PhoneFactor Blog

PhoneFactor and RADIUS

Posted  July 21, 2007 By Steve

First off, thanks to everyone for taking an interest in PhoneFactor. The response has been fantastic so far. One consequence is that I’ve been answering a lot of questions about integration of PhoneFactor into various environments. I’m going to post some pretty technical information here in an attempt to answer one recurrent question.

Let me give some background on how PhoneFactor works with RADIUS, with a view toward clarifying some of these integration questions.

First, it’s important to realize that the PhoneFactor agent supports two different kinds of RADIUS configurations:

  1. Windows Authentication mode
  2. RADIUS Proxy mode

In Windows Authentication mode, the PhoneFactor Agent works like a full RADIUS server, and can take authentication requests from any standard RADIUS client. It authenticates these requests against the Windows password database (or against Active Directory, if it’s available), and if that authentication is successful, it places the confirmation call. You can think of this mode as a drop-in replacement for Microsoft IAS, if that means anything to you.

In RADIUS Proxy mode, the PhoneFactor Agent passes all RADIUS requests it gets to the actual RADIUS server that’s already present on the network. If that server returns a successful authentication to the PhoneFactor Agent, it then places the confirmation phone call. This mode is designed to integrate into an existing RADIUS authentication infrastructure.

One subtlety in configuration #2 (RADIUS Proxy) that isn’t clear enough in the documentation is the case where you want to run both the PhoneFactor Agent and the original RADIUS server on the same computer. In this case, you have to take special care to make sure that the listening ports don’t conflict.

(Tangent: for interesting historical reasons, RADIUS servers actually tend to listen on four ports at a time. The original port picked for authentication requests was 1645, and the designers of the protocol thought that accounting should be on a separate port, which became 1646. Later on, it was pointed out that 1645/6 had already been assigned to another service, so new ports were picked: 1812/13. By then, too much equipment had shipped with 1645 hard-coded, so today most servers listen on both pairs. What a mess.)

If you want to run both the PhoneFactor Agent and another RADIUS server on the same computer, you have two options.

First, you can configure the PhoneFactor agent to listen on one of the well-known port pairs, and the real RADIUS server to listen on the other. You then reconfigure the RADIUS clients (VPN servers, etc.) to point to the PhoneFactor Agent’s port, and you configure the PhoneFactor Agent to point to the original server’s port. This works well if you can modify the configuration of the original server, or if the original server was only listening on one port pair.

The second option is to configure the PhoneFactor agent to listen on a non-standard port. In that case, you point your RADIUS clients to the non-standard port that the PhoneFactor Agent is listening on, and you point the Agent to one of the ports that the original server is listening on.

In any case, you have to be careful to get RADIUS secrets and client IP addresses straight between all of the communicating parties. Each hop has its own pair: the VPN servers and the PhoneFactor Agent share one secret, and the Agent and the original server share another, and a server only answers requests whose source IP matches a configured client entry (anything else is silently dropped, which looks like a timeout from the client's side). In practice, this usually means creating a RADIUS client entry on the original server for the PhoneFactor Agent. Some servers are reluctant to listen on 127.0.0.1, so you might need to use a non-loopback IP address on your server, and the client entry for the Agent must then match the address the Agent actually sends from.
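To make the two points above concrete (the port layout when the Agent and the original server share a host, and the per-hop secrets and client entries), here is a small model of RADIUS Proxy mode. It is an added example, not PhoneFactor's code: the addresses, secrets, user database and the confirm_call hook standing in for the phone call are all assumptions, and the in-memory LISTENERS table stands in for UDP sockets. The packet format, User-Password hiding and Response Authenticator follow RFC 2865, so the same code would interoperate with a real RADIUS peer if the send/bind layer were swapped for sockets.

```python
import hashlib
import os
import struct

# RADIUS codes and the two attribute types this example uses (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

# Assumed layout: the Agent and the original server share one host, so they
# take different port pairs (the first option in the text). The VPN server is
# the RADIUS client and points at the Agent, never at the original server.
VPN_IP, HOST = "10.0.0.5", "10.0.0.10"
AGENT_ADDR = (HOST, 1812)       # where the VPN server sends Access-Requests
UPSTREAM_ADDR = (HOST, 1645)    # where the Agent forwards them
VPN_SECRET = b"vpn-to-agent"    # shared by the VPN server and the Agent
AGENT_SECRET = b"agent-to-ias"  # shared by the Agent and the original server

# Client tables (source IP -> secret) and a user database, all constructed.
AGENT_CLIENTS = {VPN_IP: VPN_SECRET}
UPSTREAM_CLIENTS = {HOST: AGENT_SECRET}   # the client entry for the Agent
UPSTREAM_USERS = {b"alice": b"correct horse"}

LISTENERS = {}  # (host, port) -> handler; stands in for bound UDP sockets

def bind(addr, handler):
    """A second listener on the same host:port fails, as a real UDP bind would."""
    if addr in LISTENERS:
        raise OSError(f"{addr[0]}:{addr[1]} already in use")
    LISTENERS[addr] = handler

def send(addr, src_ip, packet):
    """Deliver one datagram and return the reply (None models a silent drop)."""
    return LISTENERS[addr](src_ip, packet)

def password_xor(data, secret, req_auth, hiding):
    """RFC 2865 5.2 User-Password hiding (hiding=True) or its inverse: pad to
    16 bytes and XOR each block with MD5(secret + previous ciphertext block)."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out, prev = out + block, (block if hiding else data[i:i + 16])
    return out if hiding else out.rstrip(b"\x00")  # passwords have no trailing NULs

def build(code, ident, auth, attrs):
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def attrs_of(packet):
    attrs, pos = {}, 20
    while pos < len(packet):
        t, length = packet[pos], packet[pos + 1]
        attrs[t] = packet[pos + 2:pos + length]
        pos += length
    return attrs

def respond(code, request, secret):
    """Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    draft = build(code, request[1], request[4:20], [])
    return draft[:4] + hashlib.md5(draft + secret).digest() + draft[20:]

def verify_response(reply, request, secret):
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return reply[4:20] == expected

def upstream_server(src_ip, packet):
    """The original RADIUS server: password check against UPSTREAM_USERS."""
    secret = UPSTREAM_CLIENTS.get(src_ip)
    if secret is None:
        return None  # unknown client IP: RADIUS servers drop this silently
    a = attrs_of(packet)
    password = password_xor(a.get(USER_PASSWORD, b""), secret, packet[4:20], False)
    ok = UPSTREAM_USERS.get(a.get(USER_NAME)) == password
    return respond(ACCESS_ACCEPT if ok else ACCESS_REJECT, packet, secret)

def make_agent(confirm_call):
    """Proxy-mode Agent; confirm_call(user) stands in for the confirmation call."""
    def agent(src_ip, packet):
        secret = AGENT_CLIENTS.get(src_ip)
        if secret is None:
            return None
        a = attrs_of(packet)
        # The client->Agent and Agent->server secrets differ, so the password is
        # re-hidden under AGENT_SECRET with a fresh Request Authenticator.
        fwd_auth = os.urandom(16)
        password = password_xor(a.get(USER_PASSWORD, b""), secret, packet[4:20], False)
        fwd = build(ACCESS_REQUEST, packet[1], fwd_auth, [
            (USER_NAME, a.get(USER_NAME, b"")),
            (USER_PASSWORD, password_xor(password, AGENT_SECRET, fwd_auth, True))])
        reply = send(UPSTREAM_ADDR, HOST, fwd)
        # A dropped or forged upstream reply never turns into an Accept.
        if reply is None or not verify_response(reply, fwd, AGENT_SECRET):
            return respond(ACCESS_REJECT, packet, secret)
        if reply[0] == ACCESS_ACCEPT and confirm_call(a.get(USER_NAME)):
            return respond(ACCESS_ACCEPT, packet, secret)
        return respond(ACCESS_REJECT, packet, secret)
    return agent

def vpn_login(user, password, via=AGENT_ADDR, src_ip=VPN_IP):
    """The RADIUS client (VPN server): one Access-Request, True only on Accept."""
    auth = os.urandom(16)
    req = build(ACCESS_REQUEST, 7, auth, [
        (USER_NAME, user), (USER_PASSWORD, password_xor(password, VPN_SECRET, auth, True))])
    reply = send(via, src_ip, req)
    return bool(reply is not None and verify_response(reply, req, VPN_SECRET)
                and reply[0] == ACCESS_ACCEPT)

bind(UPSTREAM_ADDR, upstream_server)
bind(AGENT_ADDR, make_agent(lambda user: True))   # call answered and confirmed
```

Two things worth trying with it: point the VPN client at UPSTREAM_ADDR instead of the Agent and the request is dropped without a reply, because the original server has no client entry for 10.0.0.5, which is exactly the "silent timeout" symptom from a wrong client entry; and bind a second agent on a non-standard port such as 18120 (the second option in the text) to see that only the VPN client's target port needs to change.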

The error reporting for this case is not particularly great in the 1.0.x versions of the PhoneFactor Agent, and it's one of the things that will be markedly improved when we ship 1.1. I'm also trying to pull together a few HOWTOs about these configurations, so if you have any special requests for specific configurations, let me know.

Happy PhoneFactoring!

-Steve


2 Responses to “PhoneFactor and RADIUS”

  1. Is there any way my Linksys wr54rt can be a server?

  2. I’m not sure if it can do RADIUS or not; if it can act as a RADIUS server, then yes. Or did you mean you want to use it as a VPN client?
