Configure my authentication endpoint for use with ESET Secure Authentication (ESA)

Issue

  • Configure ESET Secure Authentication (ESA) for use with your authentication endpoint

Solution

VPN Types

ESA differentiates three VPN types based on the way they handle authentication in an Active Directory (AD) environment.

1. VPN does not validate AD user name and password

All VPNs should support this scenario. If you set VPN Type to VPN does not validate AD username and password when configuring a RADIUS client in the ESA Management console, both factors (AD username and password as the first factor, and OTP as the second factor) are verified by ESA.

Requirements

Configure the authentication of your VPN connection to use RADIUS authentication pointing to a RADIUS server you configured in ESA Management Console.

How does it work?

  • SMS-based OTPs—At the first login attempt, the user is prompted for an AD password. The login attempt fails, but the user receives an OTP via SMS. At the second login attempt, the user enters the OTP they received into the password field.
  • Mobile Application OTPs / Hard Token OTPs—Users log in using both their AD password and OTP at the same time, typed into the password field as ADpasswordOTP (the AD password immediately followed by the OTP).
  • Mobile Application Push—Users attempt to log in using their AD login credentials. A push notification is generated on the user's mobile device. Approving the notification results in a successful login.

SMS and Push authentication

If a user has both SMS and Push authentication enabled, only SMS will work.

  • User without 2FA / whitelisted user: Users log in using their AD login credentials. ESA validates the password.

2. VPN validates AD user name and password

Make sure the VPN supports this and is configured correctly. Incorrect configuration can lead to skipping AD password verification. If you set VPN Type to VPN validates AD username and password when configuring a RADIUS client in the ESA Management console, then the first factor (AD username and password) is validated by the other PAM module, not by ESA.

Requirements

Set up one Active Directory authentication pointing to your Active Directory server and one RADIUS authentication pointing to ESA RADIUS server.

How does it work?

VPN provides two password fields, first one for the user's AD password, second one for OTP.
  • SMS-based OTPs—Two login attempts are required. On the first one, users enter their AD password into the first password field and type "sms" (without quotation marks) into the second one. If the correct AD username and password were supplied, the login screen shows up again without any error message, and the user receives an OTP via SMS. On the second login attempt the user enters the received OTP into the second password field.
  • Mobile Application OTPs / Hard Token OTPs—Users enter the generated OTP into the second password field.
  • Mobile Application Push—Users leave the second password field empty, or type "none" or "push" without quotation marks into that field. ESA generates a push notification and waits for its approval.
  • Active Directory passwords without 2FA—Users leave the second password field empty, or type "none" or "push" without quotation marks into that field.

3. Use Access-Challenge feature of RADIUS

The following RADIUS clients support the RADIUS Access-Challenge feature:

  • Junos Pulse (VPN)
  • Linux PAM module

The following RADIUS clients should not be used with the Access-Challenge feature:

  • Microsoft RRAS

Requirements

Configure the authentication of your VPN connection to use RADIUS authentication pointing to a RADIUS server you configured in ESA Management Console.

How does it work?

The login has two phases: a generic AD login, followed by entering an OTP or approving a push notification. The VPN displays a popup dialog or a separate page for entering the OTP, or waits for the push notification to be approved.
  • SMS authentication: Users log in using their AD login credentials, in the next screen or popup dialog they enter the OTP received via SMS.
  • Mobile OTP / Hard Token: Users log in using their AD login credentials, in the next screen or popup dialog they enter the generated OTP.
  • Push authentication: Users log in using their AD login credentials and approve the generated push notification.

Push authentication

If the user only has Push authentication enabled, no subsequent page will be displayed to request OTP or inform about pending approval of push notification, but the user does have to approve the push notification. If they do not, the login attempt will fail.

  • User without 2FA / whitelisted user: Users use only AD login credentials.
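The two-phase Access-Challenge flow described above, as an added toy model (not ESET's code): the first Access-Request carries the AD credentials and is answered with Access-Challenge plus an opaque RADIUS State attribute, the second Access-Request carries the OTP and echoes that State, and push-only and whitelisted users get no challenge at all. The user directory, passwords, OTPs and push approvals are constructed inline; real ESA validates against AD and real tokens.

```python
import secrets
from dataclasses import dataclass, field

ACCEPT, REJECT, CHALLENGE = "Access-Accept", "Access-Reject", "Access-Challenge"

# Constructed directory: username -> (AD password, 2FA method, hard/mobile OTP or None)
USERS = {
    "alice": ("Pa55w0rd!", "otp", "492817"),   # mobile app / hard token OTP
    "dave":  ("Wint3r$", "sms", None),         # OTP delivered by SMS after phase 1
    "bob":   ("Secr3t#", "push", None),        # push only: no second page is shown
    "carol": ("Hunter2!", "none", None),       # whitelisted / no 2FA
}

def _eq(a, b):
    """Constant-time string comparison for credentials."""
    return secrets.compare_digest(a.encode(), b.encode())

@dataclass
class ChallengeServer:
    pending: dict = field(default_factory=dict)        # State -> (user, expected OTP)
    sms_outbox: dict = field(default_factory=dict)     # user -> OTP "sent" by SMS
    push_approved: dict = field(default_factory=dict)  # user -> approved on device?

    def handle(self, user, password, state=None):
        """Process one Access-Request; return (reply code, State attribute or None)."""
        if state is not None:                          # phase 2: OTP + echoed State
            owner, expected = self.pending.pop(state, (None, None))
            if owner is None or not _eq(user, owner):  # unknown, replayed or swapped State
                return REJECT, None
            return (ACCEPT, None) if _eq(password, expected) else (REJECT, None)
        rec = USERS.get(user)                          # phase 1: AD credentials
        if rec is None or not _eq(password, rec[0]):
            return REJECT, None
        method, otp = rec[1], rec[2]
        if method == "none":
            return ACCEPT, None
        if method == "push":                           # wait for approval, no challenge
            return (ACCEPT, None) if self.push_approved.get(user) else (REJECT, None)
        if method == "sms":                            # generate and "send" the OTP now
            otp = f"{secrets.randbelow(10**6):06d}"
            self.sms_outbox[user] = otp
        state = secrets.token_hex(8)                   # opaque State for the challenge
        self.pending[state] = (user, otp)
        return CHALLENGE, state
```

A State value is single-use here, so replaying the second request after success is rejected, which is the behaviour a defender should expect from a challenge round trip.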

Integration guides

Click the appropriate link below to view the ESET Secure Authentication integration guide for your configuration. The integration guides are designed to be used in combination with the ESET Secure Authentication Verifying ESA RADIUS functionality document. Note that some of the guides might be outdated and serve as a sample. For an up-to-date integration guide, consult the vendor of your VPN appliance with regard to the supported VPN types described above.

VPN, Firewall and UTM endpoints:

Cloud and VDI endpoints

In addition to the application-specific integration guides, we recommend that you also read the ESET Secure Authentication online help when implementing ESET Secure Authentication. If you plan to add ESET Secure Authentication to an existing application using the ESET Secure Authentication API, the ESET Secure Authentication API User Guide and ESET Secure Authentication SSL Certificate Replacement documents are also available.
