schuitkds
What would be a low-cost two-factor system for VPN access if I want to give remote users access to files ON a Windows server system with AD?
If you have good cell phone access, PhoneFactor works great and is free.
We use it here, it is fantastic, but we get great reception.
Heh… DBS, you can ignore my PM 
Yeah, saw your PM, chuckled to myself… One step ahead.
schuitkds
How does the implementation work, or how do you set it up within a VPN appliance, in particular a SonicWall Aventail SSL VPN?
Essentially you set up the PhoneFactor server on a Windows box. Add users' phone numbers and the type of authentication you want: voice, or PIN, or nothing. You can have this set up in an hour.
You then tell your SonicWall to authenticate with the server (RADIUS) and voilà, you have two-factor.
What happens is when someone logs into the SonicWall VPN they will use their Windows creds, and from there they will get a phone call where they either use their voice, a PIN, or just answer.
We use a FortiGate so I cannot give specifics on the SonicWall, but the software is extremely straightforward.
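The exchange described above, as an added example that is not part of the original post and not PhoneFactor, SonicWall or FortiGate code: the VPN gateway acts as a RADIUS client, wraps the user's Windows credentials in an RFC 2865 Access-Request (with the User-Password attribute obfuscated under the shared secret and request authenticator), and the 2FA server checks the password against the directory, consults the second factor, and answers with an Access-Accept or Access-Reject whose Response Authenticator the gateway verifies. The directory, shared secret, NAS identifier and the `second_factor_ok` callback standing in for the phone call are constructed assumptions.

```python
"""RFC 2865 RADIUS Access-Request / Access-Accept round trip with a second-factor hook.
Constructed example of the VPN-gateway -> 2FA-server exchange; not vendor code."""
import hashlib
import hmac
import os
import struct

CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT, CODE_ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32

# Constructed directory standing in for the AD lookup the 2FA server performs.
DIRECTORY = {"alice": "Winter-Sk1es!"}


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def decrypt_password(blob: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encrypt_password; the chain value is the previous ciphertext block."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        out += _xor(blob[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, 2 + len(value)) + value


def build_access_request(ident: int, user: str, password: str, secret: bytes) -> bytes:
    """What the VPN gateway (RADIUS client / NAS) sends after collecting Windows creds."""
    authenticator = os.urandom(16)  # fresh per request; also keys the password obfuscation
    attrs = (_attr(ATTR_USER_NAME, user.encode())
             + _attr(ATTR_USER_PASSWORD, encrypt_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IDENTIFIER, b"ssl-vpn-gateway"))  # constructed NAS name
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(pkt: bytes):
    """Return (code, identifier, authenticator, {attr_type: value})."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, i = {}, 20
    while i < length:
        kind, alen = pkt[i], pkt[i + 1]
        attrs[kind] = pkt[i + 2:i + alen]
        i += alen
    return code, ident, pkt[4:20], attrs


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20)  # no attributes in this reply
    return header + hashlib.md5(header + request_auth + secret).digest()


def verify_response(resp: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Gateway-side check that the reply was produced by a holder of the shared secret."""
    header, resp_auth, attrs = resp[:4], resp[4:20], resp[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def handle_request(pkt: bytes, secret: bytes, second_factor_ok) -> bytes:
    """The 2FA server: first factor against the directory, then the second factor
    (the phone call / PIN, modelled as a callback), then Accept or Reject."""
    code, ident, request_auth, attrs = parse_packet(pkt)
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    supplied = decrypt_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    expected = DIRECTORY.get(user, "").encode()
    first_ok = (code == CODE_ACCESS_REQUEST and bool(expected)
                and hmac.compare_digest(supplied, expected))
    # The second factor is consulted only once the first factor has passed.
    granted = first_ok and bool(second_factor_ok(user))
    return build_response(CODE_ACCESS_ACCEPT if granted else CODE_ACCESS_REJECT,
                          ident, request_auth, secret)


def authenticate(user: str, password: str, secret: bytes, second_factor_ok) -> str:
    """Full exchange from the gateway's point of view: 'accept', 'reject' or 'tampered'."""
    req = build_access_request(7, user, password, secret)
    resp = handle_request(req, secret, second_factor_ok)
    _, _, request_auth, _ = parse_packet(req)
    if not verify_response(resp, request_auth, secret):
        return "tampered"
    return "accept" if resp[0] == CODE_ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    shared = b"constructed-shared-secret"
    print(authenticate("alice", "Winter-Sk1es!", shared, lambda u: True))   # accept
    print(authenticate("alice", "Winter-Sk1es!", shared, lambda u: False))  # reject
```

The MD5-based password obfuscation and response authenticator are what RFC 2865 specifies; they depend entirely on the strength of the shared secret, which is why the gateway-to-server leg is normally kept on a management network or wrapped in IPsec/RadSec.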
Or you can use a YubiKey (Yubico | YubiKey Strong Two Factor Authentication), which will do two-factor authentication with anything that can use AD authentication. Set up the YubiKey to do a static (really, really long) password. Set up AD to require complex passwords and expire passwords every 90 days. Set your password to (some PIN) + YubiKey password. Every 90 days change the PIN.
The YubiKey costs about $25 and that is it for hardware and software costs. Admin is a little more, but no more than single-factor admin for AD would cost.
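The PIN-plus-static-token scheme above, as an added example that is not part of the original post or Yubico's code: it composes the password the user types, checks it against a simplified model of the Windows "Password must meet complexity requirements" rule (three of four character classes, no account name), and shows that with the default modhex output (lowercase letters only) the rotating PIN is what has to carry the other character classes. The static token string, account name, PINs and the 14-character minimum are constructed assumptions.

```python
"""Composing a YubiKey static password with a rotating PIN and checking it against
a simplified Windows AD complexity policy. Constructed example, not Yubico code."""

# Constructed stand-in for a YubiKey static-mode output; real modhex output uses only
# the lowercase letters c b d e f g h i j k l n r t u v, so it carries one character class.
STATIC_TOKEN = "cbdefghijklnrtuvcbdefghijklnrtuvcbde"


def compose_password(pin: str, static_token: str = STATIC_TOKEN) -> str:
    """The user types the PIN, then touches the key, which types the static token."""
    return pin + static_token


def meets_ad_complexity(password: str, sam_account_name: str, min_length: int = 14) -> bool:
    """Simplified model of the AD rule: minimum length (from the domain policy),
    must not contain the account name (when it is 3+ characters), and characters
    from at least three of: uppercase, lowercase, digit, non-alphanumeric."""
    if len(password) < min_length:
        return False
    if len(sam_account_name) >= 3 and sam_account_name.lower() in password.lower():
        return False
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(classes) >= 3


def rotate_pin(new_pin: str, sam_account_name: str, static_token: str = STATIC_TOKEN) -> str:
    """The 90-day rotation: only the PIN changes; raise if the result would be rejected by AD."""
    candidate = compose_password(new_pin, static_token)
    if not meets_ad_complexity(candidate, sam_account_name):
        raise ValueError("new PIN does not give the composed password enough character classes")
    return candidate


if __name__ == "__main__":
    print(meets_ad_complexity(STATIC_TOKEN, "alice"))              # False: lowercase only
    print(meets_ad_complexity(compose_password("Q7!", STATIC_TOKEN), "alice"))  # True
```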
HJ Martin wrote:
Or you can use a YubiKey (Yubico | YubiKey Strong Two Factor Authentication), which will do two-factor authentication with anything that can use AD authentication. Set up the YubiKey to do a static (really, really long) password. Set up AD to require complex passwords and expire passwords every 90 days. Set your password to (some PIN) + YubiKey password. Every 90 days change the PIN.
The YubiKey costs about $25 and that is it for hardware and software costs. Admin is a little more, but no more than single-factor admin for AD would cost.
Problem is, it is a token; I personally don't like tokens because they get lost. If the token is something near and dear to the user they are great… like a phone. Access cards also work great; E6400 laptops from Dell support this kind of two-factor, which is nice if you have the contactless cards of the right frequency.
schuitkds
Would that be for VPN access only or the AD system as a whole?
schuitkds, if that was addressed to me, the YubiKey would be set up for AD as a whole. As long as the VPN supports AD authentication, then you are in.
Digital Blacksmith, you are correct about the token problem. Working in govt., requiring employees to use their personal cell phones as a component of the auth system is out of the realm of possibility. Buying them cell phones is also not possible. At $25 a pop YubiKeys are affordable and easy enough. Employees already have to keep track of keys and ID badges; one more thingy is not a big deal.
Why is it out of the realm of possibility? I worked for a gov't agency not too long ago and it would be perfectly acceptable. Unless of course you are referring to the whole snafu of "you require me to have a cellphone so you get to pay for it". A simple waiver can help there.
However, PhoneFactor really is only good for mobile users; if you are a mobile user, chances are you have a cell phone. For in-office users there are great things to be had that do the same thing.
That is the big one, if we require the employee to use personal equipment we have to defray their costs. It is easier to issue everyone a cell phone, and that is not in the budget.