Implementing CRYPTOCard Authentication. for. Whale Communications. e-gap Remote Access SSL VPN

Transcription

1 Implementing CRYPTOCard Authentication for Whale Communications e-gap Remote Access SSL VPN Copyright 2005 CRYPTOCard Corporation All Rights Reserved

2 Copyright Copyright 2005, CRYPTOCard Corp. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of CRYPTOCard Corp. Trademarks CRYPTOCard, CRYPTO-Server, CRYPTO-Web, CRYPTO-Kit, CRYPTO-Logon, CRYPTO-VPN, are either registered trademarks or trademarks of CRYPTOCard Corp. All other trademarks, trade names, service marks, service names, product names, and images mentioned and/or used herein belong to their respective owners. Technical Support information CRYPTOCard works closely with our Channel Partners to offer worldwide Technical Support services. If you purchased this product through a CRYPTOCard Channel Partner, please contact your reseller directly for support needs. To contact CRYPTOCard directly, telephone or If you prefer, send an to support@cryptocard.com. To inquire about obtaining a support contract, refer to our Support" Web page for the latest contact information at Comments If you have comments or suggestions you would like to make regarding this document, please send an to support@cryptocard.com. Publication History Date Version Changes Rev.1.0 Initial Release CRYPTOCard Authentication for Whale Communications e-gap SSL VPN i

3 Table of Contents IMPLEMENTING CRYPTOCARD AUTHENTICATION...I FOR...I WHALE COMMUNICATIONS...I E-GAP REMOTE ACCESS SSL VPN...I IMPLEMENTATION AND APPLICATION SUMMARY...III CRYPTOCARD AUTHENTICATION FOR E-GAP SSL VPN... 1 Overview... 1 Prerequisites... 2 WHALE COMMUNICATIONS E-GAP SSL VPN CONFIGURATION... 2 Step 1 - Configuring a Radius Authentication Server... 2 Step 2 RADIUS Protocol Access Control List... 3 Step 3 Adding e-gap to the RADIUS Protocol Access Control List... 3 CONNECTING WITH THE E-GAP SSL VPN... 5 New PIN Mode... 6 Stored on Server, User-changeable PIN example... 6 Stored on Server, Server-changeable PIN example... 7 TROUBLESHOOTING... 9 Troubleshooting authentication failures... 9 CRYPTO-Server Log Files CRYPTOCard Authentication for Whale Communications e-gap SSL VPN ii

4 Implementation and Application Summary Compatibility and Interoperability: Whale Communications e-gap Remote Access SSL VPN Systems Protected: Whale Communications e-gap Remote Access SSL VPN CRYPTOCard Dependencies: CRYPTO-Server 6.x RADIUS Client Browser Dependencies: Internet Explorer 5+ Mozilla Firefox 1+ Network Architecture: SSL VPN Remote Access Supported CRYPTOCard Token Types: CRYPTOCard Tokens: RB-1, KT-1, ST-1, SC-1, UB-1 Encryption Level: DES, 3DES, AES128, AES192, AES256 PIN Modes Token based: fixed, user changeable, numeric, alphanumeric* Server based: fixed, user changeable, server changeable. Passcode: Supported SecurID Token Types: SecurID : SD-200, SD-520, SD-600, SD- 5100, SD-6100 Encryption Level: DES PIN Modes Server based: fixed, user changeable, server changeable, numeric, alphanumeric Passcode: Length: 6,8 numeric Types: numeric Length: 6,7,8 Types: numeric, alphanumeric, base64* (*depending upon token series) CRYPTOCard Authentication for Whale Communications e-gap SSL VPN iii

5 CRYPTOCard Authentication for e-gap SSL VPN Overview Whale Communications e-gap SSL VPN is used to create encrypted tunnels between remoteand mobile users, providing access to corporate networks. The e-gap SSL VPN secures browser-based access to applications such as , portals, and other applications based upon authentication information such as a username and password. CRYPTOCard authentication replaces static passwords with strong two-factor authentication to prevent the use of lost, stolen, shared, or easily guessed passwords, to establish a tunnel and gain access to protected resources. CRYPTOCard provides authentication using the RADIUS protocol. The end-user launches a web browser and navigates to the e-gap login page. Then using their logon name and a passcode from their CRYPTOCard software, hardware, or smart card token, the end-user establishes a connection to the internal network. The e-gap SSL VPN passes the authentication information to the CRYPTO-Server (via RADIUS). The CRYPTO-Server verifies the username and password, and an Access-Accept message is sent to the e-gap SSL VPN, allowing the user to access the protected network and resources. CRYPTOCard Authentication for Whale Communications e-gap SSL VPN 1

