1) Presently, the two ways Pragma Fortress supports 2FA is 1) via smartcards containing x.509 certificates or 2) using public/private keys with a passcode. Both work in essentially the same way, the public key is presented along with a signed response. If using smartcards, the signing operation requires a PIN which is set up when the smartcard is configured; if using public/private keys, the signing operation requires the user to enter the passphrase which locks the private key. If we find there is demand for Google OTP, we certainly have no problems with implementing it. OTP uses a mathematical progression in which both the server and the authenticator share the initial constants.
2) When you initialize a smartcard, a PIN usually configured. Additionally you can reset the PIN to different values by using the Microsoft certutil or an application provided by the smartcard vendor. The PINs are not generated fresh like in the OTP case, they are configured to the card by the user or administrator.
3) Standard AAA servers (like RADIUS) cannot accommodate a PIN (or 2fA). In the cisco 2fa scenario, authentication happens on the cisco device itself and afterwards, the AAA server is contacted to perform the Access and Accounting roles. Products like ISE or TACACS+ allow you to selectively pick which roles the AAA server performs, which makes them preferred for this setup. If you are using RADIUS the same process applies, but the backing database store (activie directory if using NPS) needs to have the passwords for the accounts used fixed to a hard coded value (‘cisco’ in the case of cisco). This is because RADIUS still needs to perform authentication (even though the device has already authenticated) and doesn’t have the needed password for the users account. Brocades implication handles the RADIUS AAA server case a little better. After authentication is performed to the device, the switch will then go to the AAA server for access and accounting, but will prompt for the password to allow RADIUS to authenticate (essentially, 3 factor).
4) Pragma Fortress requires an x.509 certificate to be placed on the smartcard if using smartcards for authentication.
Pragma Systems Technical Support
13809 Research Blvd, #675
Austin, TX 78750