topic Re: Two factor authentication in SASE and Remote Access

Two factor authentication

Oscar_David_Gom — Thu, 12 Sep 2019 14:52:08 GMT

Hi,

I need a little help. I want to apply a second authenticaiton factor to my C2S connections, actually the users connects to de VPN by Endpoint security VPN, they use their credentials from AD, now I want to set up a second factor using a RADIUS server that generates a token. Lets illustrate my scenario:

Scenario

So the thing I want and hope is, Client communicates with FW, FW asks AD server for identities, then FW asks RADIUS for token and thats it, so what I configured is this:

Configure a new multiple options, first username, then RADIUS

1st factor configuration

2nd factor configuration

AND! is not working, after authenticate with AD, it asks for a user, I thought it was the token but wasn't, dont know if this is the correct configuration, can you help me on how to start the troubleshooting?

I read that there is some configuration that let me use pass+token, but i cant make it works, or maybe configure.

Thanks in advance.

Re: Two factor authentication

Nüüül — Thu, 12 Sep 2019 14:59:05 GMT

Hi,

so the vpn client is asking 1st for username and password, than for username and token/otp?

What solution do you use there? Where does that get it´s users, from AD? Do you see unsuccessful logins on the Radius Server?

is the Gateway defined as Radius Client on the server?

Are you able to authenticate with otp using tools like NTRadping on your local machine?

Daniel

Re: Two factor authentication

Oscar_David_Gom — Thu, 12 Sep 2019 15:26:34 GMT

so the vpn client is asking 1st for username and password, than for username and token/otp?

Asking for user/pass, then for a user, no more.

What solution do you use there? Where does that get it´s users, from AD? Do you see unsuccessful logins on the Radius Server?

A solution from NetIQ.

If you're talking about where the fw gets users, from AD, the Radius is just for generate the OTP, it should be getting users from de AD?

Cannot confirm at this moment the logins on radius server

is the Gateway defined as Radius Client on the server?

AFAIK, yes.

Are you able to authenticate with otp using tools like NTRadping on your local machine?

No response.

Thanks

Re: Two factor authentication

Nüüül — Thu, 12 Sep 2019 16:22:03 GMT

Ok, when you then just enter the username again, you might get asked for the OTP, or something?

At NetIQ you have to configure a user store (they call it repository) to bind i.e. a token to a particular user. otherwise the solution cannot validate the token you entered. In most cases this solutions are using the Active Directory too. yes.

As I read, NetIQ is Linux based, you might want to check the logs mentioned here:

https://www.netiq.com/documentation/advanced-authentication-62/install-upgrade-guide/data/t45y9mnldg39.html

or here:

https://www.netiq.com/documentation/advanced-authentication-62/helpdesk-administrator-guide/data/monitoring_user_report.html

if you get any failed requests.

Are you able to check if Config on NetIQ is OK?

https://www.netiq.com/documentation/advanced-authentication-62/server-administrator-guide/data/t43991ne372u.html (yes it is saying fortinet, but that should not be that important here) check point should be defined here as Radius Client. Doublecheck the Pre Shared Key/Secret. if this is incorrect, authentication fails too.

Re: Two factor authentication

Oscar_David_Gom — Thu, 12 Sep 2019 18:32:50 GMT

Ok, when you then just enter the username again, you might get asked for the OTP, or something?

No, it just says, wrong username or pass. From this point, what you're saying about bind a user with a token from NetIQ is a very very posible reason, let me check that.

THANKS