This can be accomplished with some intelligent client-connect scripts and some session tracking. I'd suggest a database that keeps connection statistics and uses some logic that figures same IP + close connection time equals no OTP required. You can, essentially, generate a server-side token based on various connection data.
Good luck. :)

On Sep 10, 2013, at 9:04 PM, Michael Ludvig <mlud...@logix.net.nz> wrote:

> On 11/09/13 13:17, Jason Haar wrote:
>> On 11/09/13 12:34, Michael Ludvig wrote:
>>> We used to do cert-based authentication which was good because on
>>> connection drop it re-authenticated without any user interaction and
>>> often users didn't even notice. Now that we moved to OTP users
>>> rightfully complain about the lower comfort. Is there
>> I think you're asking a bit too much :-)
>>
>> Either your mandate is to implement an "extremely" high security
>> solution (in which case tokens are the only option IMHO), or your
>> mandate is to implement a "very strong" security solution - in which
>> case client certs by themselves absolutely do the trick (certs on tokens
>> I place into the "extreme" category of course)
>
> I'd be happy with "very strong" + OTP ;)
> Unfortunately we have to use OTP to be in compliance with some other
> sites we connect to, that's why we had to move from our trusted and
> loved cert-based auth :(
>
>> So if you *have* to use tokens, then user-annoyance is probably a
>> side-effect that cannot be avoided.
>
> Great. Can I use this as auto-reply to our users' complaints? ;)
>
>> If you're willing to hack, you might have been able to do something
>> where client certs are used to establish the tunnel, but firewall acls
>> on the gateway quarantine the client until they go to a web page and
>> authenticate using the OTK.
> Thanks for the suggestion. We already call a client-connect script to do
> some firewall work based on LDAP group membership, I just have to think
> how to get the OTP from the user in that script...
>
>
> But seriously - is the "cookies" idea that bad?
> 1) Initial connect - client supplies username + password + OTP, once the
> channel is set up it securely receives a "cookie", it gets renewed every
> 10 minutes while the tunnel is up.
>
> 2) Connection drops and client reconnects (without restarting) - instead
> of username + pass + OTP it offers the cookie, server checks the
> validity, optionally the source IP, gets the username from its cache and
> re-establishes the tunnel without requesting the credentials again.
>
> Is that doable and how hard would it be to implement?
>
> Michael

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
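The reconnect-cookie scheme Michael describes (full username + password + OTP once, then a server-issued cookie that is checked for validity and source IP and renewed every 10 minutes), as an added example that is not code from the thread or from OpenVPN itself. It assumes the server's auth and client-connect scripts can call these functions, and it carries the username inside the HMAC-protected cookie instead of the server-side username cache the post mentions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Server-side key; in practice load it from a root-only file so that a
# restart does not invalidate every outstanding cookie.
SERVER_KEY = secrets.token_bytes(32)
COOKIE_LIFETIME = 600  # seconds, matching the "renewed every 10 minutes" idea
MAC_LEN = hashlib.sha256().digest_size


def _sign(payload):
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()


def issue_cookie(username, src_ip, now=None):
    """Issue a reconnect cookie once username + password + OTP have passed.
    The HMAC binds user, source IP and expiry, so the client can present the
    cookie but cannot forge or alter it."""
    now = time.time() if now is None else now
    payload = json.dumps({"u": username, "ip": src_ip,
                          "exp": int(now + COOKIE_LIFETIME),
                          "n": secrets.token_hex(8)}).encode()
    return base64.urlsafe_b64encode(payload + _sign(payload)).decode()


def validate_cookie(cookie, src_ip, now=None):
    """Return the username if the cookie is genuine, unexpired and presented
    from the same source IP; otherwise None (fall back to a full OTP login)."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
        payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
        if not hmac.compare_digest(mac, _sign(payload)):
            return None  # tampered or forged
        data = json.loads(payload)
    except (ValueError, TypeError):
        return None
    if data.get("ip") != src_ip or now >= data.get("exp", 0):
        return None  # client moved networks or the cookie aged out
    return data.get("u")


def renew_cookie(cookie, src_ip, now=None):
    """Ten-minute renewal while the tunnel is up: only a still-valid cookie
    can be extended, so a dropped session cannot be revived indefinitely."""
    user = validate_cookie(cookie, src_ip, now)
    return issue_cookie(user, src_ip, now) if user else None
```

Later OpenVPN releases implement this idea natively with the server option --auth-gen-token; the block only shows the mechanics of a bound, expiring, unforgeable cookie.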