User Authentication
The AAA Server accepts multiple user authentication methods.
Primary Authentication Methods
- Challenge/Response
- One-Time Password
- One-Time Password + PIN (available for ActivID Mini Token)
- Soft Tokens (Mobile)
- X509 Certificate (EAP-TLS)
- Static Password
- LDAP Password
- SMS Password (plus an Activation Code)
- Pass-Through Authentication (other RADIUS server)
Backup/Secondary Authentication Methods
If the user is unable to use the primary authentication method (credentials are lost, forgotten or stolen), then the user can authenticate using the backup methods:
- Static Password
- LDAP Password
- Temporary Password
- SMS Password (plus an Activation Code)
Authentication Flow
The end-user's logon experience varies according to the type of authentication method. The following sections explain the authentication flow when the user logs on with an ActivID device or Soft Token, or with an SMS-based One-Time Password (OTP).
Using an ActivID Device or Soft Token
A successful AAA Server authentication proceeds as follows:
- From a Network Access Server, Firewall, Virtual Private Network, Web Server, or Wireless LAN Access Point, the User ID and password are sent as an authentication request to the AAA Server using RADIUS, TACACS+, or IEEE 802.1x protocols.
- When the AAA Server receives the request, it looks up the serial number of the user's authentication device (in the LDAP directory). If the user's account is disabled or expired in the LDAP directory, then the authentication request is rejected.
- AAA Server retrieves from its database the necessary information (for example, secret keys, session counters) associated with the device.
- AAA Server validates the dynamic password and sends an accept or reject response (allow/deny access).
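The device flow above hinges on the last two steps: the server holds the device's secret key and session counter, and accepts a dynamic password only if it matches one of the next few counter values. The following is an added illustration, not code from the AAA Server or from HID; it assumes a counter-based OTP in the style of RFC 4226 HOTP (the product's actual algorithm is not stated on this page), a constructed in-memory directory and device table, and a hypothetical look-ahead window of 5.

```python
import hmac
import hashlib
import struct

# Constructed sample data (not the product's schema): a directory entry maps a user to a
# device serial number plus account status, and a device record holds secret + counter.
DIRECTORY = {
    "alice": {"serial": "DEV-0001", "disabled": False, "expired": False},
    "bob":   {"serial": "DEV-0002", "disabled": True,  "expired": False},
}
DEVICES = {
    "DEV-0001": {"secret": b"12345678901234567890", "counter": 0},
    "DEV-0002": {"secret": b"ABCDEFGHIJKLMNOPQRST", "counter": 0},
}

LOOK_AHEAD = 5  # hypothetical resync window: accept up to 5 counter values ahead of the stored one


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def authenticate(user_id: str, passcode: str) -> bool:
    """Mirror the four steps: look up the user's device serial in the directory, reject a
    disabled or expired account, fetch the device secret and counter, validate the passcode."""
    entry = DIRECTORY.get(user_id)
    if entry is None or entry["disabled"] or entry["expired"]:
        return False
    device = DEVICES[entry["serial"]]
    # Try the stored counter and the look-ahead window; a match moves the counter past it,
    # so a captured OTP cannot be replayed and older OTPs are no longer accepted.
    for c in range(device["counter"], device["counter"] + LOOK_AHEAD + 1):
        if hmac.compare_digest(hotp(device["secret"], c), passcode):
            device["counter"] = c + 1
            return True
    return False
```

The counter advance after a successful match is what makes the dynamic password single-use; the directory status check happens before any cryptographic work, so a disabled account is rejected regardless of the passcode presented.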
Using an SMS Password
A successful AAA Server SMS authentication is a two-step process:
- Step 1 - User Requests an OTP from the AAA Server
- Step 2 - User Re-Authenticates with OTP Received on Mobile Phone
Step 1 - User Requests an OTP from the AAA Server
In the system or application logon form, the user authenticates with their username and an Activation Code (also called PIN). This attempt requests that an OTP be sent to their cellular/mobile telephone.
- The user enters their username and, as the passcode, the Activation Code/PIN.
- AAA Server verifies that the Activation Code/PIN matches the one defined for the user, and that the user is authorized to use an SMS Password as a primary authentication method (the user's cellular/mobile telephone must be defined in the LDAP attribute configured in the SMS Gateway settings; by default, this is 'mobile').
- On successful verification, AAA Server generates an OTP.
- AAA Server sends the OTP via SMS to the user's cellular/mobile telephone (using the defined SMS Gateway).
Step 2 - User Re-Authenticates with OTP Received on Mobile Phone
In the system or application logon form, the user re-authenticates with their username and the OTP they received on their cellular/mobile telephone.
- The user receives the OTP in an SMS message.
- The user authenticates with their username and, as the passcode, the OTP.
- The username and OTP are sent to the AAA Server for verification.
- AAA Server validates the OTP.
- The AAA Server sends the authentication response back to the system or application (allow/deny access).
On successful verification of the OTP, the user is allowed access to the resource.
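The two-step SMS flow (Step 1 and Step 2 above) can be seen end to end in the following added example, which is not code from the AAA Server or from HID. It assumes a constructed in-memory directory whose mobile number lives in an attribute named 'mobile' (the default named above), a stand-in SMS Gateway that only records what it would send, a hypothetical 6-digit OTP and a hypothetical 5-minute OTP lifetime.

```python
import hmac
import secrets
import time

# Constructed sample directory (not the product's schema). 'carol' has an Activation Code
# but no 'mobile' attribute, so she is not authorized for SMS Password authentication.
SMS_MOBILE_ATTRIBUTE = "mobile"
DIRECTORY = {
    "alice": {"activation_code": "4821", SMS_MOBILE_ATTRIBUTE: "+15555550100"},
    "carol": {"activation_code": "7390"},
}
OTP_LIFETIME_SECONDS = 300  # hypothetical lifetime; the page states none


class SmsGateway:
    """Stand-in for the configured SMS Gateway: records messages instead of sending them."""
    def __init__(self):
        self.sent = []

    def send(self, number: str, text: str) -> None:
        self.sent.append((number, text))


class AaaServer:
    def __init__(self, gateway: SmsGateway, clock=time.time):
        self.gateway = gateway
        self.clock = clock          # injectable so expiry can be tested deterministically
        self.pending = {}           # username -> (otp, expiry timestamp)

    def step1_request_otp(self, username: str, passcode: str) -> bool:
        """Step 1: username + Activation Code/PIN. Success means an OTP was issued, not access."""
        user = DIRECTORY.get(username)
        if user is None:
            return False
        if not hmac.compare_digest(user["activation_code"], passcode):
            return False
        mobile = user.get(SMS_MOBILE_ATTRIBUTE)
        if not mobile:
            return False            # authorized for SMS only if the mobile attribute is set
        otp = "".join(secrets.choice("0123456789") for _ in range(6))
        self.pending[username] = (otp, self.clock() + OTP_LIFETIME_SECONDS)
        self.gateway.send(mobile, f"Your one-time password is {otp}")
        return True

    def step2_authenticate(self, username: str, passcode: str) -> bool:
        """Step 2: username + the OTP received by SMS. The OTP is consumed on first use,
        whether or not it matched, and is rejected once its lifetime has passed."""
        record = self.pending.pop(username, None)
        if record is None:
            return False
        otp, expiry = record
        if self.clock() > expiry:
            return False
        return hmac.compare_digest(otp, passcode)
```

Consuming the pending OTP on a failed Step 2 attempt forces the user back to Step 1 for a fresh code, which caps guessing at one attempt per SMS; the injected clock lets the expiry branch be exercised without waiting.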