• All Files

    Multi-Factor Authentication Mechanisms

    本节介绍了支持的各种多因素身份验证(MFA)机制通过。For more information on通过身份验证,请参阅第1页的“ VIA支持的身份验证方法”

    这following table displays the MFA methods:

    表格1:Multi-Factor Authentication Mechanisms Supported by通过
    Authentication Mechanism 身份验证设备 视窗 Linux 安卓 iOS MacOS

    TPM中的虚拟数字徽章

    TPM证书

    Yes

    - -

    - -

    - -

    - -

    Security Token

    RSA SecureID token

    Yes

    Yes

    Yes

    Mobile authentication

    二人

    Yes

    Yes

    Yes

    Yes

    Yes

    PKI-智能卡(基于引脚)

    Smart Card

    Yes

    Yes

    关闭使用虚拟数字徽章的身份验证

    通过supports authentication using a Virtual Digital Badge (VDB) certificate stored in the Trusted Platform Module (TPM) of a windows device.

    关闭Authentication using an RSA SecurID Token

    RSA SecurID is a hardware and software-based authentication mechanism that generates unique authentication (token) codes at a specified interval using an RSA SecurID token. Security tokens can be used for IKEv1 XAUTH.

    此类身份验证的先决条件是:

    访问RSA Securid服务器

    Access to an RSA SecurID device (token)

    用户已注册并与RSA Securid令牌相关联

    为每个用户提供了在RSA SecureID服务器上配置的用户名。

    When enrolling with RSA SecurID, users must create a PIN to authenticate and connect通过
    关闭配置通过with an RSA SecurID Token

    To configure and connect通过with security token authentication:

    1.将身份验证服务器映射到RSA SecureID服务器:

    一种。 在里面托管网络node hierarchy of yourMobility Master, 导航Configuration > Authentication > L3 Authentication Navigate toConfiguration > Security > Authentication > L3 Authentication在里面controllerWebUI.

    b.Expand通过身份验证在下面L3身份验证列表。

    c.选择Server Group下方的条目通过authentication profile.

    d.选择RSA SecureID server from theServer Groupdrop-down list.

    e. ClickSave. C lick Apply and Save Configuration to save your changes.

    f.Select等待更改

    g.在里面等待更改window, select the check box and click部署更改

    2.Run a AAA test to ensure RADIUS authentication is working:

    一种。 在里面Mobility Masternode hierarchy, select aMobility Masterand navigate toDiagnostics > AAA Server Test Navigate toDiagnostics > Ping > AAA Test Server Test在里面controllerWebUI.

    b.选择RADIUS server from the服务器名称drop-down list.

    c.Set the authentication method toPAP

    d.Enter your username and password.

    e.ClickBegin Test

    3.Open通过and download the VPN connection profile:

    一种。SelectClick to download VPN profilefrom the home screen. TheDownload VPN Profile出现屏幕。

    b.Enter the server URL and your login credentials. UnderUsername, enter the username configured on the RSA server. UnderPassword, enter your PIN followed by the unique token code displayed on the RSA token (no spaces).

    c.ClickDownload

    d.在里面Web身份验证配置文件list, select the authentication profile for which you have assigned the RSA SecureID server as the authentication server.

    4.Connect通过通过单击VPN连接状态戒指通过home screen. When prompted, enter your username and password:

    一种。UnderUsername, enter the username configured on the RSA server.

    b.UnderPassword, enter your PIN followed by the unique token code displayed on the RSA token (no spaces).

    c.ClickProceed。这通过connection is established.

    这token code used to download the profile should not be the same code used to connect通过。Since a new token code is generated during each specified interval, allow the token code to change on the RSA SecureID device before entering the code to connect通过
    关闭Authentication using Duo

    移动设备上的身份验证由名为Duo的应用程序支持。移动设备身份验证可用于IKEV1 XAUTH和IKEV2 EAP-MSCHAPV2。

    Prerequisites

    用户已注册并在二人组注册

    二人application is installed on a device with the same mobile number that the user has registered

    配置通过using Duo

    To configure and connect通过with mobile device authentication:

    1.Install the authentication proxy and connect it toAD(IKE-V1-PAP)/NPS(IKE-V1-PAP&IKE-V2-EAP-MSCHAPV2)(https://duo.com/docs/radius)。For example, if the proxy is10.17.12.53, and the port is2000,示例文件中C:\Program Files (x86)\Duo Security Authentication Proxy\conf\authproxy file,如下:

