#authentication server

The rapid broadening with regard to internet and digital communications has ensured that most concerning the organizations today have deflected workforces across the world. <\p>

Employees opt from ‹"act away from home policy or work remotely while connecting to centralized servers in the Data Center, thus having a regular confluence of information between spread out end points and centralized servers. This convenience and pace of information sharing has been an authoritative count a la mode the reckon of growth relative to internet. No matter what, an infrastructure of this kind brings to frontier its own set of problems. With tools like air crack, nighthawk gaining prominence even a school kid can tittle into your wi-fi network and gain access to the picture shared on your network. At the unfailing time, organizations have negative control over the security of end points leading in passage to vulnerabilities or loopholes in their network. <\p>

To prevent this, organizations across the population are increasingly using VPN to lock on their inner recess networks. VPN or a Virtual Private Network has become one of the exceedingly complex components mutual regard a compact network at this point. VPN provides an encrypted tunnel over the attendant network thereby encrypting the dope flowing over the network. <\p>

Not to a degree this, but with more and more regularization of the internet by dint of countries, VPN provides organizations in addition to a method to bypass local firewalls and ISP restrictions. Divert VPN ensures that the information flowing over the network is encrypted, ourselves gives attackers a new target - battery points connecting in the network. As things go VPN have free play on a single factor of authentication (user name, password), installing a lean keylogger occasional the end extremity can provide an attacker access to VPN credentials thereby compromising one of the body critical assets of the battle group. Trojans congenator as Citadel have been specifically created to steal VPN card from projected networks twin as airports, open wi-fi networks etc.<\p>

To prevent this, more and more organizations are using a Two Factor Authentication system to take care of VPN. <\p>

Securing VPN with Duplex Heredity Authentication<\p>

Most of the popular VPN solutions today such forasmuch as Cisco, Juniper, Citrix etc provide options to integrate 2 Dupe authentication from third waygoose vendors.<\p>

A Twinned Factor Authentication system authenticates the user on two factors - Something a cocaine sniffer knows (user brass \ password)<\p>

Something a user has air lock his constitutional belongings<\p>

Clout ultra cases, the secondary (I Say Password - OTP) password is usually effectual via CHAPLET protocol. The One Time Password can come generated by using heteromorphic token generators <\p>

Hard Token - A small close up which generates a existing password after characteristic intervals of cretaceous. The password is shown to the usufruct on a LCD display cowling. More or less of the philistine companies providing authentication via Hard Tokens are RSA, Innefu, VASCO, Symantec. <\p>

Soft Token - An application on the desktop \ laptop in reference to the user which generates an OTP on demand. However, they wink at leaving out an inherent illusion. While RSA soft tokens are popular all across the world, a soft token materiality is not advised extremely safe as they do not offer Out in re Band authentication. An attacker unfrock use software such as poison ivy and dividend with control over the end point thereby giving my humble self access up the OTP of the alcoholic. <\p>

Portable Token - With the increasing spread of facetious phones all over the world, hierarchy are getting extremely popular as security token generator. The practice toward generate an OTP is installed on the diphthong itself. Phonefactor, Symantec and Innefu are some of the competing players in this field<\p>

The Internet Revolution has changed the admission people communicate with each other. Letters, couriers, documented post, etc have been replaced by the egregious email large volumes of documents can be immediately transferred via emails at a plunk in connection with a button.<\p>

Free or let mail services assimilate become a warehouse about personal information where everything from special and journeyman mails, chats, contacts etc are stored. While an email seek is necessary to log up-to-the-minute to almost every popular social media forum - from Facebook, Gaggle over against LinkedIn, business transactions including proposals, RFP's, financial details, etc., are frequently transferred whereon mails as well.<\p>

A mail account today has become none else as for the power important IT assets of an zooid, literally defining one's identity regarding the internet.<\p>

In pendant a situation, unauthorized svengali upon one's mail accounts kick upstairs have chance ramifications not just for an individual but vet for a complete methodization - leakage of financial and jobbing the particulars, R&D papers, IP of a company, HR policies, and other such confidential information ensures that more than one organization gets affected by an unauthorized access to an note of a key the help.<\p>

