Test Radius Challenge Response in NTRadPing If you got Cisco or CheckPoint VPN Equipment, it is very natural to use its Challenge Response authentication mode with DualShield Radius server to achieve two factor authentication It involves two stages of authentication, e.g first a username and password then username and one-time password User Experience (CheckPoint example) The user starts his SecureClient and is prompted for his username and static password If the credential is correct, he then is prompted a with a second dialog box for his one-time code If the user got an on-demand password token, at this stage he will be sent an OTP through the specified message channel Otherwise, he can press his hardware token to generate an OTP code The user then enters his one-time password code, if this is correct he is authenticated User Experience (NTRadPing example) In some circumstances (e.g troubleshooting), you want to simply check if DualShield Radius Server is working under Challenge-Response mode, you can use NTRadPing Please check the official document for DualShield VPN implementation Basically you need to create a radius logon procedure with two logon steps Step 1: Type your static password in the Password field (fill the other necessary fields), then click “Send” button If you give a correct password, you should expect a response “Access-Challenge” Step 2: Look at the attribute dump in first step, there is a line State=DASCR_415752_1 That is the challenge code generated by DualShield (DASCR = Deepnet Authentication Server Challenge Response) You need to add this attribute as an additional RADIUS attribute in this step Then input the one time password in the password field Click the “Send” button again, you are expected to see the response “AccessAccept” You may be confused with the option “Challenge & Response” in the Logon Step We didn’t use it in our example What does it means? What if we check on this option? Well, you need a token which supports CR mode Normally, MobileID token has this feature For instance, in Android version, you can alter the mode among the tree OTP, Sign and Challenge Select Challenge mode, it asks you input a challenge code, which is one you get from step (DASCR_415752_1 in the above example), then you get an OTP Mathematically, OTP is a function of challenge code, y=f(x)  ... Experience (NTRadPing example) In some circumstances (e.g troubleshooting), you want to simply check if DualShield Radius Server is working under Challenge- Response mode, you can use NTRadPing Please... Server Challenge Response) You need to add this attribute as an additional RADIUS attribute in this step Then input the one time password in the password field Click the “Send” button again, you... MobileID token has this feature For instance, in Android version, you can alter the mode among the tree OTP, Sign and Challenge Select Challenge mode, it asks you input a challenge code, which is one