Skip Links

Two-factor authentication through Windows Server 2008 NPS

Nick Owen of WiKID Systems Inc. offers a step-by-step tutorial to help enterprises add strong authentication to the network.

By Nick Owen, CSO
May 07, 2010 03:11 PM ET

CSO - Increasingly, whether due to regulatory requirements or a basic recognition that static passwords just don't provide adequate security, organizations are implementing some form of strong authentication. Like all new efforts, before you start you want to be reasonably assured that you will succeed. In this tutorial we will document how to add two-factor authentication to various Microsoft remote access solutions through the Windows Server 2008 Network Policy Server. For two-factor authentication, we will be using the WiKID Strong Authentication Server - Enterprise Edition. WiKID is a dual-sourced, software-based two-factor authentication system. While the document is product specific, the process is typically the same no matter the products.

Assume that you have a mixed OS environment with some Windows, some Linux/Unix. You have a new requirement for two-factor authentication to meet PCI requirements. You intend to protect all key systems, which are mostly linux and you are going to lock down your remote desktop with two-factor authentication too (though we will only discuss the SSH here). The plan is to create an SSH gateway server that is locked down with two-factor authentication. Admins can then jump from the gateway box to other servers using public key authentication.

SSH offers a highly secure channel for remote administration of servers. However, since you face an audit for PCI, you have become aware of some potential authentication related short-comings that may cause headaches in an audit. For example:

* There is no way to control which users have public key authorization

* There is no way to enforce passphrase complexity (or even be sure that one is being used)

* There is no way to expire a public key

Additionally, your intention is to add two-factor authentication to other services, such as RDP and a VPN. There is great benefit in having a single two-factor authentication service for all those services and SSH keys will not work for other services.

An overview

After everything is configured, the system will work like this: The user generates a one-time passcode from their WiKID software token. They enter it into the SSH password field. The credentials are passed from the SSH gateway to NPS via radius. NPS validates that the user is active in AD and in the proper group. If so, it sends the username and one-time password to the WiKID Strong Authentication Server still using Radius. If the OTP is valid, the WiKID server responds to the NPS, which in turn responds to the SSH gateway server and the user is granted access. Note that this process is only for authentication, session management is still handled by the SSH gateway or any other remote access service you are using.

First we will enable Windows Server 2008 Network Policy Server (NPS)

Add the "Network Policy and Access Services" role to your domain controller.

Enable these role services during installation:

* Network Policy Server

* Routing & Remote Access Services

* Remote Access Service

* Routing

Next we add a new RADIUS Client - The SSH Gateway in this case.

From Administrative Tools select Network Policy Server

Right click on Radius Clients and Select New

Add a name, the ip address of your remote access server (RAS, VPN, etc) and create a shared secret. You will enter the same shared secret on the WiKID server.

Click OK

Add a new Radius Server - The WiKID Strong Authentication Server

Right click on Remote RADIUS servers and name the group, something like "WiKID".

Click the Add button to add a new radius server in the group.

Enter the IP address of the WiKID server on the first tab. On the second tab, enter the shared secret. That should be all you need to change.

Creating a Network Policy

Now that we've created the radius client and radius server (WiKID), we need a new Network Policy that tells IAS which users to proxy to WiKID.

Enter a name and leave Type of network access server as Unspecified or choose your remote access system.

Click on the Conditions tab. I added a condition for all requests from my server's IP address.

Click on the Settings Page. Click on Authentication and Select the button for "Forward requests to the following remote RADIUS server group for authentication. Choose WiKID.

Configuring the WiKID Strong Authentication Server.

Now that we've configured the NPS to proxy authentications, we need to configure WiKID to accept them. See the WiKID installation manual for the details on how to install and configure the WiKID server. Here we're just going to be adding a radius network client for the NPS:

Log into the WiKIDAdmin web interface.

Click on the Network Clients tab.

Click on "Create New Network Client". Give the Network Client a name, specify the IP address, select Radius as the protocol and choose which WiKID Domain to use. (WiKID domains hold the users and specify certain security parameters such as PIN length, the lifetime of the one-time passcodes, max bad PIN/passcode attempts, etc.)

Click Add

On the next page, enter the Shared Secret. This is the same secret you entered in NPS above in the second tab of the 'Add Radius Server' step on the NPS. Be sure these match! WiKID support adding radius return attributes at the Network Client level and on a per-user group level, however, that is beyond the scope of this document.

You will get a notice that the network client has been added. You will need to restart the WiKID server from the command line. This loads the network client into the radius interface and opens the radius ports on the built-in WiKID firewall.

# wikidctl restart

Configuring the SSH Gateway Server

Configure the SSH Gateway

Now we will configure the central SSH gateway. This linux box is the gateway/proxy to all the production servers in the farm. It should be locked down tight with no extraneous software or services running on it. It should have an external interface for in-bound connections and an internal interface for internal connections. First, we will configure the gateway box to use WiKID for strong authentication of SSH users.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News