Darren J Moffat wrote:

> Darren Reed wrote:
>
>> Someone asked me today, will it be possible to use cards
>> such as SecurID with IPFilter to authenticate network access.
>>
>> While my response is sure, we can do this, how would this
>> fit in to the Solaris security model?
>
>
> Before we go to the details of how to implement it I think we first 
> need to understand what authenticating network access means in this 
> context.
>
> What is the identity that is to be authenticated ?
>     user
> ... 


At the higher level, the question for this comes from:
"when can I use IPFilter to control remote access like Firewall-1?"

I don't yet have any further specifics on the requirements but I
have encouraged the requestor to participate in this discussion.

From memory about Firewall-1 and its user authentication....

In general it is a combination of user and host (often "*")
that is authenticated using username/password (either from a
private database, NIS or Microsoft or SecurID or...) so that
the user can be given access to a remote service (Internet,
web server, etc.) that is defined by an ACL entry in the
firewall policy.

What's different about 802.1x here is that it isn't necessarily
access to the network itself that is being controlled but rather
access to a particular service on the network where that service
doesn't have the capability to enforce its own authentication
checks.  At least my understanding of 802.1x is that it is limited
to authenticating access to the network, not so much access to
devices on the network.

Darren

