AuthLite Interactive Documentation
Home
Contents
CLOSE
AuthLite Interactive Documentation
Quick Start: Install and protect Domain Admins AuthLite Features Supported Tokens
How AuthLite uses YubiKeys
Installation and Upgrading
What platforms are supported? Prerequisites and Installation Linux systems MacOS machines
Configuration
Licensing AuthLite Set up User Groups
Configuring AuthLite to use your Group Pairs
Setting up the "Group for New Users"
Enforce 2-factor Logons
Use Group Policy to enforce 2-factor on Windows servers/workstations Secure Administrative Accounts with 2-factor Authentication Enforce 2-factor on File Shares using Access Control Lists (ACLs) Permit 1-factor Network Access to a Server Partial enforcement of a server (e.g. Exchange) with "Forced 2-factor Processes" Enforce non-Windows machines with "Forced 2-factor Computers" Enforce 2-factor logon to Office 365 with AuthLite LDAP logon support/enforcement
Windows Workstation (Endpoint) Protection
Cached (Offline) Workstation logon with YubiKeys Cached (Offline) Workstation logon with OATH tokens Zero-client two-factor workstation logons Workstation Safe mode operations
Remote Desktop
2FA over Remote Desktop Protocol 2FA with Remote Desktop Gateway / RemoteApp / RDWeb / RD Web Client
Replay Windows to support RDP and other re-authenticating protocols Replay Behavior setting VPN and RADIUS Configuration
Using IAS/NPS for RADIUS with AuthLite Microsoft VPN Client settings Wireless 802.1x Authentication DirectAccess and NetMotion Mobility XE Configure Watchguard SSL VPN with AuthLite
2FA for File Shares Active Directory Deployment Notes
Token Management
First: Configure Token Settings Provisioning Tokens Administratively
YubiKeys (Soft) OATH Tokens (Hardware) OATH Tokens OnlyKeys
User Self-Service
"Enroll in AuthLite" Windows program SET UP the Self-Service Web Portal USING the Self-Service Web Portal
View/Edit Existing Tokens Delegate Token Management Recovery Tokens Multiple OTP Tokens for the Same User Multiple users with the same OTP Token Password Operations
How to Log In Troubleshooting
CLOSE

Wireless 802.1x Authentication

AuthLite supports 802.1x authentication through its NPS RADIUS  plug-in.

You might not actually want to do this, because the wireless connection will probably need to re-authenticate every time your connection drops or changes access points. This means it would re-send the old OTP (which is expired).  The end result would be you would need to repeatedly enter credentials.  So, it may be preferable to permit password-only wireless authentication.

Prerequisites

  • We do not provide extra client-end software to add 802.1x support to legacy workstations. It is assumed that your client machines are capable of performing wireless authentication, such as is possible with Windows 7. Alternately, you could use a third party solution such as NetMotion Mobility XE.

  • It is assumed your Access Point is capable of supporting authentication with RADIUS with PEAP/MS-CHAPv2.1 We use DD-WRT in our validation testing.

  • Microsoft NPS as a RADIUS server.

  • Windows 7 client machine whose Trusted Root certificate store trusts the certificate your NPS server is using.

  • Users you wish to authenticate are Active Directory users. AuthLite will use AD for the password portion of the authentication.

Configuration

  • Start without AuthLite. Get 802.1x wireless authentication working between your client workstations, the access point, and the NPS server. You should be able to type your username and password into the wireless authentication prompt on your workstation, and be authenticated and connected to the wireless network. Before you can add AuthLite, you need the basic setup to be working.

  • Additional Windows 7 client settings to work with AuthLite:

  • In the Security tab of the network, deselect "Remember my credentials" (OTPs will only be valid one time!).

  • In PEAP settings, select EAP-MSCHAPv2 for the authentication method and configure it NOT to use the Windows credentials automatically (we want to enter OTPs).

  • In Security->Advanced, select "user" authentication.

  • AuthLite configuration settings:

  • Make sure you have your AuthLite users reflected in one of your AuthLite User Groups

  • Enable the IAS/NPS plug-in

  • Restart the AuthLite and NPS services

Testing

After users are in an AuthLite User Group and the NPS plugin  is active, those users will no longer be allowed to authenticate with just username and password.  Instead,type in your username followed by a dash “-” followed by the OTP.  Then enter the password as normal, and you should get authenticated to the network.

1The security of industry standard 802.1x wireless authentication is not affected by the 2012 breaking of the MS-CHAPv2 protocol because the entire tunnel is independently encrypted by PEAP first.