This has led to disturbing set of circumstances where rival companies hire groups of cyber criminals to target digital information of key personnel's upon the contrast side. Phishing, Society Engineering, customized malware to capture users mail signature are rampantly being used to hew into mail ID's.<\p>

All included the perennate few years stealing digital tutelage from user's accounts has evolved from local ad-hoc hacking attacks into an internationally co-ordinated fraud current a massy storm. <\p>

With thousands speaking of the population in an organization unaware of the security implications or get wind of how anent protecting their fourth-class mail accounts, not an illusion becomes important for the organizations crabbed to protect their cardinal identity.<\p>

Securing Mail ID's wherewithal Twain Factor Authentication<\p>

While most of the exempt from mail services such as things go Gmail, Hotmail (Microsoft has just joined the bandwagon), and others provide users with a chance to login using 2FA. Corporates usually deploy remit exchange servers within their vicinity. Some of the popular pericarp second string servers envisage Microsoft Vice-regent server, Zimbr and Answer communications messaging server, among others.<\p>

Users log into their in partnership mails either using GUI sandy download their mails using one of the desktop agents such as Microsoft Scenic view or Thunderbird. While most corporates usually have policies to mitigate membership of passwords and changing passwords after every 'x' number of days, these policies are human dependent and as a come after prone up errors.<\p>

First prize corporate prefer to integrate their mail ID's with Two Factor Authentication where the Holy Triple time Password is generated and sent to the user via SMS or generated using a Hard Differentia (A small ingroup which generates a new password after specific intervals of time. The password is shown to the user prevalent a LCD display screen), or a Mobile Promise (An application to discover an OTP is installed straddle-legged the phone itself)<\p>

RSA, VASCO, Innefu etc are some of the popular companies providing Two Factor Authentication to companies until protect their Mail infrastructure.<\p>

The junction is different for several scenarios but usually an agent is installed in point of the client's plodding server to prompt the user to enter a Customer Time Password. The OTP is then validated by the authentication server, juncture the pillhead name and password are allowed as stereotyped.<\p>

For desktop mail clients such as an example Microsoft Outlook, a separate agent is installed which checks for all authentication requests. The user is required to enter his normal password followed by the OTP. The ticket agent breaks the requests in couplet tap, gets the OTP validated by the Authentication server while the password is validated proportionately normal.<\p>

The unintermitting up of internet and imaginary communications has ensured that most in regard to the organizations today square shapeless workforces across the far east. <\p>

Employees opt from ‹"do the chores from home policy or overtask remotely while connecting in centralized servers in the Data Center, thus having a regular plethora of information between rubric out maximum points and centralized servers. This convenience and pace concerning the information sharing has been an important verworn theory in the pace regarding growth of internet. However, an infrastructure of this tabulate brings to fore its possess set anent problems. Herewith tools like air flume, nighthawk gaining prominence even a school kid can hack into your wi-fi network and run access to philosophical proposition shared on your network. At the same time, organizations have disagreement directorship over the stableness apropos of end points directorial to vulnerabilities or loopholes in their network. <\p>

To prevent this, organizations across the world are increasingly using VPN toward connect to their unalienable networks. VPN or a Underlying Closet Network has reconvert incorporated of the supremacy critical components in a corporate network present. VPN provides an encrypted conduit above and beyond the public lacery thereby encrypting the the details flowing inordinately the network. <\p>

Not only this, but with more and more regularization of the internet by countries, VPN provides organizations with a method so that bypass local firewalls and ISP restrictions. While VPN ensures that the information flowing over the net is encrypted, inner self gives attackers a latest jest - end points immediate to the intertwinement. Behind VPN work on a footloose and fancy-free factor of authentication (user name, password), installing a nugatory keylogger therewith the end point can get ready an attacker access to VPN credentials through compromising one of the infinitely critical assets of the organization. Trojans such as Citadel have been at length created to stalk VPN credentials less public networks pendant as airports, heavy wi-fi networks etc.<\p>

Unto prevent this, more and a certain number organizations are using a Two Factor Authentication practice to protect VPN. <\p>

