VPN and RADIUS Configuration
VPN/RADIUS Authentication Overview
AuthLite has support for several arrangements of RADIUS authentication. Different situations you may encounter are described below.
Different RADIUS clients have different expectations about how the authentication will work
Different VPN tunnel types treat the password field differently
RADIUS for Username and OTP authentication (no password)
Many vendors, such as Citrix and Juniper, allow you to configure 2-factor authentication by setting up two separate authentication mechanisms. The first mechanism (usually Windows native, or LDAP) is used for the "normal" authentication to Active Directory of the username and password. The second mechanism is set to RADIUS, and pointed at an AuthLite-aware RADIUS service.
The RADIUS server will only receive the username and the OTP. In this setup, the bulk of your AD infrastructure need not even be AuthLite-aware, since the only OTP authentication point is the RADIUS service, and the other DC's just get standard username/password requests.
You can set up this configuration with IAS/NPS as your RADIUS service. Select "one factor" in the AuthLite IAS/NPS PAP settings.
RADIUS for authentication of OTP and password together
Some systems such as the Cisco VPN do not split up their authentication into two steps as above. You can use one RADIUS target to authenticate both factors at once, in several different configurations.
MS-CHAPv2 with OTP in the username field, and password in the password field. MS-CHAPv2 hashes the password field at the client, so the OTP must be sent in the username field. Supported by IAS/NPS. PPTP NOT RECOMMENDED 1
PAP with OTP in the username field, and password in the password field. Supported by IAS/NPS.
PAP with the username in the username field, and the password and OTP together in the password field. Supported by IAS/NPS.
Constraints for different authentication scenarios
There are several considerations that will constrain which authentication strategy you can use:
802.1x authentication uses PEAP between the workstation and access point, and then RADIUS with MS-CHAPv2 between the access point and the authentication server. MS-CHAPv2 hashes the password field at the client, so the OTP must be sent in the username field. Consequently, your access point won't ever see the real user names, instead it will see the OTP strings. To support 802.1x authentication you need to use IAS/NPS. Security Note2
If you are using a PPTP VPN tunnel, you must use MS-CHAPv2 authentication. MS-CHAPv2 hashes the password field at the client, so the OTP must be sent in the username field. NOT RECOMMENDED3
If the VPN (or front end) server needs to do its own policy checking or logging based on the entered username, then you won't be able to use MS-CHAPv2 because the real username is not ever sent to the VPN (or front end) server. You'll have to choose one of the PAP modes.
1 As of 2012, PPTP tunnel security using the MS-CHAPv2 protocol has been completely broken. Consider immediately changing to some more secure technology.
2 The security of industry standard 802.1x wireless authentication is not affected by the 2012 breaking of the MS-CHAPv2 protocol because the entire tunnel is independently encrypted by PEAP first.
3 As of 2012, PPTP tunnel security using the MS-CHAPv2 protocol has been completely broken. Consider immediately changing to some more secure technology.