When a roaming client tries to access resources located behind a Clavister firewall, RADIUS-based authentication can be strengthened by using multi-factor authentication. This is sometimes also referred to as 2-factor or 2-step authentication. The first factor is usually a conventional username and password combination. The other factor is typically a multi-character code, often referred to as a one-time password (OTP).
Multi-Factor Support is Automatic
By default, cOS Stream supports multi-factor authentication automatically: it recognizes a RADIUS Access-Challenge message and requires the authenticating client to provide an additional code. The code that the client returns might be sent to the user at the time of authentication by the RADIUS server, perhaps using SMS or email. Alternatively, the code might be generated by the user with a code generation application that has previously been synchronized with the server. The PhenixID Authentication Server (PAS) product is an example of a RADIUS server that provides these multi-factor capabilities (PhenixID is a Clavister subsidiary). See the separate PhenixID documentation for a description of how to set up different multi-factor RADIUS authentication scenarios.
Multi-Factor Processing Sequence
The sequence of processing for multi-factor authentication with cOS Stream is as follows:
Authentication is set up as normal using authentication profiles and suitable entries created in the main IP rule set. The authentication method in the authentication profile that triggers is an external RADIUS server that has been configured to perform multi-factor authentication, for example a PhenixID Authentication Server.
A client tries to access resources through the Clavister firewall and is required to authenticate.
The client returns its basic access credentials, typically a username and password.
cOS Stream sends these credentials to the RADIUS server for authentication in a RADIUS Access-Request message.
In multi-factor authentication, the RADIUS server does two things:
It informs cOS Stream that multi-factor authentication must be used by sending back a RADIUS Access-Challenge message.
As mentioned previously, it may also need to take an additional action for multi-factor authentication, such as sending a one-time code to the user. Alternatively, the user may be able to generate this code themselves.
The diagram below illustrates all the steps up to this point. In this diagram, it is assumed that the RADIUS server sends an SMS message with a one-time code to the user's smartphone.
The process now completes with the following steps:
The client returns the requested code and cOS Stream relays this to the RADIUS server in another Access-Request message.
The RADIUS server verifies the code. If the code is valid, an Access-Accept is sent back to cOS Stream and the client is given access to the requested resources. If it is not valid, the server sends back an Access-Reject message and cOS Stream denies access.
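The exchange described in the steps above, as an added Python simulation that is not cOS Stream or PhenixID code: the server answers the first Access-Request with an Access-Challenge carrying a State attribute, the firewall-side relay forwards the prompt to the client and echoes that State in the second Access-Request (as RFC 2865 requires, so the server can bind the one-time code to the password that was already checked), and the server treats each State as single-use. Code delivery (SMS/email) is replaced by a callback, the authenticator is zeroed and User-Password is sent unobfuscated to keep the demo short; the users and codes are constructed.

```python
import secrets

# Constructed demo of the RADIUS multi-factor exchange (not cOS Stream or PhenixID code).
# Packet codes and attribute types are those defined in RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

def encode(code, ident, attrs):
    """Header (code, id, length, 16-byte authenticator, zeroed here) + type-length-value attributes."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return bytes([code, ident]) + (20 + len(body)).to_bytes(2, "big") + bytes(16) + body

def decode(pkt):
    """Return (code, identifier, {attribute type: value}) for an encoded packet."""
    code, ident, length, attrs, pos = pkt[0], pkt[1], int.from_bytes(pkt[2:4], "big"), {}, 20
    while pos < length:
        attrs[pkt[pos]] = pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]
    return code, ident, attrs

class MfaRadiusServer:
    """Simulated server: checks the password, challenges for a one-time code, binds both via State."""
    def __init__(self, users, deliver):
        self.users, self.deliver, self.pending = users, deliver, {}  # deliver() stands in for SMS/email

    def handle(self, request):
        code, ident, attrs = decode(request)
        user = attrs.get(USER_NAME, b"").decode()
        secret = attrs.get(USER_PASSWORD, b"").decode()
        if STATE not in attrs:                                  # first factor: username + password
            if self.users.get(user) != secret:
                return encode(ACCESS_REJECT, ident, [])
            state, otp = secrets.token_bytes(8), f"{secrets.randbelow(10**6):06d}"
            self.pending[state] = (user, otp)                   # remember which user this State is for
            self.deliver(user, otp)                             # "send" the one-time code to the user
            return encode(ACCESS_CHALLENGE, ident, [(STATE, state), (REPLY_MESSAGE, b"Enter one-time code")])
        expected = self.pending.pop(attrs[STATE], None)         # second factor: State is single-use
        ok = expected is not None and expected == (user, secret)
        return encode(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, [])

def firewall_login(server, user, password, ask_user):
    """Firewall-side relay: send first factor, forward any challenge to the client, echo State back."""
    request = encode(ACCESS_REQUEST, 1, [(USER_NAME, user.encode()), (USER_PASSWORD, password.encode())])
    code, _, attrs = decode(server.handle(request))
    if code == ACCESS_CHALLENGE:                                # server asks for a second factor
        otp = ask_user(attrs.get(REPLY_MESSAGE, b"").decode())
        request = encode(ACCESS_REQUEST, 2, [(USER_NAME, user.encode()),
                                             (USER_PASSWORD, otp.encode()), (STATE, attrs[STATE])])
        code, _, _ = decode(server.handle(request))
    return code == ACCESS_ACCEPT                                # True only after Access-Accept
```

A relay that drops the State attribute, or a server that does not check it, would break the binding between the two steps; the last assertion in the test shows the server rejecting a second-factor request whose State it never issued.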
Notes on Multi-Factor Authentication
The following points should be noted about setting up multi-factor authentication with cOS Stream:
The multi-factor feature does not need to be enabled in cOS Stream. Requests for extra login factors sent back from RADIUS servers are automatically forwarded to clients.
The code that answers the challenge can be generated by a local code-generating method (such as RSA SecurID™) or the RADIUS server can cause the code to be sent to the user.
The RADIUS server must be configured appropriately and the server's documentation should be consulted on how to do this.
When the RADIUS server causes a code to be sent to the user, this is done independently of the firewall. Various third-party solutions are available to generate and deliver this code, and they are not discussed further in this document.