I'm setting up a VPN that needs to have clients on Linux, Windows, and Mac.
I was planning to use a PPTP client, with RADIUS to the SecurID RSA install, but I can't find any way to set up a Linux client that has PPTP/SecurID support.
What have other people done in this situation? OpenVPN? Is there a guide to setting up SecurID tokens on an OpenVPN client?
Cisco VPNs aren't really a solution here, since I need to implement it in software on the server side, but I could do a Linux-based IPsec VPN.
Any suggestions would be appreciated.
-Colin
Best Answer
The SecurID tokens aren't supported because the validation software is non-free, as far as I know. I've had a lot of fun with the yubikey hardware OTP generator for better-than-username-and-password authentication via PAM. The yubikeys are also noticeably cheaper than SecurID tokens, and don't seem to have a limited lifespan.
Specifically, I've set up ssh using the yubikey for authentication, which opens up the possibility of using ssh-based VPNs. My writeup's at http://www.teaparty.net/technotes/yubikey.html if it's of any use to you. Everything involved is GPLed or better.
I've also seen people using PAM-based authentication steps with OpenVPN, which opens the possibility of getting OpenVPN to work with the yubikey. The guys at Securix Live say they're working on a fully two-factor PAM module for the yubikey, and while I haven't been able to get it to work yet, that would give you the final piece of what you asked for.
If you do get OpenVPN working with a yubikey, do let us know - and write about it!