You could always take the route of not trusting the wireless network at all. Users who get to wireless can only go to the Internet.

Put all the APs in a DMZ. Users who can open up a VPN to your Microsoft VPN servers can authenticate and get to the corporate network. This is the way things were done on the Apple campus for a long time.

-john

On Thu, Jun 9, 2011 at 3:15 PM, eric clark <cabe...@gmail.com> wrote:
> Tokens are an option but I should have been more clear.
> As we're a Windows shop (apologies, but that's the way it is), we were
> planning on going with user credentials and the machine's domain
> certificate. Your solution might still be viable, but I'm not certain if I
> can get at the machine certs with LDAP that way, have to check that.
>
>
> On Thu, Jun 9, 2011 at 3:08 PM, John Adams <j...@retina.net> wrote:
>
>> On Thu, Jun 9, 2011 at 3:02 PM, eric clark <cabe...@gmail.com> wrote:
>>
>>> Wondering what people are using to provide security from their wireless
>>> environments to their corporate networks? 2 or more factors seems to be
>>> the accepted standard and yet we're being told that Microsoft's equipment
>>> can't do it. Our system being a Microsoft Domain... seemed logical, but they
>>> can only do 1 factor.
>>> What are you guys using?
>>
>>
>> Move to 802.1X with RADIUS.
>>
>> Connect your APs or AP Controllers to a decent OTP system like
>> otpd+rlm_otp+freeradius and then connect to the Microsoft domain using LDAP.
>> Extend the LDAP schema to hold the private keys for the OTP system.
>>
>> Many vendors offer this solution, although I suggest that you don't go
>> with SecurID or any token vendor that does not disclose their algorithm to
>> you. Go open, and use OATH.
>>
>> The work being done on OATH is where future one-time, two-factor systems
>> are headed:
>>
>> http://www.openauthentication.org/
>>
>> -john