UAG DirectAccess - OTP

  • Question

  • I have a DirectAccess solution with OTP (RSA token) running on 2 virtual servers with 2008 R2 and UAG SP2. The UAG array is load balanced through BIG-IP. The OTP CA is configured with a PowerShell script via the UAG Wizard, and I have verified that the CA templates have been configured correctly. When a computer is connected over DirectAccess and goes into lock mode, the user is asked for OTP creds when logging on again. But even if the user ignores the OTP pop-up, full access is given to the internal network. There are no errors in the UAG logs, so what can be causing this behavior?

    Monday, November 19, 2012 2:57 PM

Answers

  • Think we figured this out. When the user establishes the intranet IPsec tunnel, the certificate has a lifetime of 8 hours. When the client goes into lock mode and the user unlocks, the user certificate is deleted OK. But the IPsec tunnel, consisting of a "main mode" SA and a "quick mode" SA, each has a lifetime of 60 minutes, so even if the certificate is deleted the tunnel is still valid until the "quick mode" SA tries to renew the session against the "main mode" SA. So even though the user has to authenticate with OTP to establish a new tunnel, he/she can continue to use the first tunnel until the SAs expire.

    Wednesday, January 9, 2013 10:33 AM
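The answer above describes a window in which the intranet tunnel keeps carrying traffic after the short-lived OTP user certificate has been removed from the client. The following is an added model to make that window concrete; it is not code from this thread or from UAG. It assumes simplified IKE/AuthIP semantics (a quick-mode rekey under a live main-mode SA does not re-authenticate, while re-establishing the main-mode SA does) and treats the SA lifetimes and the minute at which the user locks as constructed inputs, so it goes slightly beyond the post by showing how the main-mode SA lifetime, not the certificate lifetime, bounds the exposure.

```python
"""Constructed model: how long a DirectAccess intranet tunnel keeps passing
traffic after the OTP user certificate has been deleted from the client.

Added illustration, not code from the thread or from UAG. Lifetimes are in
minutes and are assumed inputs. Simplification: a quick-mode (QM) rekey rides
on the existing main-mode (MM) SA without re-authentication; rebuilding the
MM SA requires the user certificate again.
"""
from dataclasses import dataclass, field


@dataclass
class TunnelState:
    mm_expires: int             # minute at which the main-mode SA expires
    qm_expires: int             # minute at which the quick-mode SA expires
    cert_present: bool = True   # OTP user certificate still on the client
    events: list = field(default_factory=list)


def simulate(mm_lifetime, qm_lifetime, cert_deleted_at, horizon):
    """Walk the tunnel minute by minute (cert_deleted_at must be >= 1).

    Returns (minutes of traffic carried after the certificate was deleted,
    event log) so the exposure window can be compared across lifetimes.
    """
    st = TunnelState(mm_expires=mm_lifetime, qm_expires=qm_lifetime)
    exposure = 0
    for t in range(1, horizon + 1):
        if t == cert_deleted_at:
            st.cert_present = False
            st.events.append(f"{t:4d}: lock/unlock, OTP cert deleted, OTP prompt ignored")
        if t >= st.mm_expires:
            # Re-establishing the MM SA is where the user is authenticated.
            if st.cert_present:
                st.mm_expires = t + mm_lifetime
                st.events.append(f"{t:4d}: MM SA re-authenticated with user cert")
            else:
                st.events.append(f"{t:4d}: MM SA expired, no cert -> tunnel down")
                break
        if t >= st.qm_expires:
            # QM rekey under a live MM SA needs no new authentication.
            st.qm_expires = t + qm_lifetime
            st.events.append(f"{t:4d}: QM SA rekeyed under live MM SA (no re-auth)")
        if not st.cert_present:
            exposure += 1   # traffic still flows without a valid cert
    return exposure, st.events


if __name__ == "__main__":
    # Lifetimes from the post (60 min each); lock after 20 minutes (constructed).
    for mm in (60, 15):
        minutes, log = simulate(mm, 60, 20, 200)
        print(f"MM lifetime {mm} min -> {minutes} min of access without a cert")
        for line in log:
            print("   ", line)
```

Running the block shows that shortening the main-mode SA lifetime shrinks the exposure window accordingly, which is the lever to tune if the tunnel must stop promptly after a lock.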

All replies

  • How many servers do you have in the Management Servers config? Any server ticked in here will be fully accessible even without the OTP credentials being supplied, as this is using the maintenance tunnel rather than the intranet tunnel. The best thing would be to have a domain controller that does nothing else (no file services etc.) as the only management server.
    • Proposed as answer by Craig-Taylor Wednesday, January 2, 2013 12:49 PM
    Sunday, December 30, 2012 9:15 AM