I have a SonicWall TZ-210.

I want an extremely easy way to limit external remote access to the VPN beyond just username and password, but I do not wish to buy/deploy a OTP appliance because that is overkill for my situation.

I also do not want to use IPSec because my remote users are roaming.

I want the user to be in physical possession of something, whether that is a pre-configured client with an encrypted key or a certificate .cer/.pfx of some sort.

SonicWall used to offer "Certificate Services" for authentication, but apparently discontinued that a long time ago. So, what is everyone using in its place?

Beyond the "Fortune 500" expensive solution, how do I limit access to the VPN to only those users who have possession of a certificate file or some other file or something beyond passwords?

Thanks.

pghcpa

2 Answers

1

According to the "SonicOS Enhanced 5.6 Administrator's Guide" they support Entrust, Microsoft, OpenCA, OpenSSL, and Verisign CAs. Here is a document entitled "Using OpenSSL to Create a Private Certificate Authority". Here is another document entitled "Using Microsoft's CA Server with SonicWALL Devices". Roaming users do not prevent you from using IPsec. See the VPN section of the Administrator's Guide linked above. Other than the SonicWall licensing cost and having a Certificate Authority set up, there are no other costs besides time. Granted, setting up a CA is a non-trivial task.

sdanelson

Thank you for taking the time to answer, but you answered a different question than I meant to ask. I found and deployed the solution which is described below. – pghcpa Feb 20 '11 at 03:41
0

The simple answer is to set up a secret key and encode that in an encrypted .RCF file.

When installing the SonicWall VPN client software, the user clicks on the .RCF, which creates the profile, including the encrypted secret key which the user never sees, knows or enters. Only by possessing the .RCF provided by the network administrator can a successful profile be created.

User still has to enter their Username and Password.

If the user leaves the company, a new .RCF is generated and distributed containing a new encrypted secret key.

This is elegantly simple to set up and works perfectly, but for some reason SonicWall support doesn't tell you this easy way to establish a second factor for VPN access.

Anyone guessing the VPN login credentials still can't get in because they don't have the physical .RCF that is used to create the profile with the secret key -- so this is much more secure than just distributing login credentials that easily leak, get written down or are easy to guess.

The user cannot give out the secret key to anyone (or write it down somewhere, etc.) because they never possessed it, though there is always a risk that they will continue to store the .RCF on their machine -- it still keeps the password-guessing public out of the VPN. I distribute the .RCF on a read-only CD and ask for it to be returned once the VPN is installed.

OTP servers are of course more secure, but a lot more expensive and complicated.

pghcpa