You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

Some VPN clients and VPN gateway devices such as CISCO and Checkpoint support RADIUS Challenge/Response authentication mode. When a user attempts to logon, the Radius server will send a challenge code to the Radius client and prompts the user to enter the response code. To support Challenge/Response, you will need to create a logon procedure with two logon steps.

The 2-step logon process will be as below:

  1. The VPN client will ask the user to enter their static password
  2. The users enters a static password
  3. The server checks the validity of the user’s static password.
  4. If the server verifies the user's static password, then it generates a challenge code, sends it to the user, then prompts the user to enter the response.
  5. The user will use their token to generate a response code by entering the challenge code, and enters it to continue.


NOTES

If you have a logon procedure with two or more logon steps, and you place more than one authenticator (including an on-demand password in a logon step), then the order of the authenticators is significant.

As soon as the server has successfully completed one step (the user has passed the step), the server will go through the authenticator list to the next step, one by one according to their order in the list. On each authenticator, it will check if the user has a token for this type of authenticator. If the user does not have a token of this type, then the authenticator is removed from the list. 

If the first authenticator is an on-demand password, then the server will generate a password and send it out. If the first authenticator is an out of band anthentication, then the server will push out a logon request to the user's mobile phone.


Example:

A logon step has the following authenticators:

  • One-Time Password
  • On-Demand Password

User "A" has the following tokens

  • MobileID
  • T-Pass

User "B" has the following tokens:

  • MobileID

User "C" has the following tokens:

  • T-Pass

For User "A", the server will NOT send on-demand password, as the user has a MobileID which is listed to be preferred over T-Pass.

For User "B", the server will NOT send on-demand password, as there is no such token at all.

For User "C", the server WILL send on-demand password, as the user does not have MobileID but has the T-Pass.

  • No labels