Architecture for the TwoFactor Authentication Service

The TwoFactor service makes use of technology developed by CRYPTOCard (, using their KT-1 tokens. KT-1 tokens are similar to SecurID tokens except the KT-1 tokens don't expire (just replace the batteries) and don't suffer from timing issues. The code on the KT-1 token doesn't change automatically, you instead push a button.

The authentication service itself is provided by two servers running Linux and the CRYPTO-Server software. One server is the "master" and the other is a replica. Management of the service is done via a Linux or Windows desktop computer running the CRYPTO-Console software and a KT-1 token initializer device hooked-up via USB. Use of the service is accomplished either via the installation of an agent or by using RADIUS. There is an agent for Windows domain controllers. On *nix and Darwin, we use the pam-radius module.

Please note that this is an authentication service, not an authorization service. Management of authorization is best done by the clients of the service (eg. a sudoers file on a Linux host, or a "Domain Admins" group in an Active Directory domain/forest).


Server Information

All servers used by the TwoFactor authentication service are VMware Server virtual machines hosted by a set of six SunFire x2100 servers. Three to the physical servers are located in DC 3558, the other three are housed in MC 3015. The host operating system is Ubuntu 6.06 Server (amd64).

watiknow.cscf (Linux) - Houses the master CRYPTO-Server that provides the core of the TwoFactor authentication service. This host also houses a freeRadius server that acts as the primary authorization server for CSCF switches and firewalls.

watihave.cscf (Linux) - Houses the replica CRYPTO-Server that provides the core of the TwoFactor authentication service. This host also houses a freeRadius server that acts as a backup authorization server for CSCF switches and firewalls.

tenera, julia, exusta (Windows 2003 Server) - Domain controllers for the Active Directory domain. All authentication in this domain is done via watiknow.cscf and watihave.cscf.

borealis (Windows 2003 Server) - Terminal Server in the domain for CSCF staff to login and perform administration tasks within the AD forest.

Server Locations

Host Location Virtual Machines
vmhost202.cscf DC 3558 watiknow.cscf, test server
vmhost208.cscf MC 3015 watihave.cscf, test server
vmhost210.cscf MC 3015 exusta, tenera
vmhost212.cscf MC 3015 borealis, julia

-- JasonTestart - 31 May 2007

Topic attachments
I Attachment History Action Size Date Who Comment
PNGpng TwoFactor.png r4 r3 r2 r1 manage 104.2 K 2006-05-04 - 09:24 JasonTestart  
Edit | Attach | Watch | Print version | History: r16 < r15 < r14 < r13 < r12 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r16 - 2007-05-31 - JasonTestart
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback