Unified Wired & Wireless Access

New Contributor
ibarrere
Posts: 2
Registered: ‎09-11-2013

Two-factor authentication with password+PIN code

We're trying to get two-factor authentication working with a different 802.11 vendor and we're having some trouble. We need the credentials to be Active Directory username in the username field and Active Directory password followed immediately by token PIN code in the password field. Many sources are pointing to EAP-GTC as the EAP method for this type of transaction in order to separate the password and PIN code on the backend.

Does anybody know if this type of setup is supported by Aruba gear?

Moderator
cjoseph
Posts: 12,356
Registered: ‎03-29-2007

Re: Two-factor authentication with password+PIN code

ibarrere wrote:

We're trying to get two-factor authentication working with a different 802.11 vendor and we're having some trouble. We need the credentials to be Active Directory username in the username field and Active Directory password followed immediately by token PIN code in the password field. Many sources are pointing to EAP-GTC as the EAP method for this type of transaction in order to separate the password and PIN code on the backend.

Does anybody know if this type of setup is supported by Aruba gear?


ibarrere,

The question is, what is authenticating these existing transactions, an external radius server? Is this already working or is it something that you have to build from scratch? EAP-GTC is an EAP protocol, but there are quite a few other moving parts to this.

Colin Joseph
Aruba Customer Engineering

New Contributor
ibarrere
Posts: 2
Registered: ‎09-11-2013

Re: Two-factor authentication with password+PIN code

Thanks for the response.

We're building it from scratch, for the most part. We already have our 802.11 network authenticating via Active Directory, which prompts our users (mostly on Windows) for their AD username and password. We're trying to implement a two-factor method that prompts for the same username and password, but with the addition of the second factor (token PIN code, in our preferred case) concatenated onto the end of the password, or even a third box in the prompt for the PIN code.

What we've been experimenting with so far has been using a third party server running some sort of two factor application (RSA SecurID, etc). The two factor application typically includes a RADIUS proxy as well, so all the authentication messages go straight to the two factor server and the applicable ones are handed off to the domain controllers.

Most of the complexity of this solution lies in the two factor application. As far as I can tell, our current 802.11 implementation simply hands off the requests from the clients to the server and does minimal processing on top of that. We've gotten it working with username, PIN number, and token PIN code (where PIN number is something the user creates in the two factor application), but having it require AD username, AD password, and PIN code doesn't seem to work with any setup. I'm not sure this is the fault of the network gear, but I want to make sure that this sort of a thing is possible using Aruba before I look into replacing our 802.11 infrastructure.

Aruba
clembo
Posts: 1,243
Registered: ‎04-13-2009

Re: Two-factor authentication with password+PIN code

If I understand you right, you want to authenticate 802.1X wireless connections using username followed by AD password + tokencode. If this is right, the issue is not with the networking gear; Aruba or otherwise. The wireless supplicant on the device is what prompts, so adding a third box is on the device vendor (Apple, Microsoft, Android, etc.). As for the ability to strip off the last say 8 digits of the password entered and assume this to be a tokencode, that is going to be on the RADIUS server. If the RADIUS server can separate off the last 8 digits for example, it can authenticate the user with the remaining preceding characters; then use the rest for tokencode verification.

Authentication Manager's (SecurID) RADIUS is SBR. As far as I know, this is not possible in Authentication Manager, NPS, or even ClearPass.

------------------------------------------------
Systems Engineer, Northeast USA
Email: clembo@arubanetworks.com
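As an added illustration of the RADIUS-side split clembo describes (this is not code from the thread, from Aruba, or from any RADIUS product): a Python sketch that peels a fixed-length tokencode off the end of the password field and checks each factor against a separate backend. The directory and token server are constructed sample data, and the 8-digit tokencode length is an assumption taken from the post.

```python
import hashlib
import hmac

TOKENCODE_LEN = 8  # assumed tokencode length; vendor-specific in practice


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed stand-ins for the directory and the token server.
_SALT = b"constructed-salt"
DIRECTORY = {"alice": _pw_hash("Summer2013!", _SALT)}   # AD username -> password hash
TOKEN_SERVER = {"alice": "31415926"}                    # AD username -> current tokencode


def split_credential(pw_field: str, token_len: int = TOKENCODE_LEN):
    """Split 'ADpassword+tokencode' counting from the END of the field, so an AD
    password that itself ends in digits is still parsed correctly.
    Returns (password, tokencode) or None if the field is malformed."""
    if len(pw_field) <= token_len:
        return None                      # nothing would be left for the password
    password, tokencode = pw_field[:-token_len], pw_field[-token_len:]
    if not tokencode.isdigit():
        return None                      # tokencodes are numeric; reject early
    return password, tokencode


def authenticate(username: str, pw_field: str) -> str:
    """Check both factors separately. Returns 'accept' or a reject reason; a real
    server would log the reason but send the client only a bare Access-Reject."""
    parts = split_credential(pw_field)
    if parts is None:
        return "reject:malformed"
    password, tokencode = parts
    stored = DIRECTORY.get(username)
    if stored is None or not hmac.compare_digest(_pw_hash(password, _SALT), stored):
        return "reject:password"
    expected = TOKEN_SERVER.get(username)
    if expected is None or not hmac.compare_digest(tokencode, expected):
        return "reject:tokencode"
    return "accept"
```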
