Some VPN clients and VPN gateway devices, such as CISCO and Checkpoint, support RADIUS Challenge/Response authentication mode. When a user attempts to log on, the RADIUS server sends a challenge code to the RADIUS client and prompts the user to enter the response code. To support Challenge/Response, you will need to create a logon procedure with two logon steps.

DualShield supports RADIUS Challenge/Response in two modes, native and pseudo, depending on the type of authenticators to be used.

Native Challenge/Response

DualShield provides authenticator tokens that natively support challenge/response (such as Deepnet MobileID and GridID). To implement RADIUS challenge/response with such tokens, you will create a logon procedure with two logon steps.

In the first logon step, you would normally place the Static Password. 

In the second logon step, you would place the authenticator to be used and you must select the "Challenge & Response" option in the logon step.

With the two-step logon procedure above, the logon process is as follows:

  1. The VPN client asks the user to enter their static password.
  2. The user enters the static password.
  3. The server checks the validity of the user's static password.
  4. If the server verifies the user's static password, it generates a challenge code, sends it to the user, and prompts the user to enter the response.
  5. The user enters the challenge code into their token to generate a response code, and enters the response code to continue.

...

If the authenticator token to be used does not support challenge/response (such as Deepnet SafeID and T-Pass), DualShield can still support RADIUS challenge/response mode. In this mode, you will create a logon procedure with two logon steps. In the first logon step, you would normally place the Static Password. In the second logon step, you would place a token authenticator.

The pseudo challenge/response logon procedure is typically used for on-demand passwords such as T-Pass. With the logon procedure above, the logon process is as follows:

  1. The VPN client asks the user to enter their static password.
  2. The user enters the static password.
  3. The server checks the validity of the user's static password.
  4. If the server verifies the user's static password, it generates an on-demand password, sends it to the user, and prompts the user to enter the password.
  5. The user receives the on-demand password and enters it to continue.


NOTES

If you have a logon procedure with two or more logon steps, and you place more than one authenticator (including an on-demand password) in a logon step, then the order of the authenticators is significant.

...

If the first authenticator is an on-demand password, then the server will generate a password and send it out. If the first authenticator is an out-of-band authentication, then the server will push a logon request to the user's mobile phone.


Example:

A logon step has the following authenticators:

...