Implementation Guide for Funk Steel-Belted RADIUS

Transcription

1 Implementation Guide for Funk Steel-Belted RADIUS Copyright 2006 CRYPTOCard Inc. All Rights Reserved

2 Copyright Copyright 2006, CRYPTOCard Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of CRYPTOCard Corp. Trademarks CRYPTOCard, CRYPTO-Server, and CRYPTO-Logon are either registered trademarks or trademarks of CRYPTOCard Corp. All other trademarks, trade names, service marks, service names, product names, and images mentioned and/or used herein belong to their respective owners. Additional Information, Assistance, or Comments CRYPTOCard s technical support specialists can provide assistance when planning and implementing CRYPTOCard in your network. In addition to aiding in the selection of the appropriate authentication products, CRYPTOCard can suggest deployment procedures that provide a smooth, simple transition from existing access control systems and a satisfying experience for network users. We can also help you leverage your existing network equipment and systems to maximize your return on investment. This complimentary support service is available from your first evaluation system download. CRYPTOCard works closely with channel partners to offer worldwide Technical Support services. If you purchased this product through a CRYPTOCard channel partner, please contact your reseller directly for support needs. To contact CRYPTOCard directly: International Voice: North America Toll Free: support@cryptocard.com For information about obtaining a support contract, see our Support Web page at Publication History Date May 16, 2005 November 9, 2005 Changes Creation Global edit Copyright 2006 CRYPTOCard Inc. All Rights Reserved 2

3 Text Conventions The following text conventions are used in this document: Courier text: denotes something you see on-screen (e.g. a dialog window title or field, a configurable Key, an exact filename) or something you enter verbatim on-screen (e.g. a command). <Italicized, bracketed text>: denotes a variable that requires an appropriate value to be entered. For example, if you see <IP_address>, you might enter Bold text: denotes a path. If the path uses a pipe ( ) character (e.g. A B C D), the path does not lead to a directory, folder, or file, but rather represents GUI/application menu options. If the path uses the backslash (\) or forward slash (/) character, the path leads to a directory, folder, or file. Copyright 2006 CRYPTOCard Inc. All Rights Reserved 3

4 Table of Contents Copyright... 2 Trademarks... 2 Additional Information, Assistance, or Comments... 2 Publication History... 2 Text Conventions IMPLEMENTATION AND APPLICATION OVERVIEW CONFIGURING FUNK SBR CRYPTO-SERVER CONFIGURATION CONFIGURING CRYPTO-SERVER TO USE DIFFERENT RADIUS PORTS TROUBLESHOOTING CRYPTO-Server Log Files Copyright 2006 CRYPTOCard Inc. All Rights Reserved 4

5 1 Implementation and Application Overview Funk Steel-Belted RADIUS (SBR) server may be used with CRYPTO-Server by configuring the RADIUS proxy facility. This permits Funk SBR to proxy authenticate to CRYPTO-Server using RADIUS. This means that the CRYPTO-Server may run on the same machine as /funk SBR or on a separate machine, and that the CRYPTO-Server must be listening for RADIUS communication. The following information is required during configuration: IP Address of the Funk SBR server IP Address of the CRYPTO-Server Port number used by CRYPTO-Server for RADIUS communication RADIUS Shared Secret Copyright 2006 CRYPTOCard Inc. All Rights Reserved 5

6 2 Configuring Funk SBR 1. Start the SBR Administrator. 2. Select the Servers radio button, if it is not selected by default. Select Local or Remote as appropriate, and click Connect to connect to the SBR server. 3. Select the Proxy radio button. This is where you configure the Funk SBR server to forward users authentication requests to CRYPTO-Server. a. In the Forward to field, enter the hostname of the CRYPTO-Server. b. In the IP address field, enter the IP address of the CRYPTO-Server. c. If you are not using the default RADIUS authentication and accounting ports (UDP ports 1812 and 1813, respectively), enter the ports that you want to use. If the Funk SBR server and CRYPTO-Server are installed on the same server, the CRYPTO-Server RADIUS protocol must be manually configured to use an available port. This is because, by default, Funk SBR locks ports 1812, 1813, 1645, and 1646 for its RADIUS server. d. Click on Edit authentication shared secret and enter the shared secret in the Enter shared secret field. Click Set. e. If you are using a different shared secret for accounting, check the Use different shared secret for accounting box. Then click Edit accounting shared secret and enter the shared secret in the Enter shared secret field. Click Set. f. Check the Include in authentication list box. g. Click Save. Copyright 2006 CRYPTOCard Inc. All Rights Reserved 6

7 4. Select the Configuration radio button. a. Under Authentication methods (in order), select proxy: <your CRYPTOCard server> and click Activate. Use the Up arrow button to move it to the top of the list. b. Highlight the other methods in the list and Deactivate them. c. Click Save. Copyright 2006 CRYPTOCard Inc. All Rights Reserved 7

