OneSpan Authentication Server in a RADIUS environment

OneSpan Authentication Server can be used in a RADIUS environment in a number of ways, depending on your company's requirements.

In the RADIUS protocol, attributes are in many cases used to authorize and configure the remote access session. OneSpan Authentication Server can return authorization attributes from the user account. Alternatively, a separate RADIUS server can provide these attributes instead.

In many cases, a RADIUS client may be a dial-up network access server (NAS), firewall/VPN appliance, wireless access point (WAP), or another device that uses the RADIUS protocol for user authentication. Some software applications can also use RADIUS for authentication, and can therefore also act as RADIUS clients.

OneSpan Authentication Server supports authentication over a wireless connection, using the RADIUS protocol (see Wireless RADIUS).

Supported password protocols

The scenarios described below can be implemented with these supported password protocols:

  • PAP
  • CHAP
  • MS-CHAP
  • MS-CHAP v2

When integrating OneSpan Authentication Server into a RADIUS environment to provide authentication services, authenticator deployment should be done in accordance with only the following described scenarios. Deviating from these advised scenarios may result in security vulnerabilities (e.g. brute-force attacks).

Standalone: RADIUS attributes from user account

In this scenario, OneSpan Authentication Server retrieves RADIUS attributes from the user account and returns them with an Accept message to the RADIUS client.

This scenario can be implemented with the following supported password protocols:

  • PAP
  • CHAP
  • MS-CHAP
  • MS-CHAP v2

Figure: Standalone: RADIUS attributes from user account

Standalone: No RADIUS attributes required

This scenario is identical to Standalone: RADIUS attributes from user account, except that it does not use RADIUS attributes to authenticate users.

Figure: Standalone: No RADIUS attributes required

Wireless RADIUS

Using this method, the user only enters the OTP (and PIN if required). OneSpan Authentication Server has to learn the static password for the user. As such, when the user gives the correct OTP, OneSpan Authentication Server can send the static password to the RADIUS server.

The Wireless RADIUS method can be used if one of the supported password protocols is used (see Supported password protocols).

Figure: OneSpan Authentication Server with Wireless RADIUS

Proxy target: RADIUS server acts as proxy

In this scenario, a RADIUS server acts as a proxy for authentication, effectively delegating the authentication process to OneSpan Authentication Server. The RADIUS server provides the authorization attributes after OneSpan Authentication Server has accepted the user credentials.

A RADIUS server can forward authentication to OneSpan Authentication Server if:

  • The RADIUS server supports the proxying of authentication while returning attributes itself.
  • The RADIUS server can forward authentication requests using one of the supported password protocols (see Supported password protocols).
  • The RADIUS server supports an access-challenge response from OneSpan Authentication Server, if required. The access-challenge mechanism is used for challenge/response and Virtual Mobile Authenticator, although Virtual Mobile Authenticator can also be used without it.

If the RADIUS server is capable, this scenario allows OneSpan Authentication Server to operate in an environment that uses certificate-based EAP protocols such as PEAP and EAP-TTLS. To make this work, the RADIUS server decrypts the user credentials and forwards the request to OneSpan Authentication Server using one of the simpler supported password protocols.

Figure: OneSpan Authentication Server with RADIUS server acting as a proxy

Intermediary: RADIUS server as back-end server

After validating the OTP, OneSpan Authentication Server forwards requests to a RADIUS server to retrieve authorization attributes. It is necessary to provide a static password to the RADIUS server to achieve this.

There are two methods of implementing this scenario:

Login via OTP only

Using this method, the user only enters the OTP (and PIN if required). OneSpan Authentication Server has to learn the static password for the user. This allows OneSpan Authentication Server to send the static password to the RADIUS server when the user provides the correct OTP.

Figure: RADIUS server as back-end server (Users log on with OTP only)

This method can be used if:

  • One of the supported password protocols is used (see Supported password protocols).
  • The static passwords can be 'learnt' by OneSpan Authentication Server.

If the PAP authentication protocol is used, OneSpan Authentication Server can learn the static passwords automatically. The user then has to perform at least one logon with the static password. If the RADIUS server accepts the password, OneSpan Authentication Server can learn it.

However, if one of the other password protocols is used, this process is not possible. In that case, the passwords can be learnt in other ways, such as through administrative data entry or via the OneSpan User Websites.

Logon via password and OTP

Using this method, the user enters a static password and OTP at each logon. OneSpan Authentication Server validates the OTP. If the OTP is valid, OneSpan Authentication Server forwards the static password to the RADIUS server.

Figure: RADIUS server as back-end server (Users log on with password and OTP)

This method can be used only if the PAP authentication protocol is used, because with CHAP and MS-CHAP the static password and OTP are hashed together into a single value that OneSpan Authentication Server cannot separate.
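The following Python example makes the PAP versus CHAP difference concrete. It is an added illustration, not OneSpan code: a PAP User-Password attribute is hidden with the reversible RFC 2865 mechanism, so an intermediary holding the shared secret recovers the typed credential and can split off the OTP, whereas a CHAP response is a one-way MD5 digest over the whole typed string, which can be checked only against a candidate the verifier already knows. The assumed input convention (static password immediately followed by a 6-digit OTP), the shared secret, the authenticator and the credentials are all constructed values for the demo.

```python
"""Why PAP lets an intermediary separate 'static password + OTP' while CHAP does not.

Added illustration, not OneSpan code. Assumes the user types the static password
immediately followed by a 6-digit OTP (a constructed convention for this demo).
"""
import hashlib
import hmac

# Constructed sample values, not taken from any real deployment.
SHARED_SECRET = b"example-radius-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))      # normally 16 random bytes per Access-Request
STATIC_PASSWORD = b"Wint3rPass"
OTP = b"482913"
OTP_LENGTH = 6


def pap_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding.

    The cleartext is NUL-padded to a multiple of 16 bytes; each 16-byte block is
    XORed with MD5(secret || previous hidden block), seeded with the Request
    Authenticator. This is reversible, shared-secret keyed obfuscation, not a hash.
    """
    padded = password + b"\x00" * ((-len(password)) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return hidden


def pap_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide_password; strips the NUL padding."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return clear.rstrip(b"\x00")


def split_password_and_otp(cleartext: bytes, otp_length: int = OTP_LENGTH):
    """Separate the static password from the trailing OTP (demo convention)."""
    if len(cleartext) <= otp_length:
        raise ValueError("credential too short to contain both a password and an OTP")
    return cleartext[:-otp_length], cleartext[-otp_length:]


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(Identifier || secret || challenge). One-way."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_verify(ident: int, candidate: bytes, challenge: bytes, response: bytes) -> bool:
    """A verifier can only recompute the digest over a candidate it already knows."""
    return hmac.compare_digest(chap_response(ident, candidate, challenge), response)


def demo() -> dict:
    combined = STATIC_PASSWORD + OTP

    # PAP: the intermediary reveals User-Password, splits off the OTP, and is left
    # holding the static password on its own (this is what 'learning' relies on).
    hidden = pap_hide_password(combined, SHARED_SECRET, REQUEST_AUTHENTICATOR)
    revealed = pap_reveal_password(hidden, SHARED_SECRET, REQUEST_AUTHENTICATOR)
    pap_static, pap_otp = split_password_and_otp(revealed)

    # CHAP: the client digests the whole typed string. The intermediary can verify
    # only if it knows the full combination; it cannot peel the OTP off a 16-byte
    # digest, and the static password alone does not verify.
    ident, challenge = 0x2A, bytes(range(16, 32))
    response = chap_response(ident, combined, challenge)
    return {
        "pap_static_password": pap_static,
        "pap_otp": pap_otp,
        "chap_verifies_with_full_string": chap_verify(ident, combined, challenge, response),
        "chap_verifies_with_static_only": chap_verify(ident, STATIC_PASSWORD, challenge, response),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Note that the PAP hiding is reversible by anyone who holds the RADIUS shared secret, so the strength of that secret and the protection of the path between RADIUS client and server determine how well the static password is protected in transit.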