Active Directory
Vyacheslav, 2015-10-17 09:28:51

How to set up authentication in an AD domain using Em-Marine (Bolid) cards?

The task:
Several dispatchers work in shifts on one computer and log in to the domain under their own accounts Disp1, Disp2, Disp3.
A Bolid access control system (ACS) is installed in the building; access to the rooms is by Em-Marine cards.
We need to set up access (authentication in the domain) for users by means of these cards. In other words, the dispatcher walks up, taps the card, and the computer unlocks.
For this purpose a Proxy-USB-МА USB reader was purchased; the reader reads 5 bytes from the card and appends Enter to them (it emulates a keyboard). In principle, this level of security is acceptable (ACS + cameras everywhere + minimal privileges), but the users complain that typing the login by hand is inconvenient.
Is there a way to not touch the user's keyboard at all and authenticate with the domain?
PS: Yes, I know that the correct way is cards with Aladdin + certificate server + CA, but that means money, other readers and separate cards for the ACS and for the domain, whereas we need to go everywhere with one card.

4 answer(s)
Nikolai Korabelnikov, 2015-10-18
@nmk2002

The RFID card can only be used for identification purposes. Do not authenticate users based solely on the provided ID.
I have not had to work with RFID readers that emulate a keyboard. Can you explain what exactly they do: do they emulate typing 5 bytes on a keyboard + Enter? What can be in these 5 bytes?
Theoretically, if I understand correctly how the readers work, you can:
Set each user's password equal to the same 5 bytes that are on their card, and they will only have to enter / select a login and present the card.
This cannot be called authentication, but rather authentication bypass.

DNMit, 2015-10-18
@DNMit

The idea is cool, but IMHO very expensive: each reader costs from 1500 rubles. Quite an expensive pleasure; if I were the director, I would never do this, although... all the leaders are different, and quite often there are outright paranoids who are willing to pay for it.

Victor Ganeles, 2015-10-22
@Ghool

And the car - IMHO - some kind of G, in appearance, as from the 90s.
I was especially pleased that when you enter the system there is no login at all - only a password.
And when changing the password, if you enter an already "taken" password - the system directly says "this password belongs to the user Ivanov Ivan Ivanovich"

Alex, 2018-04-23
@asilonos

You can,
www.rohos.ru/2017/10/windows-logon-rfid-hitag-inda...
The program can completely replace the login with an Em Card. Either Card + PIN or Card + Windows Password. Works in Active Directory.
But you can only use RFID readers that transfer card data via USB. But through the keyboard and 5 characters, this is already a security hole. It is not recommended to use it this way.
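
The split between identification by card and authentication by a second factor (the "Card + PIN" mode mentioned above), as an added sketch that is not code from this thread or from any product named in it. Assumptions: the reader types the 5 bytes as 10 hex characters followed by Enter (the thread does not say how they are encoded), and `CardLogon`, `parse_wedge_line`, the sample card ID, the PIN and the lockout threshold are hypothetical.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3  # constructed lockout threshold

def parse_wedge_line(line: str) -> bytes:
    """Decode what the reader 'types'. Assumed: 10 hex chars, then Enter."""
    text = line.strip()
    if len(text) != 10:
        raise ValueError("expected 5 bytes as 10 hex characters")
    return bytes.fromhex(text)  # raises ValueError on non-hex input

def _pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class CardLogon:
    """The card ID selects the account; only the PIN authenticates it."""
    def __init__(self):
        self._cards = {}  # 5-byte card ID -> enrollment record

    def enroll(self, card_id: bytes, username: str, pin: str) -> None:
        salt = os.urandom(16)
        self._cards[card_id] = {"user": username, "salt": salt,
                                "hash": _pin_hash(pin, salt), "fails": 0}

    def identify(self, card_id: bytes):
        """Identification only: fills in the login name, grants nothing."""
        rec = self._cards.get(card_id)
        return rec["user"] if rec else None

    def authenticate(self, card_id: bytes, pin: str):
        rec = self._cards.get(card_id)
        if rec is None:
            _pin_hash(pin, bytes(16))  # same work for unknown cards
            return None
        if rec["fails"] >= MAX_FAILURES:
            return None  # locked; resetting the counter is out of scope here
        if hmac.compare_digest(_pin_hash(pin, rec["salt"]), rec["hash"]):
            rec["fails"] = 0
            return rec["user"]
        rec["fails"] += 1
        return None

if __name__ == "__main__":
    logon = CardLogon()
    card = parse_wedge_line("0A1B2C3D4E\n")  # constructed card ID
    logon.enroll(card, "Disp1", "4821")      # constructed PIN
    print(logon.identify(card), logon.authenticate(card, "4821"))
```

The card tap removes the manual login entry the dispatchers complain about, while the session itself is only granted after the PIN check.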
