UPDATE: please see the newer document on adding two-factor authentication to a Sophos UTM. Sophos purchased Astaro some time ago.,
Astaro is a very popular Linux-based "all-in-one" security appliance offering spam filtering, malware protection, firewall, VPN, etc. The WiKID Strong Authentication Server is a dual-source two-factor authentication system. PINs are encrypted on a software token and sent to the WiKID server. If the PIN is correct, the encryption valid and the account active, a one-time password is generated, encrypted and returned to the user's token where it is decrypted and presented for use with a network-based services. This document will show how to add WiKID two-factor authentication to the Astaro Security Gateway version 7 using Radius.
Configuring Radius On The Astaro Security Gateway
Log into the WebAdmin on the Astaro Server.
Click on the Users link and then Authentication:
This will bring up the up the authentication management interface:
Select "Create Users Automatically". Astaro will automatically create user objects whenever an unknown user successfully authenticates using WiKID.
Click on the Radius tab and then the Enable button to activate the form:
If you haven't yet added the WiKID server to the network, click the green plus button on the Server line and add the WiKID server as a host. Use the internal network interface - you do not want Radius running on an external network because it is not encrypted. Keep the port as 1812. Type in the same shared secret as used on the WiKID server. Finally, click Apply to save the changes.
Now, you can configure your remote access services to use RADIUS:
Configuring The WiKID Server
We assume that you've already installed the WiKID server and have it up and running. We will start by creating a new WiKID domain to hold the Astaro VPN users. On the WiKIDAdmin web interface, click on the Domain tab and then "Create New Domain". This will bring up the Create Domain page:
The server code should be the zero-padded IP address of the WiKID server. The WiKID token clients will connect to the server over port 80 (because all the transactions are asymmetrically encrypted).
Next, we will create a network client for the Astaro server. In addition to opening a port on the firewall for the Astaro Security Gateway, this step will associate the WiKID domain and its users with the Astaro:
Radius traffic is encoded by a shared secret, so we need to enter the same shared secret here as we entered on the Astaro:
Your users should now be able to login to Astaro services using their WiKID credentials.