The majority of mainstream VPN products, such as Cisco and Checkpoint, support RADIUS Challenge/Response authentication mode. When a user attempts to log on, the RADIUS server sends a challenge code to the RADIUS client and prompts the user to enter the response code. We can utilize this feature to implement a two-step verification process for VPN logins.
The 2-step logon process will be as below:
- Step 1: The VPN client will ask the user to enter their 1st credential, e.g. static password.
- The user enters their 1st credential.
- The server checks the validity of the user’s 1st credential.
- Step 2: If the server successfully verified the user's static password, then it will prompt the user to enter the 2nd credential, e.g. one-time password.
- The user enters their 2nd credential.
- The server checks the validity of the user’s 2nd credential.
To provide Two-Step Logon, you will need to create a logon procedure with two logon steps.
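The two-step exchange above, modelled as an added example (not the product's own code): an in-memory sketch of the server side, where step 1 answers with an Access-Challenge carrying a State value and step 2 is accepted only when that State comes back. The class name, the TTL and the sample user are assumptions made for illustration; only the packet codes are taken from the RADIUS standard.

```python
import hmac
import secrets
import time

# RADIUS packet codes (RFC 2865)
ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11
STATE_TTL = 60  # seconds a pending challenge stays valid (assumed value)

# Constructed sample data; a real server keeps password hashes and token seeds.
USERS = {"alice": {"password": "s3cret-static", "otp": "492817"}}


def _eq(a, b):
    # Constant-time comparison, so timing does not reveal a partial match.
    return hmac.compare_digest(a.encode(), b.encode())


class TwoStepServer:
    """Hypothetical model of the two logon steps; not a wire-level RADIUS server."""

    def __init__(self, users, clock=time.monotonic):
        self.users, self.clock = users, clock
        self.pending = {}  # State value -> (username, expiry time)

    def handle(self, username, credential, state=None):
        """Process one Access-Request; returns (code, state, prompt)."""
        user = self.users.get(username)
        if state is None:
            # Step 1: check the 1st credential, then challenge for the 2nd.
            if user is None or not _eq(credential, user["password"]):
                return ACCESS_REJECT, None, None
            token = secrets.token_hex(16)
            self.pending[token] = (username, self.clock() + STATE_TTL)
            return ACCESS_CHALLENGE, token, "Enter one-time password:"
        # Step 2: the State must be one we issued, for this user, unexpired.
        # pop() makes it single-use, so a wrong guess forces a new step 1.
        owner, expiry = self.pending.pop(state, (None, 0))
        if user is None or owner != username or self.clock() > expiry:
            return ACCESS_REJECT, None, None
        if not _eq(credential, user["otp"]):
            return ACCESS_REJECT, None, None
        return ACCESS_ACCEPT, None, None


def demo():
    srv = TwoStepServer(USERS)
    first, state, _ = srv.handle("alice", "s3cret-static")
    final = srv.handle("alice", "492817", state)[0]
    replay = srv.handle("alice", "492817", state)[0]  # State already consumed
    forged = srv.handle("alice", "492817", "forged-state")[0]  # step 1 skipped
    return first, final, replay, forged
```

The point to check in any real deployment is the same as in the sketch: the second step must be tied to a server-issued, short-lived, single-use State, otherwise the 2nd credential could be submitted without the 1st ever having been verified.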
NOTES
If you have a logon procedure with two or more logon steps, and you place more than one authenticator (including an on-demand password) in a logon step, then the order of the authenticators is significant.
...
