How to configure IAS to proxy the username and one-time passcode to the WiKID server after validating the user is active in AD.

(Note: IAS is the RADIUS plugin for Windows Server versions prior to 2008. In Windows Server 2008, IAS was renamed NPS. We also have documentation on using NPS to process two-factor authentication requests.)

Start by configuring IAS to proxy one-time passcodes

Ensure that the IAS/RADIUS server is registered in Active Directory

Select Remote RADIUS Server Groups

Right click on the blank area and select “New Remote RADIUS Server Group”

The Wizard will start. Click “Next”.

Choose “Custom” and enter the name “WiKID Group”, then click “Next”

The “Add Servers” dialog will be displayed. Click “Add”.

Enter the IP address of the WiKID server and then switch to the “Authentication/Accounting” tab

Set the “Authentication Port” to “1812” and enter the shared secret which will be used when communicating with the WiKID server. Also, set the “Accounting Port” to 1813 and ensure that the box for using the same shared secret is checked. The last checkbox is optional and has no functionality with WiKID.

Click “Apply” and then “OK”. Finally, back at the “Add Servers” dialog, click “Next”.

You will be asked whether you would like to start the “New Connection Request Policy Wizard”. Accept this and click “Finish”.

The “New Connection Request Policy Wizard” will be displayed. Click “Next”.

Select “A typical policy for a common scenario” and enter the policy name as “WiKID Policy”

Select “Forward connection requests . . .” and click “Next”

Enter the FQDN for your Windows domain, select the “WiKID Group”, and click “Next”

Click “Finish”

Click on “RADIUS Clients” in the navigation tree, right click in the white space, and select “New RADIUS Client”

The “New RADIUS Client” dialog will appear. Enter a friendly name for the client and the client's IP address and click “Next”.

Select “RADIUS Standard” and enter a shared secret for the device to use when communicating with the IAS server. Click “Finish”.

Select “Remote Access Policies” from the navigation tree on the left, right click on the empty white space, and select “New Remote Access Policy”. N.B.: For the Remote Access Policy to apply properly, ensure that you are running your domain at 2003 functional level or higher.

The “New Remote Access Policy Wizard” will appear. Click “Next”.

Select “Set up a custom policy” and enter the policy name as “WiKID Policy”. Click “Next”.

Add a policy condition of “Authentication-Type” as “PAP”. Click “Next”.

Select “Grant remote access permission” and click “Next”.

Click “Edit Profile”.

On the “Authentication” tab, uncheck all options except “Unencrypted authentication (PAP, SPAP)”.

On the “Encryption” tab, uncheck all options except “No encryption”.

Click “Apply” and then “OK”. Back on the Wizard dialog, click “Next” and then “Finish”

In the navigation tree on the left, click on “Connection Request Policies” and then double-click on the “WiKID Policy”.

The “WiKID Policy Properties” dialog will appear. Click “Edit Profile”.

On the “Edit Profile” dialog, go to the “Advanced” tab and click “Add”.

Find “Remote-RADIUS-to-Windows-User-Mapping”, double-click it, select “True” and click “OK”.

Click “Close”. On the “WiKID Policy Properties” dialog, click “Apply” and then “OK”.

Add the IAS Server as a Network Client on the WiKID server

Log on to the WiKID server via the HTTPS interface: https:///WiKIDAdmin/

Log in as an administrator. Click on “Network Clients”

Click “Create A New Network Client”

Enter a friendly name for the client, enter its IP address, choose “RADIUS”, select the appropriate domain, and click “Add”.

Enter a shared secret for the IAS server to communicate with the WiKID server. (This should be the same as the one configured earlier inside of IAS.)

Log on to the WiKID server as “root” and run the command “wikidctl restart” in order to apply the RADIUS server settings.

You will be prompted to enter the certificate store passphrase. Type it in and press enter to complete the restart.

At this point, any client you configure inside of IAS as a RADIUS client with PAP authentication will be AUTHORIZED against Active Directory and AUTHENTICATED by WiKID!

Copyright © WiKID Systems, Inc. 2017 | Two-factor Authentication