Integration How-tos

Two-Factor Authentication to your VPN, SSL-VPNs, Applications, etc.


Configuring CAS on Ubuntu for Two-factor and Mutual https authentication with WiKID

In our ongoing effort to show how easy it is to add two-factor authentication to various services, we have integrated the open-source single sign-on tool CAS with WiKID for two-factor authentication. The CAS server is running on Ubuntu 11.04 Server and is using Radius to talk to the WiKID Strong Authentication Server Enterprise Edition.

Single sign-on is a great technology. Requiring users to log in to multiple applications is a huge hassle, and it encourages password reuse and simple passwords. Security needs to focus on usability. If you can make a user's life better while increasing security, everybody wins.

In this how-to we will set up the open-source CAS SSO product with one-time passwords for sessions and mutual https authentication for host authentication. Obviously, using two-factor authentication for the login increases security because the user must have both factors to get access: in this case, knowledge of the PIN and possession of the private key embedded in the token. Less obvious is the benefit of strong mutual authentication. WiKID does this by downloading a hash of the CAS web site's SSL certificate along with the one-time password. Before presenting the OTP, the token goes to the CAS URL via the user's connection, grabs the SSL cert and hashes it. If the hashes match, the OTP is presented and the default browser is launched to the CAS URL. If they do not match, there is a potential attack and the user gets an error stating that the URL has changed. MiTM attacks are much easier to perform today thanks to the ubiquity of WiFi.

Building CAS and the cas.war file

First, CAS is built with Maven, so you need to install it:

sudo apt-get install maven2

Next download the latest version of CAS from the site. The current release is 3.4.11.

wget http://downloads.jasig.org/cas/cas-server-3.4.11-release.tar.gz

tar -xzvf cas-server-3.4.11-release.tar.gz

Edit pom.xml

cd cas-server-3.4.11/cas-server-webapp/

vim pom.xml

Add the following dependency to pull in the RADIUS support module:

<dependency>
     <groupId>${project.groupId}</groupId>
     <artifactId>cas-server-support-radius</artifactId>
     <version>${project.version}</version>
</dependency>

Edit deployerConfigContext.xml

vim src/main/webapp/WEB-INF/deployerConfigContext.xml

In this file, comment out the SimpleTestUsernamePasswordAuthenticationHandler, which exists only for demo purposes, and add the details of your RADIUS configuration. These beans are listed under Authentication Handlers.

	<property name="authenticationHandlers">
		<list>
			<!--
				| This is the authentication handler that authenticates services by means of callback via SSL, thereby validating
				| a server side SSL certificate.
				+-->
			<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
				p:httpClient-ref="httpClient" />
			<!--
				| This is the authentication handler declaration that every CAS deployer will need to change before deploying CAS
				| into production.  The default SimpleTestUsernamePasswordAuthenticationHandler authenticates UsernamePasswordCredentials
				| where the username equals the password.  You will need to replace this with an AuthenticationHandler that implements your
				| local authentication strategy.  You might accomplish this by coding a new such handler and declaring
				| edu.someschool.its.cas.MySpecialHandler here, or you might use one of the handlers provided in the adaptors modules.
				+-->
			<!--
			<bean class="org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler" />
			-->

			<!-- Added for WiKID: authenticate the username and one-time passcode over RADIUS (PAP) -->
			<bean class="org.jasig.cas.adaptors.radius.authentication.handler.support.RadiusAuthenticationHandler">
				<property name="servers">
					<bean class="org.jasig.cas.adaptors.radius.JRadiusServerImpl">
						<constructor-arg index="0" value="10.100.0.170" />
						<constructor-arg index="1" value="secret" />
						<constructor-arg index="2">
							<bean class="net.jradius.client.auth.PAPAuthenticator" />
						</constructor-arg>
					</bean>
				</property>
			</bean>
		</list>
	</property>

In this example, the CAS server is talking directly to the WiKID server. You might also have a radius server such as freeradius or NPS between CAS and WiKID doing authorization. If you have more than one of these, you can list the servers for redundancy:

<bean class="org.jasig.cas.adaptors.radius.authentication.handler.support.RadiusAuthenticationHandler">
	<property name="servers">
		<list>
			<bean class="org.jasig.cas.adaptors.radius.JRadiusServerImpl">
				<constructor-arg index="0" value="10.100.0.170" />
				<constructor-arg index="1" value="secret" />
				<constructor-arg index="2">
					<bean class="net.jradius.client.auth.PAPAuthenticator" />
				</constructor-arg>
			</bean>
			<bean class="org.jasig.cas.adaptors.radius.JRadiusServerImpl">
				<constructor-arg index="0" value="10.100.0.171" />
				<constructor-arg index="1" value="secret" />
				<constructor-arg index="2">
					<bean class="net.jradius.client.auth.PAPAuthenticator" />
				</constructor-arg>
			</bean>
		</list>
	</property>
	<!-- Try the next server in the list if one of them throws an exception -->
	<property name="failoverOnException" value="true" />
</bean>

You can now build the war file using Maven:

mvn clean package

Note that the CAS documentation for radius has an error in it. If you get the following error:

Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 
'org.jasig.cas.adaptors.radius.JRadiusServerImpl#1dd7736' defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]: 
Cannot create inner bean 'net.sf.jradius.client.auth.PAPAuthenticator#1c958af' of type [net.sf.jradius.client.auth.PAPAuthenticator] 
while setting constructor argument; nested exception is org.springframework.beans.factory.CannotLoadBeanClassException: 
Cannot find class [net.sf.jradius.client.auth.PAPAuthenticator] for bean with name 'net.sf.jradius.client.auth.PAPAuthenticator#1c958af' 
defined in ServletContext resource [/WEB-INF/deployerConfigContext.xml]; nested exception is java.lang.ClassNotFoundException: 
net.sf.jradius.client.auth.PAPAuthenticator

This is due to using the outdated line

<bean class="net.sf.jradius.client.auth.PAPAuthenticator" />

Rather than the correct:

<bean class="net.jradius.client.auth.PAPAuthenticator" />

Configuring Tomcat

Start by downloading the latest Tomcat and untarring it. At the time of this writing that was 7.0.22.

sudo tar -xzvf apache-tomcat-7.0.22.tar.gz

Create an SSL keystore:

keytool -genkey -alias tomcat -keyalg RSA

You will probably want to import a signed certificate for production, but this will do for testing.

Edit the $tomcathome/conf/server.xml file to create an SSL port.

sudo vim conf/server.xml

Create the listener:

     <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="/path/to/.keystore"
               keystorePass="keystorePassphrase"
               clientAuth="false" sslProtocol="TLS" />

Start tomcat:

sudo $tomcathome/bin/startup.sh

If all is well, you should have a listener on the SSL port you configured (the output below shows Tomcat's default SSL port, 8443):

sudo netstat -anp | grep 8443
tcp6 0 0 :::8443 :::* LISTEN 10105/java

Copying the war file into tomcat's webapps directory will deploy it:

cp /home/username/cas-server-3.4.11/cas-server-webapp/target/cas.war $tomcathome/webapps/

If you look in $tomcathome/logs/catalina.out, you should see this line: "INFO: Deploying web application archive cas.war".

Configuring WiKID

Adding a Radius Network Client

The CAS server will be a RADIUS network client to the WiKID Strong Authentication Server. On the WiKIDAdmin web UI, go to the Network Clients tab and select "Create a new network client", then enter the information appropriate for your CAS server, selecting RADIUS as the protocol.


Click Add or Modify and enter the shared secret. Make sure that the shared secret is the same as in the deployerConfigContext.xml file.


Now let's add mutual https authentication to the mix. Go to the Domains tab on the WiKIDAdmin and edit or create the domain you intend to use. Under Registered URL, enter the URL for your CAS server:


The WiKID server will go to that URL and store a hash of the SSL certificate. Note that the RADIUS settings are cached, so you need to restart WiKID. If WiKID is controlling the firewall, the restart will also open a port to the CAS server. From the command line of the WiKID server run:

wikidctl restart

User registration and logging in

Registering the token

Start your WiKID software token. Select Action, Create new domain. Enter the 12 digit domain identifier for your WiKID server. This is typically the zero-padded IP address.


You will be prompted to set a PIN.


You will get back a registration code from the server. This registration must be validated before the user can log in.


Log in to the WiKIDAdmin and click on the Users tab and then Manually validate a user. You will see your registration code.


Click on the registration code and enter your username on the following page.

Now, head back to the token and select Get Passcode.


Enter your PIN.


You will get back an OTP from the WiKID Strong Authentication Server. Additionally, your default browser will be opened to the CAS login page specified under the Registered URL.


Now log in to the CAS SSO page with your username and WiKID one-time passcode.

If you run the PC software token in debug mode, you will see the token validating the SSL certificate for you:

Received 128 bytes from server.
validatedURL() processing response ...
validatedURL() returned url: https://cas.wikidsystems.com/cas/login
validatedURL() hash_from_server: 14Bqov7lBEMn+DavECDMovCBTF0=
validatedURL() hash_from_me: 14Bqov7lBEMn+DavECDMovCBTF0=
validatedURL() validated_url: https://cas.wikidsystems.com/cas/login
Validity check returning: https://cas.wikidsystems.com/cas/login

 

If there is a Man-in-the-Middle attack the user will get an error that the URL has changed. The debug output will show that the hashes do not match:

Received 128 bytes from server.
validatedURL() processing response ...
validatedURL() hash_from_server: 14Bqov7lBEMn+DavECDMovCBTF0=
validatedURL() hash_from_me: /HAtxIVzVL6yo1OjTkPca74xd8s=
Validity check returning: null
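The comparison that the validatedURL() debug lines are tracing, both in the matching case above and in the mismatch case just shown, written out as an added Python example. This is not the WiKID token's code and not from the original article; it mirrors the behaviour the article describes. Assumptions: the stored value is a base64-encoded SHA-1 digest of the server's DER certificate (inferred only from the 28-character base64 strings in the debug output, so WiKID may use a different digest), and the host name and certificate bytes used in the demo are constructed.

```python
import base64
import hashlib
import hmac
import ssl
from typing import Optional
from urllib.parse import urlparse


def cert_fingerprint(der_cert: bytes) -> str:
    """Base64 SHA-1 of the DER certificate.

    SHA-1 is an assumption inferred from the 28-character base64 strings in the
    token's debug output; WiKID may use a different digest.
    """
    return base64.b64encode(hashlib.sha1(der_cert).digest()).decode("ascii")


def fetch_der_cert(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate the host presents, as DER bytes, over the
    user's own connection. The pinned hash, not the CA store, decides trust."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def validated_url(url: str, hash_from_server: str, der_cert: bytes) -> Optional[str]:
    """Mirror validatedURL(): return the URL when the hashes match, otherwise None."""
    hash_from_me = cert_fingerprint(der_cert)
    print(f"validatedURL() hash_from_server: {hash_from_server}")
    print(f"validatedURL() hash_from_me: {hash_from_me}")
    # Constant-time compare; a None result is what the token reports as "URL has changed".
    return url if hmac.compare_digest(hash_from_me, hash_from_server) else None


def check_registered_url(url: str, hash_from_server: str) -> Optional[str]:
    """Live check: take the host from the registered URL and validate its certificate."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        return None  # only an https URL carries a certificate to pin
    der_cert = fetch_der_cert(parsed.hostname, parsed.port or 443)
    return validated_url(url, hash_from_server, der_cert)


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates (not real certificates).
    genuine = b"constructed DER bytes of the genuine CAS certificate"
    imposter = b"constructed DER bytes of a certificate an interposer would present"
    pinned = cert_fingerprint(genuine)  # what the WiKID server stores for the domain
    url = "https://cas.example.invalid/cas/login"
    print("Validity check returning:", validated_url(url, pinned, genuine))   # the URL
    print("Validity check returning:", validated_url(url, pinned, imposter))  # None
```

The design point is that the pinned hash is what decides: a host in the middle that presents a different certificate fails the check even if that certificate chains to a trusted CA, which is why this catches the network-level MiTM cases the article is concerned with. check_registered_url() is the live variant and needs network access; the demo under `__main__` runs offline.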

 

Conclusion

Single sign-on is a great tool, but it creates a "keys to the kingdom" situation where compromising a single set of credentials can result in a much larger breach than without SSO. Additionally, organizations are using SSO for cloud-based services such as Google Apps.


How to add a RADIUS network client to the WiKID server

About 98% of our customers use the RADIUS protocol to enable two-factor authentication for networking equipment, VPNs, etc.

After you have downloaded, installed and configured the WiKID two-factor authentication server, you will want to add Network Clients. This can be your RADIUS server if you are using freeradius or NPS (which we recommend), or a Cisco ASA or any VPN if you want them talking to WiKID directly. On the WiKIDAdmin click on the Network Clients tab.


Click on Create a New Network Client.


Give it a useful name, enter the IP address of the RADIUS server or the Cisco ASA depending on your setup.  Select RADIUS as the protocol and select the WiKID domain to use.  Click Add.


Enter the Shared secret. Remember this must match what is entered in the RADIUS server or the Cisco ASA or WiKID will not be able to decode the RADIUS packets.
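To see concretely why the shared secret has to match on both ends, here is an added Python example (not WiKID's, CAS's or Cisco's code, and not from the original article) that builds a RADIUS Access-Request with a PAP User-Password exactly as RFC 2865 lays it out, answers it from a toy authentication server, and runs the same request against a server holding the right secret and one holding a different secret. It is the same exchange the CAS RadiusAuthenticationHandler with PAPAuthenticator in the earlier how-to produces. The user name, passcode and secrets are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and the two attribute types used here.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def obfuscate_password(password: str, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad to 16-byte blocks, then XOR
    each block with MD5(secret + previous block), seeded by the Request Authenticator."""
    plain = password.encode()
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(plain), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(plain[i:i + 16], key))
        out += prev
    return out


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> str:
    """Server side: undo the XOR chain. With the wrong secret the MD5 keystream
    differs and only noise comes out: the 'cannot decode the packets' failure."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode("utf-8", errors="replace")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length includes the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: str, password: str, secret: bytes):
    """Network-client side. Returns (packet, request_authenticator)."""
    authenticator = os.urandom(16)  # fresh random Request Authenticator per request
    attrs = attribute(ATTR_USER_NAME, username.encode())
    attrs += attribute(ATTR_USER_PASSWORD, obfuscate_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def parse_attributes(packet: bytes) -> dict:
    """Walk the TLVs after the 20-byte header into {type: value}."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            break  # malformed attribute: stop rather than loop forever
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def build_response(code: int, request: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20)  # no attributes in this reply
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_response(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Client side: a reply only counts if it was authenticated with our secret."""
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def radius_server(request: bytes, secret: bytes, users: dict) -> bytes:
    """Toy authentication server: recover the PAP password, then accept or reject."""
    attrs = parse_attributes(request)
    user = attrs.get(ATTR_USER_NAME, b"").decode("utf-8", errors="replace")
    given = recover_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request[4:20])
    ok = hmac.compare_digest(users.get(user, "").encode(), given.encode())
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)


if __name__ == "__main__":
    # Constructed sample values; the 12 digits stand in for the PIN-derived one-time passcode.
    users = {"alice": "123456789012"}
    request, req_auth = build_access_request(7, "alice", "123456789012", b"secret")
    good = radius_server(request, b"secret", users)            # secrets match
    bad = radius_server(request, b"different-secret", users)   # server configured differently
    print("matching secret:   code", good[0], "verified", verify_response(good, req_auth, b"secret"))
    print("mismatched secret: code", bad[0], "verified", verify_response(bad, req_auth, b"secret"))
```

Two things fall out of the mismatch case: the server recovers garbage instead of the passcode and so rejects, and the client cannot even verify that the reject came from the server it sent the request to, because the Response Authenticator is keyed with the secret as well. Both symptoms point at the shared secret rather than at the user's credentials.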

On the WiKID terminal run 'wikidctl restart'.  This updates the RADIUS cache and if you are using our ISO virtual appliance opens up the firewall for the IP address of the network client.  If you are using the packages, please open port 1812 UDP for the correct IP address.


How to add mutual HTTPS authentication to a Cisco ASA SSL/IPSec VPN

If you are worried about MITM attacks - which thanks to ubiquitous WiFi are much easier - this tutorial will show you how to combine WiKID's two-factor authentication and mutual https authentication to thwart most network-based MITM attacks.

WiKID uses a hash of the server certificate, stored on the authentication server, to perform site/mutual authentication. When the user requests a one-time passcode (OTP), the hash is sent from the server to the software token client along with it. Before presenting the user with the OTP, the token client fetches the certificate from the website over the user's internet connection, hashes it and compares it to the hash retrieved from the server. If the hashes match, the URL is presented as validated and the default browser is launched to that URL. As usual, the OTP is automatically copied to the clipboard. This functionality is currently only available in the PC tokens.

First, I assume you have set up your Cisco ASA for two-factor authentication for sessions as previously described. You will not need to make any changes on the ASA for this configuration. It is all on the WiKID server.

Head to the WiKIDAdmin, Domains tab.  Click the Edit link on the far right side if you have a domain or click Create A New Domain if you haven't.  You will see the screen below:

The only change I made was to add the SSL URL for the Cisco ASA to the optional Mutual HTTPS Auth URL box.  Note that this is in our lab, so we are using 10.100.0.0 as the external network and 192.168.1.1.  In most cases, your domain ID/server code would be based on an external IP and the Mutual HTTPS Auth URL would be the external network of the ASA.

Now, start (or restart) your WiKID token on your PC. Get a passcode and you will see that the browser is launched to the URL you entered. Great, it worked! But it's a bit hard to see the value. Let's edit our iptables and make it fail. Here's what I entered on my test box:

sudo iptables -t nat -A OUTPUT -d 10.100.0.188 -j DNAT --to-destination 10.100.0.30

Now, when you try to get an OTP you get an error:

It's a bit cryptic, but enough to let your users know something bad has happened.


How to add two-factor authentication for Admin access to a Cisco ASA 5500

Critical infrastructure needs security. If you manage a number of Cisco ASAs, this tutorial will show you how to use RADIUS to add two-factor authentication to administrative tasks.

This tutorial builds on this previous tutorial on how to configure the ASA 5500 for two-factor authentication for users.  See that document for information on setting up a RADIUS Server Group which we use here.

Start the ASDM and navigate to Configuration, Device Management, Users/AAA, AAA Access. The first tab is Authentication.  Click on Require authentication to allow use of privileged mode commands or select the types of connections below.   Select the RADIUS Server Group you created previously.  Check "Use local when server group fails" if you are so inclined.


If you prefer to use the command line, you can use this command:

aaa authentication http console WiKID-radius LOCAL

Here WiKID-radius is the RADIUS Server Group and LOCAL is configured as the backup, so local accounts still work if the RADIUS servers are unreachable.

Need inexpensive two-factor authentication? Download the WiKID Strong Authentication Server today. Free for five users.


How to add two-factor authentication from WiKID to a Nortel Contivity VPN concentrator

This document describes how to configure the Nortel Contivity VPN Concentrator for two-factor authentication from WiKID. We assume that there will be a direct connection between the Contivity and the WiKID server using RADIUS, but there could easily be a RADIUS server in the middle, such as a Cisco ACS or Microsoft IAS server.

First, we will configure the Nortel Contivity VPN server for radius:

  • Configure Radius Support:
    • Login to the Nortel VPN Router Administration Console web interface.
    • Enable Username and Password authentication under Services > IPSec > Radius
    • Under Servers > Radius Authentication check "Enable Access to RADIUS Authentication"
    • Check "Response Only" and "PAP" under the Server-Supported Authentication Options.
    • In the RADIUS Servers section, check "Enabled", enter the IP address of the WiKID server, choose the private interface, leave the port as 1812, and enter and confirm the shared secret.
  • Configure an IPSec Group for WiKID - this sets the pre-shared secret for IPSec
    • Under Profile > Group > Add, add a new group (if desired)
    • Enter a Group Name, such as WiKID, a Parent and select OK
    • Under Profiles > Groups > Edit > IPSec > Authentication click Configure
    • Enter a group ID and password - this is the shared secret for the IPSec tunnel, not the user's password.
    • Select Username and password for the authentication type.

Now, we will configure the VPN Client using the Contivity Wizard.

  • Start the Connection Wizard and select Create a new connection
  • Give it a name
  • Select Username and Password (do not select hardware or software token).
  • Enter the Group ID and password for the WiKID user group.
  • Enter the IP address or host name for the Nortel Contivity VPN
  • Select to Not dial first - unless you want to.
  • Click Finish.

Now we'll configure the WiKID side. On the WiKID Server, be sure to enable Radius:

  • Click on the 'Configuration' tab in the WiKIDAdmin web interface.
  • Click on 'Enable Protocols'
  • If Radius is not Enabled, click on it.
  • You should be able to leave the settings as is and click 'Initialize'.

Next we add a specific network client for the Nortel Contivity VPN:

  • Click on the 'Network Client' Tab
  • Click on 'Create New Network Client'
  • Create a name such as "Nortel Two-factor VPN"
  • Choose a WiKID domain for the network client
  • Select 'Radius' as the protocol
  • Click 'Add'
  • On the next page, enter the Shared Secret created above. Leave the Return Attributes empty (unless you know what you're doing)
  • Click 'Add NC'
  • From a terminal window, stop and start the WiKID Strong Authentication Server. This will open up the firewall port to the new network client.

That is it. Now you should have properly configured two-factor authentication for your Nortel Contivity VPN Concentrator. You should be able to generate a one-time password from a Windows, Linux, Mac, Android, BlackBerry, J2ME or iPhone software token and get access to your VPN. When logging in, use the WiKID one-time password from your WiKID token client when prompted for a password.

Product names used within are trademarks of their respective owners.


How to add two-factor authentication to a Cisco ASA 5500/ASDM 6.2

Recently our partner Computer Port IT Solutions of Hyderabad, India needed to integrate WiKID's two-factor authentication server with a Cisco 5500 VPN. They provided us with a slick screencast of the steps.

As with most enterprise two-factor authentication deployments, Computer Port used RADIUS. In this example, they pointed the Cisco VPN directly to WiKID, but they could also have routed the authentications through NPS. In addition to this screencast version, please see this tutorial on adding two-factor authentication via ASDM 6.4 and this one using the ASA console.

Remember: the WiKID Strong Authentication Enterprise server is free for up to five users.
