Hi I have purchased a license of Pragma fortress 5.0 with which I will use to test my development(not yet done) to support  two factor authentication with x509 on my server device. I have the following queries about 2 factor authentication with x509 digital certificate.

1) Is CAC Smart card reader mandatory for 2FA ? I understand that CAC smart card reader is physically connected via USB to the system where Pragma client is installed and Pragma fortress​​ prompts for the PIN when CAC reader is physically reset. Can't I use the PIN from a google authenticator OTP ? If yes there should be a way to provide the google OTP to Pragma fortress without a smart card reader.

2) If Google authenticator cannot be used, then what generates the PIN?  Does the CAC reader have the software to generate the random PIN? I understand it just allows insertion and detection of the smart card.

3) Does the x509 certificate have any field that is used as password to which the PIN is appended when sending authentication request to ​​the AAA server, or should the SSH server prefix it's own password to the PIN to send to the AAA server ?

4) Is it mandatory to have the x509 certificate on the smart card inserted into the CAC reader?​​ ​​

Thanks
Sreedhar​​​
​​

1)    Presently, the two ways Pragma Fortress supports 2FA is 1) via smartcards containing x.509 certificates or 2) using public/private keys with a passcode. Both work in essentially the same way, the public key is presented along with a signed response. If using smartcards, the signing operation requires a PIN which is set up when the smartcard is configured; if using public/private keys, the signing operation requires the user to enter the passphrase which locks the private key. If we find there is demand for Google OTP, we certainly have no problems with implementing it. OTP uses a mathematical progression in which both the server and the authenticator share the initial constants.

2)    When you initialize a smartcard, a PIN usually configured. Additionally you can reset the PIN to different values by using the Microsoft certutil or an application provided by the smartcard vendor. The PINs are not generated fresh like in the OTP case, they are configured to the card by the user or administrator.

3)    Standard AAA servers (like RADIUS) cannot accommodate a PIN (or 2fA). In the cisco 2fa scenario, authentication happens on the cisco device itself and afterwards, the AAA server is contacted to perform the Access and Accounting roles. Products like ISE or TACACS+ allow you to selectively pick which roles the AAA server performs, which makes them preferred for this setup. If you are using RADIUS the same process applies, but the backing database store (activie directory if using NPS) needs to have the passwords for the accounts used fixed to a hard coded value (‘cisco’ in the case of cisco). This is because RADIUS still needs to perform authentication (even though the device has already authenticated) and doesn’t have the needed password for the users account. Brocades implication handles the RADIUS AAA server case a little better. After authentication is performed to the device, the switch will then go to the AAA server for access and accounting, but will prompt for the password to allow RADIUS to authenticate (essentially, 3 factor). 

4)    Pragma Fortress requires an x.509 certificate to be placed on the smartcard if using smartcards for authentication.



Pragma Systems Technical Support
13809 Research Blvd, #675
Austin, TX 78750
http://www.pragmasys.com

+x

 

Technical Support Group (TSG) - 4/30/2018 6:07:59 PM

1)    Presently, the two ways Pragma Fortress supports 2FA is 1) via smartcards containing x.509 certificates or 2) using public/private keys with a passcode. Both work in essentially the same way, the public key is presented along with a signed response. If using smartcards, the signing operation requires a PIN which is set up when the smartcard is configured; if using public/private keys, the signing operation requires the user to enter the passphrase which locks the private key. If we find there is demand for Google OTP, we certainly have no problems with implementing it. OTP uses a mathematical progression in which both the server and the authenticator share the initial constants.

2)    When you initialize a smartcard, a PIN usually configured. Additionally you can reset the PIN to different values by using the Microsoft certutil or an application provided by the smartcard vendor. The PINs are not generated fresh like in the OTP case, they are configured to the card by the user or administrator.

3)    Standard AAA servers (like RADIUS) cannot accommodate a PIN (or 2fA). In the cisco 2fa scenario, authentication happens on the cisco device itself and afterwards, the AAA server is contacted to perform the Access and Accounting roles. Products like ISE or TACACS+ allow you to selectively pick which roles the AAA server performs, which makes them preferred for this setup. If you are using RADIUS the same process applies, but the backing database store (activie directory if using NPS) needs to have the passwords for the accounts used fixed to a hard coded value (‘cisco’ in the case of cisco). This is because RADIUS still needs to perform authentication (even though the device has already authenticated) and doesn’t have the needed password for the users account. Brocades implication handles the RADIUS AAA server case a little better. After authentication is performed to the device, the switch will then go to the AAA server for access and accounting, but will prompt for the password to allow RADIUS to authenticate (essentially, 3 factor). 

4)    Pragma Fortress requires an x.509 certificate to be placed on the smartcard if using smartcards for authentication.

Hi
Thanks for the reply.

​​ For question 3) I would like to know if Pragma provides a way to enter the static password also along with the PIN. RADIUS 2FA works in the way that password is appended with the PIN and sent to RADIUS server for authentication.​ Here user has the flexibility to change the password on the server. So he would provide the same from the SSH server(that talks to Pragma) which also runs the RADIUS client. If Pragma does not take password as input from user, then is the user expected to configure the password on the SSH server to be used for RADIUS authentication ?

For question 2) if PIN does not refresh like OTP, how does it get synchronized with the PAM(PLUGGABLE AUTHENTICATION MODULE) used by the SSH server that initiates 2FA with RADIUS? The google OTP gets synchronzied​​ to PAM, as PAM also computes PIN based on same algorithm.
​​

The Pragma Fortress SSH Server is a native windows implementation and windows doesn’t really have a native version of PAM. There is GINA which is PAM like, but more focused on interactive graphical logons. There are a couple of third party GINA plugins that support OTP but we haven’t tried them. That said, we use standard windows calls (LogonUser) to get a logon token when using password authentication, so, assuming they integrate with windows on that level, I don’t see why it wouldn’t work, but I can’t really provide any guidance on that front.

As to the second question. Two factor authentication typically means something you have and something you know. For a smartcard logon, you have the card and know the PIN. For password+OTP you know the password and have an authenticator. Smart card pins don’t need to get synchronized with the server. The pin just allows the card to perform the signing operation required by the authentication. It isn’t actually passed to the server. So long as the server has the public key, they can verify the signature.



Pragma Systems Technical Support
13809 Research Blvd, #675
Austin, TX 78750
http://www.pragmasys.com