Re: SecurID and FreeS/WAN GW

From: Kee Hinckley (nazgul@somewhere.com)
Date: 03/13/02


Date: Tue, 12 Mar 2002 22:29:11 -0500
To: Bennett Todd <bet@rahul.net>
From: Kee Hinckley <nazgul@somewhere.com>

At 9:46 PM -0500 3/12/02, Bennett Todd wrote:
>If I wanted to set up a SecurID-authenticating Road Warrior
>solution, I'd create a simple SSL-secured web page that can be used
>to temporarily enable a particular cert for normal road-warrior
>IPSec; that way, even though my server-side implementation would be
>tied to a particular implementation, it could at least in principle
>be re-implemented for others, and any client with a web browser and
>an IPSec implementation could log in.

Sure, but what a royal pain to use.

The current Cisco IPSec client I'm using appears to send the user
password with the SecurID parameter appended to it. That seems like
a reasonable solution. But ideally IPSec should have a way of
dealing with the three standard security pieces--something I know,
something I have and something I am.

-- 

Kee Hinckley - Somewhere.Com, LLC http://consulting.somewhere.com/ nazgul@somewhere.com

I'm not sure which upsets me more: that people are so unwilling to accept responsibility for their own actions, or that they are so eager to regulate everyone else's.