[KB3403] Configure my authentication endpoint for use with ESET Secure Authentication

Solution

ESA differentiates four RADIUS client types, based on how the client (for example, a VPN appliance) handles authentication against Active Directory (AD). Pick the client type that matches what your VPN actually does with the password, because a mismatch can leave one factor unverified.

Client does not validate username and password

All VPNs should support this scenario. If you set Client Type to Client does not validate username and password when configuring a RADIUS client in the ESA Web Console, both factors (username and password as the first factor, and OTP as the second factor) are verified by ESA.

Requirements

Configure the authentication of your VPN connection to use RADIUS authentication pointing to a RADIUS server you configured in ESA Web Console. 

How does it work?

  • SMS-based OTPs—At the first login attempt, the user enters their password. That attempt is rejected, but ESA sends the user an OTP via SMS. At the second login attempt, the user enters the received OTP into the password field.
  • Mobile Application OTPs / Hard Token OTPs—Users log in with both factors at once as a compound password: the password immediately followed by the OTP, with no separator (passwordOTP).
  • Mobile Application Push—Users log in with their login credentials. ESA generates a push notification on the user's mobile device; approving the notification completes the login.
SMS and Push authentication

If a user has both SMS and Push authentication enabled, only SMS will work.

  • User without 2FA / whitelisted user: Users log in using their login credentials. ESA validates the password.

Client validates username and password

Make sure the VPN supports this client type and is configured correctly. With an incorrect configuration, password verification can be skipped entirely, leaving the OTP as the only factor. If you set Client Type to Client validates username and password when configuring a RADIUS client in the ESA Web Console, the first factor (username and password) is validated by AD, and only the second factor (OTP) is validated by ESA.

Requirements

Set up one authentication method on the VPN pointing to your AD server (for the username and password) and one RADIUS authentication method pointing to the ESA RADIUS server (for the OTP).

How does it work?
The VPN provides two password fields: the first for the user's password and the second for the OTP.
  • SMS-based OTPs—Two login attempts are required. First, users enter their password into the first password field and type sms (without quotation marks) into the second password field. If the correct username and password are supplied, the login screen appears again without any error message, and the user receives an OTP via SMS. On the second login attempt, the user enters the received OTP into the second password field.
  • Mobile Application OTPs / Hard Token OTPs—Users enter the generated OTP into the second password field.
  • Mobile Application Push—Users leave the second password field empty, or type none or push (without quotation marks) into that field. ESA generates a push notification and waits for its approval.
  • User without 2FA / whitelisted user: Users leave the second password field empty, or type none or push (without quotation marks) into that field.

Use the Access-Challenge feature of RADIUS

Use this option if your VPN server contacts only ESA RADIUS to verify both factors (username and password as the first factor, and OTP as the second factor), but the authentication consists of two steps.

The following RADIUS clients support the RADIUS Access-Challenge feature:

  • Junos Pulse (VPN)
  • Linux PAM module

The following RADIUS clients should not be used with the Access-Challenge feature:

  • Microsoft RRAS
Requirements

Configure the authentication of your VPN connection to use RADIUS authentication pointing to a RADIUS server you configured in ESA Web Console. 

How does it work?
The login has two phases: a generic login with the user's credentials, followed by entering the OTP or approving the push notification. After the first phase, the VPN displays a popup dialog or another page to enter the OTP, or waits for approval of the push notification.
  • SMS authentication: Users log in using their login credentials, in the next screen or popup dialog they enter the OTP received via SMS.
  • Mobile OTP / Hard Token: Users log in using their login credentials, in the next screen or popup dialog they enter the generated OTP.
  • Push authentication: Users log in using their login credentials and approve the generated push notification.
Push authentication

If the user only has Push authentication enabled, no subsequent page will be displayed to request OTP or inform about pending approval of push notification, but the user does have to approve the push notification. If they do not, the login attempt will fail.

  • User without 2FA / whitelisted user: Users only use login credentials.
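To see what the client types above look like on the wire, here is an added example (not ESET's code and not from any integration guide) of a minimal RFC 2865 RADIUS client written with the Python standard library. It builds an Access-Request whose User-Password carries the compound passwordOTP used by Client does not validate username and password, and it runs the two-step Access-Challenge exchange: credentials first, then the OTP echoing back the State attribute the server issued. It also checks the Response Authenticator, so a forged Access-Accept or a wrong shared secret is rejected rather than treated as a successful login. The shared secret, the user alice, her password, the OTP, the State token and the fake_esa stand-in server are all constructed for the demo; the stand-in only approximates how an ESA RADIUS server responds and is not ESET's implementation.

```python
# Minimal RFC 2865 RADIUS client helpers (stdlib only). Added example, not ESET code.
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

def encrypt_password(password, secret, authenticator):
    """RFC 2865 5.2: NUL-pad to 16n bytes, XOR each block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def decrypt_password(hidden, secret, authenticator):
    """Server-side inverse of encrypt_password; trailing NUL padding is dropped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def parse_packet(data):
    """Returns (code, identifier, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    attrs, pos = [], 20
    while pos < length:
        t, l = data[pos], data[pos + 1]
        if l < 2:
            raise ValueError("malformed attribute length")
        attrs.append((t, data[pos + 2:pos + l]))
        pos += l
    return code, ident, data[4:20], attrs

def access_request(secret, username, password, ident=0, state=None):
    """Access-Request with hidden User-Password; returns (packet, request authenticator).
    For 'Client does not validate username and password' pass password + OTP as one string."""
    auth = os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, encrypt_password(password.encode(), secret, auth))]
    if state is not None:  # second step of an Access-Challenge exchange
        attrs.append((STATE, state))
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + auth + body, auth

def verify_response(secret, request_auth, response):
    """Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    digest = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return digest == response[4:20]

def challenge_flow(secret, username, password, otp, send):
    """Two-step login: credentials first, then the OTP echoing the server's State.
    send(packet) -> reply bytes. Returns the final RADIUS code."""
    req, auth = access_request(secret, username, password, ident=1)
    reply = send(req)
    if not verify_response(secret, auth, reply):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    code, _, _, attrs = parse_packet(reply)
    if code != ACCESS_CHALLENGE:
        return code
    req2, auth2 = access_request(secret, username, otp, ident=2, state=dict(attrs).get(STATE))
    reply2 = send(req2)
    if not verify_response(secret, auth2, reply2):
        raise ValueError("Response Authenticator mismatch on second step")
    return parse_packet(reply2)[0]

def make_response(secret, code, ident, request_auth, attrs):
    """Server-side reply builder (used by the stand-in server below)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def fake_esa(secret, password, otp):
    """Constructed stand-in for the ESA RADIUS server (not ESET's code)."""
    token = b"demo-state-token"  # constructed State value

    def send(packet):
        code, ident, auth, attrs = parse_packet(packet)
        a = dict(attrs)
        supplied = decrypt_password(a[USER_PASSWORD], secret, auth)
        if a.get(STATE) == token:  # second step: only the OTP is checked
            ok = supplied == otp.encode()
            return make_response(secret, ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, auth, [])
        if supplied == password.encode():  # first step: correct password -> challenge
            return make_response(secret, ACCESS_CHALLENGE, ident, auth,
                                 [(STATE, token), (REPLY_MESSAGE, b"Enter OTP")])
        return make_response(secret, ACCESS_REJECT, ident, auth, [])
    return send
```

To run this against a lab ESA RADIUS server instead of the stand-in, replace send with a function that writes the packet to a UDP socket and returns the datagram it receives back; the client side, including the authenticator check, stays the same. The MD5-based hiding of User-Password is what the RFC specifies and is not encryption in any modern sense, which is one reason the shared secret and the RADIUS path between the VPN and ESA need to be protected.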

Client does not validate username and password - avoid compound

Use this option only if your VPN server uses MS-CHAPv2 (where a compound password is not supported), and it contacts ESA RADIUS to verify both factors (username and password as the first factor, and OTP as the second factor).
Requirements

Configure the authentication of your VPN connection to use RADIUS authentication pointing to a RADIUS server you configured in ESA Web Console. 

How does it work?
  • SMS-based OTPs, Mobile Application Push—At the first login attempt, the user enters their password. That attempt is rejected, but the second factor is triggered (an OTP sent via SMS, or a push notification). At the second login attempt, the user enters the received OTP into the password field (or approves the push notification).
  • Mobile Application OTPs / Hard Token OTPs—Users do not enter their password, only the OTP. Because the password is not checked in this mode, possession of the token alone is enough to log in; to lower the security risk, force the Mobile Application PIN so that a knowledge factor is still required:
    1. In ESA Web Console, navigate to Settings > Mobile Application.
    2. Turn on Users Must Use a PIN Code.
    3. Click Save.
  • User without 2FA / whitelisted user: Users log in using their login credentials. ESA validates the password.

<deprecated>

In ESA version 2.8 and earlier, the administrator could end up with inconsistent settings for the Client does not validate username and password and Client validates username and password client types. In ESA 3.0, client types configured that way are labeled <deprecated>. We recommend switching to the corresponding non-deprecated version of such client types.

Sample integration guides

Click the appropriate link below to view the ESET Secure Authentication integration guide for your configuration. The integration guides are designed to be used in combination with the ESET Secure Authentication Verifying ESA RADIUS functionality document. Note that some of the guides might be outdated and serve as a sample. For an up-to-date integration guide, consult the vendor of your VPN appliance with regard to the supported Client types described above.

VPN, Firewall and UTM endpoints:

Cloud and VDI endpoints

In addition to the application-specific integration guides, we recommend that you also read the ESET Secure Authentication online help when implementing ESET Secure Authentication. If you plan to add ESET Secure Authentication to an existing application using the ESET Secure Authentication API, the ESET Secure Authentication API User Guide and ESET Secure Authentication SSL Certificate Replacement documents are also available.
