On Thu, Oct 09, 2003 at 09:31:06AM -0400, Sean Che wrote:

> Some differences:
> * Bluesocket uses web-based interface for authentication, which makes
> support of PDA or other non-prevailing OSs possible/easier. As I know,
> lots of VPN solutions require client software. Usually they just don't
> support PalmOS, Windows CE or Mac or Linux, etc.

Just following up on my previous. The roll-your-own system we've developed also uses a web-based front end. It uses SSL, which does cause a few problems for a few clients. Still, we need to protect the password and this does it.

Another option is NoCat, which loads a Javascript applet to the client. The applet then handles the encryption so that the client doesn't have to. Another plus is that the applet keeps running in the background and re-authenticates the client every few minutes. That keeps live connections open and allows the server to drop dead ones. It also opens the possibility of automatic reconnect if the client goes to sleep.

There are some problems with the NoCat option, though. First, the client must support Javascript (which I, for one, disable as a matter of course). Also, if the client follows up by opening a VPN connection the re-auth traffic may not have a route back to the NoCat server. I've seen this happen. The user had to re-auth and reconnect his VPN every ten minutes.

> * Bluesocket gives users options. They could choose to use VPN if they
> think their data need to be encrypted; or not to use VPN, which is
> easier for those who don't bother to learn.

I really hope my management will allow me to release my code some day. We're doing the same things...

> * Bluesocket supports more than just Radius or LDAP authentication. It
> could pass 802.1x authentication packet transparently.

Um... I've talked to some of the 802.1x folks and they are very clear that 802.1x traffic should *not* pass through the AP. Personally, I think that's impractical, but the reasoning is sound. The thinking is that the AP is a layer 2 device and that 802.1x is a layer 2 protocol. Ah, well.

> Users could also
> choose NTLM, MAC device authentication (e.g. wireless LAN cell phone),
> local user database authentication. So there's more space left for user
> to choose.

...but if they are trying to access my network then I, as the Admin, want to choose which auth scheme they use. As it is, we run a big ol' X.500 database. We can, and do, store LM and NTLM hashes, so we could (in theory) support NTLM or NTLMSSP style auth. The advantage is that it's a challenge/response system, which means that no passwords (even encrypted) are being transported. Personally, I'd like to store my public key in the database and use that.

> * Bluesocket also supports more detailed controls such as those based
> on user, role, location, port.

Curious... I've heard people talk about this (we've talked with the Reefedge folks about their product, which we liked) but I don't know of any practical applications. How would you use this? (Probably obvious but I haven't thought it through.)

Chris -)-----
--
Christopher R. Hertel -)-----
University of Minnesota [EMAIL PROTECTED]
Networking and Telecommunications Services
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/cg/.
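The challenge/response property Chris points to for NTLM (the password, and even its hash, never crosses the wire; the server verifies from the hash it already stores) as an added example, not code from this message or from the list. It follows the NTLMv2 construction from MS-NLMP (NTOWFv2, then HMAC-MD5 over server challenge and client blob); the 16-byte NT hash, the user and domain names, and the nonce-only client blob are constructed stand-ins, since a real NT hash is MD4 of the UTF-16LE password and a real blob carries timestamp and target info.

```python
import hmac
import hashlib
import os

# Constructed stand-in for the NT hash a directory would store
# (in real NTLM this is MD4 over the UTF-16LE password).
STORED_NT_HASH = bytes.fromhex("0123456789abcdef0123456789abcdef")
USER, DOMAIN = "exampleuser", "EXAMPLE"   # constructed identities

def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP): HMAC-MD5 keyed with the NT hash over
    UTF-16LE(UPPER(user) + domain). Either side can derive it from the hash."""
    ident = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, ident, hashlib.md5).digest()

def client_response(nt_hash: bytes, user: str, domain: str,
                    server_challenge: bytes, client_blob: bytes) -> bytes:
    """What the client sends: NTProofStr || blob. The hash stays on the client."""
    key = ntowf_v2(nt_hash, user, domain)
    proof = hmac.new(key, server_challenge + client_blob, hashlib.md5).digest()
    return proof + client_blob

def server_verify(stored_nt_hash: bytes, user: str, domain: str,
                  server_challenge: bytes, response: bytes) -> bool:
    """Server recomputes the proof from its stored hash; constant-time compare."""
    proof, blob = response[:16], response[16:]
    key = ntowf_v2(stored_nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)

def run_exchange(stored_nt_hash: bytes = STORED_NT_HASH,
                 client_nt_hash: bytes = STORED_NT_HASH) -> tuple:
    """One round trip. Returns (accepted, replay_accepted): a response captured
    on the wire is rejected when presented against a fresh server challenge."""
    challenge = os.urandom(8)   # server nonce
    blob = os.urandom(8)        # simplified client blob: client nonce only
    resp = client_response(client_nt_hash, USER, DOMAIN, challenge, blob)
    accepted = server_verify(stored_nt_hash, USER, DOMAIN, challenge, resp)
    replayed = server_verify(stored_nt_hash, USER, DOMAIN, os.urandom(8), resp)
    return accepted, replayed

if __name__ == "__main__":
    print(run_exchange())                                   # (True, False)
    print(run_exchange(client_nt_hash=bytes(16)))           # (False, False)
```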
