First, set the Aventail box to support Radius and point it to the WiKID Strong authentication server:
- From the Aventail ASAP Management Console clict the hyperlink for Authentication Realms under System Configuration.
- Select New under Realms
- Input WiKID or two-factor as the name for the realm and add a description. Click the button labeled New next to the field titled Authentication Server to create a RADIUS server.
- Select RADIUS under the Directory type/protocol section and Token/SecurID or username/password under the Credential type section.
- Now, configure the RADIUS server: click on the circular icon with the arrow to show the Advanced options.
- For Primary RADIUS Server, enter the IP address of the WiKID server
- For Shared Secret, enter a shared secret
- Under the Advanced options, For custom password prompt, type "Enter WiKID passcode">
- Click the button labeled Save to continue
- Save the RADIUS server configuration. You should be returned to the Configure Realm page, click the Next button, then click Finish.
Now, we'll add the second factor: WiKID.
- Log into the WiKID server and click on the Domains Tab
- Click on Create a New Domain
- Enter the information requested. The Domain Server code is the zero-padded IP address of the WiKID server. So, if the external IP address is 216.239.51.99, the WiKID server code would be 216239051099. Click "Create".
- Click Network Clients tab and on "Create a new Network Client".
- Enter the information requested. For the IP Address, use the IP address of your Aventail VPN appliance. Select Radius and the domain you just created. Click "Add" when you're finished.
- On the next page, enter the shared secret you entered on the Aventail server. You do not have to enter any information under "Return Attributes".
- Important: From the WiKID terminal or via SSH, you will need to run "stop" and then "start" to load the new configuration into the WiKID Radius server.
That should be it for setting up the Aventail for two-factor authentication. Now, let's test the system by setting up user manually:
- Start the WiKID token client
- Select "New Domain" and enter the 12 digit domain identifier you set up on the WiKID server
- Enter your desired PIN. You will get a registration code back from the WiKID server.
- Login to the WiKID Admin server again and click on the Users tab, then "Manually Validate a User"
- Click on your registration code (it should be the only one) and enter your desired username - it should be a username the Aventail will accept.
- Your username is now valid. Now start up the browser and try to login with a WiKID one-time password.
If it doesn't work, check the WiKID server logs. When a one-time password is requested, you will see "Passcode Request Successful" in the logs. After that you should see "Successful Online Passcode Validation". If you don't see anything after the "Passcode Request Successful", then the one-time password validation is not getting to the WiKID server from the Aventail server. Be sure to run "stop"/"start" on the WiKID server. Once you have tested the system, take a look at how to roll out two-factor authentication to all your users
This same process should work for all VPN systems that support Radius, such as Whale Communications, Juniper and many, many other