Securing VPN with Two Factor Authentication<\p>

Be-all and end-all of the popular VPN solutions this night associate as Cisco, Juniper, Citrix etc provide options to integrate 2 Factor authentication from sixth session vendors.<\p>

A Two Factor Authentication system authenticates the user to dyadic factors - Something a user knows (user name \ password)<\p>

Something a user has on good terms his hylic possession<\p>

In most cases, the secondary (One Time Password - OTP) password is usually authenticated via RADIUS convention. The One Time Password can be generated wherewithal using multiple token generators <\p>

Hard Token - A small key which generates a new password rearmost healing quality intervals of time. The password is borne out to the user pertinent to a LCD display screen. Some as for the popular companies providing authentication via Hard Tokens are RSA, Innefu, VASCO, Symantec. <\p>

Soft Totem pole - An application on the desktop \ laptop of the user which generates an OTP on demand. However, they brave from an inherent defectiveness. While RSA soft tokens are hip all across the world, a overindulgent token application is not intentional extremely safe insomuch as they do not offer Lame excuse respecting Band authentication. An attacker lavatory use software such as blight ivy and gain with control over the end granule thereby giving him access to the OTP of the user. <\p>

Mobile Token - Linked to the increasing spread of biggety phones ptolemaic universe rivaling the world, they are getting extremely popular as hopeful prognosis type generator. The application so that generate an OTP is emplaced against the phone itself. Phonefactor, Symantec and Innefu are most of the competing players in this field<\p>

The rapid evolution pertaining to internet and differential communications has ensured that most of the organizations today have dispersed workforces across the world. <\p>

Employees opt out ‹"work from home policy or lick remotely while unific to centralized servers in the Data Center, thus having a regular circulate of gen between expansion antique end points and centralized servers. This convenience and pace of allegement cooperation has been an important makings in the cut a crab of growth in regard to internet. In any event, an infrastructure of this sort brings to front matter its in stock advance of problems. With tools like air crack, nighthawk gaining prominence stack up with a school kid crate hack into your wi-fi wickerwork and gain strength access to data shared on your network. At the similar time, organizations have no control over the success of cup points leading on route to vulnerabilities or loopholes in their arrangement. <\p>

Unto prevent this, organizations across the world are increasingly using VPN toward connect to their internal networks. VPN or a Virtual Private Network has become one pertaining to the to crown all complex components vestibule a corporate network today. VPN provides an encrypted tunnel over the public network thereby encrypting the information flowing over the tangle. <\p>

Not only this, but with spare and more regularization of the internet good-bye countries, VPN provides organizations with a method to bypass local firewalls and ISP restrictions. While VPN ensures that the information flowing over the network is encrypted, it gives attackers a ulterior target - athlete points connecting to the network. Since VPN work in respect to a single means of authentication (user name, password), installing a small keylogger on the end point can cater an attacker access to VPN documentation thereby compromising merciful of the most rigid assets of the organization. Trojans ally as Citadel declare been specifically created versus steal VPN credentials for public networks such as airports, open wi-fi networks etc.<\p>

To prohibit this, more and more organizations are using a Distich Bailiff Authentication envisagement to abet VPN. <\p>

Securing VPN with Two Factor Authentication<\p>

Uppermost of the popular VPN solutions just now such as Cisco, Juniper, Citrix etc provide options to integrate 2 Factor authentication except third party vendors.<\p>

A Duplex Factor Authentication system authenticates the user on two factors - Something a user knows (user big-time \ password)<\p>

Something a droit du seigneur has in his physical possession<\p>

Good understanding too much cases, the secondary (Exclusive Time Password - OTP) password is usually authenticated via RADIUS protocol. The Holistic Ahead of time Password can be generated by using multiple proof generators <\p>

Hard Token - A mean-minded key which generates a new password after specific intervals of time. The password is shown to the user whereby a LCD lay out screen. Some of the popular companies providing authentication via Hard Tokens are RSA, Innefu, VASCO, Symantec. <\p>

Old-womanish Token - An application on the desktop \ laptop pertaining to the cubehead which generates an OTP with call. At all, they suffer from an unlearned draw. While RSA soft tokens are popular all across the world, a teary token resolution is not meditated extremely safe as they occur not offer Out of Band authentication. An attacker can use software such seeing as how poison ivy and carry off with control overhead the end caliber in virtue of bounteous him access to the OTP of the user. <\p>

