Let us assume Reltic Data, Inc. wants to implement multi-factor authentication for its VPN (Virtual Private Network) connection to secure the Corporate network that is accessed from their employees who are in a remote location.
This section explains the prerequisites, flow of actions, and step-by-step configuration details to achieve this.
This example refers to the following user profiles:
Thomas: An administrator of Reltic Data, Inc.
Mark Jones: An employee of Reltic Data, Inc.
Thomas, an administrator wants to enforce Multi-factor authentication with the LDAP Password and Smartphone methods for OpenVPN to secure the corporate network. After multi-factor authentication is implemented, employees need to authenticate to both methods successfully to access the network through VPN.
Thomas must perform the following tasks to implement multi-factor authentication for OpenVPN:
To understand the sequential flow of configuration in the Advanced Authentication Administration portal, see Configuration Flow in Advanced Authentication for RADIUS Server Event.
For information about how an end user enrolls the configured methods and authenticates to VPN client using Advanced Authentication, see End User Tasks.
Ensure that you meet the following prerequisites:
An LDAP repository for Reltic Data, Inc is configured and the repository contains the information of all users.
This example uses Active Directory Domain Services as an LDAP repository.
A group named Employees is created in Active Directory Domain Services.
The Advanced Authentication server is installed. For more information, see Installing Advanced Authentication.
A VPN client is installed on all employees' system.
This example uses OpenVPN as the VPN client.
Follow these guidelines to begin implementing multi-factor authentication for any event:
Identify the authentication methods that you want to configure.
Determine the order of methods in the chain. The methods are displayed to the end user in the order that you have configured.
Determine the policy that must be configured for the identified method.
Identify the user group for which you want to enforce this authentication chain.
The following diagram illustrates the sequential flow of actions required for securing the Open VPN client with multi-factor authentication:
In Advanced Authentication, add Active Directory of Reltic Data, Inc. as a repository from where the user details are fetched for validation.
Perform the following steps to add Active Directory of Reltic Data, Inc. to Advanced Authentication:
Clickon the Advanced Authentication Administration portal.
Select(Active Directory Domain Services) from the .
Specify a container for the users in. When you select the option, Advanced Authentication performs a search for the users in each child node. You can change the search scope by selecting the option.
Specify a user account inand specify the password of the user in .
Ensure that the user's password has no expiry.
You can specify a container for the groups in. When you select the option, Advanced Authentication performs a search for the groups in each child node. You can change the search scope by selecting the option.
Selectto find LDAP servers automatically. Specify and (optional) and click .
When the DNS discovery is done, the DNS servers list is updated every three hours.
NOTE:If an LDAP server is unavailable for 2.5 seconds, Advanced Authentication excludes it from the LDAP requests for a period of 3 minutes.
Perform the following steps to create a chain with LDAP Password and Smartphone methods:
Click> in the Advanced Authentication Administration portal.
Specify the following details:
A name for the chain.
NOTE:Ensure to remember the name of the chain for further use.
A name that is provided to end user for selecting a chain.
For example, you configure a chain named SMS containing LDAP Password and SMS methods. A user can specify <username> sms and the user is required to use SMS as the chain. This is helpful in scenarios when the primary chain is not available.
Set to ON to enable the chain.
Select the LDAP Password and Smartphone methods to add to the chain.
Roles and Groups
Specify Employees. This enforces all users of this group to use this authentication chain for accessing the corporate network through VPN.
Continue with Configure Public External URLs Policy.
The external URL manages the following activities for the Smartphone method:
A push notification that is sent to the NetIQ Advanced Authentication app.
User responses from the NetIQ Advanced Authentication app.
Perform the following steps to configure the external URL:
Click> on the Advanced Authentication Administration portal.
Clickand specify the URL in .
Ensure that the Public URL is accessible from users' smartphone.
Continue with Assign Chain to RADIUS Server Event.
Perform the following steps to assign the chain to RADIUS Server event and configure details of the Open VPN server with a secret:
Clicknext to the event.
Ensure thatis set to .
Select the chains that you have created in Create a Chain.
Clickto add and assign a RADIUS Client to the event:
Specify the IP address of the OpenVPN server in.
Specify the OpenVPN server name in.
Specify the OpenVPN server secret and confirm the secret.
NOTE:Ensure to make a note of this secret for future reference.
Ensure that theis set to .
Continue with Configure the OpenVPN Server.
Perform the following steps to configure the OpenVPN server and enable the server to connect with Advanced Authentication server:
Open the OpenVPN Access server site.
Add an IP address of the Advanced Authentication server and specify the secret that is set while configuring the RADIUS Server event in the Advanced Authentication Administration portal.
You must specify the <repository name>\<username> or only <username> if you have set the following configurations:
You have selected a chain from the Used section in the RADIUS Server settings for connecting to OpenVPN.
You have set the default repository name in> options of the Advanced Authentication appliance.
Mark, as an employee, must perform the following actions to access the corporate network of Reltic Data network through OpenVPN:
NOTE:The LDAP Password method enrolls automatically and users cannot remove it.
For more information, see LDAP Password.
Mark must ensure to install the NetIQ Auth application on his smartphone to enroll the Smartphone method.
For more information about downloading and installing the NetIQ Auth application, see Installing NetIQ Advanced Authentication App.
During the enrollment, Mark must scan a QR code that creates an authenticator on his mobile app. When Mark initiates the authentication, a push notification is sent to the app. Accept the request and get authenticated.
To enroll the Smartphone method with a QR code, perform the following steps:
Click the Smartphone icon under thesection of the Self-Service portal.
(Optional) Specify a comment related to the Smartphone authenticator.
(Optional) Select the required category from.
A QR code is displayed.
Scan the QR code with the NetIQ Auth app. To do this, perform the following steps:
Open the NetIQ Auth app.
Specify a PIN if applicable.
Click the(plus) icon in the screen.
The camera of your smartphone is launched.
Scan the QR code with the camera.
A message Authenticator "Smartphone" added is displayed.
Specify the user name and an optional comment in the app.
The smartphone authenticator is created.
If Mark does not enroll the Smartphone method within few minutes, an error message Enroll failed: Enroll timeout is displayed. He can refresh the browser and try enrolling again.
HINT:If you users are unable to scan the QR code with the NetIQ Auth app, they can do the following:
Zoom the page to 125-150% and scan the zoomed QR code.
Ensure that nothing overlaps the QR code (mouse cursor, text).
For more information, see Smartphone.
Launch the OpenVPN client.
The Login dialog is displayed.
Open the NetIQ Auth app in the mobile phone.
Specify PIN or touch the enrolled finger that you registered for the app.
Tapin the screen to accept the authentication request.
A message Accepted is displayed and Mark authenticates to OpenVPN successfully.