AuthLite Interactive Documentation
Home
Contents
CLOSE
AuthLite Interactive Documentation
Quick Start: Install and protect Domain Admins AuthLite Features Supported Tokens
How AuthLite uses YubiKeys
Installation and Upgrading
What platforms are supported? Prerequisites and Installation Linux systems MacOS machines
Configuration
Licensing AuthLite Set up User Groups
Configuring AuthLite to use your Group Pairs
Setting up the "Group for New Users"
Enforce 2-factor Logons
Use Group Policy to enforce 2-factor on Windows servers/workstations Secure Administrative Accounts with 2-factor Authentication Enforce 2-factor on File Shares using Access Control Lists (ACLs) Partial enforcement of a server (e.g. Exchange) with "Forced 2-factor Processes" Enforce non-Windows machines with "Forced 2-factor Computers" Enforce 2-factor logon to Office 365 with AuthLite LDAP logon support/enforcement
Windows Workstation (Endpoint) Protection
Offline Workstation logon with YubiKeys Offline Workstation logon with OATH tokens Zero-client two-factor workstation logons Workstation Safe mode operations
Remote Desktop
2FA over Remote Desktop Protocol 2FA with Remote Desktop Gateway / RemoteApp / RDWeb / RD Web Client
Replay Windows to support RDP and other re-authenticating protocols Replay Behavior setting VPN and RADIUS Configuration
Using IAS/NPS for RADIUS with AuthLite Microsoft VPN Client settings Wireless 802.1x Authentication DirectAccess and NetMotion Mobility XE Configure Watchguard SSL VPN with AuthLite
Active Directory Deployment Notes
Token Management
First: Configure Token Settings Provisioning Tokens Administratively
YubiKeys (Soft) OATH Tokens (Hardware) OATH Tokens OnlyKeys
User Self-Service
"Enroll in AuthLite" Windows program SET UP the Self-Service Web Portal USING the Self-Service Web Portal
View/Edit Existing Tokens Delegate Token Management Recovery Tokens Multiple OTP Tokens for the Same User Multiple users with the same OTP Token Password Operations
How to Log In
CLOSE

VPN and RADIUS Configuration

VPN/RADIUS Authentication Overview

AuthLite has support for several arrangements of RADIUS authentication. Different situations you may encounter are described below.

  • Different RADIUS clients have different expectations about how the authentication will work

  • Different VPN tunnel types treat the password field differently

RADIUS for Username and OTP authentication (no password)

Many vendors, such as Citrix and Juniper, allow you to configure 2-factor authentication by setting up two separate authentication mechanisms. The first mechanism (usually Windows native, or LDAP) is used for the "normal" authentication to Active Directory of the username and password. The second mechanism is set to RADIUS, and pointed at an AuthLite-aware RADIUS service.

The RADIUS server will only receive the username and the OTP. In this setup, the bulk of your AD infrastructure need not even be AuthLite-aware, since the only OTP authentication point is the RADIUS service, and the other DC's just get standard username/password requests.

You can set up this configuration with IAS/NPS as your RADIUS service. Select "one factor" in the AuthLite IAS/NPS PAP settings.

RADIUS for authentication of OTP and password together

Some systems such as the Cisco VPN do not split up their authentication into two steps as above. You can use one RADIUS target to authenticate both factors at once, in several different configurations.

How credentials are entered

  • MS-CHAPv2 with OTP in the username field, and password in the password field. MS-CHAPv2 hashes the password field at the client, so the OTP must be sent in the username field. Supported by IAS/NPS. PPTP NOT RECOMMENDED 1

  • PAP with OTP in the username field, and password in the password field. Supported by IAS/NPS.

  • PAP with the username in the username field, and the password and OTP together in the password  field. Supported by IAS/NPS.

Constraints for different authentication scenarios

There are several considerations that will constrain which authentication strategy you can use:

  • 802.1x authentication uses PEAP between the workstation and access point, and then RADIUS with MS-CHAPv2 between the access point and the authentication server. MS-CHAPv2 hashes the password field at the client, so the OTP must be sent in the username  field. Consequently, your access point won't ever see the real user names, instead it will see the OTP strings. To support 802.1x authentication you need to use IAS/NPS. Security Note2

  • If you are using a PPTP VPN tunnel, you must use MS-CHAPv2 authentication. MS-CHAPv2 hashes the password field at the client, so the OTP must be sent in the username field. NOT RECOMMENDED3

  • If the VPN (or front end) server needs to do its own policy checking or logging based on the entered username, then you won't be able to use MS-CHAPv2 because the real username is not ever sent to the VPN (or front end) server. You'll have to choose one of the PAP modes.

1   As of 2012, PPTP tunnel security using the MS-CHAPv2 protocol has been completely broken. Consider immediately changing to some more secure technology.

2   The security of industry standard 802.1x wireless authentication is not affected by the 2012 breaking of the MS-CHAPv2 protocol because the entire tunnel is independently encrypted by PEAP first.

3   As of 2012, PPTP tunnel security using the MS-CHAPv2 protocol has been completely broken. Consider immediately changing to some more secure technology.

Next Steps: