How It Works

The use of PassiveKey for VPN relies on the use of the RADIUS protocol. RADIUS is a well-established, vendor-neutral network protocol used for authentication, authorization and accounting (AAA). It is an Internet standard that was primarily designed to authenticate remote users for dialup services and it is widely implemented by numerous network security vendors such as Cisco, Juniper, Citrix and Check point.

A RADIUS authentication exchange involves a ""client"" and a ""server"", but in the most common case the end-user is neither! The RADIUS protocol is typically used between network servers or appliances so you should not need to open firewall ports to support RADIUS.

In the standard case, a network security appliance, firewall or Network Access Server (NAS) is the NAS client or RADIUS client and the PortalGuard server acts as the RADIUS server. The end-user only communicates with the NAS client to provide their login information which is then passed to the PortalGuard server for validation.

1) The user attempts to connect to the NAS/firewall using either a browser or VPN client software and is prompted for username and password.

2) The NAS communicates the credentials to the PortalGuard server using the RADIUS protocol.

3) The PortalGuard server validates the user's credentials against its configured user repository (e.g. Active Directory).

4) The user repository returns a success or failure code indicating the fidelity of the username and password.

5) PortalGuard queries its security policies and user profile store to determine what features are in e?ect for the user and what requirements have yet to be satisfied.

6) PortalGuard parses the data from the PortalGuard security policy and user profile and sees that the user is required to use 2FA.

7) PortalGuard sends a RADIUS challenge response that includes a custom message that will be displayed to the user.

8) The NAS displays the custom message requesting the user to enter an OTP.

9) The user presses the PassiveKey for VPN hot key combination which automatically generates a Timebased OTP, enters it into the field and submits it to the NAS.

10) The NAS sends the OTP to PortalGuard using RADIUS

11) PortalGuard accesses its profile data for the user to validate the OTP.

12) The OTP is validated.

13) The PortalGuard server sends back a 2nd RADIUS response that the authentication is successful & complete.

14) The NAS accepts the user's authentication and the VPN tunnel/session is established. The user is then able to access internal resources (e.g. crm.acme.com).

Please see the addendum at the end of this document for details about the technologies used in PassiveKey.

Use of PassiveKey has the following advantages:

1) Highly Usable: By reducing the OTP entry to a single hot key combination, it is impossible for users to mistype or fat finger OTPs.

2) Two-Factor authentication: The security of two-factor is achieved without the traditional headaches.

3) No hardware token to purchase, deploy, lose or maintain.

4) No per use charges each time a user authenticates.

5) Not reliant on cell phone signal strength like SMS or voice-based OTPs.

6) No user training – the message that prompts the user can be customized to display the appropriate hot key (e.g. Please press Ctrl+Shift-O to enter an OTP and continue).

7) Use of the industry-standard protocol RADIUS allows the method to work with all established hardware vendors.It also works with both IPSEC and SSL VPN types.

8) Silent and one-click installation op4ons for workstatisons