First, we will configure the Nortel Contivity VPN server for radius:
- Configure Radius Support:
- Login to the Nortel VPN Router Administration Console web interface.
- Enable Username and Password authentication under Services > IPSec > Radius
- Under Servers > Radius Authentication check "Enable Access to RADIUS Authentication"
- Check "Response Only" and "PAP" under the Server-Supported Authentication Options.
- In the RADIUS Servers section, check "Enabled", enter the IP address of the WiKID server, choose the private interface, leave the port as 1812, and enter and confirm the shared secret.
- Configure an IPSec Group for WiKID - this sets the pre-shared secret for IPSec
- Under Profile > Group > Add, add a new group (if desired)
- Enter a Group Name, such as WiKID, a Parent and select OK
- Under Profiles > Groups > Edit > IPSec > Authentication click Configure
- Enter a group ID and password - this is the shared secret for the IPSec tunnel, not the user's password.
- Select Username and password for the authentication type.
Now, we will configure the VPN Client using the Contivity Wizard.
- Start the Connection Wizard and select Create a new connection
- Give it a name
- Select Username and Password (do not select hardware or software token).
- Enter the Group ID and password for the WiKID user group.
- Enter the IP address or host name for the Nortel Contivity VPN
- Select to Not dial first - unless you want to.
- Click Finish.
Now we'll configure the WiKID side. On the WiKID Server, be sure to enable Radius:
- Click on the 'Configuration' tab in the WiKIDAdmin web interface.
- Click on 'Enable Protocols'
- If Radius is not Enabled, click on it.
- You should be able to leave the settings as is and click 'Initialize'.
Next we add a specific network client for the Nortel Contivity VPN:
- Click on the 'Network Client' Tab
- Click on 'Create New Network' Client
- Create a name such as "Nortel Two-factor VPN"
- Choose a WiKID domain to the network client
- Select 'Radius' as the protocol
- Click 'Add'
- On the next page, enter the Shared Secret created above. Leave the Return Attributes empty (unless you know what you're doing)
- Click 'Add NC'
- From a terminal window, stop and start the WiKID Strong Authentication Server. This will open up the firewall port to the new network client.
That is it. Now you should have properly configured two-factor authentication for your Nortel Contivity VPN Concetrator. You should now be able to generate an one-time password from a Windows, Linux , Mac, Android, Blackberry, J2ME or iPhone software tokens and get access to your VPN. When logging in, use the WiKID one-time password from your WiKID token client when prompted for a password.
Product names used within are trademarks of their respective owners.