05-03-2013 09:22 AM
I am trying to get multi-factor authentication working for VIA. The goal is either 1) concatenate the domain user's password and the one-time security code generated by Symantec VIP (similar to RSA SecurID), or 2) the VIA client prompts the user to enter name, password and security code in the dialog box. Has anyone set up Symantec VIP for any Aruba product?
The initial setup as per Symantec's advice was to setup its gateway server as a RADIUS authentication server. For testing purposes, I configured this server for a WLAN VAP that used Captive Portal for authentication. I was able to authenticate by passing the one-time security code along with my username, thus the communication via RADIUS worked. I tried to port the same authentication server for VIA authentication, but it completely fails.
So I seek help troubleshooting why it doesn't work with VIA and need guidance on further configuration to be able to authenticate the user by prompting for AD password and this one-time security code.
05-03-2013 09:44 AM
To use the Symantec server (or other token-based server) for VIA auth, you need to make sure you have configured only IKE v1. IKE v2's authentication methods (X.509 cert, EAP-TLS, or EAP-PEAP) do not support the usage of a token server, which usually supports PAP or MSCHAP for this function.
Can you confirm your VIA authentication profiles are set up for IKE v1 and not IKE v2?
To answer your first question, to my knowledge there is not any way to enter additional fields for passwords/tokens or to concatenate a password and security code as you suggest (unless the Symantec server is able to parse out the two somehow and to understand that the last 6 digits are the code and the rest is the password, for example).
Alternatively, I have set up some customers to use certificate-based auth and then username/token as a way to do two-factor auth... also through IKE v1.
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
05-03-2013 09:48 AM
Thanks. I saw a section in the VIA discussion group where you replied to a similar scenario. I will try the IKEv1.
As for the concatenation... yes, I can set up the gateway server to interpret/parse/delineate the password + token.
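For readers following the concatenation approach discussed above, here is an added illustration (not from this thread, and not Symantec VIP's or Aruba's code) of what the gateway must do with a single "password + code" field: split off the trailing 6-digit code, then check both factors independently and with constant-time comparisons. It assumes the code is an RFC 6238 TOTP and that the password is stored as a PBKDF2 hash; the seed, salt and password below are constructed test values.

```python
import hashlib
import hmac
import struct

OTP_DIGITS = 6       # assumption: the one-time code is the last six digits of the field
TOTP_STEP = 30       # assumption: 30-second time step (RFC 6238 default)
PBKDF2_ROUNDS = 100_000


def split_concatenated(field: str, digits: int = OTP_DIGITS):
    """Split 'passwordCODE' into (password, code); None if it cannot be that shape."""
    if len(field) <= digits:
        return None
    password, code = field[:-digits], field[-digits:]
    if not code.isdigit():
        return None
    return password, code


def totp(seed: bytes, unix_time: int, step: int = TOTP_STEP, digits: int = OTP_DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def derive_password_hash(password: str, salt: bytes) -> bytes:
    """Enrollment-side hash; the same derivation is used at verification time."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_two_factor(field: str, pw_hash: bytes, salt: bytes, seed: bytes,
                      unix_time: int, window: int = 1) -> bool:
    """Accept only if BOTH the password and the time-based code check out."""
    parts = split_concatenated(field)
    if parts is None:
        return False
    password, code = parts
    pw_ok = hmac.compare_digest(derive_password_hash(password, salt), pw_hash)
    # Allow +/- one step of clock drift; evaluate every candidate rather than
    # returning early so timing does not reveal which step matched.
    otp_ok = False
    for delta in range(-window, window + 1):
        if hmac.compare_digest(totp(seed, unix_time + delta * TOTP_STEP), code):
            otp_ok = True
    return pw_ok and otp_ok
```

A production gateway would additionally record each accepted code so it cannot be replayed within its validity window.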