6 Prerequisites Whale Communications e-gap SSL VPN is installed & configured. Verify that the Whale Communications e-gap SSL VPN authentication works using static passwords before commencing installation and testing with CRYPTOCard. CRYPTO-Server 6.x is installed. Note that if CRYPTO-Server 6.x is installed and configured to use a JDBC ( non LDAP ) database, then the CRYPTO-Server user name must be identical to the user name currently employed by the end-user. If a firewall exists between the Whale Communications e-gap SSL VPN and CRYPTO- Server 6.x, it must allow RADIUS traffic on UDP ports 1812 ( RADIUS authentication ) and 1813 ( RADIUS accounting ). CRYPTO-Server 6.x uses ports 1812 / 1813 by default for RADIUS. A NAS.x entry in the Radius Protocol entity on CRYPTO-Server must exist which includes the Whale Communications e-gap SSL VPN. Whale Communications e-gap SSL VPN Configuration The Whale Communications e-gap SSL VPN can normally be configured in a matter of minutes, however proper preparation to ensure all prerequisites are met is essential. Step 1 - Configuring a Radius Authentication Server CRYPTOCard Authentication for Whale Communications e-gap SSL VPN 2

7 Confirm use of Filter-ID Radius attribute to pass back group information to e-gap for authorization purposes. Note that challenge-response must be enabled in order for our new PIN mode to function. Step 2 RADIUS Protocol Access Control List The Whale Communications e-gap SSL VPN uses the RADIUS Protocol to communicate with the CRYPTO-Server. The RADIUS Protocol contains an access control list that specifies RADIUS enabled clients are allowed to authenticate against the CRYPTO-Server. You must verify that all RADIUS enabled clients are within the RADIUSProtocol access control list. Open the CRYPTO-Console and connect to the CRYPTO-Server. Select the Server menu, System Configuration. In the Entity column, select RadiusProtocol. Look at the value corresponding to the Key NAS.2. The value of this key defines which RADIUS enabled clients are allowed to authenticate against the CRYPTO-Server. By default, the CRYPTO-Server is configured to listen for RADIUS Protocol authentication requests over UDP port 1812, from any host on the same subnet. Step 3 Adding e-gap to the RADIUS Protocol Access Control List If the e-gap system is not within a RadiusProtocol NAS entry range it must be added. It is possible to define as many RADIUS clients as desired by adding NAS.# entries to the CRYPTO-Server configuration. In System Configuration, right click on the RadiusProtocol Entity and select New Key- Value. The syntax of the data for a NAS entry is as follows: CRYPTOCard Authentication for Whale Communications e-gap SSL VPN 3

8 Key: Value: NAS.# <First IP>, <Last IP>, <Hostname>, <Shared Secret>, <Perform Reverse Lookup?>, <Authentication Protocols> First IP Address The first IP address of the RADIUS client(s) configured in this NAS.# key. Last IP Address Hostname: RADIUS Shared Secret Key Perform Reverse Lookup The last IP address of the RADIUS client(s) configured in this NAS.# key. If only one IP address is defined by a NAS.# key, the First and Last IP Address will be the same. Only applies in cases where the NAS.# key is for one host. Required for performing reverse lookup. A string used to encrypt the password being sent between the CRYPTO- Server and the RADIUS client (i.e. the e-gap SSL VPN ). The Shared Secret string can be any combination of numbers and uppercase and lowercase letters. An added security feature of the CRYPTO-Server is its ability to verify the authenticity of a RADIUS client by crosschecking its IP address with the Domain Name Server. If this value is set to true, when the CRYPTO- Server receives a RADIUS request from the RADIUS client defined by this NAS.# entry, it sends a request to the DNS using the hostname set in the NAS.# entry. The DNS should respond with the same IP address as configured in the NAS.# entry, otherwise the CRYPTO-Server assumes that the RADIUS packet is coming from some other host posing as the RADIUS client, and ignores the request completely. Authentication Protocols Many different authentication protocols can be used during RADIUS authentication. Common examples are PAP, CHAP,MSCHAP and EAP. This setting determines which authentication protocols the CRYPTO-Server will allow from a given RADIUS client. Currently CRYPTOCard only supports the PAP and MSCHAPv2 authentication protocols for RADIUS clients. Here is an example of a NAS entry called NAS.3, which will accept RADIUS client requests from IP Address to The CRYPTO-Protocol Service\daemon must be restarted once all NAS entries have been entered. CRYPTOCard Authentication for Whale Communications e-gap SSL VPN 4

9 Connecting with the e-gap SSL VPN Once the e-gap SSL VPN and CRYPTO-Server have been configured correctly, the end-user should be able to open a web browser and authenticate to the e-gap SSL VPN using a passcode from their CRYPTOCard token. First the end-user opens a web browser and enters the URL for the e-gap SSL VPN. They will be presented with a logon page asking for their user name and password. In the example below, the end-user bob has provided his user name and a passcode from his CRYPTOCard token. Once the CRYPTO-Server has validated the passcode provided, an access-accept reply is sent back to the e-gap SSL VPN, and the user has established their authenticated VPN connection. CRYPTOCard Authentication for Whale Communications e-gap SSL VPN 5

