[141628] in North American Network Operators' Group


Re: Multi Factor authentication options for wireless networks

daemon@ATHENA.MIT.EDU (John Adams)
Thu Jun 9 18:08:49 2011

In-Reply-To: <BANLkTim+=r9zg_nt7GkkFByHzC-g0SdQvw@mail.gmail.com>
Date: Thu, 9 Jun 2011 15:08:44 -0700
From: John Adams <jna@retina.net>
To: eric clark <cabenth@gmail.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Thu, Jun 9, 2011 at 3:02 PM, eric clark <cabenth@gmail.com> wrote:

> Wondering what people are using to provide security from their Wireless
> environments to their corporate networks? 2 or more factors seems to be the
> accepted standard and yet we're being told that Microsoft's equipment can't
> do it. Our system being a Microsoft Domain... seemed logical, but they can
> only do 1 factor.
> What are you guys using?


Move to 802.1X with RADIUS.

Connect your APs or AP Controllers to a decent OTP system like
otpd+rlm_otp+freeradius and then connect to the Microsoft domain using LDAP.
Extend the LDAP schema to hold the private keys for the OTP system.

Many vendors offer this solution, although I suggest that you don't go with
SecurID or any token vendor that does not disclose their algorithm to you.
Go open, and use OATH.

The work being done on OATH is where future one-time, two-factor systems are
headed:

http://www.openauthentication.org/

-john
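
Added example, not part of the original message and not code from otpd, rlm_otp or FreeRADIUS: the OATH HOTP algorithm is published as RFC 4226 (TOTP as RFC 6238), so the server-side check an OTP backend performs can be written out and tested against the RFC vectors. The names `verify_hotp` and `window` are hypothetical, and the secret is the RFC 4226 Appendix D test key, not a real credential.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret (public test value, not a real key).
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte slice
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_hotp(secret: bytes, submitted: str, server_counter: int, window: int = 3):
    """Check a code against the next `window` counters (token may be ahead of the server).

    Returns the counter to store after success, or None on failure.
    Storing the returned value is what prevents replay of an accepted code.
    """
    for c in range(server_counter, server_counter + window):
        expected = hotp(secret, c).encode()
        if hmac.compare_digest(expected, submitted.encode()):
            return c + 1
    return None


if __name__ == "__main__":
    counter = 0
    # Constructed login sequence: valid code, replay of it, token two presses ahead.
    for attempt in ("755224", "755224", "969429"):
        result = verify_hotp(SECRET, attempt, counter)
        print(attempt, "accepted" if result is not None else "rejected")
        if result is not None:
            counter = result
```
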
