over VPN).
I do like Vasco's Virtual Digipass (but haven't installed it) and I do have experience in setting up an RSA SecureID two factor (wireless key fob) system with Checkpoint VPN, but with a meager budget of $1000 for hardware and/or software, I don't know where you are going to source your solution. Two factor is not cheap, although I don't know what the open source community holds.
Anyways, my suggestion, is continue with the idea of running SSL certif over VPN with a single factor auth system, see if that's all you need.
I do have a question.
Instead of using the USB devices as part of a two factor VPN auth system, what about using a single factor VPN system (as discussed) and use the USB devices as authorization for hardware access?
Beta tester of "0"s and "1"s"
April 17th, 2006, 03:57 AM
ZT3000: what do you mean about hardware access? I'm not trying to go full blown two factor, i'm merely thinking about certificates on USB keys. I know pam_usb provides support for it, but i'm just wondering if LDAP has any kind of schema or implementation of it somewhere. I hate mixing clients but our bread and butter software demands a windows environment, unless i run it as a web service from Win2k3, which shits all over my budget with just 10 users. i also have to provide for about 20, and i want room to move to 30 or more.
The boss here has almost no concept of computers in general and i'm unavailable during all of the business day because this is a second job. I'm positive openvpn will support our needs for VPN i'm just looking for a kick-ass low cost implementation of 2 factor authentication since we have alot of people in and out of the office. i already know most passwords in the shop and they all suck. making users change them or remember more difficult ones will make it worse since they will just become post-its or resets. i guess i'm trying to have my cake and eat it too. champaigne taste on a beer budget as they say.
If i could just have 2 certificates stored on a cheap usb drive i'd be happy. 1 certificate for openvpn which i know is poosible, and 1 for local access in office which i'm sketchy on.
April 17th, 2006, 05:57 AM
I get a better picture of what you are looking for after your last post.
I understand pam_usb but I don't know if there is an equivalent "ldap_usb" (if I can use that expression). Open source is my weakness....
However, since most of my knowledge is the Microsoft arena, I can suggest you check out the A-Key from Authenex. It supports two factor authentication via usb thru LDAP or AD (Active Directory). Their price is about 1/3 of anyone else. The last quote I have from them was $37,000 for a 1,000 seat. Whereas other quotes were at $60-100 a seat per thousand.
Perhaps you would give them a shout on a quote for a lower seat count.
Two factor blurb
I understand that one.
champaigne taste on a beer budget as they say
Hope this helps.
Beta tester of "0"s and "1"s"
April 17th, 2006, 10:09 PM
So you want to lock down the LAN with 2FA as well as the VPN? You might be able to do on a windows server using window certs, but you say that is beyond the budget. How about using Openvpn inside the lan as well as outside?
I would bet that you can run the Openvpn certificates from USB drive without buying actual tokens. You would have to create each of the tokens, I would suspect.
You can also look into the open source version of our software-based two-factor authentication system, which will tie into Openvpn via tacacs or ldap and will run on a USB drive or on the PC. The advantage would be that the PIN is checked on the server, so if someone steals the laptop with the USB key (the whole briefcase, e.g.), they wouldn't have the PIN.
We have a doc on how to setup openvpn and WiKID here: http://www.wikidsystems.net/howtos/openvpn_two_factor/
Another possibility is to use a different GINA for windows login. Check out http://pgina.xpasystems.com/. There isn't a GINA specifically for certs, but there is one for PAM and LDAP. Perhaps that would work for the LAN.