3.1.10.2.24. radius2FASync

The RADIUS two-factor authentication plugin works with a Symantec system that uses a second RADIUS server as the 2FA provider; that server manages the process of obtaining the second factor. The plugin validates VPN connections with or without OTP, adding a second authentication factor to improve security.

The following fields must be configured to set up the plugin:


  • Radius IP: IP address to which RADIUS authentication messages are sent.

  • Radius Port: Port to which RADIUS authentication messages are sent.

  • Radius Secret: Shared secret used to connect to the RADIUS server.

  • Push Keyword: Keyword sent to the RADIUS server to request a push.

  • Execution order: Determines the order in which sync plugins are executed, with higher priority assigned to lower numerical values (0 being the lowest priority). In situations where multiple plugins share the same execution order value, the execution order will follow an alphabetical arrangement.

The following diagram shows the plugin flow:

[Figure: radius2FASync plugin flow diagram]


  1. First, the plugin checks that none of its configuration values are empty. If none are, it sends a login request to the second RADIUS server, which manages the 2FA.

  2. The plugin waits for a response to the login request. The request may be rejected, time out, or be accepted.

     • If it is accepted, the VLAN configured in the policy used by the plugin is assigned to the user’s device.

     • If it is not accepted, the access-denied VLAN is assigned.

  3. While the radius2FA plugin runs, the user validates the connection or enters the OTP in an application. The plugin itself does not process this step; the RADIUS server configured for the 2FA process is in charge of it.
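
The request and decision steps above, sketched as an added example (not the plugin's own code): it builds an RFC 2865 Access-Request, verifies the reply's Response Authenticator against the shared secret, and maps the outcome to a VLAN. Assumptions: the push keyword travels in the User-Password attribute, all function names are hypothetical, and a reply that fails verification is treated as not accepted.

```python
import hashlib, hmac, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    size = max(1, -(-len(password) // 16)) * 16
    padded, out, prev = password.ljust(size, b"\x00"), b"", req_auth
    for i in range(0, size, 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def build_access_request(user, push_keyword, secret, ident, req_auth):
    """Access-Request with User-Name (1) and the keyword hidden in User-Password (2).
    req_auth must be 16 fresh random bytes per request, e.g. os.urandom(16)."""
    attrs = b""
    for atype, value in ((1, user), (2, hide_password(push_keyword, secret, req_auth))):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def sign_reply(code, ident, req_auth, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(header + req_auth + attrs + secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def classify_reply(reply, secret, ident, req_auth):
    """reply=None models a socket timeout; unverifiable replies are 'invalid'."""
    if reply is None:
        return "timeout"
    if len(reply) < 20:
        return "invalid"
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or length != len(reply):
        return "invalid"
    expected = sign_reply(code, rid, req_auth, secret, reply[20:])[4:20]
    if not hmac.compare_digest(expected, reply[4:20]):
        return "invalid"  # wrong shared secret or spoofed sender
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "invalid")

def assign_vlan(outcome, policy_vlan, denied_vlan):
    """Only a verified Access-Accept earns the policy VLAN; everything else is denied."""
    return policy_vlan if outcome == "accept" else denied_vlan
```

Checking the Response Authenticator means a reply from a host that does not hold the Radius Secret cannot move a device into the policy VLAN.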