Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

How to implement two factor authentication with Windows Server 2008 NPS

Secure remote access solutions with Network Policy Server

Article comments

Increasingly, whether due to regulatory requirements or a basic recognition that static passwords just don't provide adequate security, organisations are implementing some form of strong authentication. Like all new efforts, before you start you want to be reasonably assured that you will succeed.

In this tutorial we will document how to add two-factor authentication to various Microsoft remote access solutions through the Windows Server 2008 Network Policy Server. For two-factor authentication, we will be using the WiKID Strong Authentication Server - Enterprise Edition. WiKID is a dual-sourced, software-based two-factor authentication system. While the document is product specific, the process is typically the same no matter the products.

Assume that you have a mixed OS environment with some Windows, some Linux/Unix. You have a new requirement for two-factor authentication to meet PCI requirements. You intend to protect all key systems, which are mostly linux and you are going to lock down your remote desktop with two-factor authentication too (though we will only discuss the SSH here). The plan is to create an SSH gateway server that is locked down with two-factor authentication. Admins can then jump from the gateway box to other servers using public key authentication.

SSH offers a highly secure channel for remote administration of servers. However, since you face an audit for PCI, you have become aware of some potential authentication related short-comings that may cause headaches in an audit. For example:

  • There is no way to control which users have public key authorisation
  • There is no way to enforce passphrase complexity (or even be sure that one is being used)
  • There is no way to expire a public key

Additionally, your intention is to add two-factor authentication to other services, such as RDP and a VPN. There is great benefit in having a single two-factor authentication service for all those services and SSH keys will not work for other services.

An overview

After everything is configured, the system will work like this: The user generates a one-time passcode from their WiKID software token. They enter it into the SSH password field. The credentials are passed from the SSH gateway to NPS via radius. NPS validates that the user is active in AD and in the proper group. If so, it sends the username and one-time password to the WiKID Strong Authentication Server still using Radius. If the OTP is valid, the WiKID server responds to the NPS, which in turn responds to the SSH gateway server and the user is granted access.

Note that this process is only for authentication, session management is still handled by the SSH gateway or any other remote access service you are using.

First we will enable Windows Server 2008 Network Policy Server (NPS)

Add the "Network Policy and Access Services" role to your domain controller.

Enable these role services during installation:

  • Network Policy Server
  • Routing & Remote Access Services
  • Remote Access Service
  • Routing

Next we add a new RADIUS Client - The SSH Gateway in this case.

From Administrative Tools select Network Policy Server.

Right click on Radius Clients and Select New.

Add a name, the IP address of your remote access server (RAS, VPN, etc) and create a shared secret. You will enter the same shared secret on the WiKID server.

Click OK.


Share:

More from Techworld

More relevant IT news

Comments




Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *