Test Radius Challenge Response in NTRadPing
If you have Cisco or CheckPoint VPN equipment, it is natural to use its Challenge Response authentication mode with the DualShield RADIUS server to achieve two-factor authentication. This involves two stages of authentication: first a username and static password, then the username and a one-time password.
User Experience (CheckPoint example)
The user starts his SecureClient and is prompted for his username and static password.
If the credentials are correct, he is then prompted with a second dialog box for his one-time code. If the user has an on-demand password token, at this stage he will be sent an OTP through the configured message channel. Otherwise, he can press his hardware token to generate an OTP code.
The user then enters his one-time password code; if this is correct, he is authenticated.
User Experience (NTRadPing example)
In some circumstances (e.g. troubleshooting), you may simply want to check whether the DualShield RADIUS server is working in Challenge-Response mode. You can use NTRadPing for this.
Please check the official documentation for the DualShield VPN implementation. Basically, you need to create a RADIUS logon procedure with two logon steps.
Step 1:
Type your static password in the Password field (and fill in the other necessary fields), then click the “Send” button. If you gave the correct password, you should expect the response “Access-Challenge”.
Step 2:
Look at the attribute dump from the first step; it contains a line
State=DASCR_415752_1
That is the challenge code generated by DualShield (DASCR = Deepnet Authentication Server Challenge Response).
You need to add this attribute as an additional RADIUS attribute in this step. Then enter the one-time password in the Password field.
Click the “Send” button again; you should see the response “Access-Accept”.
You may be confused by the option “Challenge & Response” in the Logon Step. We didn’t use it in our example. What does it mean? What if we tick this option?
Well, you need a token which supports CR mode. Normally, the MobileID token has this feature. For instance, in the Android version, you can switch the mode among the three: OTP, Sign and Challenge.
Select Challenge mode; it asks you to input a challenge code, which is the one you get from step 1 (DASCR_415752_1 in the above example), and then you get an OTP.
Mathematically, the OTP is a function of the challenge code, y = f(x).