The F5 FirePass VPN appliance is a highly scalable SSL-VPN solution. According to F5, a single FirePass box can handle 2,000 concurrent users, and boxes can be clustered to support up to 20,000 concurrent sessions. More than 20,000 sessions requires integration with BIG-IP. A single WiKID server (running on a low-end 1.4 GHz, IDE-based server) can handle up to 50 two-factor authentications per second, so even at peak login times the WiKID server isn't breaking a sweat.
This document details how to configure a FirePass VPN appliance to pass one-time passwords to the WiKID server via Radius. If this is a new FirePass VPN setup, test logging in without a WiKID one-time password before adding in two-factor authentication. It will make troubleshooting easier.
Adding RADIUS Authentication Support to the FirePass box:
- Log into the FirePass Administrator Console via the https interface.
- Click Users, then Groups, then Master Groups, and then click Create New Group.
- Enter a name for this group such as WiKID Users.
- From the Users in Group list, select the setting for your configuration such as External.
- From the Authentication method list, choose RADIUS.
- Leave the Copy settings from list at the Do not copy option. Click the Create button to open up the Master Group configuration screen.
- From there, click the Authentication tab.
- In the Primary Radius Server section, in the Server box, type the IP address of the WiKID server.
- In the Port box, enter the RADIUS port number 1812.
- Enter and then confirm the shared secret.
Now, we'll add the second factor: WiKID.
- Log into the WiKID server and click on the Domains tab.
- Click on Create a New Domain.
- Enter the information requested. The Domain Server code is the zero-padded IP address of the WiKID server. So, if the external IP address is 216.239.51.99, the WiKID server code would be 216239051099. Click "Create".
- Click the Network Clients tab, then "Create a new Network Client".
- Enter the information requested. For the IP Address, use the IP address of your FirePass VPN appliance. Select Radius and the domain you just created. Click "Add" when you're finished.
- On the next page, enter the shared secret you entered on the FirePass. You do not have to enter any information under "Return Attributes".
- Important: From the WiKID terminal or via SSH, you will need to run "stop" and then "start" to load the new configuration into the WiKID Radius server.
That should be it for setting up the FirePass for two-factor authentication. Now, let's test the system by setting up a user manually:
- Start the WiKID token client.
- Select "New Domain" and enter the 12-digit domain identifier you set up on the WiKID server.
- Enter your desired PIN. You will get a registration code back from the WiKID server.
- Log in to the WiKID Admin server again and click on the Users tab, then "Manually Validate a User".
- Click on your registration code (it should be the only one) and enter your desired username; it should be a username the FirePass will accept.
- Your username is now valid. Now start up the browser and try to log in with a WiKID one-time password.
If it doesn't work, check the WiKID server logs. When a one-time password is requested, you will see "Passcode Request Successful" in the logs. After that you should see "Successful Online Passcode Validation". If you don't see anything after the "Passcode Request Successful", then the one-time password validation is not getting to the WiKID server from the FirePass. Be sure to run "stop"/"start" on the WiKID server. Once you have tested the system, take a look at how to roll out two-factor authentication to all your users.
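As an added example (not part of the original document and not WiKID's own tooling), the following Python derives the 12-digit domain server code described in the domain setup step and applies the two log markers from the troubleshooting step to constructed sample log lines; the timestamp/user layout of those lines is assumed, only the two quoted marker phrases come from the text.

```python
# Added example: not from the WiKID/F5 document and not WiKID's own tooling.
# Derives the 12-digit WiKID domain server code and applies the two log
# markers from the troubleshooting step to constructed sample log lines.
import ipaddress

# Constructed sample log lines; the timestamp/user layout is assumed, only the
# two quoted marker phrases come from the document.
SAMPLE_LOG_OK = [
    "10:00:01 Passcode Request Successful user=alice",
    "10:00:09 Successful Online Passcode Validation user=alice",
]
SAMPLE_LOG_STALLED = SAMPLE_LOG_OK[:1]  # OTP issued, nothing came back

REQUEST_OK = "Passcode Request Successful"
VALIDATION_OK = "Successful Online Passcode Validation"


def domain_server_code(ip: str) -> str:
    """Zero-pad each IPv4 octet to three digits: 216.239.51.99 -> 216239051099."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed or IPv6 input
    return "".join(f"{octet:03d}" for octet in addr.packed)


def ip_from_code(code: str) -> str:
    """Inverse of domain_server_code, for checking what a token user typed."""
    if len(code) != 12 or not code.isdigit():
        raise ValueError("domain server code must be exactly 12 digits")
    octets = bytes(int(code[i:i + 3]) for i in range(0, 12, 3))  # >255 raises
    return str(ipaddress.IPv4Address(octets))


def diagnose(log_lines) -> str:
    """Turn the presence/absence of the two markers into a verdict."""
    saw_request = any(REQUEST_OK in line for line in log_lines)
    saw_validation = any(VALIDATION_OK in line for line in log_lines)
    if saw_request and saw_validation:
        return "ok"
    if saw_request:
        # The token got its OTP but no validation arrived from the FirePass:
        # check the Network Client IP, shared secret, and run stop/start.
        return "no-validation"
    return "no-request"


if __name__ == "__main__":
    print(domain_server_code("216.239.51.99"), diagnose(SAMPLE_LOG_STALLED))
```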
The WiKID Strong Authentication System is a very reasonably priced two-factor authentication solution. We invite you to download and test the Enterprise version.
FirePass(tm) is a trademark of F5 Inc. WiKID(tm) is a trademark of WiKID Systems, Inc.