Multi Factor Authentication - D-Link NetDefendOS User Manual

Network security firewall
8.7. Multi Factor Authentication

When access to resources located behind a NetDefend Firewall is based on credentials, the
security can be further strengthened by using Multi Factor Authentication. This is sometimes
referred to as 2-factor authentication or 2-step authentication. The first factor is usually a
username/password combination. A second factor is typically a one-time code which might be
sent to the user at the time of the login via SMS or e-mail, or might be generated in some way by
the user themselves (for example with a code-box).
Multi Factor Support is Automatic
By default, NetDefendOS provides support for multi factor authentication by being able to
recognize a RADIUS Access-Challenge message and displaying a special webpage to request the
additional code. This webpage has the NetDefendOS Banner File name LoginChallenge.
Multi factor authentication is also supported for mobile VPN IPsec clients when one of the
following authentication methods is used:
IKEv1 with XAuth.
IKEv2 with EAP.
Multi Factor Processing Sequence
The sequence of processing for multi factor authentication with NetDefendOS is as follows:
1. Authentication is set up as normal using an authentication rule and IP rules (or IP policies).
2. The authentication source is an external RADIUS server that has been configured to perform
multi factor authentication.
3. A user tries to access resources through the NetDefend Firewall. They are presented with the
standard NetDefendOS login page and enter their credentials.
4. NetDefendOS sends these credentials to the RADIUS server for authentication in a RADIUS
Access-Request message.
5. In multi factor authentication, the RADIUS server does two things:
   i. It informs NetDefendOS that multi factor authentication must be used by sending back a
   RADIUS Access-Challenge message.
   ii. Depending on the type of the additional challenge, the server might also cause a one-time
   code to be sent to the user, for example in an SMS message to a mobile device. Alternatively,
   the code might be generated by the user themselves using, for example, a code box.
6. The user enters the code they receive or generate and NetDefendOS relays the entered code to
the RADIUS server in another Access-Request message.
7. The RADIUS server verifies the code. If the user is authenticated, an Access-Accept is sent
back to NetDefendOS and the client is given access to protected resources. If the code is not
verified, the server sends back an Access-Reject message to NetDefendOS and access is denied.
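The exchange above, simulated end to end as an added example (this is not NetDefendOS or D-Link code, and it does not touch the network). Both sides are modelled: the firewall acting as RADIUS client (NAS) and an MFA-capable RADIUS server. The packet layout, the User-Password hiding scheme, the Response Authenticator and the State attribute follow RFC 2865; the user database, the shared secret, the six-digit code and the "SMS outbox" are constructed test data, and the class and function names are the example's own. Two details the numbered steps leave implicit are made explicit here: the State value from the Access-Challenge must be echoed back unmodified in the second Access-Request, and the client must verify the Response Authenticator of every reply so a forged Access-Accept is not trusted.

```python
"""Simulated RADIUS Access-Challenge (MFA) exchange between a NAS and a RADIUS server.
Added example; packet format per RFC 2865. All names, secrets and users are constructed."""
import hashlib
import hmac
import os
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11  # RFC 2865 codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24                  # attribute types


def encode_attrs(attrs):
    """Attributes are Type(1) Length(1) Value TLVs; Length includes the two header bytes."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def xor_password(text, secret, req_auth):
    """RFC 2865 5.2: pad to 16 bytes and XOR with MD5(secret + Request Authenticator).
    XOR is its own inverse, so one function both hides and reveals. A single block
    covers the short passwords and one-time codes used in this example."""
    mask = hashlib.md5(secret + req_auth).digest()
    return bytes(a ^ b for a, b in zip(text.ljust(16, b"\x00"), mask))


def response_authenticator(code, ident, body, req_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


class MfaRadiusServer:
    """Checks the first factor, answers with Access-Challenge carrying a fresh State, and
    accepts only a second Access-Request that echoes that State with the right code."""

    def __init__(self, secret, users):
        self.secret, self.users = secret, users   # users: constructed username -> password
        self.pending = {}                          # State value -> (username, expected code)
        self.sms_outbox = []                       # stands in for the SMS gateway

    def _reply(self, code, ident, req_auth, attrs):
        body = encode_attrs(attrs)
        auth = response_authenticator(code, ident, body, req_auth, self.secret)
        return build_packet(code, ident, auth, attrs)

    def handle(self, pkt):
        code, ident, length = struct.unpack("!BBH", pkt[:4])
        req_auth, attrs = pkt[4:20], decode_attrs(pkt[20:length])
        if code != ACCESS_REQUEST or USER_NAME not in attrs or USER_PASSWORD not in attrs:
            return self._reply(ACCESS_REJECT, ident, req_auth, [])
        name = attrs[USER_NAME].decode()
        given = xor_password(attrs[USER_PASSWORD], self.secret, req_auth).rstrip(b"\x00")
        if STATE not in attrs:                                       # step 4: first factor
            if not hmac.compare_digest(given, self.users.get(name, b"")):
                return self._reply(ACCESS_REJECT, ident, req_auth, [])
            otp = f"{secrets.randbelow(10**6):06d}".encode()
            self.sms_outbox.append((name, otp))                      # step 5.ii: out-of-band code
            state = os.urandom(16)
            self.pending[state] = (name, otp)                        # step 5.i: challenge + State
            return self._reply(ACCESS_CHALLENGE, ident, req_auth,
                               [(STATE, state), (REPLY_MESSAGE, b"Enter the code sent to your phone")])
        entry = self.pending.pop(attrs[STATE], None)                  # step 7: State is single-use
        if entry is None or entry[0] != name or not hmac.compare_digest(given, entry[1]):
            return self._reply(ACCESS_REJECT, ident, req_auth, [])
        return self._reply(ACCESS_ACCEPT, ident, req_auth, [])


class Nas:
    """The firewall's RADIUS client side: sends Access-Requests and verifies every reply."""

    def __init__(self, secret):
        self.secret, self.ident = secret, 0

    def request(self, server, username, password, state=None):
        self.ident = (self.ident + 1) & 0xFF
        req_auth = os.urandom(16)
        attrs = [(USER_NAME, username.encode()),
                 (USER_PASSWORD, xor_password(password.encode(), self.secret, req_auth))]
        if state is not None:
            attrs.append((STATE, state))            # echoed back unmodified (RFC 2865 5.24)
        resp = server.handle(build_packet(ACCESS_REQUEST, self.ident, req_auth, attrs))
        code, ident, length = struct.unpack("!BBH", resp[:4])
        body = resp[20:length]
        want = response_authenticator(code, ident, body, req_auth, self.secret)
        if ident != self.ident or not hmac.compare_digest(resp[4:20], want):
            raise ValueError("bad Response Authenticator: forged reply or wrong shared secret")
        return code, decode_attrs(body)


def mfa_login(nas, server, username, password, read_code):
    """Steps 3 to 7 of the sequence; read_code(prompt) models the LoginChallenge page."""
    code, attrs = nas.request(server, username, password)
    if code == ACCESS_CHALLENGE:
        prompt = attrs.get(REPLY_MESSAGE, b"").decode()
        code, attrs = nas.request(server, username, read_code(prompt), state=attrs[STATE])
    return code


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    server = MfaRadiusServer(secret, {"alice": b"correct horse"})
    nas = Nas(secret)
    result = mfa_login(nas, server, "alice", "correct horse",
                       lambda prompt: server.sms_outbox[-1][1].decode())
    print("Access-Accept" if result == ACCESS_ACCEPT else "Access-Reject")
```

Things to take from the simulation when deploying the real thing: a wrong first factor is rejected before any code is sent, the State is opaque to the firewall and consumed on first use so a captured second Access-Request cannot be replayed, and a reply built with a different shared secret fails the authenticator check rather than being treated as an Access-Accept. The MD5-based password hiding in RFC 2865 offers little protection against an attacker who can observe the RADIUS traffic, so the path between the firewall and the RADIUS server should be on a protected management network (or RadSec), and the shared secret should be long and random.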
Notes on Multi Factor Authentication
Chapter 8: User Authentication