8 3 CRYPTO-Server Configuration It may be necessary to configure the CRYPTO-Server to accept RADIUS communication from the Funk SBR server host. 1. Open the CRYPTO-Console and connect to the CRYPTO-Server. Select Server System Configuration. 2. Select the RADIUSProtocol Entity and look at the Value corresponding to the NAS.2 Key. The Value of this Key defines which RADIUS clients are allowed to connect to the CRYPTO-Server and the shared secret they must use. By default, the CRYPTO-Server is configured to listen for RADIUS protocol requests from any host on the same subnet, using a shared secret of testing123. If a client is not within the NAS.2 IP address range it must be added. You can define as many RADIUS clients as desired by adding NAS.# entries to the CRYPTO-Server configuration. Right-click on the RADIUSProtocol Entity and select New Key-Value. The syntax of a NAS.x Key Value is: <First IP>, <Last IP>, <Hostname>, <Shared Secret>, <Perform Reverse Lookup?>, <Authentication Protocols> <First IP>: is the first IP address of the RADIUS client(s) configured in this NAS.# key. <Last IP>: is the last IP address of the RADIUS client(s) configured in this NAS.# key. If only one IP address is defined by a NAS.# key, the <First IP> and <Last IP> will be the same. <Hostname>: only applies in cases where the NAS.# key is for one host. It is required for performing reverse lookup. <Shared Secret>: is a string used to encrypt the password being sent between the CRYPTO-Server and the RADIUS client. You will need to enter the exact same string into the RADIUS client. The <Shared Secret> string can be any combination of numbers and uppercase and lowercase letters. <Perform Reverse Lookup?>: is an added security feature of the CRYPTO-Server that verifies the authenticity of a RADIUS client by cross-checking its IP address with the Domain Name Server. If this value is set to true, when the CRYPTO-Server receives a RADIUS request from the RADIUS client defined by this NAS.# entry, it sends a request to the DNS using the <Hostname> set in the NAS.# entry. The DNS should respond with the same IP address as configured in the NAS.# entry, otherwise the CRYPTO-Server assumes that the RADIUS packet is coming from some other host posing as the RADIUS client and ignores the request (also known as a man in the middle attack). <Authentication Protocols>: Currently, PAP and MSCHAPv2 are the available authentication protocols for RADIUS clients. These are entered as PAPCHAP and MSCHAP, respectively. Copyright 2006 CRYPTOCard Inc. All Rights Reserved 8

9 4 Configuring CRYPTO-Server To Use Different RADIUS Ports If Funk SBR server and CRYPTO-Server are installed on the same server, the CRYPTO- Server RADIUS protocol must be manually configured to use an available port. This is because, by default, Funk SBR uses ports 1812, 1813, 1645, and 1646 for its RADIUS server. 1. Open the CRYPTO-Console and connect to the CRYPTO-Server. Select Server System Configuration. 2. Select the RADIUSProtocol Entity and look at the Value corresponding to the Host Key. Edit the Value of this Key to specify available ports for RADIUS authentication and RADIUS accounting. By default, the RADIUS protocol is configured to listen on UDP ports 1812 for RADIUS authentication and 1813 for RADIUS accounting. 3. Apply the change and restart the CRYPTO-Protocol service/daemon. 4. Check the RADIUSProtocol.dbg log to verify that the CRYPTO-Server RADIUS server is listening on the new ports specified in step 2. Copyright 2006 CRYPTOCard Inc. All Rights Reserved 9

10 5 Troubleshooting If users repeatedly fail CRYPTOCard authentication, some possible causes are: The Funk SBR system has not been configured as a valid NAS for the RADIUS protocol. From Server System Configuration, add a NAS entry for the Funk SBR server to the RADIUSProtocol Entity. Apply the change and restart the CRYPTO-Protocol Server service. The remote user s token has become out-of-sync with CRYPTO-Server. Test the token from the CRYPTO-Console and provide the 8-digit challenge to the remote user. Have the remote user resynchronize his token using the challenge provided. Alternatively, increase the value for the CRYPTO-Server look-ahead by editing the Token Entity s MaxForward Key. The remote user has a hardware token configured for the PIN to be stored on the server. Ensure that the remote user is entering his PIN plus the passcode from the token. Alternatively, reset the PIN for the remote user via the CRYPTO-Console. The remote user s token has become locked. For software and Smart card tokens, reissue the token to the remote user. For hardware tokens with the PIN stored on the server, re-enable the token by changing its state from Locked to Active. There is a Shared Secret key mismatch between the Funk SBR server and the CRYPTO- Server. Verify this value on both platforms. If authentication requests do not reach the CRYPTO-Server, some possible causes are: A firewall exists between the Funk SBR server and CRYPTO-Server. Ensure that the RADIUS ports (e.g. UDP 1812 and 1813) that are configured for communication between the Funk SBR server and CRYPTO-Server are open on the firewall to allow RADIUS traffic. The RADIUS ports configured on the Funk SBR server for communication with the CRYPTO-Server are incorrect. Verify the RADIUS ports being used by the CRYPTO- Server. CRYPTO-Server Log Files To aid in troubleshooting authentication issues, review the information in the RADIUSProtocol.dbg and cryptocard.log files. A higher level of debugging information can be displayed in the RADIUSProtocol.dbg file by selecting the RADIUSProtocol Entity and enabling the DebugLog.Enabled Key (by setting the Value to true). Apply the change and restart the CRYPTO-Protocol service. For CRYPTO-Server installed on Windows, the default log file location is: \CRYPTOCard\CRYPTO-Server\log Copyright 2006 CRYPTOCard Inc. All Rights Reserved 10

11 For CRYPTO-Server installed on SuSE Enterprise 9 or Red Hat Enterprise 3.0 or 4.0, the default log file location is: /usr/local/cryptocard/cryptoserver/log For CRYPTO-Server installed on Mac OSX 10.3 or 10.4, the default log file location is: /Applications/CRYPTO-Server/log Copyright 2006 CRYPTOCard Inc. All Rights Reserved 11