- Password expiration email notification with PowerShell - Mon, Aug 26 2013
- WSUS basics and troubleshooting tips - Mon, Sep 24 2012
- FREE: SolarWinds Diagnostic Tool for the WSUS Agent - Fri, Jul 13 2012
PhoneFactor is free for up to 25 users and reasonably priced after that. The beauty of PhoneFactor is that it utilizes something users already have - a mobile phone - as a token rather than a proprietary device.
PhoneFactor Agent, the software behind the service, acts as a RADIUS server for authentication to network resources such as a VPN. When a user attempts authentication, he will still first be prompted for a user name and password. After he enters those details, the service will place a call to his phone and require the user to answer the call and press the “#” button. Once this is completed, the user is successfully authenticated.
In this tutorial we will install the Agent on Windows Server 2008 R2, integrate with Active Directory, link a few user accounts, and set up a RADIUS server.
You can download the PhoneFactor Agent after registering here. You will need a mobile phone to register since PhoneFactor utilizes their own system on their customer portal. Run the installer and launch the PhoneFactor Agent. You will be greeted by the Authentication Configuration Wizard, where you can:
- Enable replication between agents: Allows you to replicate data between multiple installations. Since we are only installing it on one server, do not check.
- Select Applications: You can apply PhoneFactor to a variety of applications, including Citrix, Outlook Web Access, and Remote Desktop. For our purposes, we will only choose VPN.
- VPN with Radius: Specify your VPN server IP address as well as a strong shared secret between the VPN server and PhoneFactor. Leave the default port options as-is.
- VPN Target: Since we want to authenticate against a Windows domain, we will choose Windows domain. However you can also use another RADIUS server (some firewalls have built-in RADIUS servers, so you can redirect back to the firewall).
Phonefactor Agent Configuration
Click Finish and let PhoneFactor do its magic. Once the setup is complete, you can begin using the Agent.
Locking down PhoneFactor
By default, PhoneFactor will allow any user who successfully authenticates against AD to sign in - if no user is defined (and no phone number is linked), it will just authenticate the user. In most cases, you would not want this to happen. Navigate to Company Setup and choose “Fail Authentication” when user is disabled.
We will also want to specify a default search domain for AD users. Choose the “Username Resolution” tab and specify a default search domain for the option “Use Windows security identifiers (SIDs) for matching usernames.”
Security identifiers (SIDs)
Finally, if your Active Directory user account setup is non-standard, you should navigate to Directory Integration and confirm in the “Filters” and “Attributes” tabs that the data fields you wish to use are the ones that PhoneFactor will use. Most administrators will not need to do this.
Now we can begin adding users to our PhoneFactor implementation. Because of our previous setup, only users who have been added to PhoneFactor with a phone number defined will be able to authenticate successfully against AD. After all, not all users will require remote access. Navigate to the Users section and click “Import from Active Directory.”
This powerful interface allows you to select users by OU or filter terms. You can import all users at once - which is not advisable - or specify which ones to import in a granular fashion. The users you have selected will appear in the window on the right. You will notice that by default, “Only New Users with Phone Numbers” are enabled. This is the behavior you want, since users without a phone number will authenticate using only their AD credentials. Once you are ready, click “Import.”
In many cases, you will not have defined phone numbers yet for your users in Active Directory. This is OK; you will just need to do so now for each authorized user. Double-click the user, then define a phone number and enable the user.
Phone number - Enable user
Finally, you will see your newly-enabled user in the users listing. Once you have defined all of your users, you will need to configure your VPN server to authenticate using RADIUS.
VPN Server Configuration with PhoneFactor RADIUS
Since there are so many VPN servers out there, we will focus on a few general tips for setting this up. You will typically need to provide:
- PhoneFactor Agent IP
- PhoneFactor Agent Ports: Typically, 1645,1812 for authentication and 1646,1813 for accounting. Make sure the firewall on your Agent server does not block this traffic
- Shared Secret: This is the secret you had defined in the wizard and it should be strong since it will serve as a barrier between your VPN server and the RADIUS server.
- Timeout: Make sure you set a fairly high timeout value; by default, most VPN servers do not give you a lot of time to authenticate because the RADIUS server is local to the network and does not take long to perform the lookup. However, since PhoneFactor takes about 3-5 seconds to place the call, and the user can take anywhere from 2-20 seconds to actually respond, I would recommend a timeout of at least 30 seconds.
That’s it! Though PhoneFactor offers more powerful features (especially in paid versions), you are already set up and ready to authenticate. For small businesses with fewer than 25 users, PhoneFactor is a free and easy to implement two-factor authentication solution. Give it a try today!