EAP-TTLS Dual Authentication

TL;DR

Yes, EAP-TTLS can provide dual authentication by combining a username/password check with another factor (like TOTP or certificate-based authentication). This guide explains how to set it up.

Setting Up Dual Authentication with EAP-TTLS

  1. Understand the Basics: EAP-TTLS authenticates in two phases. First, it verifies the client’s identity (usually username/password). Second, it checks a server certificate. To add dual authentication, we’ll modify this second phase to require an additional check.
  2. Choose Your Second Factor: Common options include:
    • Time-Based One-Time Password (TOTP): Using apps like Google Authenticator or Authy.
    • Certificate Authentication: Requiring a client certificate on the device.
    • SMS Verification: Sending a code to the user’s phone (less secure, but easier to implement).
  3. Configure Your RADIUS Server: This is where the core logic resides. You’ll need a RADIUS server that supports EAP-TTLS and can handle your chosen second factor. Popular options include FreeRADIUS, Microsoft NPS, and Cisco ISE.
  4. Implement the Second Factor Check in RADIUS: The exact steps depend on your RADIUS server. Here’s an example using FreeRADIUS with TOTP (using a module like `rlm_python`):
    # Python module loaded by rlm_python; the module config lives in
    # /etc/freeradius/3.0/mods-available/python and points at this file.
    # Intended to be called from the authenticate section of the inner-tunnel
    # virtual server, where the tunnelled User-Name/User-Password are visible.
    import base64
    import hashlib
    import hmac
    import struct
    import time
    
    import radiusd  # provided by FreeRADIUS when the module is loaded
    
    # Placeholder secret store (constructed example): replace with a database/file lookup.
    USER_SECRETS = {"alice": "JBSWY3DPEHPK3PXP"}  # base32-encoded TOTP seeds
    
    def get_user_secret(username):
      return USER_SECRETS.get(username)
    
    def totp_code(secret_b32, step):
      # RFC 6238: HMAC-SHA1 over the 8-byte big-endian step counter, dynamic truncation, 6 digits.
      key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
      digest = hmac.new(key, struct.pack(">Q", step), hashlib.sha1).digest()
      offset = digest[-1] & 0x0F
      code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
      return str(code % 1000000).zfill(6)
    
    def check_totp(password, secret):
      # Reject anything that is not six ASCII digits before the constant-time comparison.
      if not (len(password) == 6 and password.isascii() and password.isdigit()):
        return False
      time_step = int(time.time()) // 30
      return hmac.compare_digest(totp_code(secret, time_step), password)
    
    def authenticate(p):
      # rlm_python passes the request attributes as a tuple of (name, value) pairs.
      attrs = dict(p)
      username = attrs.get("User-Name", "")
      password = attrs.get("User-Password", "")  # This will be the TOTP code in our setup.
      secret = get_user_secret(username)
      if secret and check_totp(password, secret):
        return radiusd.RLM_MODULE_OK
      radiusd.radlog(radiusd.L_AUTH, "Incorrect TOTP code for user %s" % username)
      # Return value: (return code, reply attribute pairs, config attribute pairs).
      return (radiusd.RLM_MODULE_REJECT, (("Reply-Message", "Incorrect TOTP code"),), ())
    
  5. Modify EAP-TTLS Configuration: You need to tell the client (e.g., your Wi-Fi settings) to send the second factor information during authentication.
    • For TOTP: The username/password field sent by EAP-TTLS will be used for both initial credentials and the TOTP code.
    • For Certificate Authentication: Ensure the client certificate is properly installed on the device and configured to be presented during authentication.
  6. Test Thoroughly: Test with various scenarios:
    • Successful dual authentication.
    • Incorrect username/password.
    • Incorrect second factor.
    • Client certificate issues (if applicable).
  7. Consider Security Best Practices:
    • Use strong secrets for TOTP and protect them securely.
    • Regularly rotate certificates.
    • Monitor RADIUS logs for suspicious activity.

Troubleshooting

If authentication fails, check the following:

  • RADIUS Server Logs: Look for error messages related to EAP-TTLS or your second factor module.
  • Client Configuration: Verify that the client is configured correctly and sending the correct information.
  • Time Synchronization: Ensure the RADIUS server and client have synchronized clocks (especially important for TOTP, where a skewed clock makes every code fail).
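The test scenarios from step 6 and the time-synchronization point above, as an added stand-alone example (not code from the original post or from FreeRADIUS). It assumes the static password and the 6-digit TOTP are concatenated in the one password field that EAP-TTLS carries, a constructed user record with a salted password hash and base32 TOTP seed, and a one-step (30-second) skew window on either side.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6
PBKDF2_ROUNDS = 100_000

# Constructed fixture (assumption): one enrolled user as a RADIUS backend might
# store it, with a salted password hash and a base32-encoded TOTP seed.
USERS = {
    "alice": {
        "salt": b"constructed-salt",
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"s3cret", b"constructed-salt", PBKDF2_ROUNDS),
        "totp_secret": "JBSWY3DPEHPK3PXP",
    }
}

def totp_code(secret_b32, step):
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits) for one 30-second time step."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def verify_totp(secret_b32, code, now, window=1):
    """Accept the current step plus/minus `window` steps to tolerate small clock skew."""
    if not (len(code) == DIGITS and code.isascii() and code.isdigit()):
        return False
    step = now // STEP_SECONDS
    return any(hmac.compare_digest(totp_code(secret_b32, step + d), code)
               for d in range(-window, window + 1))

def authenticate(username, password_field, now):
    """Dual check: static password followed by the 6-digit TOTP in one password field.
    Returns (accepted, reason) so each step-6 scenario can be told apart in the logs."""
    user = USERS.get(username)
    if user is None or len(password_field) <= DIGITS:
        return False, "unknown user or malformed credential"
    static_pw, code = password_field[:-DIGITS], password_field[-DIGITS:]
    pw_hash = hashlib.pbkdf2_hmac("sha256", static_pw.encode(), user["salt"], PBKDF2_ROUNDS)
    if not hmac.compare_digest(pw_hash, user["pw_hash"]):
        return False, "incorrect password"
    if not verify_totp(user["totp_secret"], code, now):
        return False, "incorrect or expired TOTP code"
    return True, "ok"
```

A code from the previous 30-second step still passes, one from two steps back does not, which is why the time-synchronization check above matters.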