MFA for VPN with Centrify — Compatibility at its Best

As Senior Director of IT for Centrify, I sometimes enjoy early access to new features of our products. We use the full suite for our own identity management needs, and after over a year of experience with the platform I can truly say that I am impressed both by the rich set of current features and by management’s focus on core security principles in the product.

I was excited to hear that we would be enabling multi-factor authentication (MFA) for VPN connections. I had already looked at conventional solutions, and it was one of the last places in our network I wanted to enable a second authentication prompt. Our other IT systems tied neatly into our Centrify identities, so I was annoyed that I would have to manage a separate system for the second factor for VPN, when portal login, app access, and now even server logins (through the Centrify Server Suite) were able to leverage the additional factors I allowed in the platform.

MFA for VPN

What was even better for me was the method used to enable the second factor — the Centrify cloud connector server on my network would serve the RADIUS protocol as well. It simply and elegantly ties into both the identity platform and any remote access system which understands RADIUS, which is basically all of them. Since the RADIUS protocol has provisions for the authentication challenge built in already, most VPN clients including the older ones are already prepared to ask for a second factor if the server requires it.

I was still a little cautious when preparing for the release since I still have some clients using the original Cisco IPsec VPN client (pre-AnyConnect). Just in case the MFA feature somehow required a newer piece of functionality on the part of the client, I prepped additional changes for those clients and the allowed tunnels.

As it turned out, this prep work was unnecessary. As soon as I switched the authentication method for those tunnels to the Centrify cloud connector via RADIUS, authentication worked like a charm. The older clients acted just as before, but now correctly prompted for the second factor after the username and password were submitted. Even the Mac’s built-in Cisco VPN client prompted correctly. No endpoint changes at all for my entire network, and now we had MFA for all VPN connections. For user awareness, I only needed to send out an announcement about the feature enablement — no special training needed.

The setup was simple too, and where I expected it, with one twist. First, the cloud connector settings in my Cloud Manager portal for the Centrify Identity Suite (CIS) now had a RADIUS settings pane where I could enable the protocol and set the port (or accept the industry-standard default). I could enable multiple cloud connectors for redundancy, and select just the ones I wanted. Next, in the Authentication section of the Cloud Manager settings I could add the RADIUS clients (my Cisco and PaloAlto devices), lock down access to those IP addresses, and configure the shared secret password so that only authorized remote-access devices could query the server.

The twist was where the actual second factor was enabled — in the policies. The policy tree now included a RADIUS section under User Security Policies where I could enable RADIUS authentication, require a challenge, and select which of the various factors supported by the platform to enable. This twist was genius, though; now I retained fine-grained control over which users and groups were prompted for MFA, and in fact which had remote access at all. Since CIS role membership can leverage Active Directory groups, I could still base remote access seamlessly off of that, but I could further segment some users to use one type of second factor (like an SMS message with a code) while others could use a different one (like their CIS security question).
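To make the three pieces above concrete (the RADIUS challenge that older VPN clients already understand, the client IP allow-list with a per-client shared secret, and the policy that decides which users get which second factor), here is an added example that is not part of this post and not Centrify's code. It is a small in-memory simulation of both ends of the exchange using RFC 2865 packet framing: `RadiusMfaServer` stands in for the RADIUS service on a cloud connector, `vpn_gateway_login` for the VPN gateway acting as RADIUS client. The gateway IPs, shared secret, user records and second-factor answers are constructed values; a real deployment gets the one-time code from the user's phone, not from a dictionary.

```python
"""Toy RADIUS Access-Request / Access-Challenge / Access-Accept exchange using RFC 2865 framing.
Constructed example, not Centrify's code: names, secrets and user records below are made up."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11   # RFC 2865 codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24                # attribute types

def encode_attrs(attrs):
    """(type, value) pairs -> TLVs; the length octet counts type, length and value."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def pap_hide(password, secret, authenticator):
    """RFC 2865 5.2 User-Password hiding: each 16-byte block XOR MD5(secret + previous block)."""
    p = password + b"\x00" * (-len(password) % 16 or 16 * (not password))  # pad to a 16-byte multiple
    out, prev = b"", authenticator
    for i in range(0, len(p), 16):
        prev = bytes(x ^ y for x, y in zip(p[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def pap_unhide(cipher, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        out += bytes(x ^ y for x, y in zip(cipher[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])

def response_auth(code, ident, body, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body + secret).digest()

def build_response(code, ident, request_auth, attrs, secret):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + response_auth(code, ident, body, request_auth, secret) + body

class RadiusMfaServer:
    """Stand-in for the connector's RADIUS service: per-client secret (also the IP allow-list) and per-user factor policy."""
    PROMPTS = {"sms": b"Enter the code sent to your phone", "question": b"Answer your security question"}

    def __init__(self, clients, users):
        self.clients = clients  # {gateway_ip: shared_secret}
        self.users = users      # {name: (password, factor or None, expected second-factor answer)}
        self.pending = {}       # State value -> (user, expected answer) for open challenges

    def handle(self, src_ip, pkt):
        secret = self.clients.get(src_ip)
        if secret is None:      # not a configured RADIUS client: discard silently (RFC 2865 3)
            return None
        code, ident, req_auth, attrs = parse_packet(pkt)
        a = dict(attrs)
        reply = lambda c, extra=(): build_response(c, ident, req_auth, list(extra), secret)
        if code != ACCESS_REQUEST or USER_NAME not in a or USER_PASSWORD not in a:
            return reply(ACCESS_REJECT)
        user = a[USER_NAME].decode(errors="replace")
        answer = pap_unhide(a[USER_PASSWORD], secret, req_auth)
        if STATE in a:          # second leg: User-Password now carries the second-factor answer
            expected = self.pending.pop(a[STATE], None)
            ok = expected is not None and expected[0] == user and hmac.compare_digest(expected[1], answer)
            return reply(ACCESS_ACCEPT if ok else ACCESS_REJECT)
        record = self.users.get(user)
        if record is None or not hmac.compare_digest(record[0], answer):
            return reply(ACCESS_REJECT)
        if record[1] is None:   # policy: no challenge for this user or group
            return reply(ACCESS_ACCEPT)
        state = os.urandom(16)  # opaque State ties the next request to this challenge
        self.pending[state] = (user, record[2])
        return reply(ACCESS_CHALLENGE, [(REPLY_MESSAGE, self.PROMPTS[record[1]]), (STATE, state)])

def vpn_gateway_login(server, gateway_ip, secret, user, password, second_factor=None):
    """The VPN gateway as RADIUS client. Returns the final code, or None if the server dropped us."""
    def ask(ident, pw_field, extra=()):
        req_auth = os.urandom(16)
        body = encode_attrs([(USER_NAME, user.encode()), (USER_PASSWORD, pap_hide(pw_field, secret, req_auth))] + list(extra))
        resp = server.handle(gateway_ip, struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body)
        if resp is None:
            return None, {}
        code, rid, rauth, rattrs = parse_packet(resp)
        # verify the Response Authenticator so a forged reply cannot become an Access-Accept
        if rid != ident or not hmac.compare_digest(rauth, response_auth(code, rid, encode_attrs(rattrs), req_auth, secret)):
            return ACCESS_REJECT, {}
        return code, dict(rattrs)
    code, rattrs = ask(1, password.encode())
    if code != ACCESS_CHALLENGE:
        return code
    # Reply-Message is what the VPN client shows as its second prompt; State is echoed back unchanged
    code, _ = ask(2, (second_factor or "").encode(), [(STATE, rattrs[STATE])])
    return code
```

The point the simulation makes is the one the post relies on: nothing in the second leg is new to the VPN client. It receives an Access-Challenge with a Reply-Message, displays it, and sends another Access-Request carrying the State attribute, which is plain RFC 2865 behaviour. Everything that changed (which gateway IPs are trusted, the shared secret, and which users get a challenge and of what kind) lives on the server side, which is why the policy tree was the right place for the twist.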

By choosing the RADIUS protocol to extend the identity platform, Centrify had made my change management tasks easy:

  • CIS: Basic RADIUS service enabled on a connector and policy basis
  • Servers: One addition to the VPN server to enable RADIUS, directed at the cloud connector
  • Clients: NO CHANGE REQUIRED
  • Training: Simple – email announcement rather than detailed training

Kudos to the Centrify Engineering and Product Management teams on this new feature; enhancing security is rarely this simple or seamlessly compatible with the existing infrastructure. It checked MFA for VPN off my project list, with minimal change management for me and the IT Department.