On 11/09/13 13:17, Jason Haar wrote:
> On 11/09/13 12:34, Michael Ludvig wrote:
>> We used to do cert-based authentication which was good because on
>> connection drop it re-authenticated without any user interaction and
>> often users didn't even notice. Now that we moved to OTP users
>> rightfully complain about the lower comfort. Is there
>>
> I think you're asking a bit too much :-)
>
> Either your mandate is to implement an "extremely" high security
> solution (in which case tokens are the only option IMHO), or your
> mandate is to implement a "very strong" security solution - in which
> case client certs by themselves absolutely do the trick (certs on tokens
> I place into the "extreme" category of course)
I'd be happy with "very strong" + OTP ;) Unfortunately we have to use OTP to be in compliance with some other sites we connect to, that's why we had to move from our trusted and loved cert-based auth :(

> So if you *have* to use tokens, then user-annoyance is probably a
> side-effect that cannot be avoided.

Great. Can I use this as an auto-reply to our users' complaints? ;)

> If you're willing to hack, you might have been able to do something
> where client certs are used to establish the tunnel, but firewall acls
> on the gateway quarantine the client until they go to a web page and
> authenticate using the OTK.

Thanks for the suggestion. We already call a client-connect script to do some firewall work based on LDAP group membership, I just have to think how to get the OTP from the user in that script...

But seriously - is the "cookies" idea that bad?

1) Initial connect - client supplies username + password + OTP; once the channel is set up it securely receives a "cookie", which gets renewed every 10 minutes while the tunnel is up.

2) Connection drops and client reconnects (without restarting) - instead of username + pass + OTP it offers the cookie, the server checks its validity, optionally the source IP, gets the username from its cache and re-establishes the tunnel without requesting the credentials again.

Is that doable, and how hard would it be to implement?

Michael

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
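The two-step "cookie" scheme proposed in the post above, written out as a server-side store so the failure modes are visible. This is an added example for this page, not code from the OpenVPN project or from anyone in the thread; every name in it is hypothetical, the password + OTP check is a constructed stub standing in for the real LDAP/RADIUS backend, and the 12-hour hard cap on renewals is an assumption the post does not make. Beyond what the post states, the example stores only a hash of the cookie (a leaked cache then yields nothing usable) and rotates the cookie on every resume, so a cookie captured from one reconnect cannot be replayed.

```python
"""Server-side resume-cookie store modelling the scheme in the post.

Added example, not OpenVPN code. All names are hypothetical; the
credential check below is a constructed stub.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

RENEW_TTL = 10 * 60         # post: cookie renewed every 10 minutes while the tunnel is up
MAX_SESSION = 12 * 60 * 60  # assumption: hard cap so renewals cannot extend a session forever

# Constructed stand-in for the real password + OTP backend.
_DEMO_USERS = {"alice": ("correct horse", "123456")}


def verify_password_and_otp(username: str, password: str, otp: str) -> bool:
    rec = _DEMO_USERS.get(username)
    return rec is not None and secrets.compare_digest(rec[0], password) \
        and secrets.compare_digest(rec[1], otp)


@dataclass
class Session:
    username: str
    client_ip: Optional[str]  # None when the store is not binding to source IP
    expires_at: float         # slides forward on every renewal / resume
    hard_deadline: float      # absolute end of the session regardless of renewals


class CookieStore:
    def __init__(self, bind_ip: bool = True, clock: Callable[[], float] = time.time):
        self.bind_ip = bind_ip
        self.clock = clock
        self._sessions: Dict[str, Session] = {}  # keyed by sha256(cookie)

    @staticmethod
    def _key(cookie: str) -> str:
        # Only the hash is kept, so a dumped cache does not contain live cookies.
        return hashlib.sha256(cookie.encode()).hexdigest()

    def _issue(self, sess: Session) -> str:
        cookie = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._sessions[self._key(cookie)] = sess
        return cookie

    def initial_connect(self, username: str, password: str, otp: str,
                        client_ip: str) -> Optional[str]:
        """Step 1: full credentials (password + OTP) buy a cookie."""
        if not verify_password_and_otp(username, password, otp):
            return None
        now = self.clock()
        sess = Session(username, client_ip if self.bind_ip else None,
                       now + RENEW_TTL, now + MAX_SESSION)
        return self._issue(sess)

    def renew(self, cookie: str) -> bool:
        """Called every RENEW_TTL while the tunnel is up; slides the expiry."""
        sess = self._sessions.get(self._key(cookie))
        now = self.clock()
        if sess is None or now > sess.expires_at:
            return False
        sess.expires_at = min(now + RENEW_TTL, sess.hard_deadline)
        return True

    def resume(self, cookie: str, client_ip: str) -> Optional[Tuple[str, str]]:
        """Step 2: reconnect with the cookie instead of credentials.

        Returns (username, fresh_cookie), or None when the cookie is unknown,
        expired, or presented from a different source IP than it was bound to.
        """
        key = self._key(cookie)
        sess = self._sessions.get(key)
        now = self.clock()
        if sess is None or now > sess.expires_at:
            self._sessions.pop(key, None)  # drop stale entries as we meet them
            return None
        if sess.client_ip is not None and sess.client_ip != client_ip:
            return None  # optional source-IP binding from the post
        del self._sessions[key]  # rotate: the presented cookie is single-use
        sess.expires_at = min(now + RENEW_TTL, sess.hard_deadline)
        return sess.username, self._issue(sess)

    def logout(self, cookie: str) -> None:
        """Deliberate disconnect: revoke immediately rather than waiting for expiry."""
        self._sessions.pop(self._key(cookie), None)


def demo() -> Dict[str, object]:
    """Walks the scheme through a fake clock; constructed data throughout."""
    t = [1_000_000.0]
    store = CookieStore(bind_ip=True, clock=lambda: t[0])
    c1 = store.initial_connect("alice", "correct horse", "123456", "203.0.113.5")
    bad = store.initial_connect("alice", "correct horse", "000000", "203.0.113.5")
    t[0] += 5 * 60
    renewed = store.renew(c1)                       # tunnel still up at 5 min
    t[0] += 5 * 60
    res = store.resume(c1, "203.0.113.5")           # tunnel dropped, reconnect at 10 min
    replay = store.resume(c1, "203.0.113.5")        # same cookie again: already rotated
    user, c2 = res
    moved = store.resume(c2, "198.51.100.9")        # reconnect from a different IP
    t[0] += 20 * 60
    stale = store.resume(c2, "203.0.113.5")         # 20 min later: past expires_at
    return {"initial_ok": c1 is not None, "bad_otp_rejected": bad is None,
            "renewed": renewed, "resumed_user": user, "rotated": c2 != c1,
            "replay_rejected": replay is None, "ip_change_rejected": moved is None,
            "stale_rejected": stale is None}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two practical caveats follow from the code. First, binding to the source IP is exactly what breaks for the reconnect case the post cares about most (a laptop roaming between networks comes back from a new address), so `bind_ip=False` is the realistic default and the short TTL plus rotation carry the security instead. Second, the cookie replaces the OTP only within the sliding 10-minute window; once the tunnel has been down longer than that the user is back to a full login, which is the intended behaviour rather than a defect.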