When a user accesses resources located behind a Clavister firewall, security can be further strengthened by using multi-factor authentication. This is also sometimes referred to as 2-factor authentication or 2-step authentication. The first factor is usually a conventional username and password credential combination. The other factor is typically a multi-character code which is sometimes referred to as a one-time password (OTP).
Multi-Factor Support is Automatic
By default, cOS Core provides automatic support for multi-factor authentication: it recognizes a RADIUS Access-Challenge message and displays a special webpage requesting that an additional code is entered. This webpage is predefined in cOS Core and has the Banner File name LoginChallenge. The code that the user enters might be sent to the user at the time of authentication by the RADIUS server, perhaps using SMS or email. Alternatively, the code might be generated by the user with a code generation application which has been previously synchronized with the server.
The PhenixID Authentication Server (PAS) software product is an example of a RADIUS server that provides multi-factor capabilities (PhenixID is a Clavister subsidiary).
Mobile VPN IPsec clients are also supported by multi-factor authentication when using the following authentication methods:
IKEv1 with XAuth.
IKEv2 with EAP.
Clavister's own OneConnect client is an example of a VPN client that supports multi-factor authentication. It is discussed further in Section 11.7, OneConnect VPN.
Multi-Factor Processing Sequence
The sequence of processing for multi-factor authentication with cOS Core is as follows:
Authentication is set up as normal using authentication rules and suitable IP rule set entries.
The authentication source in the authentication rule that triggers will be an external RADIUS server that has been configured to perform multi-factor authentication, for example a PhenixID Authentication Server (PAS).
A user tries to access resources through the Clavister firewall. They are presented with a standard cOS Core login challenge page and they enter their credentials.
cOS Core now sends these credentials to the RADIUS server for authentication in a RADIUS Access-Request message.
In multi-factor authentication, the RADIUS server will do two things:
It informs cOS Core that multi-factor authentication must be used by sending back a RADIUS Access-Challenge message.
As mentioned previously, the server may also take an additional action for multi-factor authentication, such as sending a one-time code to the user. If the RADIUS server used is the PhenixID Authentication Server (PAS) product, a variety of such multi-factor methods are available.
The diagram below illustrates all the steps up to this point. In this diagram, it is assumed that the RADIUS server sends an SMS message with a one-time code to the user's smartphone.
The process now completes with the following steps:
The user enters the code they receive or generate themselves, and cOS Core relays the entered code to the RADIUS server in another Access-Request message.
The RADIUS server verifies the code. If the user is authenticated then an Access-Accept is sent back to cOS Core and the client is given access to protected resources. If it is not verified, the server sends back an Access-Reject message and access is denied by cOS Core.
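The exchange described in the steps above, as an added example that is not cOS Core's, PhenixID's or any RADIUS vendor's code: a minimal RADIUS NAS (the firewall's role) and a multi-factor RADIUS server in Python, using the RFC 2865 packet format. It shows the first Access-Request, the Access-Challenge carrying a State attribute and a Reply-Message, the second Access-Request that carries the one-time code and echoes State, and the final Access-Accept or Access-Reject; the user name, password, one-time code and shared secret are constructed sample values.

```python
import hashlib, os, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11   # RFC 2865 codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24                  # RFC 2865 attribute types
SECRET = b"constructed-shared-secret"              # constructed sample value, shared by NAS and server
USERS = {b"alice": (b"correct horse", b"492113")}  # constructed: user -> (password, OTP the server expects)
PENDING = {}                                       # server side: State value -> (user, expected OTP)

def xor_password(data, secret, auth, decrypt=False):   # RFC 2865 5.2 User-Password hiding (chained MD5 XOR)
    data, out, prev = data.ljust(-(-len(data) // 16) * 16, b"\0"), b"", auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        res = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + res, (block if decrypt else res)   # the chain always runs over ciphertext
    return out.rstrip(b"\0") if decrypt else out
def build(code, ident, authenticator, attrs):     # Code | Identifier | Length | Authenticator | TLV attributes
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body
def parse(pkt):                                   # -> (code, ident, authenticator, {attr type: value})
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:
        attrs[pkt[pos]] = pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]
    return code, ident, pkt[4:20], attrs
def resp_auth(pkt, req_auth):                     # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)
    return hashlib.md5(pkt[:4] + req_auth + pkt[20:] + SECRET).digest()
def respond(code, ident, req_auth, attrs):
    pkt = build(code, ident, req_auth, attrs)
    return pkt[:4] + resp_auth(pkt, req_auth) + pkt[20:]

def radius_server(pkt):                           # the multi-factor RADIUS server (PAS stands in this role)
    code, ident, req_auth, a = parse(pkt)
    user, pw = a.get(USER_NAME), xor_password(a.get(USER_PASSWORD, b""), SECRET, req_auth, decrypt=True)
    if STATE not in a:                            # round 1: username + password
        if user in USERS and pw == USERS[user][0]:
            state = os.urandom(8); PENDING[state] = (user, USERS[user][1])   # a real server would now send the OTP
            return respond(ACCESS_CHALLENGE, ident, req_auth, [(STATE, state), (REPLY_MESSAGE, b"Enter one-time code")])
    elif PENDING.pop(a[STATE], None) == (user, pw):   # round 2: OTP in User-Password, State echoed; one try per State
        return respond(ACCESS_ACCEPT, ident, req_auth, [])
    return respond(ACCESS_REJECT, ident, req_auth, [])
def nas_round(ident, user, value, extra=()):      # the firewall: build Access-Request, "send" it, verify the reply
    auth = os.urandom(16)
    attrs = [(USER_NAME, user), (USER_PASSWORD, xor_password(value, SECRET, auth))] + list(extra)
    reply = radius_server(build(ACCESS_REQUEST, ident, auth, attrs))
    return parse(reply) if reply[4:20] == resp_auth(reply, auth) else None   # None: reply failed verification
def nas_login(user, password, otp):               # returns the final RADIUS code, or None on a bad Response Authenticator
    first = nas_round(1, user, password)
    if first is None or first[0] != ACCESS_CHALLENGE:
        return None if first is None else first[0]
    second = nas_round(2, user, otp, [(STATE, first[3][STATE])])   # State lets the server pair the two rounds
    return None if second is None else second[0]
```

The NAS only accepts a reply whose Response Authenticator verifies under the shared secret, and the server discards a State value after one use, so a captured Access-Challenge cannot be replayed to obtain a second attempt.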
Notes on Multi-Factor Authentication
Some points to note about setting up multi-factor authentication with cOS Core are the following:
The same cOS Core setup is used whether the challenge code is generated by a local code generating device such as the RSA SecurID™ product or a RADIUS server causes it to be sent to the user.
No extra configuration is required in cOS Core. However, if the banner file LoginChallenge is used in the challenge process, it may need to be edited to display the appropriate text. This is discussed further in Section 10.3, Customizing Authentication HTML.
The administrator must configure the RADIUS server appropriately and the server's documentation should be consulted on how to do this.
If the RADIUS server causes a code to be sent to the user, this is independent of cOS Core. Various third party solutions are available to generate this code.