Monday, December 3, 2007

Finally no-pin mode support in ActivIdentity's 4TRESS AAA server

When doing strong authentication with OTP tokens you always follow the same principle: something you have plus something you know together give access. Neither factor on its own should be enough.

In SSL VPN deployments, one of the most popular setups is two-stage authentication: the user's LDAP/Active Directory account password plus a passcode generated with an OTP token.

I got the question more than once: our users find it too difficult to remember their password and an extra PIN code. That, together with the generation of the passcode (= tokencode + PIN code), makes it rather complex for a non-IT-oriented user to log in. The second question was then: to still respect strong authentication, can't we use the password as "something you know" and the tokencode as "something you have"?

This is indeed possible, and it depends on the kind of tokens you're using, or rather on the AAA software that manages these tokens. For example, ActivIdentity supports this since version 6.5 of its 4TRESS AAA RADIUS server. Keep in mind what you give up: in no-pin mode the token PIN is no longer checked, so the directory password becomes the only "something you know". The VPN must therefore always require both the password and the tokencode; if it accepts the tokencode alone, a lost or stolen token is all an attacker needs. Here you'll find a screenshot of the Mini Token PIN Policy setting:


Thursday, November 29, 2007

vmware: access the serial console of your vm'ed appliance

VMware is a great tool to demo/test appliances, but what about the serial console? You can have VMware redirect the data stream of an emulated serial port to a named pipe on the host OS. That named pipe can in turn be redirected to a TCP socket, which converts the serial data stream into a TCP/IP stream. This lets you use a regular telnet program to talk to the serial console of your VM'ed appliance.

On Linux you can use socat (http://www.dest-unreach.org/socat/ - on Debian you can do an apt-get install socat ;) to redirect this named pipe to a socket. On Windows there is a tool for it: Named Pipe TCP Proxy Utility (http://shvechkov.tripod.com/nptp.html). Basically what you do is the following (the example below is done on Linux (Debian), but on Windows the procedure is roughly the same):

  1. You create a serial port in your vmware configuration with the following settings:

    - Use named pipe
    - This is the server
    - The other end is an application.

    You specify the location of your named pipe, for example: /tmp/vm-serial0

  2. Fire up your appliance.
  3. You'll see the /tmp/vm-serial0 named pipe created in the host OS.
  4. Use socat to set up the socket listener :

    socat -d -d -d /tmp/vm-serial0 tcp-listen:9998,bind=127.0.0.1

    The path must be the same named pipe you configured in step 1 (/tmp/vm-serial0). The -d parameters give verbose logging. Without bind=127.0.0.1 socat's tcp-listen binds to all interfaces, which would expose the unauthenticated serial console of your appliance to anyone who can reach port 9998 on the host; with it, the listening socket is available on localhost only.

  5. Open a new terminal and do a telnet to localhost on port 9998:

    telnet localhost 9998
  6. You're connected to the serial console of your VM'ed appliance. Note that telnet does its own option negotiation and line handling, which some appliance consoles dislike; in that case use socat itself as the client in raw mode (socat -,raw,echo=0 tcp:127.0.0.1:9998).
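The whole procedure above wrapped into one small POSIX shell script, as an added example that is not from the original post: it waits until VMware has created the endpoint, starts socat bound to localhost only, and offers a raw-mode socat client as an alternative to telnet. The path /tmp/vm-serial0 and port 9998 are the ones used in the post; the function names, the environment variables and the start/connect arguments are my own.

```shell
#!/bin/sh
# vm-serial-bridge.sh -- bridge a VMware serial "named pipe" to a local TCP port.
# Added example, not from the original post. Assumes the serial port was set up
# in VMware as "Use named pipe / This is the server / the other end is an
# application" with path /tmp/vm-serial0, and that socat is installed on the host.

PIPE="${VM_SERIAL_PIPE:-/tmp/vm-serial0}"   # endpoint created by VMware
PORT="${VM_SERIAL_PORT:-9998}"              # TCP port socat will listen on

# Wait until the VM is up and has created the endpoint. On a Linux host VMware
# creates a UNIX domain socket; accept a FIFO as well. Returns 0 once it
# exists, 1 after the timeout (seconds) has passed.
wait_for_pipe() {
  p=$1; t=${2:-30}
  while [ "$t" -gt 0 ]; do
    if [ -S "$p" ] || [ -p "$p" ]; then return 0; fi
    sleep 1
    t=$((t - 1))
  done
  [ -S "$p" ] || [ -p "$p" ]
}

# Compose the socat server command. bind=127.0.0.1 keeps the unauthenticated
# console off the network; reuseaddr lets you restart the bridge right away
# after a previous instance exited.
serial_bridge_cmd() {
  printf 'socat -d -d %s tcp-listen:%s,bind=127.0.0.1,reuseaddr' "$1" "$2"
}

# Compose the client command. raw,echo=0 puts the local terminal in raw mode
# so control keys reach the appliance, without telnet's option negotiation.
serial_client_cmd() {
  printf 'socat -,raw,echo=0 tcp:127.0.0.1:%s' "$1"
}

case "${1:-}" in
  start)
    wait_for_pipe "$PIPE" 30 || { echo "no endpoint at $PIPE; is the VM running?" >&2; exit 1; }
    cmd=$(serial_bridge_cmd "$PIPE" "$PORT")
    echo "running: $cmd" >&2
    exec $cmd
    ;;
  connect)
    exec $(serial_client_cmd "$PORT")
    ;;
esac
```

Fire up the appliance, run `sh vm-serial-bridge.sh start` in one terminal, then `sh vm-serial-bridge.sh connect` in another. The bridge only listens on 127.0.0.1; if you really need to reach it from another machine, tunnel it over SSH rather than dropping the bind option.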