VPN Authentication (separate db?)
Justin Knipstein
2007-12-07 23:55:01 UTC
Hello All,

We are currently trying to configure 2 factor authentication utilizing
radius/ad. Currently Username and pass are authenticated by IAS via an AD
group check. We would like a 2nd factor to come from the EmployeeID field in
AD. If this is not possible, is there a way to have IAS check an internal
database of username and employee id ported from AD?

Thank you.
Nick Owen
2007-12-10 01:23:02 UTC
IIRC, because the IAS service (RADIUS) is domain integrated, the user
database used is Active Directory, and if you specify that IAS proxy
the one-time passcode in the custom remote access policy for the VPN
users, IAS will automatically deny a user if they are not active in
AD. I could be wrong about this, though, I'm not 100%, but it should
be simple to test.

HTH,

Nick

--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
Justin K.
2007-12-10 05:29:00 UTC
You are correct as we do have single factor working with just U: P:. I want
to add a second level in that also authenticates the EmployeeId field.

Can IAS check a database of information ported from AD? Can it interface
with AD AND a database or is it one or the other?
S. Pidgorny <MVP>
2007-12-10 07:49:11 UTC
Justin,

No, IAS cannot do that.

Other RADIUS servers probably can but this concept is a mistake. Employee ID
is not a second factor of authentication, as you call it in the original
posting. Moreover, it's not really a secret in most organisations.

You need to look at the identity management system in your organisation. If your
concern is that people without an employee ID will access the network, then you
need to keep your HR database in sync with your AD. Take effort to put the
IDs into AD (I think employeeID is a standard LDAP attribute and is the most
appropriate); implement a process that will do this synchronisation
periodically (or a trigger in the HR database); _disable_ all _people_ (not
service, not computer) accounts that don't have employeeID set.

That will cover remote and local access. Use group membership for remote
access control.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *
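The reconciliation step Svyatoslav recommends (find people accounts with no employeeID set and disable them, leaving service and computer accounts alone) as an added PowerShell example; this is not code from the thread. It assumes the ActiveDirectory module from RSAT, a placeholder domain (example.com), and that service accounts are kept in a dedicated OU so they can be excluded by distinguished name; computer accounts are excluded because Get-ADUser only returns user objects.

```powershell
# Added example, not from the thread. Reports enabled user accounts that have
# no employeeID attribute and optionally disables them.
# Assumptions: ActiveDirectory module (RSAT) is installed; service accounts
# live under $ServiceAccountOU; DC=example,DC=com is a placeholder domain.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase       = 'OU=People,DC=example,DC=com',           # placeholder
    [string]$ServiceAccountOU = 'OU=Service Accounts,DC=example,DC=com', # placeholder
    [string]$ReportPath       = '.\missing-employeeid.csv',
    [switch]$Disable
)

Import-Module ActiveDirectory

# Ask AD directly for user objects that lack employeeID. Get-ADUser returns
# only user objects, so computer accounts never appear in the result.
$missing = Get-ADUser -SearchBase $SearchBase `
    -LDAPFilter '(&(objectCategory=person)(objectClass=user)(!(employeeID=*)))' `
    -Properties employeeID, whenCreated, lastLogonDate |
    Where-Object {
        $_.Enabled -and
        $_.DistinguishedName -notlike "*,$ServiceAccountOU"
    }

# Write the report first so the change can be reviewed before it is applied.
$missing |
    Select-Object SamAccountName, DistinguishedName, whenCreated, lastLogonDate |
    Export-Csv -Path $ReportPath -NoTypeInformation

Write-Host ("{0} enabled user account(s) without employeeID" -f @($missing).Count)

if ($Disable) {
    foreach ($u in $missing) {
        # ShouldProcess honours -WhatIf / -Confirm passed to the script, so
        # a dry run is: .\script.ps1 -Disable -WhatIf
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Disable-ADAccount')) {
            Disable-ADAccount -Identity $u
            Write-Host "Disabled $($u.SamAccountName)"
        }
    }
}
```

Run it without `-Disable` to get the CSV only, then with `-Disable -WhatIf` to preview, and finally with `-Disable` once the HR-to-AD sync is known to be populating employeeID reliably; otherwise a lagging sync will lock out legitimate new hires. Scheduling this after each sync run is what turns the attribute into an enforced gate for local and remote access alike, which is the point of the advice above; group membership still decides who may use the VPN.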
Justin K.
2007-12-10 15:55:01 UTC
We already have HR DB synching with AD and the EmployeeID is one of the synch
fields.
My question was that if AD could not authenticate Username, Password AND
EmployeeID, could IAS pull from a separate database Username & EmployeeID?

I was getting ready to open an email support case with Microsoft when I
found this link. http://support.microsoft.com/kb/193127/en-us. Is this not
what I am looking for? It may not be as the config on the IAS side does not
seem to match with the current version of IAS. (There is no Authentication
Providers tab anywhere to be found in IAS)
S. Pidgorny <MVP>
2007-12-11 08:27:44 UTC
No. That article is for IAS 1.0 and MCIS, which is long discontinued.

What you're trying to do is pointless. Username and employeeId are not
secrets, so if anything you're going to achieve more complex server
infrastructure, less usability and less client compatibility.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *
Justin K.
2007-12-12 16:34:02 UTC
Thank You for your responses. Although out of the box IAS cannot interface a
Database, you can create a custom DLL to do so.

http://msdn2.microsoft.com/en-us/library/ms688288.aspx
http://msdn2.microsoft.com/en-us/library/ms688293.aspx
http://msdn2.microsoft.com/en-us/library/ms688464.aspx
S. Pidgorny <MVP>
2007-12-13 09:30:09 UTC
Yes you can, and that doesn't contradict what I'm saying.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *
jayv
2009-05-27 20:35:25 UTC
Did you ever manage to do this? Create a DLL, I mean, to authenticate via an
external SQL database? If so I would VERY much love to see it. Thanks.