Protect L2TP/IPsec and SSL VPN with two factor authentication using PhenixID MFA server.



Post by Anton » 17 Aug 2017, 15:45

This How-to applies to:
  • Clavister Security Gateway 12.x and MFA 2.x
Table of contents:
• Objectives with this article.
• Configuring SSL-VPN and L2TP/IPsec in the NGFW.
• Configuring the MFA server.
• Testing the login.

Objectives with this article:
This article assumes that you have a basic understanding of how to configure PhenixID's MFA server.
This article will also assume that you have a working Active Directory.

In this article we will discuss how to use two factor authentication to grant access to both L2TP/IPsec and SSL-VPN with the help of PhenixID's MFA server. RADIUS Access-Challenge is not supported for either L2TP/IPsec or SSL-VPN, so the password and the one time password have to be entered in the same field by the user.

That means that we have to split the password and One Time Password based on index when the request comes to the MFA server.

Example:
“Password123456” is entered by the user. We know that the OTP is 6 digits long, so we split the string into two pieces: the password “Password” and the OTP “123456”.

Configuring the next generation firewall:
If we start with L2TP/IPsec, the configuration is the same as in viewtopic.php?f=8&t=4491; the only difference is that we have to use RADIUS as the authentication source instead of Local, and we also need to tell the NGFW where the RADIUS server is. One thing to keep in mind is that PAP has to be used in the communication between the NGFW and the MFA server.

Let’s start with the RADIUS server which can be found under Policies -> User Authentication -> User Directories -> RADIUS
[Image: RADIUS.png]

1. The IP where the MFA server is located.
2. The port that the MFA server listens on.
3. The Shared Secret to be used in the communication between the NGFW and the MFA server.

Now we need to change the Authentication rule to use RADIUS as authentication source:
[Image: userauth.png]


Under the Authentication Options tab choose the previously configured RADIUS server:
[Image: userauth2.png]

After that we need to disable CHAP, MS-CHAP and MS-CHAP v2 under the Agent Options Tab:
[Image: userauth3.png]

That is the only thing we need to change in our configuration to enable two factor authentication.
The same goes for the SSL-VPN: the only thing we need to change is the Authentication Source to RADIUS on our Authentication rule. (The standard configuration for SSL-VPN can be found in our administration guide for 12.00.00, chapter 10.7.)

Configuring the MFA server:
The configuration for the MFA server is the same as in another forum post of ours: viewtopic.php?f=8&t=6364
The only difference is that we don’t need to send back any groups in order for this to work. And we do not need to add the Vendor specific attributes. If you want to send back groups to the NGFW, then the configuration is exactly the same.

You will need one Pipe with the following Valves, in this order, for this to work:
[Image: MFA.png]
The configuration is as follows:

LDAPSearchValve:

{
	"connection_ref": "dea60e51-228c-4ce4-a1af-7613e32fefd0",
	"base_dn": "CN=Users,DC=antonlab,DC=se",
	"scope": "SUB",
	"size_limit": "0",
	"filter_template": "samAccountName={{request.User-Name}}"
}

PropertySplitByIndexValve:

{
	"source": "{{request.User-Password}}",
	"destination_attribute_one": "password",
	"destination_attribute_two": "otp",
	"position": "-6"
}

LDAPBindValve:

{
	"connection_ref": "dea60e51-228c-4ce4-a1af-7613e32fefd0",
	"password_param_name": "{{attributes.password}}"
}

TokenValidationValve:

{
	"otp_length": "6",
	"hotp_lookahead": "10",
	"provided_otp_param_name": "{{attributes.otp}}"
}

Remember that you need to change the “connection_ref” on both LDAPSearchValve and LDAPBindValve to reflect your configuration.
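To make the split-and-validate flow concrete, here is an added Python sketch (written for this article, not PhenixID's or Clavister's code) that mirrors what the PropertySplitByIndexValve, LDAPBindValve and TokenValidationValve above do: split the combined password field at position -6, check the password part (a constant-time comparison stands in for the LDAP bind), then validate the OTP part as an RFC 4226 HOTP with a lookahead of 10 counters. The secret, stored counter and sample inputs are constructed for the example, and the exact lookahead semantics are assumed.

```python
import hashlib
import hmac
import struct

OTP_LENGTH = 6        # "otp_length": "6"
HOTP_LOOKAHEAD = 10   # "hotp_lookahead": "10" (assumed: window of 10 counters)
SPLIT_POSITION = -6   # "position": "-6"


def split_by_index(source, position):
    """Stand-in for PropertySplitByIndexValve: text before `position` is the
    password, the rest is the OTP. A negative position counts from the end."""
    if len(source) <= abs(position):
        return None, None   # too short to hold a password plus a 6-digit OTP
    return source[:position], source[position:]


def hotp(secret, counter, digits=OTP_LENGTH):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def validate_hotp(secret, stored_counter, provided_otp):
    """Stand-in for TokenValidationValve (HOTP): accept the OTP if it matches one
    of the next HOTP_LOOKAHEAD counters. Returns the counter to store next, or None."""
    if len(provided_otp) != OTP_LENGTH or not provided_otp.isdigit():
        return None
    for c in range(stored_counter, stored_counter + HOTP_LOOKAHEAD):
        if hmac.compare_digest(hotp(secret, c), provided_otp):
            return c + 1    # consume the counter so the same OTP cannot be replayed
    return None


def authenticate(password_field, ldap_password, secret, counter):
    """One RADIUS request end to end: split, bind (simulated), validate the OTP.
    Returns (accepted, counter_to_store)."""
    password, otp = split_by_index(password_field, SPLIT_POSITION)
    # LDAPBindValve stand-in: compare against the directory password in constant time.
    if password is None or not hmac.compare_digest(password.encode(), ldap_password.encode()):
        return False, counter
    new_counter = validate_hotp(secret, counter, otp)
    if new_counter is None:
        return False, counter
    return True, new_counter


# Constructed sample data (not real credentials): the RFC 4226 test-vector secret.
SAMPLE_SECRET = b"12345678901234567890"
```

Note that a field shorter than seven characters is rejected outright, since it cannot contain both a password and a 6-digit OTP, and a successfully used counter is advanced so the same OTP is not accepted twice.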

Testing the login on Windows 10:
Now to test the login we start with L2TP/IPsec. First we need to add the L2TP/IPsec VPN connection. To set up the new L2TP/IPsec network connection in Windows 10, in Settings press Network & Internet -> VPN -> Add a VPN connection, then enter the information for the L2TP/IPsec connection.
[Image: l2tp.png]
VPN provider
Choose “Windows (built in)”.

Connection name
Give the VPN connection a name.

Server name or address
Type in the hostname or IP of the Clavister Security Gateway you are connecting to. The IP shown in the picture is the IP of our WAN interface, i.e. Wan_IP.

VPN type
Since we want to set up a L2TP/IPsec connection we choose “L2TP/IPsec with pre-shared key”.

Type of sign-in info
Since we want to authenticate with the local users we created, choose Username and password.

Username (optional)
Here you enter the username of the user you want to connect as; this is optional.

Password (optional)
This has to be left blank, since we want the user to enter their password and OTP when they log in.

Next we have to specify that PAP has to be used when connecting, otherwise the user will not be able to log in. Go to Control Panel\Network and Internet\Network Connections, right click the L2TP/IPsec interface and choose “Properties”. After that go to the Security tab and change the following:
[Image: l2tp2.png]


Next we can try to connect to the L2TP/IPsec tunnel, click connect:
[Image: l2tp3.png]

You will then be asked to enter your credentials:
[Image: l2tp4.png]
In the password field you will need to enter the password followed by the OTP, in that order. The password and OTP are later split into two attributes on the MFA server.

Connecting with SSL VPN Client:
The SSL VPN Client requires less configuration: the user just has to download the client from the portal and log in. Here the user has to do the same thing, writing the password and the OTP, in that order, in the same field.
[Image: ssl.png]
