Wednesday 23 March 2011

Yubikey two factor auth for Netscreen Firewalls

NOTE: I have posted an updated version of this document with more detail HERE to cover version 3 of Radius on Premise.

I have also posted a thorough guide to setting up the Netscreen Firewall to use this type of authentication for VPN access HERE

I'm investigating using Yubikeys for dual factor authentication of VPN users on our Netscreen firewall (SSG-140).

Yubico make a very nice device for two factor auth called a Yubikey, a very small USB device as thin as a key which you can give to users to keep on their keyring (I've had one on my keyring for about a year now, hardly notice it and it has not got damaged at all). When they want to use it they plug it in and rest their finger on the sensor for a few seconds and it generates a one time password. I downloaded and imported the Radius on Premise VMWare image they provide (, imported using the VMWare Convertor. The guide they provide on that page (link next to download link for VMWare image) gives a good walkthrough of the setup process, I only had a couple of issues:
  • When importing users remember to use the correct format - I'd forgotten that the CN for a user account should be the users name not username:
    CN=Peter Simpson,OU=SBSUsers,OU=users,OU=MyBusiness,DC=example,DC=com

  • When you actually try to log in or test with radtest the username is case sensitive - MS Active Directory stores the case but ignores it and half my user accounts are lowercase, the other half are mixed case.
My current problem is that although the authentication works perfectly I'm not getting a IP address so the VPN is not going to work ( I guess the netscreen assumes any radius server will be able to provide IP addresses but the Yubico Radius on Premise appliance does not. Freeradius V2.0.4 (the version in ROP) does support DHCP but it is beta and requires recompiling from source. Luckily the vpn client I am using (Shrewsoft VPN) allows me to manually configure the VPN IP address, so I can get things working but the idea of manually setting an IP address for each user does not appeal. For now though it will work fine for testing, I just need to find a few test subjects...

No comments:

Post a Comment