    [ad_client]

    host=10.17.12.53

    service_account_username =管理员

    service_account_password=Aruba&123

    search_dn=DC=patilqa,DC=com

    [radius_server_auto]

    ikey=DI45H91IZH4BE1J1HUOK

    skey=WoqOi61AkCHo6W07p5tIyEy66lxYNtCz6oA5Eqgb

    api_host=api-515e66d1.duosecurity.com

    RADIUS_IP_1 = 10.17.14.3

    radius_secret_1=aruba123

    client=ad_client

    port=2000

    2.配置用作代理的半径服务器(如图所示step 1),并将其设置为正在使用的配置文件的身份验证服务器:

    一种。 在里面托管网络node hierarchy of yourMobility Master, 导航Configuration > Authentication > L3 Authentication Navigate toConfiguration > Security > Authentication > L3 Authentication在里面controllerWebUI.

    b.Expand通过身份验证在下面L3身份验证列表。

    c.选择Server Group以下条目通过authentication profile.

    d.从使用的RADIUS服务器中Server Groupdrop-down list.

    e. ClickSave. C lick Apply and Save Configuration to save your changes.

    f.Select等待更改

    g.在里面等待更改window, select the check box and click部署更改

    3.Run a AAA test to ensure RADIUS authentication is working:

    一种。 在里面Mobility Masternode hierarchy, select aMobility Masterand navigate toDiagnostics > AAA Server Test Navigate toDiagnostics > Ping > AAA Test Server Test在里面controllerWebUI.

    b.选择RADIUS server from the服务器名称drop-down list.

    c.Select an身份验证方法

    d.Enter your username and password.

    e.ClickBegin Test

    4.Open通过and download the VPN connection profile:

    一种。SelectClick to download VPN profilefrom the home screen. TheDownload VPN Profile出现屏幕。

    b.Enter the server URL and your login credentials.

    c.ClickDownload

    d.在里面Web身份验证配置文件list, select the authentication profile for which you set the authentication server as the Duo proxy. A登录请求消息发送到您的移动设备上的二人应用程序。

    e.打开消息,然后单击Approve

    5.Connect通过通过单击VPN连接状态戒指通过home screen. If XAUTH is enabled, enter your username and password when prompted.

    通过connection is established.

    关闭Authentication using a Smart Card

    Smart cards provide two-factor authentication for IKEv1 Cert, IKEv2 Cert, and IKEv2 EAP-TLS using a certificate and PIN number. Smart cards support a Smart Card Cryptographic Provider (SCCP for Windows or OpenSC for Linux) API in the operating system that causes the certificate embedded within the smart card to appear in the operating system’s certificate store automatically.

    智能卡设备包括:

    Smart card

    USB令牌

    Virtual SC

    TPM证书

    视窗

    配置和使用通过for smart card authentication in Windows devices:

    1.安装与智能卡有关的软件驱动程序。

    2.通过does not support certificate import to the smart card. Use the smart card utility to install certificates on the smart card.

    3.Open通过并下载基于证书的VPN连接配置文件。

    4.Click the VPN connection status ring on the通过home screen to connect通过。这Select a Certificate出现屏幕。

    5.从列表中选择证书。

    6.ClickProceed

    7.Enter your username and PIN number when prompted.

    一种。UnderUsername,输入在智能卡上配置的用户名。

    b.Under别针,输入智能卡销号。

    通过connection is established.

    If theAllow user to save passwords设置已在通过connection profile, users are not required to enter the PIN number during subsequent connections.

    Linux

    配置和使用通过对于Linux设备中的智能卡身份验证:

    1.安装与智能卡有关的软件驱动程序。

    2.通过does not support certificate import to the smart card. Use the smart card utility to install certificates on the smart card.

    3.发出以下命令:

    #cat /usr/share/via/via_config.xml

    。。。

    /usr/lib/ libeTPkcs11.so

    。。。

    < / via_config_profile>

    4.Open通过并下载基于证书的VPN连接配置文件。

    5.To select the certificate from your通过application:

    一种。Plug the card reader into your PC.

    b.Click the VPN connection status ring on the通过home screen to connect通过

    c.Navigate to the通过证书商店tab.

    d.SelectStorage作为token-1。出现可用证书的列表。

    e.选择证书,然后单击好的

    6.Enter the smart card PIN number when prompted toEnter the Storage别针

    通过connection is established.

    If theAllow user to save passwords设置已在通过connection profile, users are not required to enter the PIN number during subsequent connections.

    这则信息有帮助吗?

    /*]]>*/
    Baidu