After everything is configured, the system works like this: the user generates a one-time passcode from their WiKID software token and enters it at the SSH password prompt. The SSH gateway passes the credentials to NPS over RADIUS. NPS checks that the user is active in AD and in the proper group; if so, it forwards the username and one-time passcode to the WiKID Strong Authentication Server, again over RADIUS. If the passcode is valid, the WiKID server answers NPS with a RADIUS Access-Accept, NPS relays that answer to the SSH gateway, and the user is granted access. Note that this covers authentication only; session management is still handled by the SSH gateway or whatever other remote access service you are using.
First, enable Network Policy Server (NPS) on Windows Server 2008.
Add the "Network Policy and Access Services" role to your domain controller.
Enable these role services during installation:
* Network Policy Server
* Routing & Remote Access Services
* Remote Access Service
Next, add a new RADIUS client: the SSH gateway in this case.
From Administrative Tools, open Network Policy Server.
Under RADIUS Clients and Servers, right-click RADIUS Clients and select New.
Enter a name and the IP address of your remote access server (the SSH gateway, a VPN concentrator, etc.), and create a shared secret. The same secret must be entered in the RADIUS client configuration on that gateway (for example in pam_radius on a Linux SSH gateway); the secret between NPS and the WiKID server is configured separately below and need not be the same. Pick a long random secret: on the wire the one-time passcode is hidden with nothing stronger than MD5 keyed by this secret, and the per-client address restriction here is what keeps other hosts from submitting requests at all.
Add a new RADIUS server: the WiKID Strong Authentication Server
Under RADIUS Clients and Servers, right-click Remote RADIUS Server Groups, select New, and name the group, something like "WiKID".
Click Add to add a RADIUS server to the group.
On the Address tab, enter the IP address of the WiKID server. On the Authentication/Accounting tab, enter the shared secret; this is the same secret you will configure on the WiKID server for NPS. Leave the ports at their defaults (UDP 1812 for authentication) unless you changed them on the WiKID side. That should be all you need to change.
Creating a Connection Request Policy
Now that we have created the RADIUS client and the remote RADIUS server group (WiKID), we need a policy that tells NPS which requests to proxy to WiKID. In NPS this is a Connection Request Policy (under Policies), not a Network Policy: the option to forward requests to a remote RADIUS server group exists only in connection request policies. Right-click Connection Request Policies and select New.
Enter a name and leave Type of network access server as Unspecified, or choose your remote access system.
On the Conditions tab, add a condition. I added a Client IPv4 Address condition matching my SSH gateway's address, so only requests from that RADIUS client are proxied.
On the Settings tab, click Authentication and select "Forward requests to the following remote RADIUS server group for authentication". Choose WiKID. Finally, make sure the new policy is ordered above the default "Use Windows authentication for all users" policy: NPS evaluates connection request policies in processing order and the default one matches every request, so if it stays first nothing is ever forwarded.
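To make concrete what the forwarding policy and the two shared secrets do on the wire, here is an added walk-through of the exchange described in the overview above (SSH gateway to NPS to WiKID and back), written in Python for this page; it is not code from WiKID or Microsoft. It implements the RFC 2865 PAP password hiding and the Response Authenticator check, with a stub standing in for the WiKID server; the username, passcode and secret values are constructed sample data.

```python
"""Hop-by-hop RADIUS walk-through: SSH gateway -> NPS proxy -> WiKID server -> back (RFC 2865, PAP)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RADIUS packet codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18       # attribute types used here


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret | previous block)."""
    raw = password.encode()
    padded = raw.ljust(max(16, -(-len(raw) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def decrypt_password(hidden, secret, authenticator):
    """Inverse of encrypt_password. A wrong secret silently yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode(errors="replace")


def _attrs_bytes(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_packet(code, ident, authenticator, attrs):
    body = _attrs_bytes(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def build_response(code, ident, request_auth, attrs, secret):
    """Server side: Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    body = _attrs_bytes(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def parse_packet(data):
    code, ident, length = struct.unpack("!BBH", data[:4])
    attrs, pos = [], 20
    while pos < length:
        t, ln = data[pos], data[pos + 1]
        attrs.append((t, data[pos + 2:pos + ln]))
        pos += ln
    return code, ident, data[4:20], attrs


def verify_response(reply, request_auth, secret):
    """Client side: recompute the Response Authenticator under our own secret and compare."""
    code, ident, resp_auth, attrs = parse_packet(reply)
    expected = build_response(code, ident, request_auth, attrs, secret)[4:20]
    return hmac.compare_digest(resp_auth, expected)


def gateway_request(username, otp, secret, ident=7):
    """SSH gateway: the OTP typed at the password prompt goes out as User-Password, hidden under the gateway<->NPS secret."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, username.encode()), (USER_PASSWORD, encrypt_password(otp, secret, req_auth))]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def nps_forward(request, client_secret, remote_secret):
    """What the forwarding policy makes NPS do: unhide User-Password with the client's secret, re-hide it under the remote group's secret behind a fresh authenticator."""
    code, ident, req_auth, attrs = parse_packet(request)
    new_auth = os.urandom(16)
    fwd = [(t, encrypt_password(decrypt_password(v, client_secret, req_auth), remote_secret, new_auth)
            if t == USER_PASSWORD else v) for t, v in attrs]
    return build_packet(code, ident, new_auth, fwd), new_auth


def wikid_stub(request, secret, valid_otps):
    """Stand-in for the WiKID server (constructed, not WiKID's code): accept iff the OTP is the user's current one."""
    _, ident, req_auth, attrs = parse_packet(request)
    a = dict(attrs)
    if valid_otps.get(a[USER_NAME].decode()) == decrypt_password(a[USER_PASSWORD], secret, req_auth):
        return build_response(ACCESS_ACCEPT, ident, req_auth, [], secret)
    return build_response(ACCESS_REJECT, ident, req_auth, [(REPLY_MESSAGE, b"bad passcode")], secret)


def authenticate(username, otp, gateway_secret, wikid_secret, valid_otps):
    """Run the full exchange. True only if WiKID accepted and both replies pass their authenticator check."""
    request, req_auth = gateway_request(username, otp, gateway_secret)
    fwd, fwd_auth = nps_forward(request, gateway_secret, wikid_secret)
    wikid_reply = wikid_stub(fwd, wikid_secret, valid_otps)
    if not verify_response(wikid_reply, fwd_auth, wikid_secret):
        raise ValueError("NPS: WiKID reply failed authenticator check (NPS<->WiKID secret mismatch?)")
    code, ident, _, attrs = parse_packet(wikid_reply)
    reply = build_response(code, ident, req_auth, attrs, gateway_secret)  # NPS re-signs for the gateway
    if not verify_response(reply, req_auth, gateway_secret):
        raise ValueError("gateway: NPS reply failed authenticator check (gateway<->NPS secret mismatch?)")
    return parse_packet(reply)[0] == ACCESS_ACCEPT


if __name__ == "__main__":  # constructed sample: the passcode alice's token currently shows
    print(authenticate("alice", "482913", b"gw-secret", b"wikid-secret", {"alice": "482913"}))  # True
```

Two things the walk-through makes visible. First, NPS has to recover the passcode under the gateway's secret before re-hiding it under WiKID's, so a mismatched secret on either hop produces a garbage passcode and a reject rather than a clear error; check both secrets before suspecting the token. Second, the only protection the passcode has in transit is MD5 keyed with the shared secret, which is why RADIUS between the gateway, NPS and WiKID belongs on a management network, why the RADIUS client entry is restricted to the gateway's address, and why the secrets should be long and random.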
Configuring the WiKID Strong Authentication Server