DualShield integrates with VPN appliances via RADIUS to add two-factor authentication to VPN logins. Therefore, for VPN integration, we need to build a RADIUS application.

If you are new to DualShield, then you might want to first refer to the general instruction on how to build an application in DualShield.

Complete the following steps to build an application for VPN integration.

Create RADIUS logon procedure

Before an application can be created, a logon procedure must be created first.

In the Admin Console, in the side panel, select "Authentication | Logon Procedure"

Click the "CREATE" button on the toolbar

In the "Name" field, enter a name for this new logon procedure, e.g. "Office 365"

In the "Type" field, select the type of the logon procedure from the drop list, e.g. "Web SSO"

Click the "SAVE" button to save it.


Now that a new logon procedure is created, you want to add logon steps.

To add logon steps to a logon procedure or to change logon steps, firstly navigate to the logon procedure.

Navigate to Authentication | Logon Procedures

Click the context menu icon "..." of the logon procedure to be edited, e.g. "Office 365"

Select "Logon Steps" to bring up the logon steps editor

To add a logon step, click the "ADD" button

Select the one or multiple authentication methods that you want to add to this step, e.g. "One-Time Password"

Click the "SAVE" button to save it

You can change the order of the steps by clicking the "UP" and "DOWN" buttons.

The type of logon procedure for VPN integration must be RADIUS.

Once a logon procedure has been created, you need to add logon steps into the newly created logon procedure. Depending on the VPN system and the authenticators to be used, you have two options: one-step logon and two-step logon.


Traditional VPN clients do not support two-factor authentication. In order to provide two-factor authentication without changing the VPN client, the common practice is to concatenate the passwords from both factors, i.e. the Account Password (Static Password) and the One-Time Password (OTP), to form a new kind of password called a "passcode". DualShield provides and supports the following types of passcodes:
  • Static Password
  • One-Time Password
  • One-Time Password + Static Password
  • Static Password + One-Time Password

For instance, if the user's Static Password is "mypass" and the One-Time Password is "123456", then the passcode entered into the VPN client can be one of the following:

  • mypass
  • 123456
  • 123456mypass
  • mypass123456
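The server side of the passcode scheme above, as an added example that is not DualShield's own code: before either factor can be checked, a concatenated passcode has to be split back into its static and one-time parts according to the configured passcode type. It assumes a six-digit OTP and uses a constructed user record in place of the directory and token lookups.

```python
# Added example (not DualShield's code): splitting and verifying the four
# passcode forms. Assumes a 6-digit OTP; the user record is constructed.
import hmac

OTP_LEN = 6  # assumption: OTP is six digits, as in the page's example

def split_passcode(passcode: str, passcode_type: str, otp_len: int = OTP_LEN):
    """Return (static_password, otp); a component the type omits is None."""
    if passcode_type == "static":
        return passcode, None
    if passcode_type == "otp":
        return None, passcode
    if len(passcode) <= otp_len:
        raise ValueError("passcode too short to contain both factors")
    if passcode_type == "otp+static":          # OTP first:  123456mypass
        return passcode[otp_len:], passcode[:otp_len]
    if passcode_type == "static+otp":          # OTP last:   mypass123456
        return passcode[:-otp_len], passcode[-otp_len:]
    raise ValueError(f"unknown passcode type {passcode_type!r}")

# Constructed user record standing in for the directory bind and the token.
USER = {"static_password": "mypass", "current_otp": "123456"}

def verify_passcode(passcode: str, passcode_type: str, user=USER) -> bool:
    """Verify every factor the passcode type contains; reject malformed input."""
    try:
        static, otp = split_passcode(passcode, passcode_type)
    except ValueError:
        return False
    if static is not None and not hmac.compare_digest(static, user["static_password"]):
        return False
    if otp is not None:
        # The OTP slice must look like an OTP; this catches a passcode entered
        # in the wrong order (e.g. "mypass123456" under "otp+static").
        if not otp.isdigit() or not hmac.compare_digest(otp, user["current_otp"]):
            return False
    return True
```

The order-sensitive forms only work when the server knows the OTP length in advance, which is why the passcode type is fixed per application rather than guessed per login.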

To provide One-Step Logon, you will create a logon procedure with only one logon step.

If you are planning to use an on-demand password, e.g. Deepnet T-Pass, then you should consider deploying a Two-Step logon procedure. However, if you must use the on-demand password in a One-Step logon procedure because your VPN system does not support Challenge/Response, then please refer to Appendix A.


NOTES

CHAP and MS-CHAP v2 are not supported when the passcode contains the AD password (Static Password): with these protocols the server receives a hash derived from the password rather than the password itself, so it cannot extract the AD password from the passcode and verify it against the directory. In other words, if the User Directory or Identity Source of a VPN application is an external AD or LDAP server, and the passcode is "Static Password", "One-Time Password + Static Password" or "Static Password + One-Time Password", then CHAP and MS-CHAP v2 cannot be supported.

If you have to use CHAP or MS-CHAP v2, then either the passcode must not include the AD password, or the User Directory or Identity Source of the VPN application must be one created in the internal SQL server.


The majority of mainstream VPN products, such as Cisco and Check Point, support the RADIUS Challenge/Response authentication mode. We can utilize this feature to implement a two-step verification process for VPN logins.

The 2-step logon process will be as below:

  1. Step 1: The VPN client asks the user to enter their 1st credential, e.g. static password.
  2. Step 1: The user enters their 1st credential.
  3. The server checks the validity of the user's 1st credential.
  4. Step 2: If the server has successfully verified the user's static password, it prompts the user to enter the 2nd credential, e.g. one-time password.
  5. Step 2: The user enters their 2nd credential.
  6. The server checks the validity of the user's 2nd credential.

To provide Two-Step Logon, you will need to create a logon procedure with two logon steps.
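The Challenge/Response exchange behind the two-step logon, as an added example that is not DualShield's or any VPN vendor's code. Packets are plain dicts carrying the relevant RADIUS attribute names; the credentials are constructed, and RADIUS framing, the shared-secret authenticator and User-Password obfuscation (RFC 2865) are left out so only the state handling is shown.

```python
# Added example (not DualShield's code): a minimal RADIUS Challenge/Response
# server for the two-step logon. Step 1 checks the static password and answers
# with Access-Challenge plus an opaque State; step 2 checks the OTP against that
# State. Real RADIUS framing and shared-secret handling are omitted on purpose.
import hmac
import secrets

# Constructed user records: static password for step 1, current OTP for step 2.
USERS = {"alice": {"static_password": "mypass", "current_otp": "123456"}}

class TwoStepRadiusServer:
    def __init__(self, users=USERS):
        self.users = users
        self.pending = {}  # State value -> username that passed step 1

    def handle(self, request: dict) -> dict:
        """Handle one Access-Request; return Access-Challenge/Accept/Reject."""
        username = request.get("User-Name")
        user = self.users.get(username)
        pw = request.get("User-Password", "")
        state = request.get("State")
        if state is None:                         # step 1: static password
            if user and hmac.compare_digest(pw, user["static_password"]):
                state = secrets.token_hex(16)     # single-use challenge handle
                self.pending[state] = username
                return {"code": "Access-Challenge", "State": state,
                        "Reply-Message": "Enter your one-time password"}
            return {"code": "Access-Reject"}
        # step 2: State must belong to a live challenge issued to this same user.
        # pop() makes every State single-use, whether the OTP is right or wrong.
        owner = self.pending.pop(state, None)
        if owner is None or owner != username:
            return {"code": "Access-Reject"}
        if hmac.compare_digest(pw, user["current_otp"]):
            return {"code": "Access-Accept"}
        return {"code": "Access-Reject"}

def two_step_login(server, username, static_password, otp) -> str:
    """Drive the exchange the way a VPN gateway would; return the final code."""
    first = server.handle({"User-Name": username, "User-Password": static_password})
    if first["code"] != "Access-Challenge":
        return first["code"]              # step 1 failed: no second prompt
    second = server.handle({"User-Name": username, "User-Password": otp,
                            "State": first["State"]})
    return second["code"]
```

The gateway must echo the State attribute from the Access-Challenge unchanged in the second Access-Request; a VPN system that cannot do this is one that "does not support Challenge/Response" in the sense used above.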


NOTES

If you have a logon procedure with two or more logon steps, and you place more than one authenticator in a logon step (including an on-demand password), then the order of the authenticators is significant.

As soon as the server has successfully completed one step (the user has passed it), it moves on to the next step and goes through that step's authenticator list one by one, in the order listed. For each authenticator, it checks whether the user has a token of that type. If the user does not have a token of this type, then the authenticator is removed from the list.

If the first remaining authenticator is an on-demand password, then the server will generate a password and send it out. If the first remaining authenticator is an out-of-band authentication, then the server will push a logon request to the user's mobile phone.


Example:

A logon step has the following authenticators:

  • One-Time Password
  • On-Demand Password

User "A" has the following tokens

  • MobileID
  • T-Pass

User "B" has the following tokens:

  • MobileID

User "C" has the following tokens:

  • T-Pass

For User "A", the server will NOT send an on-demand password: the user has a MobileID, and One-Time Password is listed before On-Demand Password, so it is preferred over T-Pass.

For User "B", the server will NOT send on-demand password, as there is no such token at all.

For User "C", the server WILL send on-demand password, as the user does not have MobileID but has the T-Pass.
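The ordering rule applied to users "A", "B" and "C", as an added example that is not DualShield's own code. Which token type satisfies which authenticator is an assumption taken from the example above (MobileID for One-Time Password, T-Pass for On-Demand Password); the function also shows what changes when the two authenticators are listed in the opposite order.

```python
# Added example (not DualShield's code): selecting the authenticator for a
# logon step by walking the step's list in order and keeping the first one
# the user holds a token for. The authenticator -> token mapping is assumed.
from typing import Optional

# Assumed mapping: which token types can satisfy each authenticator.
TOKEN_TYPES_FOR = {
    "One-Time Password": {"MobileID"},
    "On-Demand Password": {"T-Pass"},
    "Out-of-Band Authentication": {"MobileID"},
}

def select_authenticator(step: list, user_tokens: set) -> Optional[str]:
    """Return the first authenticator in `step` that the user has a token for.
    Authenticators the user has no token for are effectively dropped."""
    for authenticator in step:
        if user_tokens & TOKEN_TYPES_FOR.get(authenticator, set()):
            return authenticator
    return None  # the user cannot complete this step at all

def plan_step(step: list, user_tokens: set) -> dict:
    """Decide what the server does on entering the step: which authenticator
    applies, and whether that triggers an on-demand send or a push request."""
    chosen = select_authenticator(step, user_tokens)
    return {
        "authenticator": chosen,
        "sends_on_demand": chosen == "On-Demand Password",
        "pushes_request": chosen == "Out-of-Band Authentication",
    }

# The step and users from the example above (constructed).
STEP = ["One-Time Password", "On-Demand Password"]
USERS = {"A": {"MobileID", "T-Pass"}, "B": {"MobileID"}, "C": {"T-Pass"}}

if __name__ == "__main__":
    for name, tokens in USERS.items():
        print(name, plan_step(STEP, tokens))
```

Reversing STEP to ["On-Demand Password", "One-Time Password"] makes the server send a T-Pass to user "A" as well, which is the practical meaning of "the order of the authenticators is significant".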

Create RADIUS application

In DualShield, an application does not have a type. Therefore, creating an application for any integration is the same.

In the admin console, in the side panel, select "Authentication | Applications"

Select "CREATE" on the toolbar

Select the Realm to be linked to this application, e.g. Deep.Net

Select the Logon Procedure to be used by this application, e.g. Office 365

Click "SAVE" to save the application.



However, you must select a Logon Procedure that is of the type of RADIUS. In the example below, "VPN" is a RADIUS logon procedure.



Publish RADIUS application

Generally, an application has to be published before it can be accessible by users.

To publish an application on an authentication agent, first navigate to the application list by selecting "Authentication | Applications" in the side panel

Click the context menu icon "..." of the application, e.g. "Office 365", to access its context menu

Select "Agents" in the context menu

Select the authentication agent on which the application is to be published, e.g. "Single-Sign-on Server"

Click "SAVE" button to save settings


A RADIUS application has to be published on one or many RADIUS agents/servers.


