On Sun, 2022-07-17 at 11:43 +0200, Harald Dunkel via FreeIPA-users wrote:
> As written before, wifi and VPN connections are established *after*
> the user logged in using information stored in the cache. I can't help
> it. Esp. I cannot support a VPN connection at boot time in a wifi
> network I have no information about.
>
> I understand that caching the user information is necessary. My
> question is, how to update this cache after the user logged in using
> the cached credentials?
>
> There are a lot of security features in FreeIPA: password policies,
> one-time-passwords, expiration dates, security tokens, etc. What am
> I supposed to tell my colleagues? Whatever you do, never change your
> password to avoid confusion?
>
> Regards
> Harri

So you're saying that your users are:

1. Authenticating to the device using a cached credential (they've already booted/authenticated on the lan)
2. Authenticating to the wifi network using a cached or provided credential
3. Authenticating to the VPN using this same cached credential.
If the password has expired everything breaks unless the protocols support password changes in an integrated manner seamlessly. I'm not sure how you'd do this.

The only reason why a cached freeipa credential is required is to provide the system with a wifi password for the home office. (Otherwise you could switch this off and have a more secure system.)

What I was alluding to was a simplified, layered approach with a clean separation of the security layers:

System boots, brings up network, brings up IPsec using RSA, user authenticates with freeipa using kerberos (if a password change is required it happens here).

OR alternatively

System boots, user authenticates using cached password, network comes up after providing password, IPsec comes up and then interaction with freeipa occurs.

Using a simple password to mediate both VPN and user access can open your organisation up to Internet based attacks as you can't disable credentials due to authentication failures and a successful authentication gives you the keys to the kingdom. This isn't a great security practice.

From a system point of view:
the PC has a degree of trust as it holds the network access credential (TPM or a smartcard could help here)
the user has a degree of trust
IPSEC is a trusted service
Kerberos freeipa is a trusted service.

Disabling split tunnelling simplifies the final picture.
_______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
