TwoFactor Authentication Service Jason Testart, Computer Science Computing Facility.


1 TwoFactor Authentication Service Jason Testart, Computer Science Computing Facility

2 WatITis 2006 | December 6, 2006 | ***TwoFactor Authentication Service***
Authentication Nomenclature
- Two-Factor Authentication
- Strong Authentication
- One-time password (OTP)
- Token-based authentication
- “RSA” and “SecurID”
- GINA

3 Why TwoFactor authentication?
- Thin clients
- Hacked workstations
- Lack of encrypted connection
- Shared accounts are bad

4 Hardware Tokens

5 Some History
- SecurID system purchased in 1996 by DP
- Needed for access to OGF
- DCS and MFCF: ssuw on xhiered Unix
- MFCF/CSCF assumed control of SecurID service from IST in 2004 after OGF upgrade

6 ACE Servers

7 CRYPTO-Shield by CryptoCard
- Less expensive
- Tokens don’t expire
- Ability to import from ACE server
- Good Linux support
- Now supports the Blackberry
- Canadian company

8 Got root?
- CRYPTO-Server does RADIUS
- Sudo is PAM enabled
- Pam-radius module works on Solaris, Linux, OS X
- Instead of ssuw, use “sudo -s”

9 Switches and Firewalls
[Diagram: Firewall, FreeRADIUS server, CRYPTO-Server]
Firewall provides userid+password to FreeRADIUS server

10 Switches and Firewalls
[Diagram: Firewall, FreeRADIUS server, CRYPTO-Server]
FreeRADIUS provides, via PAM, userid+password to CRYPTO-Server

11 Switches and Firewalls
[Diagram: Firewall, FreeRADIUS server, CRYPTO-Server]
CRYPTO-Server accepts or rejects authentication request.

12 Switches and Firewalls
[Diagram: Firewall, FreeRADIUS server, CRYPTO-Server]
If the CRYPTO-Server accepted the authentication, then the FreeRADIUS server looks up the user in its users file and returns a “success” to the firewall along with the defined attributes for the user.
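
Added example (not part of the presentation): a small model of the four steps on slides 9 to 12, going slightly beyond the slides by showing how the firewall's password field is hidden with the RADIUS shared secret (RFC 2865, section 5.2) before it reaches the server. It assumes the firewall sends the one-time password in the User-Password attribute; the shared secret, users, OTP values, reply attribute and the `otp_backend_accepts` stand-in for the CRYPTO-Server are all constructed for illustration.

```python
import hashlib
import os

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 sec. 5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    size = max(16, -(-len(password) // 16) * 16)      # pad to a multiple of 16
    padded, out, prev = password.ljust(size, b"\x00"), b"", authenticator
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as run by the RADIUS server."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

# Constructed sample data; none of these values come from the slides.
SHARED_SECRET = b"example-shared-secret"
USERS_FILE = {"alice": {"Service-Type": "Administrative-User"}}
VALID_OTPS = {("alice", "492817"), ("bob", "110233")}

def otp_backend_accepts(user: str, otp: str) -> bool:
    """Hypothetical stand-in for the CRYPTO-Server decision reached via PAM."""
    return (user, otp) in VALID_OTPS

def radius_server(user: str, hidden: bytes, authenticator: bytes):
    otp = reveal_password(hidden, SHARED_SECRET, authenticator)
    if not otp_backend_accepts(user, otp.decode(errors="replace")):
        return ("Access-Reject", {})            # slide 11: backend rejected
    attrs = USERS_FILE.get(user)                # slide 12: users file lookup
    if attrs is None:                           # assumption: no entry, no access
        return ("Access-Reject", {})
    return ("Access-Accept", dict(attrs))

def firewall_login(user: str, otp: str, secret: bytes = SHARED_SECRET):
    authenticator = os.urandom(16)              # fresh per request
    hidden = hide_password(otp.encode(), secret, authenticator)
    return radius_server(user, hidden, authenticator)

if __name__ == "__main__":
    print(firewall_login("alice", "492817"))
    print(firewall_login("bob", "110233"))
```

In this model a valid token alone is not enough: "bob" passes the OTP check but has no users-file entry, so no attributes are returned, and a firewall configured with the wrong shared secret is rejected because the server recovers garbage instead of the OTP.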

13 Active Directory
- Use a new domain for just Administrators
- CRYPTO-Logon agent on each domain member (replaces the GINA)
- CRYPTO-Logon DC service on each domain controller
- Place users of new domain in universal group(s)
- Give universal group(s) elevated privileges to other domains in the forest

14 Active Directory Architecture
[Diagram labels: CRYPTO-Server; AD Forest cscf.uwaterloo.ca; cscf.uwaterloo.ca; cs.uwaterloo.ca; sysadmins.cscf.uwaterloo.ca; student.cs.uwaterloo.ca; superusers.uwdomain.uwaterloo.ca; uwdomain.uwaterloo.ca; AD Forest uwforest.uwaterloo.ca]
Hosts in the “sysadmins” and “superusers” domains authenticate against the CRYPTO-Server.

15 Hardware
- Total of 6 hosts needed
- 2 for CRYPTO-Server (master and replica)
- 4 for Windows domain (3 DCs, 1 TS)
- All hosts are virtual
- 3 in MC, 3 in DC (BCP)
- Have capacity for 6 more virtual machines
- Everything is behind the Netscreens

16 Challenges/Limitations
- OS X functionality is limited in how we use it
- Limited integration with SSO plans
- Enforcing compliance

17 Thanks for your time!
For more information, please visit: https://www.cs.uwaterloo.ca/twiki/view/CF/TwoFactor
Any Questions?

