Is it possible to configure BEYONDTRUST RADIUS security Provider for 2-factor authentication for over-the-Internet users and 1-factor for local LAN users?
The RADIUS request object includes an attribute (31) from the requester which includes their calling-station-ID, which is the IP address – both IPv4 and IPv6 are supported. The IP address is then passed through by the Remote Support appliance to the RADIUS security provider, which determines the action. The image below is a snapshot from the BeyondTrust Verify administration console; notice that the arrow indicates trusted networks. Our understanding is that other RADIUS servers support the same form of MFA determination.
BEYONDTRUST PAM 15.3.1+ and ERS 15.2.1+ (released in Nov. 2015) added new fields to the BeyondTrust RADIUS security provider Access-Request packet attributes:
– Framed-IP-Address – sent if the client is connecting from an IPv4 address
– Framed-IPv6-Address – sent if the client is connecting from an IPv6 address
– Calling-Station-Id – contains the client’s IPv4 or IPv6 address
So, to configure 2-factor authentication for over-the-Internet users and 1-factor for local LAN users, the RADIUS server would need to check the Calling-Station-Id of all authentication requests coming from your BeyondTrust appliance and then decide whether to require 1- or 2-factor authentication based upon that IP. It would be easier to implement this when the BeyondTrust appliance uses an internal non-routable IP. In this case, all over-the-Internet authentication requests will come to the BeyondTrust appliance from the firewall, and you can configure your RADIUS server to require 2-factor authentication for all packets containing the firewall IP in the Calling-Station-Id field.
This article is an answer from the BEYONDTRUST Technical Support Team concerning a MICRODYN technical request.
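The following is an added example, not code from BeyondTrust or from the support answer above. It shows the decision a RADIUS server would have to make: it reads the Framed-IP-Address (8), Framed-IPv6-Address (168) and Calling-Station-Id (31) attributes out of an Access-Request and returns 1 or 2 required factors depending on whether the client address falls inside a trusted LAN range. The trusted networks, the sample addresses and the minimal packet builder are constructed for this example and are assumptions, not values from the article.

```python
import ipaddress
import struct

# RADIUS attribute types the article names (RFC 2865 and RFC 3162 numbering)
FRAMED_IP_ADDRESS = 8
CALLING_STATION_ID = 31
FRAMED_IPV6_ADDRESS = 168

# Assumed "local LAN" ranges for this example; an operator would supply their own.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("fd00::/8")]


def parse_attributes(packet):
    """Return (type, value) pairs from the TLV section after the 20-byte RADIUS header."""
    attrs, pos = [], 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed RADIUS attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def client_address(attrs):
    """Prefer the binary Framed-IP(v6)-Address; fall back to the textual Calling-Station-Id."""
    for atype, value in attrs:
        if atype == FRAMED_IP_ADDRESS and len(value) == 4:
            return ipaddress.ip_address(value)
        if atype == FRAMED_IPV6_ADDRESS and len(value) == 16:
            return ipaddress.ip_address(value)
    for atype, value in attrs:
        if atype == CALLING_STATION_ID:
            return ipaddress.ip_address(value.decode("ascii").strip())
    return None


def required_factors(packet, trusted=TRUSTED_NETWORKS):
    """1 factor for a trusted (LAN) source address, otherwise 2; fail closed if no address."""
    addr = client_address(parse_attributes(packet))
    if addr is None:
        return 2
    return 1 if any(addr in net for net in trusted) else 2


def build_access_request(attributes, identifier=0):
    """Constructed Access-Request (code 1) with a zeroed authenticator, for testing only."""
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attributes)
    return struct.pack("!BBH16s", 1, identifier, 20 + len(body), bytes(16)) + body
```

In the firewall layout the answer describes, the perimeter firewall's address would simply be left out of the trusted list so that every request carrying it in Calling-Station-Id resolves to 2 factors.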