10-20-2022 07:21 AM
Hello,
I'm interested in IT and I'm a beginner.
I read some documents on the internet.
Could you please correct me so I know whether I have understood correctly?
When a customer connects with his login and password to his company's VPN using GlobalProtect:
1) the Pointsharp server makes a request to Active Directory to confirm the login and password
2) when the login and password are OK, the Pointsharp server sends a token to the client
3) the client sends the token back to the Pointsharp server
4) the client is connected to the VPN
10-20-2022 08:52 AM
I have not heard of Pointsharp before, but it appears to be just another MFA server product, like DUO, Okta, or AzureMFA. Your description is mostly right, the basic flow is like:
10-20-2022 09:09 AM
Ok @Adrian_Jensen, I don't understand the token part.
The token IS a code?
The Pointsharp server sends the token to my mobile phone and when I click "Confirm" in the Pointsharp application, I send the same token to the Pointsharp server?
Could you please explain it to me?
10-20-2022 09:51 AM - edited 10-20-2022 09:53 AM
Yes, that is correct, the token is a code. In a real quick read, it appears to be a standard time-based OTP (not 100% sure, but the specification sheet talks about options for hardware tokens, OATH, GoogleAuth, MicrosoftAuth, etc.).
The way this works is that the client is initially given a special authentication seed when enrolled, which is unique to each user. The client Pointsharp application (or GoogleAuth/etc.) then calculates a token at any given point in time from the original seed. So from 12:04:00 to 12:04:59 today it calculates token "394 019". At 12:05:00 that changes to "823 317". Then at 12:06:00 it becomes "910 006"... etc. You need to respond to the Pointsharp server with the appropriate token at the appropriate time, either by hitting "Confirm" in the Pointsharp app (it submits the token in the background) or typing in the token generated by GoogleAuth/etc.
Pointsharp server -> client: what is your token?
Client calculates: Initial seed + current time = token
Client -> Pointsharp server: the token is 012 345
Pointsharp server calculates and compares: [012 345] <?> client seed + current time
With time-based OTPs/OATH it is very important that both the server and the client maintain accurate time, as the OTP token is only valid for a short period. Usually there is a grace period where the previous/next code in line will also work, but generally clocks need to be within 60-90 seconds of each other.
There are also other types of OTP such as pre-generated lists and next-token-calculated-from-previous-token, but given that they talk about using standard OATH-compliant clients I don't believe these apply.
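As an added illustration of the "seed + current time = token" step and the server-side compare with a grace window described above (example code written for this thread, not Pointsharp's or GoogleAuth's own implementation), here is the OATH TOTP calculation from RFC 6238 using HMAC-SHA1, 6 digits and 30-second steps; the 30-second step is an assumption (the post's examples use 1-minute codes), and the seed is the RFC test-vector secret, not a real enrollment seed.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo seed: the RFC 4226/6238 SHA-1 test-vector secret.
# A real seed is generated per user at enrollment and never shared in the clear.
DEMO_SEED = b"12345678901234567890"
STEP_SECONDS = 30   # assumed step length; the post's examples use 60 s
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """Client side: 'initial seed + current time = token' (RFC 6238)."""
    return hotp(seed, unix_time // step)


def verify(seed: bytes, submitted: str, server_time: int,
           window: int = 1, step: int = STEP_SECONDS) -> bool:
    """Server side: recompute the code for the current step and +/- `window`
    neighbouring steps (the grace period), comparing in constant time."""
    base = server_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(seed, base + delta), submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SEED, now)
    print("client token right now:", code)
    print("server accepts (same clock):", verify(DEMO_SEED, code, now))
    # A server clock two full steps off falls outside the one-step grace window.
    print("server accepts (clock 2 steps ahead):", verify(DEMO_SEED, code, now + 2 * STEP_SECONDS))
```

The final check shows why the clocks must stay within roughly one step of each other: a valid code is rejected once the server's view of time drifts past the grace window.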
10-20-2022 10:25 AM
Thank you very much @Adrian_Jensen !!!! I understand all of your explanation !! You are the best !