Re: SecurID and FreeS/WAN GW

From: Bennett Todd
Date: 03/21/02

Date: Wed, 20 Mar 2002 18:37:37 -0500
From: Bennett Todd <>
To: Kee Hinckley <>

2002-03-12-22:29:11 Kee Hinckley:
> At 9:46 PM -0500 3/12/02, Bennett Todd wrote:
> >If I wanted to set up a SecurID-authenticating Road Warrior
> >solution, I'd create a simple SSL-secured web page that can be used
> >to temporarily enable a particular cert for normal road-warrior
> >IPSec; that way, even though my server-side implementation would be
> >tied to a particular implementation, it could at least in principle
> >be re-implemented for others, and any client with a web browser and
> >an IPSec implementation could log in.
> Sure, but what a royal pain to use.

Sorry? It'd be possible with any web browser and a standard IP
stack, as opposed to impossible without a specific, proprietary,
vendor client.

And if you had some specific behaviour you wanted --- e.g. a
commandline or gui that prompted for the username and auth
credentials, then fired them off at the server and started up IPSec,
it'd be easy to script in any reasonable language; all the
interactions are at least standardized.

> The current Cisco IPSec client I'm using appears to send the user
> password with the SecurID parameter appended to it.

Of course, that's what any SecurID authentication implementation
does, it concatenates the user password and the SecurID number as a
single-use password. IPSec has no support for such user passwords in
its protocols, so some external hack needs to be bolted on. You can
use a proprietary hack, or build one on standard protocols.

> But ideally IPSec should have a way of dealing with the three
> standard security pieces--something I know, something I have and
> something I am.

At the moment, IPSec has no provisions for supporting user
authentication at all --- it's being worked on, but for now you've
got to use some external add-on. Once IPSec gets the ability, it
will certainly support passing username/passwd. It may or may
not support an interactive cycle where the server can present a
challenge, so the possibilities for 2-factor auth may be confined to
systems that can be run "blind", like e.g. SecurID and S/Key.

As for "something I know, something I have and something I am", I
assume by that last you mean biometrics; I certainly wouldn't call
that a "standard security piece" in any forum outside of biometrics
salescritter conventions, and of course movie scriptwriting.
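The design sketched earlier in this message (an SSL web login that takes the user's password with the SecurID tokencode appended, and on success temporarily enables that user's cert on the IPSec gateway) can be written down as a small server-side module. What follows is an added example, not Bennett Todd's code and not part of FreeS/WAN or any RSA product: the tokencode check is a constructed stand-in for what a real ACE/SecurID server would do, and the user table, cert subjects and `ENABLE_WINDOW_SECONDS` are all hypothetical values chosen for the illustration.

```python
"""Sketch of "2-factor web login temporarily enables a cert for IPSec".
Added example; not the original poster's code and not part of FreeS/WAN.
The tokencode verifier is a constructed stand-in for a SecurID/ACE check."""
from __future__ import annotations

import hmac
import time
from dataclasses import dataclass, field

# How long a cert stays enabled after a successful login (hypothetical value).
ENABLE_WINDOW_SECONDS = 8 * 3600


def split_passcode(passcode: str, tokencode_len: int = 6) -> tuple[str, str]:
    """Split 'password + tokencode' (the concatenation the message describes)
    into its two parts. The tokencode is the fixed-length numeric suffix;
    everything in front of it is the static password."""
    if len(passcode) <= tokencode_len or not passcode[-tokencode_len:].isdigit():
        raise ValueError("passcode must end in a %d-digit tokencode" % tokencode_len)
    return passcode[:-tokencode_len], passcode[-tokencode_len:]


@dataclass
class User:
    password: str
    valid_tokencode: str                 # constructed stand-in for the token server's answer
    used_tokencodes: set = field(default_factory=set)  # a tokencode is single-use


class CertEnabler:
    """Time-limited allow list of certificate subjects for the IPSec gateway.
    The gateway consults is_enabled() before accepting a road-warrior SA."""

    def __init__(self, users: dict[str, User], clock=time.time):
        self.users = users
        self.clock = clock                 # injectable so expiry can be tested
        self.enabled: dict[str, float] = {}   # cert subject -> expiry timestamp

    def verify(self, username: str, password: str, tokencode: str) -> bool:
        """Check both factors; burn the tokencode so a replay of it fails."""
        user = self.users.get(username)
        if user is None:
            return False
        pw_ok = hmac.compare_digest(password.encode(), user.password.encode())
        tc_ok = hmac.compare_digest(tokencode.encode(), user.valid_tokencode.encode())
        if not (pw_ok and tc_ok) or tokencode in user.used_tokencodes:
            return False
        user.used_tokencodes.add(tokencode)
        return True

    def login(self, username: str, passcode: str, cert_subject: str) -> bool:
        """The web-page handler: on success, enable cert_subject for a window."""
        password, tokencode = split_passcode(passcode)
        if not self.verify(username, password, tokencode):
            return False
        self.enabled[cert_subject] = self.clock() + ENABLE_WINDOW_SECONDS
        return True

    def is_enabled(self, cert_subject: str) -> bool:
        """What the IPSec gateway asks; expired entries are dropped on the spot."""
        expiry = self.enabled.get(cert_subject)
        if expiry is None:
            return False
        if self.clock() >= expiry:
            del self.enabled[cert_subject]
            return False
        return True


if __name__ == "__main__":
    # Constructed sample user and cert subject, for a stand-alone run.
    enabler = CertEnabler({"kee": User("hunter2", "123456")})
    print("login:", enabler.login("kee", "hunter2123456", "CN=kee-laptop"))
    print("enabled:", enabler.is_enabled("CN=kee-laptop"))
    print("replayed login:", enabler.login("kee", "hunter2123456", "CN=kee-laptop"))
```

The two properties worth keeping from this sketch are that the enablement is bound to a specific cert subject and expires on its own, so a lost laptop's cert is only useful inside the window, and that each tokencode is consumed on first use, which is what makes the concatenated password a single-use credential rather than a replayable one.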
