Segui

Two-Factor Authentication

Functionality Description

With two-factor authentication, Endian VPN security is dramatically increased. Instead of just requiring a username and password, an additional piece of information is required that is generated by a token. In this case the authentication procedure is a combination of something you know (username and password) and something you have (time-based token).  This prevents unauthorized VPN access even in the event your username and password are stolen or compromised since the attacker must also have the token information to successfully authenticate.

General Description

There are a variety of tokens and token manufacturers in the field. Each of them implements their own algorithm and they all require you to implement their technology on the server-side. Most of these providers already now offer hardware solutions (i.e. physical tokens that display a code) and software solutions (e.g. smartphone applications).

Fortunately enough there is an open standard that has been defined and that can be used without having to rely on third party software licenses or hardware tokens. It is called the Time-based One-Time Password (TOTP) and has been released as RFC 6238.

User Setup

On the user side a smartphone application or any other device that is compatible to TOTP can be used. A number of compatible smartphone applications is already available. They are all available for free (other applications exist as well, this is only a short list):

Platform

Apps

Android

Google Authenticator, FreeOTP

iOS

Google Authenticator, FreeOTP

Windows Mobile

Microsoft Authenticator

In order to generate the one-time passwords, each user has to setup an account in the application. There are two ways for setting up the accounts:

  • create the account manually by copying the provided shared secret

  • taking a picture of the QR Code containing the account information from inside the application

This secret key will be used for all future logins. The application generates a new one-time password every 30 seconds – and since the algorithm is time-based this does not even require an Internet connection. In Figure 1 the interfaces of the above listed mobile applications can be seen.

Switchboard Setup

On the Switchboard side the defined algorithm will be implemented and integrated into the authentication module. To be able to achieve this the implementation must be done for two different subsystems of the Switchboard:

  • OpenVPN

  • Web Interface

Technical Implementation

OpenVPN One-Time Password Configuration

In order to use the two factor authentication, a one-time password authentication provider must be added and the provider scope must be configured to use this new provider.

In Figure 2 One-time password authentication server configuration the provider configuration for OpenVPN is shown (the configuration for IPsec L2TP and XAuth is identical). From the VPN > Authentication page a new authentication server has to be added and configured as following:

Configuration option

Value

Type

One-Time Password

User information provider

Local

Password provider

Local or any remote password provider

01A.jpg01B.png01C.png

 

Figure 1 Google Authenticator, FreeOTP and Microsoft Authenticator interfaces showing generated tokens


In this example a local password provider has been used to verify user names and passwords. However, the two-factor authentication implementation is also compatible with other password providers, e.g. RADIUS or LDAP. When used in combination with the Switchboard the user information provider field should be set to “switchboard”.

 02.png

Figure 2 One-time password authentication server configuration

After the creation of the authentication server, the OpenVPN authentication server mapping must be configured as shown in Figure 3. In this case the configured otp authentication server must be selected as backend instead of “local”.

03.png

Figure 3 OpenVPN authentication server mapping configuration

Switchboard One-time Password Configuration

The Switchboard configuration (Figure 4) is similar to the one for OpenVPN. Again it is possible to select “switchboard” or any external provider in the password provider field.

04.png

Figure 4 OTP authentication server configuration for the Switchboard

When configuring the Switchboard’s authentication server mapping it is necessary to select both “apache” and the one-time password authentication provider to make sure the system administrator can access the Switchboard’s pages just like any other Switchboard user.

User Configuration

The user configuration workflow is shown below in Figure 5.

05.png

Figure 5 User configuration workflow

Once both OpenVPN and the Switchboard have been configured to support the two-factor authentication a new field will appear in the user editor. Figure 6 shows the “One-Time Password secret” that is automatically generated. If you do not see a secret listed in the field, you can create one by clicking "Generate new secret".  This read only field contains the 80-bit shared secret for the given user that is required to synchronize the smartphone with the Switchboard.

06.png

Figure 6 VPN User editing form

It is possible to generate a new secret (invalidating a previously configured App account) and displaying the QR code to auto-configure the smartphone application (shown in Figure 7). The QR code can also be downloaded through the context-menu when clicking with the right mouse button on the image.

07.png

Figure 7 QR code to be used for app configuration

User Login

After having added a One-Time Password secret to the user the login procedure will slightly change. The user must now also provide a valid token provided by the mobile application when logging into the Switchboard. The overall process is as follows:

  1. User opens the VPN client application (Endian VPN, OpenVPN or mobile client) and prepares to login.
  2. Prior to typing the user password, the user opens the OTP application on their mobile device (links provided under "User Setup")
  3. To login, the user types their normal password with a space followed by the OTP token (password<space>OTP token) displayed on their mobile device all in the password field of the VPN client software (Example in Figure 8)

 

endian-two-factor-authentication_02.gif

Figure 8 Two-factor authentication procedure (using Endian Connect App)

Altre domande? Invia una richiesta

Commenti