This document describes how to configure Microsoft ISA Server to use two-factor authentication from WiKID Systems. The two servers communicate using RADIUS, so the configuration comes down to registering each side as a RADIUS peer of the other with a matching shared secret.
First, we will configure the Microsoft server (Internet Authentication Service, IAS, the Windows RADIUS service):
- On the IAS Server machine, click Start -> Administrative Tools -> Internet Authentication Service.
- On the Internet Authentication Service console, right click the RADIUS Clients node in the left pane and click New RADIUS Client.
- On the Name and Address page, enter a Friendly name for the WiKID server, such as "WiKID server". Enter the IP address of the WiKID Server and click Next.
- On the Additional Information page, keep the Client-Vendor option as "RADIUS Standard". Enter a password in the Shared secret text box and again in the confirmation box. Put a checkmark in the "Request must contain the Message Authenticator attribute" checkbox; this makes every request carry an HMAC keyed with the shared secret, so a request with the wrong secret is rejected rather than processed. Click Finish.
Now we'll configure the WiKID server to validate the one-time passcodes sent by the Microsoft ISA Server. The steps below also create a new WiKID domain; if you already have one, skip the domain steps and go straight to the Network Clients tab.
- Log into the WiKID server and click on the Domains Tab
- Click on Create a New Domain
- Enter the information requested. The Domain Server Code (the 12-digit domain identifier that users later enter in their token clients) is the WiKID server's external IP address with each octet zero-padded to three digits. So, if the external IP address is 18.104.22.168, the Domain Server Code would be 018104022168. Click "Create".
- Click the Network Clients tab, then "Create a New Network Client".
- Enter the information requested. For the IP Address, use the IP address of the Microsoft ISA server (the address the RADIUS requests will actually come from). Select RADIUS and the domain you just created. Click "Add" when you're finished.
- On the next page, enter the same shared secret you entered on the Microsoft server; the two must match exactly. You do not have to enter any information under "Return Attributes".
- Important: From the WiKID terminal or via SSH, run "wikidctl restart" to load the new network client into the WiKID RADIUS server. Until you do, the server is still running the old configuration and will ignore requests from the ISA server.
That should be it for setting up the Microsoft ISA server for two-factor authentication. Now, let's test the system by setting up a user manually:
- Start the WiKID token client
- Select "New Domain" and enter the 12-digit domain identifier (the Domain Server Code) you set up on the WiKID server
- Enter your desired PIN. You will get a registration code back from the WiKID server.
- Log in to the WiKID Admin server again, click on the Users tab, then "Manually Validate a User"
- Click on your registration code (it should be the only one) and enter your desired username. It must be a username the Microsoft ISA server will accept, spelled exactly the same on both sides.
- Your username is now valid. Now start up the browser and try to log in with a WiKID one-time passcode.
Troubleshooting: If it doesn't work, check the WiKID server logs. When a one-time passcode is requested by the token client, you will see "Passcode Request Successful" in the logs. After the user submits that passcode to the ISA server, you should see "Successful Online Passcode Validation". If you see nothing after "Passcode Request Successful", the RADIUS Access-Request is not reaching the WiKID server, or it is being dropped: confirm that you ran "wikidctl restart" after adding the network client, that the network client's IP address is the address the ISA server actually sends from, that the RADIUS port (1812/udp by default) is not blocked between the two hosts, and that the shared secrets match. A RADIUS request whose Message-Authenticator does not verify is silently discarded, so a mistyped shared secret looks exactly like a network problem.
Once you have tested the system, take a look at how to roll out two-factor authentication to all your users.