
Two Factor - Dual Factor vs Two Factor Authentication

Dual Factor

Dual Factor Authentication allows users to authenticate twice, using the same factor for authentication.

You can accomplish Dual Factor Authentication by setting the Authentication Protocol to RADIUS and LDAP within the Single Sign On (SSO) domain configuration. As a prerequisite, an LDAP Endpoint must be configured and the individual IP address of your LoadMaster interface must be configured as a RADIUS client with a Shared Secret.



Next, navigate back to Manage SSO and select the RADIUS and LDAP Client Side Configuration. Populate the LDAP Endpoint, RADIUS Server(s), Shared Secret, Domain/Realm, and the Logon Format expected by both your RADIUS and LDAP environments.



Once created, you’ll need to apply your SSO domain to your Virtual Service (VS) or SubVS. Ensure you select Form Based as your Client Authentication Mode, populate the Allowed Virtual Hosts with the host name of the site that’s being contacted and the Allowed Virtual Directories field with the directories that should be allowed to connect. It’s also important to ensure that the SSO Image Set is configured to use the Dual Factor Authentication form.



When the form is presented, there are two username and passcode/password fields. The Remote Credentials are for RADIUS Authentication, while the Internal Credentials are for LDAP. This is reflected in the SSO domain configuration in the Phase 1 RADIUS and Phase 2 LDAP fields.


Two Factor

Two Factor Authentication forces a client to enter a PIN/Token of some sort, usually provided by SMS, Google Authenticator, or an RSA fob, for example. In this case, two different factors are used.


There are two ways of accomplishing two factor authentication:

1. RSA-SecurID or RSA-SecurID and LDAP: Once you authenticate against your RSA server, and a response is received, you are presented with a second logon screen. There you can enter your PIN, and the LoadMaster simultaneously contacts LDAP. 

As a prerequisite, you should create an LDAP Endpoint and complete the steps from the Generate an Authentication Agent Entry section through the Generate a Node Secret File section in our RSA Authentication document.

2. RADIUS: For two factor authentication to work with RADIUS, your RADIUS server must be configured to send a Challenge Response. You are presented with a second logon screen.
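To confirm that a RADIUS server really answers the first factor with a challenge, you can inspect a captured reply. The following is an added example, not Kemp code: it parses a RADIUS reply per RFC 2865, verifies the Response Authenticator with the Shared Secret, and reports whether the reply is an Access-Challenge. The function names and the sample secret are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes and attribute types from RFC 2865
CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
REPLY_MESSAGE, STATE = 18, 24


def parse_reply(packet: bytes, request_auth: bytes, secret: bytes) -> dict:
    """Parse a RADIUS reply and verify its Response Authenticator."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    packet = packet[:length]  # ignore padding past the declared length
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        a_type, a_len = packet[pos], packet[pos + 1]
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return {
        "code": CODES.get(code, f"other({code})"),
        "id": ident,
        "authentic": hmac.compare_digest(expected, packet[4:20]),
        "prompt": b"".join(attrs.get(REPLY_MESSAGE, [])).decode("utf-8", "replace"),
        "state": attrs.get(STATE, [None])[0],
    }


def supports_second_prompt(reply: dict) -> bool:
    """True only for an authentic Access-Challenge, the reply two factor needs."""
    return reply["authentic"] and reply["code"] == "Access-Challenge"


def build_reply(code, ident, request_auth, secret, attrs):
    """Construct a sample reply (test data only, not a real capture)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + auth + body
```

A server that returns Access-Accept directly after the first credential check never issues the challenge, so `supports_second_prompt` returns False for it.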



Next, create the SSO Domain for two factor authentication. Select the appropriate endpoint from the LDAP Endpoint drop-down list. Populate the RSA-SecurID Server(s) field and import the RSA Authentication Manager Config File. Import the RSA Node Secret File. The Decryption Password must be set to import the file. Finally, populate the Domain/Realm and Logon Format(s).


Once created, you must apply your SSO Domain to the Virtual Service or SubVS. Ensure you select Form Based as your Client Authentication Mode. Populate the Allowed Virtual Hosts with the hostname of the site that is being contacted and the Allowed Virtual Directories field with the directories allowed to connect.


When configuring the ESP Options for two-factor authentication, you will select the Exchange or Blank SSO Image Set. You may also create your own custom image set. For more information on creating the custom image set, refer to the following article: Custom Image Set



Once the Virtual Service is requested, the form above displays.



The next form prompts the user for their PIN/Token number. Once the PIN/Token is accepted, the user is authenticated successfully.


