Supported Validation Modes

VIP Enterprise Gateway supports several modes of validation for authenticating the password that is used for the first-factor authentication and the security code.
The VIP Enterprise Gateway Validation server is a RADIUS-based authentication service for interfacing with the enterprise network infrastructure. VIP Enterprise Gateway uses RADIUS PAP as the authentication protocol. The first-factor password and the security code are carried in the RADIUS request in one of several formats, and each format corresponds to one of the following validation modes:
User ID - Security Code
This validation mode is commonly used in many third-party application integrations where the first-factor authentication is validated by the application. Typically, the user interface of the application provides one field for entering the second-factor validation code and a separate field for entering the first-factor password. You might use this validation mode in some of the following scenarios:
  • If your enterprise applications implement stacked authentication schemes. In such schemes, the authentication that is validated in one authentication provider is passed on to the next authentication scheme for additional factor validation.
  • If your applications have integrated a primary authentication scheme to their session management. For example, many Microsoft applications provide session access only after a successful Active Directory validation.
  • If your enterprise application is not authenticating to an LDAP server, so you cannot configure any other supported validation mode. In such cases, the security code validation must be carried out independently of the first-factor authentication.
You must have a thorough understanding of the following items to implement this authentication mode:
  • An understanding of the application authentication stack.
  • An understanding of how the user name and the security code fields are extracted and passed on to the Validation server.
    If this mode is supported in VIP third-party application integration plug-ins, the plug-in typically takes care of the extraction of the user name and the security code from the original RADIUS authentication request.
Note the following special conditions for this mode:
  • This Validation server can only be used for second-factor authentication. First-factor authentication must be performed separately by the application.
  • During Business Continuity mode, this Validation server accepts any security code without validating it. If used in isolation, this lack of validation can lead to a significant security compromise.
  • This Validation server can be used without configuring a user store. However, when you are authenticating to an LDAP system for first-factor authentication, you may be using a different authentication user name than the user name registered with VIP. This is typical with Microsoft applications. In such cases, you may use the Use LDAP User Name for VIP Authentication Service Validation option, which mandates that at least one LDAP user store is configured with the VIP Enterprise Gateway server.
User ID - LDAP Password - Security Code
This validation mode is typically used in scenarios where the first-factor password and the second-factor security code are entered in the same field because of interface restrictions. This configuration is also ideal for authentication where the application allows only one RADIUS authentication server to be configured without any stacked authentication. Upon receiving the RADIUS request, the Validation server splits the received password into the LDAP password and the security code. The Validation server validates the LDAP password against the user store and the security code against the VIP Authentication Service. A user store must be configured for this kind of integration. Most organizations with VPNs use this mode of authentication.
User ID - Access PIN - Security Code
This validation mode is similar to the User ID - LDAP Password - Security Code mode. This validation mode is useful for organizations with the following remote access use cases:
  • You want to implement another first-factor credential for VPN other than the LDAP/AD password.
  • Some of the users of your services may not have an entry in the organization’s LDAP.
In this validation mode, the concatenated Access PIN and the Security Code are sent to the VIP Enterprise Gateway server. The VIP Enterprise Gateway server forwards the access PIN and the security code to the VIP Authentication Service for validation. On a successful validation in the VIP Authentication Service, the user is provided access to the resource.
Note the following special conditions for this mode:
  • This Validation server can be configured without configuring an LDAP user store with VIP Enterprise Gateway.
  • The user cannot be authenticated using an enterprise LDAP user name.
  • In Business Continuity mode, all validation requests are rejected.
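The following is an added example, not Symantec's code, that models how a Validation server would decide a RADIUS PAP request under each of the three modes described above, including the Business Continuity conditions the page states for the User ID - Security Code and User ID - Access PIN - Security Code modes. The LDAP user store and the VIP Authentication Service are replaced by constructed in-memory tables, and the rule for splitting the RADIUS password (trailing six-digit security code) is an assumption made for the example; the page does not specify the split format.

```python
import hmac
from enum import Enum
from typing import Optional


class Mode(Enum):
    USER_ID_SECURITY_CODE = "User ID - Security Code"
    USER_ID_LDAP_PASSWORD_SECURITY_CODE = "User ID - LDAP Password - Security Code"
    USER_ID_ACCESS_PIN_SECURITY_CODE = "User ID - Access PIN - Security Code"


# Constructed sample data: a stand-in for the LDAP user store and for the
# records the VIP Authentication Service would hold. Not real credentials.
LDAP_USER_STORE = {"alice": "Winter2024!"}
VIP_RECORDS = {
    "alice": {"code": "123456", "pin": "4421"},
    "contractor1": {"code": "654321", "pin": "9081"},  # no LDAP entry at all
}

SECURITY_CODE_LEN = 6  # assumption: the security code is the trailing 6 digits


def split_password(raw: str, code_len: int = SECURITY_CODE_LEN) -> tuple:
    """Split a RADIUS PAP User-Password into (first factor, security code).

    Assumption for this example: the security code is the last code_len
    characters and is numeric; everything before it is the LDAP password
    (mode 2) or the access PIN (mode 3).
    """
    if len(raw) <= code_len or not raw[-code_len:].isdigit():
        raise ValueError("User-Password too short or security code not numeric")
    return raw[:-code_len], raw[-code_len:]


def _eq(a: str, b: str) -> bool:
    # Constant-time comparison so a wrong PIN and a wrong code take the same time.
    return hmac.compare_digest(a.encode(), b.encode())


def ldap_bind(user: str, password: str) -> bool:
    """Stand-in for the LDAP bind against the configured user store."""
    stored = LDAP_USER_STORE.get(user)
    return stored is not None and _eq(stored, password)


def vip_validate(user: str, code: str, pin: Optional[str] = None) -> bool:
    """Stand-in for the VIP Authentication Service check (code, plus PIN when given)."""
    rec = VIP_RECORDS.get(user)
    if rec is None:
        return False
    if pin is not None and not _eq(rec["pin"], pin):
        return False
    return _eq(rec["code"], code)


def validate(mode: Mode, user: str, password: str, business_continuity: bool = False) -> bool:
    """Decide a RADIUS request the way each validation mode on the page describes."""
    if mode is Mode.USER_ID_SECURITY_CODE:
        # The application already validated the first factor; only the code arrives here.
        if business_continuity:
            # The page's caveat: in Business Continuity mode this server accepts any
            # code without validating it, so the second factor is effectively disabled.
            return True
        return vip_validate(user, password)

    if mode is Mode.USER_ID_LDAP_PASSWORD_SECURITY_CODE:
        if business_continuity:
            raise NotImplementedError("Business Continuity behaviour for this mode is not "
                                      "described in this section, so it is not modelled")
        try:
            ldap_password, code = split_password(password)
        except ValueError:
            return False
        # Both factors must pass: LDAP bind against the user store, then the code against VIP.
        return ldap_bind(user, ldap_password) and vip_validate(user, code)

    if mode is Mode.USER_ID_ACCESS_PIN_SECURITY_CODE:
        if business_continuity:
            return False  # the page: all validation requests are rejected
        try:
            pin, code = split_password(password)
        except ValueError:
            return False
        # No LDAP lookup: the PIN and the code are forwarded to the VIP service together.
        return vip_validate(user, code, pin=pin)

    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    print(validate(Mode.USER_ID_LDAP_PASSWORD_SECURITY_CODE, "alice", "Winter2024!123456"))
    print(validate(Mode.USER_ID_ACCESS_PIN_SECURITY_CODE, "contractor1", "9081654321"))
    print(validate(Mode.USER_ID_SECURITY_CODE, "alice", "000000", business_continuity=True))
```

The third call in the usage block is the point the page warns about: a User ID - Security Code server in Business Continuity mode returns success for a code that would otherwise be rejected, which is why that mode should only sit behind an application that has already validated the first factor.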