To chime in on smartcard two-factor, specifically losing/misplacing the smartcards: in the DoD (where I work) losing your smartcard is treated as a personnel management issue, not an IT issue. If you lose your DoD Common Access Card you have to go to an enrollment station to have it replaced. Lose it enough times and your supervisor (military or civilian) will take note and the appropriate personnel actions will be carried out. The same problem exists with RSA hard tokens, and even with soft tokens really (you can lose or wipe your phone after all). Can’t solve people issues with tech, unfortunately.
> On Jun 2, 2015, at 4:15 PM, Robert Cato <[email protected]> wrote:
>
> We have the same laptops, but utilize RSA. We can issue the RSA as a hard (USB) token or soft (there is an app for that) token to reduce the need for keeping track of the hard token.
>
> We like NetMotion Wireless to keep the system state stable as the mobile users move in/out of signal coverage.
>
> Robert
>
> On Tue, Jun 2, 2015 at 1:59 PM, Gordon Pegue <[email protected]> wrote:
>
> OK….
>
> My question to those that might support a law enforcement agency is do you have mobile laptops in your police cars that access the FBI NCIC system?
>
> I have a small fleet (6 units) of Dell Latitude XFR armored laptops that I’m trying to get deployed (my first laptop deployment project) and I’m having difficulties with the fingerprint reader hardware / software in the unit. The Dell software is, quite frankly, a POS, so I was wondering if your mobile units use the fingerprint reader to provide multi-factor authentication in addition to a user name / password combination and if so, what fingerprint software you might be using.
>
> More specifically, my units are using a Sprint mobile card and once an officer is authenticated locally, I have a script that runs at logon that launches the mobile connection software, fires up the VPN connection software, authenticates the VPN tunnel to my perimeter firewall / VPN endpoint and launches the Mobile application software (what the officer uses to do his/her job). Because of the way this all works (and it works very well) and because of university IT policy, I am not able to authenticate against the university AD. Hence, each officer has a local user account set up on the laptop. This is where I run into difficulties with the Dell fingerprint software. FBI security policy delineates – if I am correct in my interpretation of the policy – that a mobile laptop contained in a police conveyance has to have multi-factor authentication implemented. I have chosen “password and fingerprint swipe” as the logon method because fingerprints are a lot harder to lose than a smartcard. Anyhow, the Dell fingerprint software is not smart enough to sense when a new user (for example when a new officer is hired) is logging onto the laptop for the first time and allow the enrollment of a fingerprint before completing the authentication. What this means is that I then have to manually set up each and every officer on each and every laptop before I can enable the “password and fingerprint swipe” logon and deploy the unit.
>
> If you are using a similar system, would you have advice or suggestions on how you got yours to work, especially if you're using a third-party fingerprint software system?
>
> If you’re using a smartcard system, how do you minimize the possibility of your officers losing or misplacing their smartcard and thus not being able to complete their laptop logon?
>
> TIA
>
> Gordon
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Micheal Espinola Jr
> Sent: Tuesday, June 02, 2015 11:09 AM
> To: [email protected]
> Subject: Re: [NTSysADM] Law Enforcement IT query
>
> It sounds like it would be an interesting conversation to keep on-list. No "IT support", but I have coordinated with local and federal on a few occasions.
>
> --
> Espi
>
> On Tue, Jun 2, 2015 at 9:07 AM, Gordon Pegue <[email protected]> wrote:
>
> I am curious if any of the folks subscribed to this list provide IT support to a law enforcement or police agency and would be willing to engage in an off-list correspondence.
>
> Thanks in advance
>
> Gordon
