TwoFactor Authentication Service Jason Testart, Computer Science Computing Facility.

TwoFactor Authentication Service

Jason Testart, Computer Science Computing Facility

WatITis 2006 | December 6, 2006 | ***TwoFactor Authentication Service***

Authentication Nomenclature

- Two-Factor Authentication
- Strong Authentication
- One-time password (OTP)
- Token-based authentication
- "RSA" and "SecurID"
- GINA (Graphical Identification and Authentication, the Windows logon component)

Why TwoFactor authentication?

- Thin clients
- Hacked workstations
- Lack of encrypted connection
- Shared accounts are bad

Hardware Tokens


Some History

- SecurID system purchased in 1996 by DP
- Needed for access to OGF
- DCS and MFCF: ssuw on xhiered Unix
- MFCF/CSCF assumed control of SecurID service from IST in 2004 after OGF upgrade

ACE Servers


CRYPTO-Shield by CryptoCard

- Less expensive
- Tokens don't expire
- Ability to import from ACE server
- Good Linux support
- Now supports the Blackberry
- Canadian company

Got root?

- CRYPTO-Server does RADIUS
- Sudo is PAM enabled
- pam-radius module works on Solaris, Linux, OS X
- Instead of ssuw, use "sudo -s"
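As an added illustration of the sudo-over-RADIUS setup (not configuration from the talk or from CryptoCard), this is what the PAM stack for sudo and the server list for the pam_radius_auth module look like on a Linux host. The module name and file paths are those of the FreeRADIUS project's pam_radius module; the CRYPTO-Server hostname and the shared secret are placeholders.

```text
# /etc/pam.d/sudo  (Linux-PAM; placeholder config, not from the talk)
# "auth" goes to the RADIUS server, so "sudo -s" prompts for the token code
# instead of the local Unix password.  sudoers still decides who may run what;
# PAM only answers "is this really the user".
auth      required   pam_radius_auth.so
account   required   pam_unix.so
session   required   pam_unix.so

# /etc/raddb/server  (server list read by pam_radius_auth)
# format: server[:port]  shared_secret  timeout_seconds
# keep this file root-only (mode 0600): it holds the RADIUS shared secret
crypto-server.example.org:1812   change-this-secret   3
```

Two practical checks before relying on this: keep a root shell open in another window while testing, since a typo in the pam.d file locks out sudo, and remember that a lost connection to the RADIUS server means no sudo at all unless a fallback line is deliberately added to the stack.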

Switches and Firewalls

Components: Firewall -> FreeRADIUS server -> CRYPTO-Server

1. The firewall provides userid+password to the FreeRADIUS server.
2. FreeRADIUS provides, via PAM, the userid+password to the CRYPTO-Server.
3. The CRYPTO-Server accepts or rejects the authentication request.
4. If the CRYPTO-Server accepted the authentication, then the FreeRADIUS server looks up the user in its users file and returns a "success" to the firewall along with the defined attributes for the user.
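The four steps above, as an added worked example that is not code from the talk, FreeRADIUS or CryptoCard: a self-contained Python model of the RADIUS exchange (RFC 2865) between the firewall and the FreeRADIUS server. An in-memory one-time-code store stands in for the CRYPTO-Server (the real deployment reaches it through PAM) and a dictionary stands in for FreeRADIUS's users file, so a user whose token is valid but who has no users-file entry is still rejected. User names, token codes, the NAS address and the shared secret are constructed test data.

```python
"""RADIUS Access-Request/Accept exchange modelling the firewall flow above.
Added example, not code from the talk, FreeRADIUS or CryptoCard.  The firewall
(NAS) builds a request; the FreeRADIUS role decodes it, asks an OTP backend that
stands in for the CRYPTO-Server, then checks a stand-in users file.  Names,
token codes and the shared secret are constructed test data."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, REPLY_MESSAGE = 1, 2, 4, 6, 18
ADMINISTRATIVE_USER = 6                    # Service-Type value, RFC 2865 s.5.6

# Constructed OTP backend state: every token code is usable exactly once.
OTP_STORE = {"jdoe": ["482913", "117204"], "intern": ["555000"]}
# Constructed stand-in for FreeRADIUS's users file ("intern" has a token but
# no entry here, so the firewall must never get an Access-Accept for it).
USERS_FILE = {"jdoe": {SERVICE_TYPE: struct.pack(">I", ADMINISTRATIVE_USER)}}

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encode_password(secret, authenticator, password):
    """RFC 2865 s.5.2: NUL-pad to 16n bytes, XOR block i with MD5(secret + c_{i-1})."""
    p = password.encode()
    p += b"\0" * (-len(p) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(p), 16):
        prev = _xor(p[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def decode_password(secret, authenticator, encoded):
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block                         # chain on the ciphertext block
    return out.rstrip(b"\0").decode()

def pack_attrs(attrs):
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def unpack_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        t, n = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + n]))
        i += n
    return attrs

def build_access_request(secret, ident, username, password, nas_ip=b"\x0a\x00\x00\x01"):
    """Firewall side: fresh random Request Authenticator plus encoded password."""
    ra = os.urandom(16)
    body = pack_attrs([(USER_NAME, username.encode()),
                       (USER_PASSWORD, encode_password(secret, ra, password)),
                       (NAS_IP_ADDRESS, nas_ip)])
    return struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body, ra

def otp_backend(username, password):
    """Stands in for the CRYPTO-Server: accept a live code once, then burn it."""
    codes = OTP_STORE.get(username, [])
    if password in codes:
        codes.remove(password)
        return True
    return False

def handle_access_request(secret, packet):
    """FreeRADIUS role: decode, ask the OTP backend, then gate on the users file."""
    code, ident, length = struct.unpack(">BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    ra, attrs = packet[4:20], dict(unpack_attrs(packet[20:]))
    username = attrs[USER_NAME].decode()
    password = decode_password(secret, ra, attrs[USER_PASSWORD])
    if otp_backend(username, password) and username in USERS_FILE:
        code, reply = ACCESS_ACCEPT, list(USERS_FILE[username].items())
    else:
        code, reply = ACCESS_REJECT, [(REPLY_MESSAGE, b"authentication failed")]
    body = pack_attrs(reply)
    header = struct.pack(">BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(header + RequestAuth + attrs + secret)
    return header + hashlib.md5(header + ra + body + secret).digest() + body

def response_is_authentic(secret, request_auth, response):
    header, resp_auth, body = response[:4], response[4:20], response[20:]
    return resp_auth == hashlib.md5(header + request_auth + body + secret).digest()

def parse_response(secret, request_auth, response):
    """Firewall side: never act on a reply whose authenticator does not verify."""
    if not response_is_authentic(secret, request_auth, response):
        raise ValueError("bad Response Authenticator: reply not from our server")
    return response[0], dict(unpack_attrs(response[20:]))

def login(secret, ident, username, password):
    """One complete exchange; returns (reply code, reply attributes)."""
    req, ra = build_access_request(secret, ident, username, password)
    return parse_response(secret, ra, handle_access_request(secret, req))
```

login(b"constructed-shared-secret", 1, "jdoe", "482913") returns an Access-Accept (code 2) carrying Service-Type = Administrative-User, replaying the same code returns an Access-Reject (code 3), and "intern" is rejected even though the token code was good, because the users-file lookup in step 4 is what decides whether the firewall hears "success". Two points the model makes visible: the Response Authenticator is the only thing stopping anyone on the path from forging an Access-Accept, and the User-Password hiding is just MD5 keyed with the shared secret, so the secret needs to be long, the RADIUS clients should be restricted by source address, and (as the talk does) the whole path belongs behind the firewalls. The one-time code itself is what makes a captured password useless, which is the point of the service.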

Active Directory

- Use a new domain for just Administrators
- CRYPTO-Logon agent on each domain member (replaces the GINA)
- CRYPTO-Logon DC service on each domain controller
- Place users of new domain in universal group(s)
- Give universal group(s) elevated privileges to other domains in the forest

Active Directory Architecture

(diagram)

CRYPTO-Server

AD Forest cscf.uwaterloo.ca:
- cscf.uwaterloo.ca
- cs.uwaterloo.ca
- sysadmins.cscf.uwaterloo.ca
- student.cs.uwaterloo.ca

AD Forest uwforest.uwaterloo.ca:
- uwdomain.uwaterloo.ca
- superusers.uwdomain.uwaterloo.ca

Hosts in the "sysadmins" and "superusers" domains authenticate against the CRYPTO-Server.

Hardware

- Total of 6 hosts needed
  - 2 for CRYPTO-Server (master and replica)
  - 4 for Windows domain (3 DCs, 1 TS)
- All hosts are virtual
- 3 in MC, 3 in DC (BCP)
- Have capacity for 6 more virtual machines
- Everything is behind the Netscreens

Challenges/Limitations

- OS X functionality is limited in how we use it
- Limited integration with SSO plans
- Enforcing compliance

Thanks for your time!

For more information, please visit:

https://www.cs.uwaterloo.ca/twiki/view/CF/TwoFactor

Any Questions?