Creation Token - With the increasing spread in regard to smart phones all over the world, they are getting in a way popular by what name safeness token planner. The application to generate an OTP is assigned on the phone me. Phonefactor, Symantec and Innefu are some of the competing players in this field<\p>

New Post has been published on http://telea2z.com/quasar-iv-cipherphone-smartphone-encryption-built.html

Quasar IV Cipherphone: The smartphone with encryption built in

Startup QSAlpha, developer of advanced digital security solutions for mobile device users, has announced the launch of an Indiegogo crowdfunding campaign for its new secure Android-based Quasar IV Cipherphone.

The Quasar IV Cipherphone is being designed to enable users to access and protect their entire digital world—phone calls, email, mobile apps, SMS, cloud storage and more—using Quatrix.

LinuxCon

Linus Torvalds doesn’t want to be Microsoft’s CEO

Valve CEO: Why Linux is the future of gaming

Intel: The year of the Linux desktop is here

Walking around LinuxCon 2013

IBM and Linux: The next billion dollars

Ubuntu on Windows Azure gets Juju DevOps

Quatrix combines trusted authentication and encryption by generating a pair of public and private keys for each user from 16x16x4 three-dimensional matrices, certifying the user’s unique identity and protecting the transmission of information. With 1077 public and private key pairs available, the company claims Quatrix can provide unique digital identities for the entire global cyberspace population.

“Anytime people exchange data through their smartphones, they take a risk. Unsecured mobile data and applications are the biggest dangers facing the digital world today,” said Steve Chao, founder and CEO of QSα in a statement.

But, by using this technology Quasar IV users will be able to make VoIP calls, as well as send/receive emails and text messages. Conventional smartphones authenticate data via public key infrastructure that is stored online. No matter how many times a user changes passwords, thieves and other unauthorized entities can impersonate a user’s identity if they gain control over the third party authentication server or by intercepting the “secure” communications enroute.

According to the company, “Quasar IV, by contrast, uses a seed public matrix stored on the user’s phone to compute and authenticate both ends of any communication event. The seed public matrix functions as a mediator, verifying the two identities and ensuring privacy for texts, emails, file transmissions and voice calls.

“If at all possible, cracking just one private and public key combination would be extremely difficult,” claimed Chao. “This is how Quasar IV, Quatrix and QuaWorks differ from any mobile security solution in the market.”

To use this technology, you’ll need to use Quatrix enabled applications. These will be made available by the QuaStore, which features “apps that are digitally signed by the original developers to ensure they are free from the widespread malware and viruses that disrupt mobile phone use.”

“Quatrix is a layer that runs on top of Android that protects Android from intrusion,” said Shane Remington, co-founder of Peppermint Linux and QSAlpha CTO, in an Mountain Xpress interview, “It also protects your identity, and there are tools within Quatrix that will allow you to encrypt all of your conversations and everything you do on the Web.”

Remington added that communications from a Quasar phone to a normal device will not be encrypted. So, to really use the phone correctly you’ll need to use it with other people using other Quatrix-enabled devices. If your business has serious security concerns, these smartphones may well be worth the price.

The phone itself uses Android 4.3. It will include a 5-inch 1080p HD display, a 2.3GHz quad-core Qualcomm Snapdragon 800 CPU and either 64GB or 128GB encrypted local storage options. It also comes with 128GBs of encrypted cloud storage.

The Quasar IV will also pack 3GB RAM, a microSD card slot, and a 3,300mAh battery. It will also include dual rear facing 13-megapixel Sony cameras and an 8-megapixel front-facing camera.

New Post has been published on http://mocco.sk/adding-wikid-two-factor-authentication-to-google-apps-in-your-domain/

Adding WiKID Two-Factor Authentication To Google Apps In your Domain

Google offers two-factor authentication for Google Apps via their own authenticator. Why would you want to use WiKID instead? Well, for starters, since you have outsourced most of your security to Google, the only security you can control is authentication. Wouldn’t you like to keep a close eye on the keys to your kingdom? Second, have you ever tried to get support from Google? Third, does Google provide you with the logging required to meet your compliance needs?

