On 11/09/13 12:34, Michael Ludvig wrote:
> We used to do cert-based authentication which was good because on
> connection drop it re-authenticated without any user interaction and
> often users didn't even notice. Now that we moved to OTP users
> rightfully complain about the lower comfort. Is there
>

I think you're asking a bit too much :-)
Either your mandate is to implement an "extremely" high security solution (in which case tokens are the only option IMHO), or your mandate is to implement a "very strong" security solution - in which case client certs by themselves absolutely do the trick (certs on tokens I place into the "extreme" category of course).

So if you *have* to use tokens, then user annoyance is probably a side effect that cannot be avoided.

If you're willing to hack, you might have been able to do something where client certs are used to establish the tunnel, but firewall ACLs on the gateway quarantine the client until they go to a web page and authenticate using the OTK. Then that client cert + IP combination could be whitelisted for the next 'n' hours - something like that. Majorly hacky, and I don't know of any other product with that kind of option.

As far as I'm aware, if you're doing OTK, the expectation is you are using it every time you connect - just like you're currently seeing...

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
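The quarantine-until-OTP scheme sketched in the reply above, as an added example that is not code from the thread or from OpenVPN: a cert-authenticated tunnel starts quarantined, a captive-portal step verifies a TOTP code (RFC 6238 assumed as the "OTK" mechanism), and a valid code whitelists that cert + IP pair for n hours so reconnects inside the window need no user interaction. The 8-hour window, the user name, the IPs and the shared secret are constructed; the hook names are hypothetical.

```python
import hmac
import hashlib
import struct

WINDOW_HOURS = 8  # the 'n' hours from the thread; constructed value


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (assumed to be the OTK mechanism)."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class Gateway:
    """Tracks which (cert CN, IP) pairs have passed the web OTP step."""

    def __init__(self, secrets, window_s=WINDOW_HOURS * 3600, skew=1):
        self.secrets = secrets      # cert CN -> TOTP secret (hypothetical store)
        self.whitelist = {}         # (cn, ip) -> expiry time (epoch seconds)
        self.window_s = window_s
        self.skew = skew            # accepted clock drift in 30 s steps

    def on_connect(self, cn: str, ip: str, now: int) -> str:
        """Hypothetical hook run when a cert-authenticated tunnel comes up.
        Returns the ACL decision: 'allow' inside the window, else 'quarantine'."""
        expiry = self.whitelist.get((cn, ip))
        if expiry is not None and now < expiry:
            return "allow"          # reconnect within n hours: no prompt
        self.whitelist.pop((cn, ip), None)  # drop stale entries
        return "quarantine"         # only the captive portal is reachable

    def web_auth(self, cn: str, ip: str, code: str, now: int) -> bool:
        """Captive-portal step: a valid OTP lifts quarantine for this cert+IP."""
        secret = self.secrets.get(cn)
        if secret is None:
            return False
        for d in range(-self.skew, self.skew + 1):
            if hmac.compare_digest(totp(secret, now + 30 * d), code):
                self.whitelist[(cn, ip)] = now + self.window_s
                return True
        return False
```

Lifting quarantine is keyed on the cert CN and the source IP together, so the same certificate from a new address goes back through the portal.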