We assume that you have already installed the Netgear SSL312. This document provides information on how to enable the Radius interface on the Netgear so that it accepts one-time passwords from the WiKID Strong Authentication System.
Configure the Netgear SSL312 for Radius
Start by adding a Radius server on the Netgear:
- Click Add Domain. An Add Domain window displays.
- From the Authentication Type pull-down menu, select the RADIUS domain type Radius - PAP.
- In the Domain Name field, enter a descriptive name for the authentication domain. This is the domain name users will select in order to log into the SSL VPN portal.
- In the Radius Server Address field, enter the IP address or domain name of the WiKID server.
- Enter the shared secret in the Secret Password field.
- From the Portal Layout Name drop-down menu, select the name of the layout. The default layout is SSL-VPN. You can define additional layouts in the Portal Layouts page.
- Click Apply to update the configuration. Once the domain has been added, the domain displays in the table on the Domains screen.
Add the Netgear SSL312 to the WiKID server
On the WiKID Server, be sure to enable Radius:
- Click on the 'Configuration' tab in the WiKIDAdmin web interface.
- Click on 'Enable Protocols'
- If Radius is not Enabled, click on it.
- You should be able to leave the settings as is and click 'Initialize'.
Next we add a specific network client for the Netgear SSL312:
- Click on the 'Network Client' Tab
- Click on 'Create New Network Client'
- Create a name such as "Netgear Two-factor VPN"
- Choose a WiKID domain for the network client
- Select 'Radius' as the protocol
- Click 'Add'
- On the next page, enter the Shared Secret created above. Leave the Return Attributes empty (unless you know what you're doing)
- Click 'Add NC'
- From a terminal window, stop and start the WiKID Strong Authentication Server. This will open up the firewall port to the new network client.
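The two procedures above configure the two ends of a RADIUS/PAP exchange: the SSL312 is the RADIUS client (NAS) and the WiKID server answers Access-Request packets with Access-Accept or Access-Reject. The following added example (not Netgear's or WiKID's code) shows what travels between them as described in RFC 2865, so you can see what the shared secret actually protects: the one-time password is never sent in the clear but XORed with MD5 keystream derived from the secret, and the server's reply carries a Response Authenticator that the client can only verify if both sides hold the same secret. The shared secret, user name, OTP, NAS-Identifier string and port 1812 are assumed or constructed values; the `build_response` function simulates the WiKID side so the whole thing runs offline, and `authenticate` is the only function that touches the network.

```python
"""Minimal RADIUS/PAP client pieces (RFC 2865) for checking a NAS <-> WiKID setup.
Added example; constants and sample values are constructed, not taken from either product."""
import hashlib
import hmac
import os
import socket
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def encode_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, then XOR each block with
    MD5(secret + previous block), seeded with the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_pap_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server does: reverse the XOR and drop the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = encoded[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    # Attribute = Type (1) | Length incl. header (1) | Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: str, otp: str, secret: bytes,
                         nas_id: str = "netgear-ssl312",  # constructed NAS-Identifier
                         authenticator: Optional[bytes] = None) -> bytes:
    """Access-Request with User-Name, PAP-obfuscated User-Password and NAS-Identifier.
    A random Request Authenticator is used unless one is passed in (tests pass one)."""
    if authenticator is None:
        authenticator = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encode_pap_password(otp.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(data: bytes) -> Tuple[int, int, bytes, List[Tuple[int, bytes]]]:
    """Split a packet into (code, identifier, authenticator, [(type, value), ...])."""
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, data[pos + 2:pos + a_len]))
        pos += a_len
    return code, identifier, data[4:20], attrs


def build_response(request: bytes, secret: bytes, code: int) -> bytes:
    """Simulated server reply (offline stand-in for WiKID). Response Authenticator =
    MD5(code + id + length + RequestAuthenticator + attributes + secret)."""
    _, identifier, req_auth, _ = parse_packet(request)
    header = struct.pack("!BBH", code, identifier, 20)  # no attributes in this reply
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Reject replies whose authenticator was not computed with our shared secret."""
    code, identifier, resp_auth, _ = parse_packet(response)
    _, req_id, req_auth, _ = parse_packet(request)
    if identifier != req_id:
        return False
    header = struct.pack("!BBH", code, identifier, len(response))
    expected = hashlib.md5(header + req_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def authenticate(host: str, username: str, otp: str, secret: bytes,
                 port: int = 1812, timeout: float = 5.0) -> bool:
    """Send one Access-Request to a live RADIUS server over UDP (not used by the test)."""
    request = build_access_request(1, username, otp, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        response, _ = sock.recvfrom(4096)
    if not verify_response(response, request, secret):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or spoofed reply")
    return parse_packet(response)[0] == ACCESS_ACCEPT
```

If a test login from the portal fails, `authenticate("WIKID_SERVER_IP", "user", "123456", b"the-secret")` from a host that the WiKID firewall already allows is a quick way to separate a RADIUS problem (no reply, or a Response Authenticator mismatch caused by a secret typo on one side) from a portal-domain problem on the Netgear. Note that the PAP obfuscation keys off MD5 and the shared secret only, which is why the secret should be long and random and why the RADIUS traffic should stay on a management network.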
Configure Mutual HTTPS Authentication for Additional Security
The WiKID Strong Authentication System supports strong mutual authentication for SSL services such as the Netgear SSL312. Strong mutual HTTPS authentication will thwart network-based MITM attacks which are increasingly simple due to DNS problems and the prevalence of public WiFi networks.
To add mutual authentication for your Netgear users:
- Go to the WiKID domain page and edit the domain used for the Netgear.
- Enter the URL of the SSL312 portal in the "Registered URL" box.
- Click Update
When you click "Update", the WiKID server will fetch the SSL certificate for the SSL312 and store it. When a user generates a one-time password for that domain, the hash and the registered URL are delivered with the OTP. The token then connects over the user's own connection to the registered URL, retrieves the SSL certificate it is presented with and hashes it. If the hashes match, the token presents the OTP, copies it to the clipboard and launches the default browser to the correct URL. Quite simple for the user! If they don't match, there is a MITM and an error is presented.
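The flow just described is a certificate-fingerprint comparison: a hash of the portal's certificate is captured at registration time and compared, from the user's side of the network, with whatever certificate the connection presents when the OTP is requested. The added example below (not WiKID's token or server code) mirrors the two halves of that check. Which hash function WiKID uses is not stated on the page; SHA-256 over the DER certificate is an assumption here, the URL is a placeholder, and the "certificate" bytes in the test are constructed stand-ins. `fetch_server_certificate` is the only part that needs a network.

```python
"""Registered-URL certificate check in the style of the mutual-HTTPS flow above.
Added example with assumed hash (SHA-256 over DER) and constructed sample inputs."""
import hashlib
import hmac
import socket
import ssl
from typing import Dict, Optional
from urllib.parse import urlparse


def cert_fingerprint(der_cert: bytes) -> str:
    """Fingerprint of a DER-encoded certificate (SHA-256 is an assumption, see lead-in)."""
    return hashlib.sha256(der_cert).hexdigest()


def register_url(url: str, der_cert: bytes) -> Dict[str, str]:
    """Server side at 'Update' time: remember the URL together with the cert hash."""
    return {"registered_url": url, "cert_hash": cert_fingerprint(der_cert)}


def check_registered_url(record: Dict[str, str], presented_der: bytes) -> bool:
    """Token side: hash the certificate seen on this connection and compare it to
    the stored hash. compare_digest avoids a timing side channel on the comparison."""
    return hmac.compare_digest(record["cert_hash"], cert_fingerprint(presented_der))


def decide(record: Dict[str, str], presented_der: bytes, otp: str) -> Dict[str, Optional[str]]:
    """Outcome the token acts on: release the OTP and the URL to open, or flag a MITM."""
    if check_registered_url(record, presented_der):
        return {"status": "ok", "otp": otp, "launch_url": record["registered_url"]}
    return {"status": "mitm_suspected", "otp": None, "launch_url": None}


def fetch_server_certificate(url: str, timeout: float = 5.0) -> bytes:
    """Retrieve the leaf certificate presented at the registered URL (live network; the
    test does not call this). Chain verification is turned off for the retrieval only,
    because the decision is made by the fingerprint comparison rather than by the CA
    store: that is what lets the check catch an interceptor holding a CA-issued cert."""
    parsed = urlparse(url)
    host, port = parsed.hostname, parsed.port or 443
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Usage against a live portal (placeholder URL): register once, then check.
    portal = "https://sslvpn.example.com/"  # placeholder, not a real registered URL
    record = register_url(portal, fetch_server_certificate(portal))
    print(decide(record, fetch_server_certificate(portal), "482913"))
```

One operational consequence worth planning for: when the SSL312's certificate is renewed, the stored hash no longer matches and every user will see the MITM error until you click "Update" on the WiKID domain again, so certificate renewal on the portal and re-registration on the WiKID server belong in the same change.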
That is it. Now you should have properly configured two-factor authentication for your Netgear SSL312 VPN.