You can integrate RADIUS applications with Identity as a Service to provide strong second-factor authentication for your application.
Attention: Entrust tests and validates RADIUS integrations with Identity as a Service. The integration guides describe how to configure RADIUS authentication with the RADIUS version that Entrust tested. If you use a different version, some configuration steps may differ from the documentation, or steps in the integration guides may not work, because Entrust has not tested and validated that version. The integration guides can still serve as a baseline to help fast-track RADIUS authentication setup for your application; if you run into issues, contact support@entrust.com for assistance.
Identity as a Service can be configured to handle both first-factor and second-factor authentication. In this environment, the RADIUS proxy agent in the Enterprise Gateway that is connected to Identity as a Service intercepts the messages exchanged between the VPN server and Identity as a Service.
The authentication flow between the VPN server and Identity as a Service supports the PAP authentication protocol.
A user enters their user ID and token response.
A request is sent to the Enterprise Service Gateway, which communicates with Identity as a Service to validate the credentials.
The Enterprise Service Gateway returns a RADIUS ACCEPT or REJECT message to the VPN server.
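The three-step PAP exchange above, carried out at the packet level as an added example (this is not Entrust code and does not model the gateway's internals): the VPN-server side builds an RFC 2865 Access-Request with User-Name and a hidden User-Password carrying the token response, a stand-in validator plays the gateway and answers Access-Accept or Access-Reject, and the VPN side checks the Response Authenticator before trusting the answer. The credential table, user name, token response and shared secrets are constructed sample values; a real deployment validates the token response through Identity as a Service rather than a static lookup.

```python
"""RADIUS PAP Access-Request / Accept / Reject round trip per RFC 2865.
Added example, not Entrust code. Credentials and secrets are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # attribute types

# Constructed stand-in for Identity as a Service: the token response each user is
# expected to enter. A real deployment validates the OTP against the user's token.
VALID_TOKEN_RESPONSES = {"alice": b"483920"}


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16 if password else 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; the gateway must hold the same shared secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) followed by TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def decode(packet: bytes):
    """Parse a packet, rejecting inconsistent lengths before touching attributes."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        t, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((t, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs


def build_access_request(ident: int, user: str, token_response: str, secret: bytes) -> bytes:
    """VPN-server side: a fresh random Request Authenticator per request, never reused."""
    request_auth = os.urandom(16)
    attrs = [(USER_NAME, user.encode()),
             (USER_PASSWORD, hide_password(token_response.encode(), secret, request_auth))]
    return encode(ACCESS_REQUEST, ident, request_auth, attrs)


def respond(code: int, ident: int, request_auth: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    pkt = encode(code, ident, request_auth, [])
    resp_auth = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return pkt[:4] + resp_auth + pkt[20:]


def handle_access_request(packet: bytes, secret: bytes, valid_responses) -> bytes:
    """Gateway side (stand-in): recover the token response, answer Accept or Reject."""
    code, ident, request_auth, attrs = decode(packet)
    fields = dict(attrs)
    if code != ACCESS_REQUEST or USER_NAME not in fields or USER_PASSWORD not in fields:
        return respond(ACCESS_REJECT, ident, request_auth, secret)
    user = fields[USER_NAME].decode(errors="replace")
    given = unhide_password(fields[USER_PASSWORD], secret, request_auth)
    expected = valid_responses.get(user, b"")
    ok = bool(expected) and hmac.compare_digest(given, expected)
    return respond(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, secret)


def verify_response(response: bytes, request: bytes, secret: bytes) -> int:
    """VPN-server side: refuse replies whose Identifier or Response Authenticator is wrong."""
    code, ident, resp_auth, _ = decode(response)
    if ident != request[1]:
        raise ValueError("Identifier mismatch: reply is not for this request")
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    return code


def run_exchange(user: str, token_response: str, client_secret: bytes,
                 server_secret: bytes = None) -> str:
    """Full round trip; server_secret defaults to client_secret (the matching case)."""
    server_secret = client_secret if server_secret is None else server_secret
    request = build_access_request(7, user, token_response, client_secret)
    response = handle_access_request(request, server_secret, VALID_TOKEN_RESPONSES)
    try:
        code = verify_response(response, request, client_secret)
    except ValueError:
        return "UNVERIFIED"
    return "ACCEPT" if code == ACCESS_ACCEPT else "REJECT"


if __name__ == "__main__":
    print("good response:  ", run_exchange("alice", "483920", b"s3cret"))            # ACCEPT
    print("bad response:   ", run_exchange("alice", "000000", b"s3cret"))            # REJECT
    print("secret mismatch:", run_exchange("alice", "483920", b"s3cret", b"other"))  # UNVERIFIED
```

The third case is the one the shared-secret guidance below is about: when the VPN server and the gateway hold different secrets, the gateway recovers garbage instead of the token response and rejects, and the reply's Response Authenticator no longer verifies on the VPN side, so the failure shows up as an unverifiable reply rather than a clean REJECT. Note also that PAP only obfuscates the password with MD5 keyed by the shared secret; it is not encryption, which is why the RADIUS path between the VPN server and the gateway should run over a trusted network or a tunnel.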
Complete the following steps before integrating your authentication system with Identity as a Service:
Install and configure your first-factor authentication resource using the documentation provided by the vendor. The first-factor authentication resource can be a RADIUS server or an external authentication resource (a Local DB, LDAP-compliant directory or Windows domain controller through Kerberos).
Install and configure the RADIUS appliance using the documentation provided by the vendor. The device must be able to route traffic before you integrate it with Identity as a Service.
Install and configure Identity as a Service and an Identity as a Service gateway (containing a RADIUS proxy agent). Take note of the shared secrets, IP addresses, and ports you use. You need this information to configure the RADIUS appliance and first-factor authentication resource.
If you want to configure your RADIUS appliance and first-factor authentication resource to recognize Identity as a Service user groups, you must define the Identity as a Service user groups first.
Standard RADIUS supports the following protocols:
PAP
CHAP
MSCHAPv1
MSCHAPv2
EAP (Extensible Authentication Protocol) supports the following methods:
EAP-GTC
EAP-MSCHAPv2
In the RADIUS scenario, there are the following variations:
First-factor only (either just password or just token)
First-factor and second-factor (password plus any of the second-factor authenticators supported by Identity as a Service)
External first-factor and second-factor (which also supports any second-factor authenticators supported by Identity as a Service). This may or may not be supported by all VPN vendors.
With Enterprise Service Gateway version 5.8 or later, RADIUS EAP supports PASSWORD and EXTERNAL as the first-factor authentication method. If PASSWORD is configured, the user is prompted for the password and then for the second factor during VPN server authentication. With earlier versions of the Gateway, VPN authentication fails when password is configured as the first factor.
Note: Entrust recommends that when you configure multiple RADIUS applications, you give each RADIUS application a unique shared secret.
Topics in this section:
Integrate Barracuda Web Application Firewall
Integrate Check Point Security Gateway
Integrate Cisco ASAv Series Adaptive Security Appliance
Integrate Cisco Identity Services Engine
Integrate F5 BIG-IP Access Policy Manager (APM)
Integrate NetMotion Mobility XE VPN
Integrate Palo Alto Virtual Appliance
Integrate Sophos XG Virtual Appliance