Two-factor authentication for systems without two-factor authentication support
We continue to talk about our product, TOTPRadius, this time focusing on a relatively new feature: LDAP integration.
There are many systems that support two-factor authentication out of the box. In most cases this is achieved by the ability to connect a second authentication source via the LDAP or RADIUS protocol. An example of such a system is Citrix Netscaler, where you can connect a primary source via LDAP and the second one via RADIUS (or both via LDAP). TOTPRadius integrates very well with such products, and even provides an API for self-registration of the second factor.
But there are, unfortunately, products that do not support more than one authentication source. Here is an example of such a product, used by one of our clients. The client sent us a feature request, which we implemented, since we realized that there are many such products and this function, in our opinion, could be quite popular.
This is the Client VPN of a Cisco Meraki MX series firewall. According to the documentation, Meraki Client VPN supports both LDAP and RADIUS as authentication sources, but not simultaneously; you can configure one or the other. For two-factor authentication, Cisco proposes using third-party solutions, and our TOTPRadius version 0.2.2 may well be one such solution.
How does it work?
The idea is quite simple: RADIUS is used as the authorization protocol, and the user logs in with a username and a password that consists of the Active Directory password combined with a six-digit one-time password (OTP). TOTPRadius splits the submitted password into its two parts and checks the one-time password first; only if it is correct does it try to connect to the AD server with the username and the password (without the OTP). This order is deliberate: it minimizes the risk of the account being locked out in Active Directory (lockout), because a wrong OTP never produces a failed AD logon.
Self Registration
TOTPRadius can be used wherever the RADIUS protocol is supported. Unfortunately, however, self-registration is not possible everywhere; at the moment there is an integration package with Citrix Netscaler, where this process is as friendly as possible from a regular user's point of view. For Meraki Client VPN, we offer a less elegant but nevertheless quite workable method using CMAK. The principle is that when the user first connects to the VPN, a web page is launched where they can log in (using the AD password) and register their own second factor (for example, using Google Authenticator, Token2 Mobile OTP or any other TOTP-enabled application). To make this possible, users must be allowed to connect the first n times without the second factor (this is configured in the General settings section).
Cisco Meraki Client VPN is not the only product where TOTPRadius can help implement two-factor authentication; we used it only as an example.
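The following is an added, constructed model of the login flow described in the two sections above (OTP checked before the directory bind, plus the "first n logins without a second factor" allowance used during self-registration). It is not TOTPRadius code and makes assumptions the page does not state: the OTP is the last six characters of the submitted password, it is an RFC 6238 TOTP with 30-second steps and a one-step tolerance window, and the directory is an in-memory stand-in for an LDAP simple bind. The `BIND_ATTEMPTS` list exists only to make visible that a wrong OTP never reaches the directory, which is the lockout point the text makes.

```python
"""Constructed illustration of a TOTPRadius-style two-factor RADIUS flow."""
import hashlib
import hmac
import struct
import time

OTP_DIGITS = 6            # assumption: six-digit OTP appended to the AD password
TOTP_STEP_SECONDS = 30    # assumption: standard RFC 6238 time step


def totp_code(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226/6238: HMAC-SHA1 over the big-endian step counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, now: float, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side to tolerate clock drift."""
    counter = int(now // TOTP_STEP_SECONDS)
    return any(
        hmac.compare_digest(totp_code(secret, counter + drift), code)
        for drift in range(-window, window + 1)
    )


def split_password(submitted: str):
    """Split '<AD password><OTP>' into its two parts; (None, None) if malformed."""
    if len(submitted) <= OTP_DIGITS or not submitted[-OTP_DIGITS:].isdigit():
        return None, None
    return submitted[:-OTP_DIGITS], submitted[-OTP_DIGITS:]


# Constructed stand-in for the directory: username -> AD password.
DIRECTORY = {"alice": "Wint3r!Pass"}
BIND_ATTEMPTS = []  # every bind sent to the directory; each failure would count toward lockout


def fake_ldap_bind(username: str, password: str) -> bool:
    """Simulates an LDAP simple bind against the constructed directory."""
    BIND_ATTEMPTS.append(username)
    return DIRECTORY.get(username) == password


class TwoFactorRadiusAuth:
    def __init__(self, ldap_bind, max_grace_logins: int):
        self.ldap_bind = ldap_bind
        self.max_grace_logins = max_grace_logins  # the "first n times" setting
        self.secrets = {}      # username -> enrolled TOTP seed
        self.grace_used = {}   # username -> logins already made without an OTP

    def enroll(self, username: str, secret: bytes) -> None:
        """Called by the self-registration page once the user has scanned a seed."""
        self.secrets[username] = secret

    def authenticate(self, username: str, submitted: str, now=None) -> str:
        now = time.time() if now is None else now
        secret = self.secrets.get(username)
        if secret is None:
            # Self-registration phase: no second factor yet, allow n plain logins.
            used = self.grace_used.get(username, 0)
            if used >= self.max_grace_logins:
                return "reject: second factor not enrolled"
            if not self.ldap_bind(username, submitted):
                return "reject: directory bind failed"
            self.grace_used[username] = used + 1
            return "accept: grace login, enrollment required"
        ad_password, otp = split_password(submitted)
        # OTP is checked first, so a bad OTP never produces a failed AD bind.
        if otp is None or not verify_totp(secret, otp, now):
            return "reject: one-time password invalid"
        if not self.ldap_bind(username, ad_password):
            return "reject: directory bind failed"
        return "accept"


if __name__ == "__main__":
    auth = TwoFactorRadiusAuth(fake_ldap_bind, max_grace_logins=1)
    seed = b"12345678901234567890"  # RFC 6238 test-vector seed
    print(auth.authenticate("alice", "Wint3r!Pass"))                     # grace login
    auth.enroll("alice", seed)
    print(auth.authenticate("alice", "Wint3r!Pass000000", now=59))       # bad OTP
    print(auth.authenticate("alice", "Wint3r!Pass" + totp_code(seed, 1), now=59))
    print("binds sent to directory:", len(BIND_ATTEMPTS))
```

Run as a script it prints the three decisions and shows that only two binds were sent to the directory: the grace login and the successful two-factor login. The rejected attempt with a wrong OTP was stopped before any bind, which is exactly why the check order matters for account-lockout policies. In a real deployment the bind would go over LDAPS and the grace-login counter and seeds would live in persistent storage; the ordering is the part worth copying.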