wiki:2faVPN
Last modified 11 months ago Last modified on 03/27/19 11:25:10

Two factor authentication provides Increased assurance for privileged VPN access to UA network. As of March 2017 two VPNs require Duo two-factor authentication:

swf-no-1.vpn.alaska.edu and
swf-ts-1.vpn.alaska.edu

You must request access to use VPN's through the UA Service Desk / incident ticket http://www.alaska.edu/oit/servicecatalog/#id=162

VPN authentication

VPNs use Duo's "Append Mode" to provide a second factor in addition to UA Password in the Password field. You enter your password, followed by a comma, then an indicator of your second factor. You can provide the second factor using DuoMobile Push, telephone call-back, one-time passcodes (OTPs), or YubiKey token.

DuoMobile for second factor

password,push             e.g., enTrenching?4flogged,push

pushes a login request to your smart phone with DuoMobile app enrolled for UA; review the request and tap "Approve" on the phone to complete login.

One-time Passcodes for second factor

password,OTPasscode      e.g., Licenser&6wiretapper,012345

where OTPasscode is a one-time passcode generated with DuoMobile, or generated by your hardware token (see use of YubiKey? section below for automated entry of OTPasscode).

You can also request that passcodes be sent to you via SMS to your enrolled mobile phone by appending "sms" to your password; please note that SMS is considered less secure than other methods using OTPasswords, and may be disallowed in the future.

password,sms      e.g., Licenser&6wiretapper,sms

Telephone call-back for second factor

password,phone#          e.g., BestialiZed^7picovolts,phone

will trigger a telephone call to the number that has been enrolled and attached to your Duo account; you will be asked to touch a key on the telephone key pad to complete authentication. If you have multiple phone numbers enrolled and attached to your Duo account, you can specify which to use by typing "phone1" or "phone2".

You can enroll telephone numbers in your Duo account if you are enrolled for use of Duo for SSO (see https://iam.alaska.edu/trac/wiki/mfa for Duo enrollment instructions).

Use YubiKey for 2FA with UA VPNs

  1. Obtain a YubiKey supporting OTP in form factor that works for you:

https://www.yubico.com/products/yubikey-hardware/

  1. Download the YubiKey Personalization Tool:

https://www.yubico.com/support/knowledge-base/categories/articles/yubikey-personalization-tools/

  1. Configure your YubiKey for OTP in one of its two (virtual) slots* (generally shipped already programmed for OTP in slot 1) using the Duo guide:

https://duo.com/docs/yubikey

  1. Send the CSV string with digital serial no, 6 byte private id, 16 bit secret key (like this:)
    4475749, e7 fe 84 57 55 d4, 81 84 65 01 22 db e5 00 57 f9 68 92 7f 22 4b 6a
    

to IAM or Security, noting your UA Username, which is the Duo account to which the token will be attached.

  1. IAM or Security will upload the CSV string to import your token, and assign it to your ID at Duo
  1. When integrated (step 5), you can use the YubiKey to send the second factor passcode:

In the password field type your password followed by comma then touch your key*; that is,

password,

then touch your key, which enters a one-time passcode.


*Which of the YubiKey's two (virtual) slots is used is determined by the duration of your touch. The first slot is used to generate the output when the YubiKey button is touched between 0.3 to 1.5 seconds and released and the second slot is used if the button is touched between 2 to 5 seconds.