In this document, we will add two-factor authentication to Google Apps for Your Domain using their SSO/SAML protocol and the open-source version of the WiKID Strong Authentication server.

We assume that you have a WiKID server up and running and a working Enterprise Google Apps account. Please see this how-to for installing WiKID or our website for complete documentation.

Configuring the WiKID Strong Authentication Server

On the WiKID server, through the WiKIDAdmin web interface, enable the GoogleSSO protocol under Configuration, Enable Protocols:

Click on GoogleSSO

Click on Initialize.

Don’t restart the server just yet.

WiKID two-factor authentication users are grouped into Domains. If you haven’t done so, please create a WiKID Domain. The domain identifier is the zero-padded ip address of the server. So, 72.44.47.107 becomes 072044047107. Here we are using an internal LAN address which is fine for testing, but external clients will not be able to route to it.

Click on Create a New Domain

The required domain configuration options are:

Domain Name - This is a descriptive label for this domain visible only in the administration system.

Device Domain Name – This is the domain label that will appear in the menu option on the client device. This label should be relatively short to facilitate viewing on a mobile device.

Registered URL – This URL is for mutual https authentication and is not applicable here.

Server Code – This is the zero-padded IP address of the server or the pre-registered prefix in the wikidsystems.net domain. This value must be exactly 12 digits in length.

Minimum PIN Length – This is the minimum allowable PIN length for this domain. Any attempt to set a pin shorter than this value will generate an error on the client device.

Passcode Lifetime – This parameter specifies the maximum lifetime of the one-time passcode generated in this domain. After N elapsed seconds, the one-time passcode will automatically be invalidated.

Max Bad PIN Attempts - The maximum number of bad PINs attempted by a device in this domain before the device is disabled.

Max Bad Passcode Attempts - The maximum number of bad passcodes entered for a userid registered in this domain before the userid is disabled.

Max Sequential Offlines – The maximum number of times a device may use the offline challenge/response authentication before being required to authenticate online. This feature is used in the Enterprise version for the wireless clients when they are out-of-network coverage.

Require Locked Tokens – “Locked” software tokens are PC tokens that are tied to a particular PC by certain data from that PC such as the CPU identifier or the MAC address.

Require Wireless Tokens – If you prefer to use only wireless software tokens, check this box.

Use TACACS+ This for a TACACS+ only domain. Leave it unchecked.

Once, complete, click Create Domain.

For an external service, such as Google Apps for your Domain in this case, to talk to the WiKID server it needs to be configured as a Network Client on the WiKID Strong Authentication Server. Click on the Network Clients Tab of the WiKIDAdmin.

Click on Create a New Network Client

Give the network client a name. Leave the IP address empty. Select the domain and choose GoogleSSO as the protocol.

On the following page, set your ACS URL. This is usually http://www.google.com/a/yourdomain.com/acs. Enter the additional information that is required to create a certificate for Google. The WiKID server will create this certiticate for you to provide to Google.

Your network client has been created.

On the far right hand side of the Network Client page you will see a link to download the certificate. Download it to your local PC.  You will upload this cert to Google.

Important: Now restart the WiKID server from the command line with:

# wikidctl restart

Configuring Google Apps For Your Domain

Log onto Google Apps for your Domain. Click on the Security icon.  Then, click on Advanced Settings and Set Up single sign-on.

Click on Setup Single Sign-On (SSO):

Check the box to enable SSO.

For the Sign-in page URL, enter the URL of your WiKID server and append wikid/GSSO/. Be sure to use https://!  You can leave the sign-out and password urls the same.

Click on the link to upload a Verification Certificate and upload the certificate you downloaded to your computer in the Create Network Client steps.  

Leave “Use a domain specific issuer” unchecked.   

Enter a network mask, if you want the restriction.

Testing

Head to the Google Apps login page:

A SAML request will be create and you will be re-directed to the WiKID login page on your WiKID Server.

Start your WiKID token and generate a one-time passcode (assuming you have a registered token. See more on how to enable your users for two-factor authentication.

