Page 1: TwoFactor Authentication Service Jason Testart, Computer Science Computing Facility.

TwoFactor Authentication Service

Jason Testart, Computer Science Computing Facility

Page 2:

WatITis 2006 | December 6, 2006 | ***TwoFactor Authentication Service***

Authentication Nomenclature

- Two-Factor Authentication
- Strong Authentication
- One-time password (OTP)
- Token-based authentication
- “RSA” and “SecurID”
- GINA

Page 3:

Why TwoFactor authentication?

- Thin clients
- Hacked workstations
- Lack of encrypted connection
- Shared accounts are bad

Page 4:

Hardware Tokens

Page 5:

Some History

- SecurID system purchased in 1996 by DP
- Needed for access to OGF
- DCS and MFCF: ssuw on xhiered Unix
- MFCF/CSCF assumed control of SecurID service from IST in 2004 after OGF upgrade

Page 6:

ACE Servers

Page 7:

CRYPTO-Shield by CryptoCard

- Less expensive
- Tokens don’t expire
- Ability to import from ACE server
- Good Linux support
- Now supports the Blackberry
- Canadian company

Page 8:

Got root?

- CRYPTO-Server does RADIUS
- Sudo is PAM enabled
- pam_radius module works on Solaris, Linux, OS X
- Instead of ssuw, use “sudo -s”

Page 9:

Switches and Firewalls

Diagram: Firewall -> FreeRADIUS server -> CRYPTO-Server

Step 1: Firewall provides userid+password to FreeRADIUS server.

Page 10:

Switches and Firewalls

Diagram: Firewall -> FreeRADIUS server -> CRYPTO-Server

Step 2: FreeRADIUS provides, via PAM, userid+password to CRYPTO-Server.

Page 11:

Switches and Firewalls

Diagram: Firewall -> FreeRADIUS server -> CRYPTO-Server

Step 3: CRYPTO-Server accepts or rejects the authentication request.

Page 12:

Switches and Firewalls

Diagram: Firewall -> FreeRADIUS server -> CRYPTO-Server

Step 4: If the CRYPTO-Server accepted the authentication, then the FreeRADIUS server looks up the user in its users file and returns a “success” to the firewall along with the defined attributes for the user.
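As an added illustration (not configuration from the slides or from CSCF), one way the four-step chain above and the “sudo -s” setup from the Got root? slide can be wired together; the hostnames, addresses and shared secrets are placeholders, and the Service-Type reply attribute is an assumed stand-in for whatever attributes the firewall actually expects.

```text
# --- On each Unix host (Solaris/Linux/OS X): /etc/pam.d/sudo
# pam_radius_auth sends userid + token code to the RADIUS server and
# succeeds only on Access-Accept, so "sudo -s" requires the token.
auth     required   pam_radius_auth.so
account  required   pam_unix.so

# --- On each Unix host: /etc/raddb/server  (pam_radius_auth server list)
# format: server[:port]   shared-secret   timeout-seconds
# hostname and secret are placeholders, not values from the slides
crypto-server.example:1812   PLACEHOLDER-SECRET   3

# --- On the FreeRADIUS server: clients.conf  (the firewall as a NAS)
client firewall {
    ipaddr = 192.0.2.1              # placeholder address
    secret = PLACEHOLDER-SECRET     # must match the firewall's RADIUS secret
}

# --- On the FreeRADIUS server: radiusd.conf, pam module
# hands userid + password to the local PAM service named "radiusd"
pam {
    pam_auth = radiusd
}

# --- On the FreeRADIUS server: /etc/pam.d/radiusd
# this is the hop that forwards the request to the CRYPTO-Server
auth     required   pam_radius_auth.so
account  required   pam_permit.so

# --- On the FreeRADIUS server: users
# Only a user listed here receives "success" plus attributes; anyone
# the CRYPTO-Server would accept but who is absent here falls through
# to the DEFAULT entry and is rejected, so this file is the allow-list
# of who may administer the firewall at all.
jdoe     Auth-Type := PAM
         Service-Type = Administrative-User

DEFAULT  Auth-Type := Reject
```

Keep the shared secret in /etc/raddb/server readable by root only, since anyone who can read it on a host can impersonate that host to the RADIUS server.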

Page 13:

Active Directory

- Use a new domain for just Administrators
- CRYPTO-Logon agent on each domain member (replaces the GINA)
- CRYPTO-Logon DC service on each domain controller
- Place users of new domain in universal group(s)
- Give universal group(s) elevated privileges to other domains in the forest

Page 14:

Active Directory Architecture

Diagram: CRYPTO-Server with two AD forests

- AD Forest cscf.uwaterloo.ca: cscf.uwaterloo.ca, cs.uwaterloo.ca, sysadmins.cscf.uwaterloo.ca, student.cs.uwaterloo.ca
- AD Forest uwforest.uwaterloo.ca: uwdomain.uwaterloo.ca, superusers.uwdomain.uwaterloo.ca

Hosts in the “sysadmins” and “superusers” domains authenticate against the CRYPTO-Server.

Page 15:

Hardware

- Total of 6 hosts needed
- 2 for CRYPTO-Server (master and replica)
- 4 for Windows domain (3 DCs, 1 TS)
- All hosts are virtual
- 3 in MC, 3 in DC (BCP)
- Have capacity for 6 more virtual machines
- Everything is behind the Netscreens

Page 16:

Challenges/Limitations

- OS X functionality is limited in how we use it
- Limited integration with SSO plans
- Enforcing compliance

Page 17:

Thanks for your time!

For more information, please visit:

https://www.cs.uwaterloo.ca/twiki/view/CF/TwoFactor

Any Questions?