10 New PIN Mode CRYPTOCard hardware tokens, the KT-1 Keychain token, and RB-1 Pin-pad token can be programmed with a Stored on Server PIN style. This style requires the end-user to prepend the PIN to the passcode displayed on the token. The combination of the PIN and passcode is used to authenticate the end-user. There are three options when selecting a Stored on Server PIN style Stored on Server, Fixed PIN: This PIN must be prepended to the passcode. The end-user cannot change the PIN. A CRYPTO-Server operator can change the PIN. Stored on Server, User-changeable PIN: Periodic PIN change will be forced by the CRYPTO-Server according to the PIN Change Period option. The end-user will determine the new PIN value. This PIN must be prepended to the passcode. Stored on Server, Server-changeable PIN: Periodic PIN change will be forced by the CRYPTO-Server according to the PIN Change Period option. The CRYPTO-Server will determine the new PIN value. This PIN must be prepended to the passcode. Stored on Server, User-changeable PIN example The end-user opens a web browser and enters the URL for the e-gap SSL VPN. They will be presented with a logon page asking for their user name and password. After the initial authentication, the CRYPTO-Server has enforced a PIN change and requires the end-user to provide a new PIN. CRYPTOCard Authentication for Whale Communications e-gap SSL VPN 6

11 If the new PIN provided by the end-user meets the minimum PIN requirements as configured on CRYPTO-Server, the end-user will then be allowed access to the network and applications. The end-user will need to use this new PIN until the next PIN change is enforced. Stored on Server, Server-changeable PIN example The end-user opens a web browser and enters the URL for the e-gap SSL VPN. They will be presented with a logon page asking for their user name and password. After the initial authentication, the CRYPTO-Server has enforced a PIN change and provides the new PIN to the end-user. CRYPTOCard Authentication for Whale Communications e-gap SSL VPN 7

12 In this example, the CRYPTO-Server has provided a new PIN of 7501 to the end-user. This new PIN is then used along with the next passcode from the token in order to authenticate and gain access to the network and applications. The end-user will need to use this new PIN until the next PIN change is enforced. CRYPTOCard Authentication for Whale Communications e-gap SSL VPN 8

13 Troubleshooting Troubleshooting authentication failures Symptom Users fail CRYPTOCard authentication Possible cause and resolution The Whale Communications e-gap SSL VPN system has not been configured as a valid NAS for the RADIUS Protocol. From System Configuration, add a NAS entry for the e- Gap SSL VPN to the RadiusProtocol entity. Apply the change and restart the CRYPTO- Protocol Server service /daemon. Remote users token has become out-of-sync with CRYPTO-Server 6.x. Attempt a test of the remote users token from the CRYPTO-Console and provide the 8 digit challenge to the remote user. Have the remote user resynchronize their token using the challenge provided. Alternatively, increase the value for the CRYPTO-Server look ahead by editing the MaxForward key found in the Token entity within System Configuration. Remote user with hardware token configured for the PIN to be stored on the server. Ensure that the remote user is entering their PIN plus the passcode from their token. Alternatively, reset the PIN for the remote user via CRYPTO-Console. Remote users token has become locked. For software and Smartcard tokens, re-issue the token to the remote user. For hardware tokens with the PIN stored on the server, re-enable the token by changing it s state from Locked to Active. The RADIUS shared secret key does not match between the e-gap SSL VPN and the CRYPTO-Server. Verify this value is exactly the same on both devices. Symptom Authentication requests do not reach CRYPTO-Server Possible cause and resolution A firewall exists between the e-gap SSL VPN system and CRYPTO-Server. Ensure that port 1812 UDP is open on the firewall to allow traffic for the RADIUS Protocol. The e-gap SSL VPN system has not been configured to use RADIUS authentication. Use the e-gap Administration tool to enable RADIUS authentication. The CRYPTO-Server and e-gap SSL VPN have been configured to use different ports for the RADIUS protocol. Verify the RADIUS port values in use by each system and ensure they are the same. CRYPTOCard Authentication for Whale Communications e-gap SSL VPN 9

14 CRYPTO-Server Log Files To aid in troubleshooting authentication problems, review the information in the CAPProtocol.dbg file and the cryptocard.log file. A higher level of debugging information can be displayed in the RadiusProtocol.dbg file by enabling the DebugLog.Enabled key in the RadiusProtocol entity. From CRYPTO-Console, select the Server menu, then System Configuration. In the RadiusProtocol entity choose the DebugLog.Enabled key and set it s value to true. Apply the change and restart the CRYPTO-Protocol service / daemon. For CRYPTO-Server installed on Windows, the default log file location is found under: \CRYPTOCard\CRYPTO-Server\log For CRYPTO-Server installed on SuSE Enterprise 9 or Red Hat Enterprise 3.0 or 4.0, the default log file location is found under: /usr/local/cryptocard/cryptoserver/log For CRYPTO-Server installed on Mac OSX 10.3 or 10.4, the default log file location is found under: /Applications/CRYPTO-Server/log CRYPTOCard Authentication for Whale Communications e-gap SSL VPN 10