Jump to content

ESET Secure Auth 2.4


Go to solution Solved by MichalJ,

Recommended Posts

Hi

In the release notes for the new ESET Secure Auth server version 2.4 it says:

   Added: Hard token authentication without compound support

Does this mean users would be able to enter only the OTP generated from the hard token, versus the current "AD/Windows password + OTP" combination to login?

Wanted to verify before upgrading our server.

Thanks

Link to comment
Share on other sites

  • ESET Staff

Hello, in short: yes.

 

But, please make sure (with your VPN vendor) your VPN is able to validate the AD username and password by itself (not all VPNs supports this).

If everything is as it should be, user enters username and password and then is prompted for OTP.

Edited by MichalJ
Link to comment
Share on other sites

Hi
Thanks for your response.  We use the hard tokens for Cisco Anyconnect VPN Client to connect to a Cisco ASA.  And we also use it to connect to a Citrix Netscaler 11.0 to access our XenApp environment.  My understanding of the added feature was that under Radius Servers, Properties, Authentication Methods - under Mobile Application you have the choice to leave the Compound Authentication (passwordOTP) UNchecked.  Currently Hard Tokens does not have that choice to be UNchecked or turned off.  I'm hoping the new version has that additional setting for Compound to be disabled for the Hard Tokens.

Link to comment
Share on other sites

  • ESET Staff

Please make sure your VPN is able to validate AD username/password by itself. Attached is the screenshot of the setting. 

 

post-35-0-90698600-1464770518_thumb.png

Link to comment
Share on other sites

Thank you for the screenshot.  Will it work differently than the way the Mobile App currently works?  For the Mobile App, users are able to enter ADusername and the mobile OTP for the password for VPN.  For Citrix there is a username box and two password boxes.  For Mobile App users they enter ADusername, OTP, and ADpassword. For hard token user for Citrix they currently enter ADusername, ADpasswordOTP, then ADpassword.  I was hoping with the new version it would work exactly like the Mobile App currently does.  Sorry, trying to understand.

Link to comment
Share on other sites

  • ESET Staff
  • Solution

Hello,

The hardtoken without compound should work in the same way as mobile app OTPs without compound.

However when you will be using VPN which does not validate username and password by itself, then by using only hardtoken OTPs (not compound) you will be able to log in just with the OTP – this would not be considered as a two factor authentication.

With mobile apps, there is also PIN protection, which could  be theoretically consider as a second factor (emphasis on the “theoretically”), but hardtokens do not have PIN protection.

So with VPN that do not validate ADpassword we recommend using hardtokens with compound turned ON and for those which validate, you can use without compound option.

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...