VPN server configured as a Radius client only that supports sending passcode via Radius
Before you begin
When configuring your Connection Profile and associating it with your Internal Source, make sure that you’ve selected the following filter:
Connexion type = VPN-Access as the filter
You should have a working AD or LDAP directory service.
This use case supports the following secondary factors:
Standard push notification
Third-party authenticator app as OTP device
This use case supports email enrollment.
Configure MFA in the PacketFence UI
Follow these steps to enable communication between PacketFence Gateway and Akamai MFA and select secondary factors the users can use to authenticate.
Log in to the PacketFence UI.
In the navigation menu, select Configuration > Integration > Multi-Factor Authentication.
Click New MFA and select Akamai.
On the New Multi-Factor Authentication configuration page, enter these settings:
a. Name: Define the name of your integration.
b. App ID. Enter the Integration ID that you generated in the previous step.
c. Signing Key. Enter the Signing ID that you generated in the previous step.
d. Verifying Key. Enter the Verifying ID that you generated in the previous step.
e. Host. Enter the API Host copied from the Akamai MFA integration page. By default it is mfa.akamai.com.
f. Radius OTP Method. Select Strip OTP to configure OTP as your Radius authentication method. With this setting, you also need to define the Character separator value.
g. Character separator: Define the character that is used to split the password and OTP when the Strip OTP Radius method is selected. For example, select a comma.
h. Cache duration: Specify the amount of time PacketFence will store the MFA-related information of the user. By default, the cache duration is 60 seconds.
i. In Post MFA Validation Cache Duration, accept the default 5-second-long cache.
Associate the Authentication Source in the PacketFence UI
Follow this procedure to enable communication between PacketFence Gateway and your AD or LDAP user authentication source.
Log in to the PacketFence UI.
In the navigation menu, select Configuration > Policies and Access Control > Authentication Sources.
Click New Internal Source > and select AD or LDAP depending on your directory service.
On the New Authentication Source page, provide your directory service data to enable the directory's connection with PacketFence Gateway:
- Directory name and description
- Base DN
- Username attribute
- Bind DN
- Associate realms
To apply a conditional rule to your authentication source, click Add rule and enter the condition. For example, enter
memberof equals cn=otp_user,dc=acme,dc=comto check if a particular user is a member of a specific group.
Assign the authentication rule with the following actions:
a. Trigger Radius MFA. Select the MFA integration that you created in the previous step.
b. Role. Select any value, for example, default.
c. Access duration. Select any value, for example, 1 hour.
See the VPN Configuration Guide for more information on network equipment configuration steps.
Test your setup
When you try to access the VPN server, you’re prompted to authenticate with your VPN credentials.
The VPN authentication prompt contains the following input fields:
In the username field, enter your VPN username.
In the password field, enter your VPN password, followed by the character separator previously defined in the PacketFence Multi-Factor Authentication section, and the second factor. Depending on your preferred authentication method follow these steps:
a. To authenticate with a push notification, enter the word push. This sends a push notification to your trusted device. You can then tap Allow to acknowledge that the login is legitimate.
b. To authenticate with an SMS, enter the word sms. Optionally, you can also enter an index, like sms2 to use your second trusted smartphone. This sends a verification passcode to your trusted mobile device. The first authentication challenge is then rejected. In the second authentication attempt, the VPN client prompts you to enter your username in the username field. Next, in the password field, enter your password followed by a character separator, and the passcode that you received via SMS. Your input in the password field would look like this: your passwordyour SMS code.
c. To authenticate with a phone call, enter the word phone. You receive a phone call on your trusted authentication device. During the call, you can hear the voice message with your verification passcode. The first authentication challenge is rejected. In the second authentication attempt, the VPN client prompts you to enter your username in the username field. Next, enter your password followed by a character separator, and the verification passcode that you received during the call. Your input in the password field would look like this: your passwordyour passcode.
d. To authenticate with a push TOTP, third-party OTP device, bypass code, or hardware token, enter the passcode that was generated by your authentication device or the bypass code that you received from your help desk. Your input in the password field would look like this: your passwordyour passcode.
e. To authenticate with one of the authentication devices that you have enrolled, enter the authentication method and the index of this device. For example, enter the word push2, which sends the authentication request to your second device. You can then tap Allow to acknowledge that the login is legitimate.
Akamai MFA grants you access to the VPN server.
Updated over 1 year ago