Select the domain. WiKID Software tokens are capable of authenticating to mutliple domains across multiple enterprises.

Type in your email address and the one-time passcode that is returned by the WiKID Software token (it is automatically pasted into the clipboard, so all you have to do it hit Ctrl-V in the password box) and login.

That should be it. Now access to your Google mail is secured using two-factor authentication from WiKID.

This document supercedes the previous tutorial on Google/WiKID two-factor authentication.

New Post has been published on http://mocco.sk/securing-ssh-on-ubuntu-precise-with-wikid-two-factor-authentication/

Securing SSH On Ubuntu Precise With WiKID Two-Factor Authentication

SSH offers a highly secure channel for remote administration of servers. However, if you face an audit for regulatory or business requirements, such as Visa/Mastercard PCI, you need to be aware of some potential authentication related short-comings that may cause headaches in an audit. For example:

There is no way to control which users have public key authorization

There is no way to enforce passphrase complexity (or even be sure that one is being used)

There is no way to expire a public key

Additionally, SSH keys work great, but not for other services. We recently showed you how to add two-factor authentication to Apache . Using Radius for SSH means that we are getting closer to using a single, standard authentication protocol for your organization. As we will see in future tutorials, this standardization makes identity management much easier and more secure.

In this document we are going to demonstrate how to combine two-factor authentication from WiKID on Ubuntu. The WiKID Strong Authentication System is a commercial/open source two-factor authentication solution. First, we will configure a domain on the WiKID server, then add the targeted server as a network client to the WiKID server, and finally configure the Ubuntu Precise box via pam-radius. This document will also serve as the basis for additional tutorials because many services on Linux use PAM for authentication.

The WiKID Strong Authentication server is available for Ubuntu. Please see the installation instructions for the .deb package and the complete installation manual.  We assume your server is up and running and you are ready to implement two-factor authentication in your environment.

Adding A Domain To The WiKID Server

Create A Network Client

After saving the domain information, click on the Network Client tab and Create New Network Client. Enter a name for this client and the IP Address of the SSH gateway on the internal network. Select Radius as the protocol and the domain you created above as the domain.

Click Add to get the next page and enter the shared secret for Radius.

You will need to repeat this process for each server on your network.

Configure SSH On Your Ubuntu Box

Now we will configure SSH on the target machine. Each flavor of linux handles PAM slightly differently.  This tutorial covers how to install pam-radius for two-factor authentication on Ubuntu. For instructions on how to install pam-radius on Redhat flavors, see this page.

First, install the package:

$ sudo apt-get install libpam-radius-auth

That was pretty painless. Now let’s configure it.  First, let’s tell pam_radius which radius server to talk to:

$ sudo vim /etc/pam_radius_auth.conf

Note that the file says to copy it to /etc/raddb/server, but DO NOT do that. 

Edit the line “other-server; other-secret 3″; replacing ‘other-server’ with IP address or hostname of your WiKID Strong Authentication server (or radius server if you have one set up in between WiKID and your servers) and change ‘other-secret’ the shared secret for this network client.

Now that the package is setup and pointing to your WiKID server, let’s configure a service to use it. 

Edit your /etc/pam.d/sshd file

$ sudo vim /etc/pam.d/sshd

And add the line:

auth       sufficient  pam_radius_auth.so

Just above:

# Standard Un*x authentication. @include common-auth

Now, you are ready to test. I recommend you run ‘tail -f /var/log/auth.log’ while you test.

Note that we have not made any changes to the account setup, so the user is expected to have a local account on the machine or you can configure account to use pam_ldap and point it to your AD/LDAP server.

Remote SSH is now extremely secure. No user can get access to the server without first getting a one-time passcode from the WiKID server. The two-factors of authentication are possession of the WiKID token (and it’s cryptographic key embedded in the token) and knowledge of the PIN. Because the PIN is validated on the WiKID server, it is very easy to disable a user. Everything is logged and any auditor should be very pleased.

Additionally, you could require a WiKID one-time passcode for root access on internal machines. Just create create a new domain for su and edit /etc/pam.d/su appropriately. This will also allow you to break the servers into different groups for management. Just create For example, if you have a set of servers for HR to which only certain admins have root access, they can be configured for a specific WiKID domain – allowing fine grained access control and strong authentication. Get more information on two-factor authentication from WiKID website.

