Re: SecurID and FreeS/WAN GW

From: Bennett Todd
Date: 03/21/02

Date: Wed, 20 Mar 2002 18:37:37 -0500
From: Bennett Todd <>
To: Kee Hinckley <>

2002-03-12-22:29:11 Kee Hinckley:
> At 9:46 PM -0500 3/12/02, Bennett Todd wrote:
> >If I wanted to set up a SecurID-authenticating Road Warrior
> >solution, I'd create a simple SSL-secured web page that can be used
> >to temporarily enable a particular cert for normal road-warrior
> >IPSec; that way, even though my server-side implementation would be
> >tied to a particular implementation, it could at least in principle
> >be re-implemented for others, and any client with a web browser and
> >an IPSec implementation could log in.
> Sure, but what a royal pain to use.

Sorry? It'd be possible with any web browser and a standard IP
stack, as opposed to impossible without a specific, proprietary,
vendor client.

And if you had some specific behaviour you wanted --- e.g. a
commandline or GUI that prompted for the username and auth
credentials, then fired them off at the server and started up IPSec,
it'd be easy to script in any reasonable language; all the
interactions are at least standardized.

> The current Cisco IPSec client I'm using appears to send the user
> password with the SecurID parameter appended to it.

Of course, that's what any SecurID authentication implementation
does, it concatenates the user password and the SecurID number as a
single-use password. IPSec has no support for such user passwords in
its protocols, so some external hack needs to be bolted on. You can
use a proprietary hack, or build one on standard protocols.

> But ideally IPSec should have a way of dealing with the three
> standard security pieces--something I know, something I have and
> something I am.

At the moment, IPSec has no provisions for supporting user
authentication at all --- it's being worked on, but for now you've
got to use some external add-on. Once IPSec gets the ability, it
will certainly support passing username/passwd. It may or may
not support an interactive cycle where the server can present a
challenge, so the possibilities for 2-factor auth may be confined to
systems that can be run "blind", like e.g. SecurID and S/Key.

As for "something I know, something I have and something I am", I
assume by that last you mean biometrics; I certainly wouldn't call
that a "standard security piece" in any forum outside of biometrics
salescritter conventions, and of course movie scriptwriting.
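The SSL-page gate described in this message, as an added illustration that is not code from the thread or from FreeS/WAN: after checking a username and the concatenated password + tokencode (and refusing a replayed tokencode, since the combined passcode is single-use), it enables a named road-warrior cert for a limited time, and the IPsec side consults that before accepting the cert. The user store, the 6-digit tokencode length and the cert identifier are constructed assumptions.

```python
import hmac
import time

TOKEN_LEN = 6  # SecurID tokencodes are 6 digits in this assumed deployment
# Constructed sample store: username -> (PIN/password, tokencode currently valid).
# It stands in for the ACE/RADIUS lookup a real gateway would make (assumption).
SAMPLE_USERS = {"alice": ("s3cretPIN", "123456")}


def split_passcode(passcode):  # 'password + tokencode' -> (password, tokencode)
    if len(passcode) <= TOKEN_LEN or not passcode[-TOKEN_LEN:].isdigit():
        return None
    return passcode[:-TOKEN_LEN], passcode[-TOKEN_LEN:]


class CertGate:
    """Enables a road-warrior cert for a limited time after a SecurID login."""
    def __init__(self, ttl=8 * 3600, users=SAMPLE_USERS):
        self.ttl, self.users = ttl, users
        self.enabled = {}        # cert id -> expiry timestamp
        self.used_codes = set()  # (user, tokencode) already spent: single use

    def verify(self, username, passcode):
        parts, record = split_passcode(passcode), self.users.get(username)
        if parts is None or record is None:
            return False
        password, code = parts
        if (username, code) in self.used_codes:
            return False  # replayed tokencode: the combined passcode is single-use
        ok_pw = hmac.compare_digest(password.encode(), record[0].encode())
        ok_code = hmac.compare_digest(code.encode(), record[1].encode())
        if ok_pw and ok_code:  # both halves compared before deciding
            self.used_codes.add((username, code))
            return True
        return False

    def login(self, username, passcode, cert_id, now=None):
        """SSL page handler: on success, enable cert_id for IPsec for ttl seconds."""
        now = time.time() if now is None else now
        if not self.verify(username, passcode):
            return False
        self.enabled[cert_id] = now + self.ttl
        return True

    def is_enabled(self, cert_id, now=None):
        """Policy check the IPsec side consults before accepting cert_id."""
        now = time.time() if now is None else now
        expiry = self.enabled.get(cert_id)
        if expiry is not None and now < expiry:
            return True
        self.enabled.pop(cert_id, None)  # expired or unknown: ensure disabled
        return False
```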