Re: VPN to Windows Network with ACE/SecurID

From: Vin McLellan (vin_at_theworld.com)
Date: 04/12/05


Date: 12 Apr 2005 13:43:37 -0700

gjb wrote:

<snip>
> My question is this .... When the user VPN client establishes the VPN
> connection and is routed to the ACE server is there a way to perform
> the domain logon at the same time?

I figure you've probably reached out to the RSA Tech Support guys for
help on this by now, but if you have not, you might want to check out
RSA's new SecurID for Windows (SID4Win) infrastructure
<http://tinyurl.com/476wy>, and ask your RSA SSE or Customer Support if
it could help you address this issue.

The attention on RSA's SID4Win has largely focused on the way it
permits the replacement of the static password with an RSA SecurID as
native authentication for Windows XP machines (even when those PCs are
temporarily disconnected from the Net). With the RSA Authentication
Manager v. 6 (aka the latest & greatest ACE/Server), and the
appropriate ACE Authentication Agents, SID4Win can also integrate the
Domain logon and the local PC logon.

I frankly don't know how or if a VPN client would be integrated into
this, but others must have raised the same issue for corporate road
warriors.

Here's a rough sketch for how SID4Win handles the Domain logon and the
local XP Windows logon:

A user's PC, loaded with the RSA ACE/Agent Domain Authentication
Component, prompts a user for a SecurID two-factor passcode and sends
it to the DC via SSL. The Domain Controller (with RSA's ACE/Agent
Domain Authentication Server Component and Client Component) in turn
sends the user's name and passcode to the RSA Authentication Manager
(aka ACE/Server). If the passcode is correct, the user gains access to
domain resources and the RAM sends its stored copy of the Windows
password to the Windows logon process to open the door.

I've been a consultant to RSA for many years, but I've never set one of
these up. You really want to talk to an RSA tech support guy to get
your options for your specific environment. I'm not sure of current
pricing either, but for several months RSA has been offering all these
new agents available free for most v6 RAM servers.

Suerte,
       _Vin