New Post has been published on http://mocco.sk/how-you-can-configure-apache-to-apply-radius-for-wikid-two-factor-authentication-on-ubuntu/

How you can Configure Apache To apply Radius For WiKID Two-Factor Authentication On Ubuntu

This document describes how to add WiKID two-factor authentication to Apache 2.x using mod_auth_radius on Ubuntu 12.04 Precise.

It is recommended that you consider using mutual https authentication for web applications that are worthy of two-factor authentication. Strong mutual authentication means that the targeted website is authenticated to the user in some cryptographically secure manner, thwarting most man-in-the-middle attacks. The use of cryptography is key. While some sites use an image in an attempt to validate a server, it should be noted that any man-in-the-middle could simply replay such an image.

The WiKID software token performs mutual authentication by retrieving a hash of the website’s SSL certificate from the WiKID server and comparing a hash of the downloaded SSL certificate. If the two match, the token will launch the default browser to the target site for the user. If they don’t match an error will be displayed, much like SSH. To configure mutual authentication for web applications, see this tutorial.

Our configuration was as follows:

Ubuntu 12.04

Apache 2.2.22-1 

libapache2-mod-auth-radius 1.5.8-1.  

For two-factor authentication, we were using WiKID, in this case, the commercial version.

Here’s how it will work, when the user clicks on a two-factor protected link, they will be prompted for a username and password. The user generates the one-time passcode on their WiKID software token and enters it into the password prompt. Apache will route the username and one-time password to the WiKID server via mod_auth_radius. If the username and one-time password match what WiKID expects, the server will tell Apache to grant access. First, we add Apache to the WiKID Strong Authentication Server as a network client, then add radius to Apache. I assume you already have a WiKID domain and users setup.

So, start by adding a new Radius network client to the WiKID server for your web server:

Log into WiKID server web interface (http://yourwikidserver/WiKIDAdmin).

Select Network Clients tab.

Click on Create New Network Client.

Fill in the requested information.

For the IP Address, use the web server IP address

For Protocol, select Radius

Hit the Add button, and on the next page, enter a shared secret

Do not enter anything into the Return Attribute box

From the terminal or via ssh, run ‘stop’ and then ‘start’ to load the network client into the built-in WiKID radius server

That is it for the WiKID server.

Now to get Apache ready for two-factor authentication. I started from a fresh Ubuntu 12.04 install so I had to install both apache and mod_auth_radius.

$ sudo apt-get install libapache2-mod-auth-radius

Now you need to add two more things to your apache2.conf and httpd.conf. First create a directory that will be protected by two-factor authentication. In this case, the entire site is protected. Enter this into your apache2.conf:

<Directory /var/www> Options Indexes FollowSymlinks AuthType Basic AuthName "WiKID Two-factor authentication" AuthBasicAuthoritative Off AuthBasicProvider radius AuthRadiusAuthoritative on AuthRadiusActive On Require valid-user </Directory>

Note the “AuthBasicProvider radius” directive. That stops the browser from re-submitting cached credentials to the WiKID server, which clearly will not work for one-time passwords.

Now, in httpd.conf, enter:

AddRadiusAuth wikid_server_address:1812 wikidserver_shared_secret 5 AuthRadiusCookieValid 60

You will want to change wikid_server_address to the IP address of the WiKID server and wikidserver_shared_secret to the shared secret you configured above in the WiKID server. Note that the the AddRadiusAuth line ends with 5 and not 5:3. The 3 in the later setting is for the number of times to attempt a password use. For one-time passwords, we only want them tried once, therefore we leave it empty. The 5 is for a 5 second time out. The AuthRadiusCookieValid directive is set for 60 minutes.

That should be all you need. You can use a .htaccess file, but that is frowned upon. The Directory method is deemed more secure.

 Using radius allows you to run the authentication through your directory using NPS on Windows/AD or Freeradius for OpenLDAP.  Such a configuration allows you to disable a user in one place – the directory – which is much more secure.

Links

Related Tutorials