Two factor authentication – Amer Networks E5Web GUI User Manual
Page 556

8.7. Two Factor Authentication
When access to resources is based on username and password credentials, security can be
further strengthened by using Two Factor Authentication (sometimes referred to as two step
verification). The first factor is the username/password combination; the second factor is a
one-time code that is either sent to the user at the time of login or generated by a token or
app in the user's possession.
Typically, the second code is sent to the user's mobile phone via SMS or a similar phone
messaging service.
cOS Core supports two factor authentication by recognizing a RADIUS Access-Challenge
message and displaying a special webpage that requests the additional code. This webpage has
the cOS Core Banner File name LoginChallenge.
Processing Sequence
The sequence of processing for two factor authentication with cOS Core is as follows:
1. Authentication is set up as normal using an authentication rule and IP rules (or IP policies).
2. The authentication source will be an external RADIUS server that has been configured to
perform two factor authentication.
3. A user tries to access resources through the Clavister Security Gateway and is presented
with the standard cOS Core login page, in which they enter their username and password
credentials.
4. cOS Core sends these credentials to the RADIUS server for authentication in a RADIUS
Access-Request message.
5. The RADIUS server does two things:
i. It causes a one-time code to be sent to the user, for example in a text message to their
cell phone. If the code is generated by a token or app the user holds, this step is not
necessary.
ii. It informs cOS Core that two factor authentication must be used by sending a RADIUS
Access-Challenge message.
6. When cOS Core receives the Access-Challenge, it automatically displays to the user the
webpage defined by the banner file called LoginChallenge.
7. The user enters the code they received or generated into the displayed web page and cOS
Core sends the entered code to the RADIUS server as the password in a second
Access-Request message.
8. The RADIUS server checks the code sent by cOS Core against the code it expects and informs
cOS Core whether the user is authenticated by sending back an Access-Accept or Access-Reject
message.
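The exchange described in the eight steps above, as an added example that is not part of the manual or of cOS Core itself: a toy NAS plays the gateway's role and a toy RADIUS server plays the external server's role, in one process with no network I/O. The packet layout, the User-Password hiding and the Response Authenticator check follow RFC 2865; the shared secret, the user database, the one-time codes and the Reply-Message text are constructed sample data, and the class and function names are the example's own.

```python
# Added example, not from the manual: a toy NAS standing in for cOS Core and a toy
# RADIUS server exchange the Access-Request / Access-Challenge / Access-Accept
# messages of the sequence above. Packet layout, User-Password hiding and the Response
# Authenticator follow RFC 2865; secret, users and one-time codes are constructed data.
import hashlib, hmac, os, secrets, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24  # attribute types

def hide_password(secret, req_auth, password):
    """RFC 2865 5.2: null-pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password.ljust((len(password) + 15) // 16 * 16 or 16, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(secret, req_auth, hidden):  # server-side inverse of hide_password
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) followed by Type/Length/Value attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def decode(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], 20
    while pos < length:
        t, n = packet[pos], packet[pos + 1]
        attrs.append((t, packet[pos + 2:pos + n]))
        pos += n
    return code, ident, packet[4:20], attrs

def reply(code, ident, req_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    pkt = encode(code, ident, req_auth, attrs)
    return pkt[:4] + hashlib.md5(pkt + secret).digest() + pkt[20:]

def verify_reply(packet, req_auth, secret):
    """The NAS checks this before trusting an Access-Challenge or Access-Accept."""
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

class ToyRadiusServer:
    """The external server of step 2: sends a code (step 5.i) and answers Access-Challenge (5.ii)."""
    def __init__(self, secret, users):
        self.secret, self.users, self.pending, self.sent_codes = secret, users, {}, []
    def handle(self, packet):
        code, ident, req_auth, attrs = decode(packet)
        a = dict(attrs)
        user = a[USER_NAME].decode()
        typed = reveal_password(self.secret, req_auth, a[USER_PASSWORD])
        if STATE in a:  # step 8: the "password" of this request is the one-time code
            who, expected = self.pending.pop(a[STATE], (None, b""))
            ok = who == user and hmac.compare_digest(expected, typed)
            return reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, [], self.secret)
        if self.users.get(user) != typed.decode(errors="replace"):
            return reply(ACCESS_REJECT, ident, req_auth, [], self.secret)
        otp, state = f"{secrets.randbelow(10 ** 6):06d}", os.urandom(8)
        self.pending[state] = (user, otp.encode())  # State ties the code to this login
        self.sent_codes.append((user, otp))         # step 5.i: would go out via SMS
        return reply(ACCESS_CHALLENGE, ident, req_auth,
                     [(REPLY_MESSAGE, b"Enter the code sent to your phone"), (STATE, state)], self.secret)

class ToyNas:
    """Stands in for cOS Core: steps 4, 6 and 7."""
    def __init__(self, server, secret):
        self.server, self.secret, self.ident = server, secret, 0
    def _request(self, user, password, extra):
        self.ident = (self.ident + 1) & 0xFF
        req_auth = os.urandom(16)  # fresh Request Authenticator for every request
        attrs = [(USER_NAME, user.encode()),
                 (USER_PASSWORD, hide_password(self.secret, req_auth, password.encode()))] + extra
        pkt = self.server.handle(encode(ACCESS_REQUEST, self.ident, req_auth, attrs))
        code, ident, _, rattrs = decode(pkt)
        if ident != self.ident or not verify_reply(pkt, req_auth, self.secret):
            raise ValueError("reply failed the Response Authenticator check")
        return code, dict(rattrs)
    def login(self, user, password, ask_code):
        """ask_code(prompt) plays the LoginChallenge page and returns what the user typed."""
        code, attrs = self._request(user, password, [])  # step 4
        if code == ACCESS_CHALLENGE:                       # step 6
            otp = ask_code(attrs.get(REPLY_MESSAGE, b"").decode())
            code, attrs = self._request(user, otp, [(STATE, attrs[STATE])])  # step 7, State echoed
        return code == ACCESS_ACCEPT

def demo():  # outcomes for: the right code, a wrong code, a wrong password
    secret = b"constructed-shared-secret"
    server = ToyRadiusServer(secret, {"alice": "correct horse"})
    nas = ToyNas(server, secret)
    right = lambda _prompt: server.sent_codes[-1][1]
    wrong = lambda _prompt: f"{(int(server.sent_codes[-1][1]) + 1) % 10 ** 6:06d}"
    return (nas.login("alice", "correct horse", right),
            nas.login("alice", "correct horse", wrong),
            nas.login("alice", "not the password", right))
```

Two points the steps above leave implicit are made explicit here. First, RFC 2865 defines a State attribute that a server may put in an Access-Challenge and that the NAS must copy unchanged into the following Access-Request; that is how a server performing two factor authentication pairs the code in the second request with the password it already checked, and the toy server rejects a code arriving without a matching State. Second, User-Password is only hidden with the MD5-based scheme keyed on the shared secret, and every reply is checked against the Response Authenticator before it is trusted, so the link between the gateway and the RADIUS server still deserves its own protection (a dedicated management network or IPsec) and a shared secret that is long and random.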
Some points to note about setting up two factor authentication:
• The same cOS Core setup is used whether the challenge code is generated by a local code
generating device such as the RSA SecurID™ product or whether the RADIUS server causes it to
be sent to the user.
• No extra configuration is required in cOS Core. However, the banner file LoginChallenge may
need to be edited to display the appropriate text and this is discussed further in Section 8.4,
Chapter 8: User Authentication