We have a requirement for 2-factor authentication for our internal WiFi SSID's.

Question

We have a requirement for 2-factor authentication for our internal WiFi SSID's. Currently we use PEAP w/ MS-CHAPv2 to pass Windows creds through the AP to a RADIUS server (a Domain Controller running NPS). This has recently been accused of not being 2-factor authentication because it's only supplying 'something you know' in the form of your Windows credentials.

However, on the NPS server they have to be a member of one of two groups in AD as well to be allowed on, so in my book that would be 'something you are', making it two-factor. So is our current setup really two-factor or not? Thanks in advance!

Explanation / Answer

The notion of "two factor authentication" is not a strictly defined mathematical notion. However, usually, it relates to having two factors for authentication.

The second term is important: you are trying to authenticate a user, i.e. to make sure that the user is indeed at the other end of the line. Right now. When looking up the account membership in the AD server, you are not verifying whether the human user is there or not. Indeed, the user account is still a member of the groups even when the user is not there at all. Thus, verifying group membership is not authentication at all. Nothing in the AD will tell you: "yeah, you are talking to Bob right now". At best, the AD will tell you: "there exists a user known as Bob".

AD group memberships are not authentication. As such, they cannot be an authentication factor. What AD group memberships relate to is authorization, a completely distinct concept.
