6 Replies Latest reply on Aug 11, 2014 6:07 AM by markbenson

    2 Factor Authentication w/Symantec VIP Access

    twrangham Novice

      So, we were able to successfully get 2 Factor authentication to work for our users coming in externally. When trying to connect off LAN they are prompted for their username (same as Active Directory) and password (Active Directory password + VIP code). If they enter correctly they are then re-prompted for their username again (Active Directory) and password (AD).


      Is it too much to ask to shorten this to a single prompt? I know the configuration is fairly basic for setup, but I don't think 2 factor should mean 2 prompts, should it?


      Just a thought, and some wishful thinking.

        • 1. Re: 2 Factor Authentication w/Symantec VIP Access
          Linjo Champion
          User Moderators

          Did you check the box "Enforce 2-factor and Windows user name matching" in the advanced settings?

          Then you should not need to have 2 login-prompts.


          Here is a lot of good information about this subject:

          VMware View 5.1 RADIUS Authentication Setup


          // Linjo

          • 2. Re: 2 Factor Authentication w/Symantec VIP Access
            twrangham Novice

            Thanks for replying. Yes, while the "Enforce 2-factor and Windows user name matching" was not checked, I don't think that setting really prevents the 2nd login prompt. I assume it's making sure the 1st 2-factor login prompt and the 2nd Windows login prompt have the same usernames. Since we are using Symantec VIP, the usernames ARE the same. It just sets the username for the 2nd prompt (Windows).


            It also looks like the setting that might prevent the 2nd login prompt is "Use the same username and password for RADIUS and Windows authentication". With this set, currently it just throws an unknown user name or bad password message on the 2nd login screen because it's not set up on the backend servers. I will check with the team that manages the Symantec VIP product to see if this is an option.

            • 3. Re: 2 Factor Authentication w/Symantec VIP Access
              Linjo Champion
              User Moderators

              Yes, of course you are right, copied the wrong string for some strange reason...

              I hope it got you moving in the right direction anyway! ;-)


              // Linjo

              • 4. Re: 2 Factor Authentication w/Symantec VIP Access
                markbenson Master
                VMware Employees

                twrangham wrote:


                It also looks like the setting that might prevent the 2nd login prompt is "Use the same username and password for RADIUS and Windows authentication". ...


                This option means that View Connection Server will use the RADIUS passcode as the AD password in cases where they are the same. In this case it avoids the second (AD password) prompt. In your case the RADIUS passcode and AD password are not the same as the former also contains the VIP code. If the RADIUS server is capable of passing the password back to View Connection Server (by truncating the right number of digits from the RADIUS passcode) then there would be a way, but I think this is unlikely.


                Mark

                • 5. Re: 2 Factor Authentication w/Symantec VIP Access
                  twrangham Novice

                  Thanks for the information. While I am still confused as to how the RADIUS passcode being the same as an AD password would actually be 2 factor authentication, after contacting Symantec and getting this escalated... it's not supported. The actual response was:


                  "As Symantec VIP OTP is based on HMAC-SHA1 algorithm and support TOTP and HOTP and is different from MS password authentication method which doesn’t provide strong security, “Use the same username and password for RADIUS and Windows authentication” can’t be applied in this integration."


                  Bummer. I think some enhancements in this area might be nice down the road to prevent user confusion.
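To make concrete what Mark describes in reply 4 (the RADIUS side would have to truncate the VIP digits off the combined passcode and hand the AD password back) and what the Symantec response in reply 5 refers to (HMAC-SHA1 based HOTP/TOTP), here is an added example that is not code from the thread, from VMware or from Symantec. It assumes a 6-digit code in HOTP (counter) mode, a constructed in-memory user store standing in for AD and the token database, and constructed secrets; the HOTP seed is the RFC 4226 test-vector seed.

```python
import hashlib
import hmac
import struct

OTP_DIGITS = 6          # assumed code length for the VIP credential
LOOK_AHEAD = 5          # RFC 4226 section 7.4 resynchronisation window

def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def split_passcode(passcode: str, digits: int = OTP_DIGITS):
    """Peel the trailing OTP off a 'password+code' passcode; None if it cannot be one."""
    if len(passcode) <= digits or not passcode[-digits:].isdigit():
        return None
    return passcode[:-digits], passcode[-digits:]

def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store standing in for AD plus the VIP token database (not real data).
USERS = {
    "twrangham": {
        "salt": b"constructed-salt",
        "pw_hash": pw_hash("Hunter2", b"constructed-salt"),
        "otp_secret": b"12345678901234567890",   # RFC 4226 test-vector seed
        "counter": 0,
    }
}

def verify(username: str, passcode: str):
    """Return (True, ad_password) on success, (False, None) otherwise.
    The recovered password is what a RADIUS server would have to pass back to
    View Connection Server for the second (AD) prompt to be skipped."""
    user = USERS.get(username)
    parts = split_passcode(passcode)
    if user is None or parts is None:
        return False, None
    password, otp = parts
    if not hmac.compare_digest(pw_hash(password, user["salt"]), user["pw_hash"]):
        return False, None
    for c in range(user["counter"], user["counter"] + LOOK_AHEAD):
        if hmac.compare_digest(hotp(user["otp_secret"], c), otp):
            user["counter"] = c + 1      # move past the used counter so the code cannot be replayed
            return True, password
    return False, None
```

The split only works because the OTP has a fixed length; the Connection Server itself never sees anything but the combined string, which is why the "same username and password" option cannot apply here.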

                  • 6. Re: 2 Factor Authentication w/Symantec VIP Access
                    markbenson Master
                    VMware Employees

                    twrangham wrote:


                    Thanks for the information. While I am still confused as to how the RADIUS passcode being the same as an AD password would actually be 2 factor authentication ...

                    It's for cases where the RADIUS vendor needs the AD password in order to trigger two-factor authentication, e.g. the user enters their AD password to start with and that triggers sending an SMS text message containing a code to their cellphone. The user enters this code and then can skip the next AD password prompt.


                    It's two-factor because it is based on something they know (the password) and something they have (their cellphone) and is therefore stronger than just a password.


                    Mark
