RADIUS is a well-established, vendor-neutral network protocol used for Authentication, Authorization and Accounting (AAA). It is an Internet standard that was primarily designed to authenticate remote users for dial-up services, and it is widely implemented by network security vendors such as Cisco, Juniper, Citrix and Checkpoint.
A RADIUS authentication exchange involves a “client” and a “server”, but in the most common case the end-user is neither! The RADIUS protocol is typically used between network servers or appliances, so you should not need to open additional firewall ports to support RADIUS.
In the standard case, a network security appliance, firewall or Network Access Server (NAS) is the “RADIUS client” or “NAS client” and the PortalGuard server acts as the “RADIUS server”. The end-user only communicates directly with the NAS client to provide the login information.
RADIUS authentication involves different response messages from the RADIUS server:
- Access-Reject - The credentials provided were incorrect.
- Access-Challenge - The authentication is partially correct, but the server needs the client to provide additional information to continue.
- Access-Accept - The authentication has fully succeeded.
Multi-factor VPN authentication
Due to the widespread support for the RADIUS protocol by network security vendors, RADIUS is an optimal choice for enabling multi-factor authentication for remote access users. Because the NAS client communicates directly with the PortalGuard RADIUS server, authentication decisions made by PortalGuard are strictly enforced. This ensures a high level of security and consistency.
Most network security appliances allow VPN users to be authenticated using different mechanisms. A few common options are:
- User accounts defined locally on the appliance
- LDAP authentication
- X.509 certificates
Enabling multi-factor authentication can be as straightforward as enabling RADIUS authentication on your network security appliance, pointing it to the PortalGuard server and adding a RADIUS client configuration in PortalGuard.
The same RADIUS setup can often be used to authenticate both remote users accessing an SSL VPN via web browser and remote users with VPN client software installed locally on their workstation. This offers a high degree of consistency and reduces the need for user training and education.
Since the authentication decisions made by PortalGuard are configured through policies, you can enforce different authentication types based on user, group or domain hierarchy. You may want to enforce Two-Factor Authentication (2FA) for some users and Knowledge-based Authentication (KBA) for others, based on their level of access or the availability of secondary authentication channels (e.g. lack of a mobile device for receiving an OTP).
How It Works
SSL VPN 2FA using RADIUS
- The user attempts to connect to the NAS/firewall using either a browser or VPN client software and is prompted for username and password.
- The NAS communicates the credentials to the PortalGuard server using the RADIUS protocol.
- The PortalGuard server validates the user’s credentials against its configured user repository (e.g. Active Directory).
- The user repository returns a success or failure code indicating whether the username and password are valid.
- PortalGuard queries its security policies and user profile store to determine what features are in effect for the user and what requirements have yet to be satisfied.
- PortalGuard parses the data from the PortalGuard security policy and user profile and sees that the user is required to use 2FA. PortalGuard sends an OTP to their enrolled mobile device.
- PortalGuard replies to the RADIUS request with an Access-Challenge response that includes a custom message that should be displayed to the user and a random identifier (the “state”) that the NAS will send back to PortalGuard to identify the same user session.
- The NAS displays the custom message requesting the user to enter the OTP that was sent to their mobile device.
- The user enters the OTP from their mobile device and submits it to the NAS.
- The NAS sends the OTP and state identifier to PortalGuard using RADIUS.
- PortalGuard looks up the state to confirm the previous authentication step, then validates the OTP.
- The OTP is confirmed to be correct.
- The PortalGuard server replies to the second RADIUS request with an Access-Accept response.
- The NAS accepts the user’s authentication and the VPN tunnel/session is established. The user is then able to access internal resources (e.g. “crm.acme.com”).
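The exchange above, modelled end to end as an added example. This is not PortalGuard's code or a real RADIUS implementation: the user repository, shared secret, device numbers and OTP delivery "outbox" are constructed, and the NAS hands password and OTP values to the server as plain strings rather than hiding them in a User-Password attribute as RFC 2865 requires. What it does show is the server-side bookkeeping a NAS relies on: a random single-use State that expires, constant-time OTP comparison, and the Response Authenticator the NAS recomputes before trusting an Access-Accept.

```python
import hashlib
import hmac
import secrets
import time

# RADIUS packet codes (RFC 2865) that appear in the exchange above.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
# RADIUS attribute types used: Reply-Message (18) and State (24).
ATTR_REPLY_MESSAGE, ATTR_STATE = 18, 24

_SALT = b"constructed-salt"  # constructed; a real repository (e.g. AD) verifies passwords itself


def _hash_pw(password):
    return hashlib.sha256(_SALT + password.encode()).digest()


# Constructed user repository: alice falls under a 2FA policy, bob under password-only.
USERS = {
    "alice": {"pw": _hash_pw("correct horse"), "otp_device": "+1-555-0100"},
    "bob": {"pw": _hash_pw("hunter2"), "otp_device": None},
}


def encode_attrs(attrs):
    """Encode {type: bytes} as RADIUS TLVs: 1-byte type, 1-byte length including the 2-byte header."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs.items())


def response_authenticator(code, ident, attrs_bytes, request_auth, secret):
    """RFC 2865 section 3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    length = (20 + len(attrs_bytes)).to_bytes(2, "big")
    return hashlib.md5(bytes([code, ident]) + length + request_auth + attrs_bytes + secret).digest()


class ChallengeRadiusServer:
    """Hypothetical RADIUS server applying the two-step policy; not PortalGuard's code."""

    def __init__(self, secret, otp_ttl=120):
        self.secret = secret
        self.otp_ttl = otp_ttl
        self.sessions = {}   # State value -> (username, otp, expiry)
        self.outbox = []     # stands in for the SMS/push gateway

    def handle(self, ident, request_auth, username, password, state=None, now=None):
        now = time.time() if now is None else now
        if state is not None:                      # second request: State present
            return self._second_step(ident, request_auth, username, password, state, now)
        user = USERS.get(username)
        if user is None or not hmac.compare_digest(_hash_pw(password), user["pw"]):
            return self._reply(ACCESS_REJECT, ident, request_auth, {})
        if user["otp_device"] is None:             # policy: no 2FA for this user
            return self._reply(ACCESS_ACCEPT, ident, request_auth, {})
        otp = f"{secrets.randbelow(10**6):06d}"
        new_state = secrets.token_bytes(16)        # random session identifier
        self.sessions[new_state] = (username, otp, now + self.otp_ttl)
        self.outbox.append((user["otp_device"], otp))
        return self._reply(ACCESS_CHALLENGE, ident, request_auth, {
            ATTR_REPLY_MESSAGE: b"Enter the one-time passcode sent to your mobile device",
            ATTR_STATE: new_state,
        })

    def _second_step(self, ident, request_auth, username, otp_entered, state, now):
        session = self.sessions.pop(state, None)   # single use: a replayed State is rejected
        if session is None:
            return self._reply(ACCESS_REJECT, ident, request_auth, {})
        user, otp, expiry = session
        ok = user == username and now <= expiry and hmac.compare_digest(otp_entered, otp)
        return self._reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, {})

    def _reply(self, code, ident, request_auth, attrs):
        attrs_bytes = encode_attrs(attrs)
        auth = response_authenticator(code, ident, attrs_bytes, request_auth, self.secret)
        return {"code": code, "id": ident, "attrs": attrs, "authenticator": auth}


def nas_verify(reply, request_auth, secret):
    """NAS side: recompute the Response Authenticator before trusting the reply."""
    expected = response_authenticator(reply["code"], reply["id"], encode_attrs(reply["attrs"]),
                                      request_auth, secret)
    return hmac.compare_digest(expected, reply["authenticator"])


def run_exchange(username, password, read_otp, secret=b"constructed-shared-secret"):
    """Drive the NAS side of the flow; returns the reply codes the NAS saw, in order."""
    server = ChallengeRadiusServer(secret)
    codes = []
    ra1 = secrets.token_bytes(16)                  # Request Authenticator of the first request
    r1 = server.handle(1, ra1, username, password)
    if not nas_verify(r1, ra1, secret):
        raise ValueError("bad Response Authenticator on first reply")
    codes.append(r1["code"])
    if r1["code"] == ACCESS_CHALLENGE:             # NAS shows Reply-Message, collects the OTP
        otp = read_otp(server.outbox)              # user reads the OTP from the device
        ra2 = secrets.token_bytes(16)
        r2 = server.handle(2, ra2, username, otp, state=r1["attrs"][ATTR_STATE])
        if not nas_verify(r2, ra2, secret):
            raise ValueError("bad Response Authenticator on second reply")
        codes.append(r2["code"])
    return codes


if __name__ == "__main__":
    print(run_exchange("alice", "correct horse", lambda outbox: outbox[-1][1]))   # [11, 2]
    print(run_exchange("bob", "hunter2", lambda outbox: ""))                     # [2]
```

Two of the requirements listed below are visible in the code: the NAS has to understand an Access-Challenge carrying Reply-Message and State, and it must return the State verbatim on the second request, since that value, not the username, is what ties the OTP to the password check that preceded it. Popping the State on first use and bounding its lifetime are the server-side checks that make a captured State attribute worthless on its own.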
The RADIUS option has the following requirements:
- The network appliance must support RADIUS as an authentication option.
- The network appliance must support the Access-Challenge response type as well as the State and Reply-Message attributes.
- PortalGuard must be licensed for RADIUS support.
- End-user enrollment of mobile devices or challenge answers must be performed external to the RADIUS protocol.