DualShield for Implementation Guide (Version 5.2) Copyright 2011 Deepnet Security Limited Copyright 2011, Deepnet Security. All Rights Reserved. Page 1
Trademarks DualShield Unified Authentication, MobileID, QuickID, PocketID, SafeID, GridID, FlashID, SmartID, TypeSense, VoiceSense, MobilePass, DevicePass, RemotePass and Site Stamp are trademarks of Deepnet Security Limited. All other brand names and product names are trademarks or registered trademarks of their respective owners. Copyrights Under the international copyright law, neither the Deepnet Security software or documentation may be copied, reproduced, translated or reduced to any electronic medium or machine readable form, in whole or in part, without the prior written consent of Deepnet Security. Licence Conditions Please read your licence agreement with Deepnet carefully and make sure you understand the exact terms of usage. In particular, for which projects, on which platforms and at which sites, you are allowed to use the product. You are not allowed to make any modifications to the product. If you feel the need for any modifications, please contact Deepnet Security. Disclaimer This document is provided as is without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the document. Deepnet Security may make improvements of and/or changes to the product described in this document at any time. Contact If you wish to obtain further information on this product or any other Deepnet Security products, you are always welcome to contact us. Deepnet Security Limited Northway House 1379 High Road London N20 9LP United Kingdom Tel: +44(0)20 8343 9663 Fax: +44(0)20 8446 3182 Web: www.deepnetsecurity.com Email: support@deepnetsecurity.com Copyright 2011, Deepnet Security. All Rights Reserved. Page 2
Table of Contents 1. Overview... 4 2. Preparation... 5 3. Configuration... 6 4. Authentication... 12 5. On-Demand Password... 13 5.1 Challenge & Response...13 5.2 Test Authentication...15 5.3 DualShield UAG Agent...16 5.4 Test Authentication...20 Copyright 2011, Deepnet Security. All Rights Reserved. Page 3
1. Overview This implementation guide describes how to protect with two-factor authentication with the DualShield unified authentication platform. supports external authentication servers including Active Directory and RADIUS, and it also supports chained authentication. By leveraging those features in UAG, we can implement a two-factor authentication in UAG system in which the first factor will be the user s static password and second factor will be a one-time password. The user s static password will be authenticated by the customer s Active Directory server (domain controller) and the user s one-time password will be authenticated by the DualShield authentication server via RADIUS. DualShield provides a wide selection of portable one-time password tokens in a variety of form factors, ranging from hardware tokens, software tokens, mobile tokens to USB tokens. These include: Deepnet SafeID Deepnet MobileID Deepnet GridID Deepnet CryptoKey RSA SecurID VASCO DigiPass Go OATH-compliant OTP tokens In addition to the support of one-time password, DualShield also supports on-demand password for RADIUS authentication. The product that provides on-demand password in the DualShield platform is Deepnet T-Pass. Deepnet T-Pass is an on-demand, token-less strong authentication that delivers logon passwords via SMS texts, phone calls, twitter direct messages or email messages. The complete solution consists of the following components: DualShield Radius Server DualShield Authentication Server Copyright 2011, Deepnet Security. All Rights Reserved. Page 4
2. Preparation Prior to configuring UAG for two-factor authentication, you must have the DualShield Authentication Server and DualShield Radius Server installed and operating. For the installation, configuration and administration of DualShield Authentication and Radius servers, please refer to the following documents: DualShield Authentication Platform Installation Guide DualShield Authentication Platform Quick Start Guide DualShield Authentication Platform Administration Guide DualShield Radius Server - Installation Guide You also need to have a RADIUS application created in the DualShield authentication server. The application will be used for the two-factor authentication in UAG. The document below provides detailed instructions for RADIUS authentication with the DualShield Radius Server: VPN & RADIUS - Implementation Guide As an example in this document, we are going to going to add two-factor authentication to an OWA portal. Assuming that the OWA portal is already setup and operating. If you are new to UAG, please refer to the article below for instruction of publishing OWA on a UAG portal: http://technet.microsoft.com/en-us/library/ee921443.aspx Copyright 2011, Deepnet Security. All Rights Reserved. Page 5
3. Configuration The first stage is to add two authentication servers: Active Directory and DualShield Radius server to your UAG. 1. In the main menu, select Admin Authentication and Authorization Servers 2. Click Add 3. Select Active Directory as the Server Type Enter the Server Name Click Define to define your domain controller Configure the Base DN Specify the access user and its password Click OK to save it Copyright 2011, Deepnet Security. All Rights Reserved. Page 6
4. Click Add again 5. Select RADIUS as the Server Type Enter the Server Name, e.g. DualShield Set the IP address and port number of the DualShield RADIUS server If you have installed a second DualShield Radius server then enter this as the alternate Enter the shared Secret Key Leave Support challengeresponse mode unchecked. We will cover this option later Click Save to save Copyright 2011, Deepnet Security. All Rights Reserved. Page 7
Now, we have added two authentication servers The second stage is to add chained authentication to the truck that you wish to enable two-factor authentication. 1. Select an existing truck that you wish to configure, in this example OWA under HTTP connections. 2. Click the Configure button in the Trunk Configuration section 3. Click the "Authentication Tab 4. Click the Add button and select AD first, then select DualShield Copyright 2011, Deepnet Security. All Rights Reserved. Page 8
5. a chained authentication with AD as the first and DualShield as the second server is now added Tick Require users to authenticate at session logon Select Require users to authenticate to each server, and tick Authenticate to each server with the same user name Finally, click the Activate Configuration icon on the toolbar to save and activate the changes. The third stage is to configure the DualShield server to add UAG as a Radius client and to create a Radius application with a logon procedure. Create a new logon procedure 1. Login to the DualShield management console 2. In the main menu, select Authentication Logon Procedure 3. Click the Create button on the toolbar 4. Enter Name and select RADIUS as the Type 5. Click Save 6. Click the Context Menu icon of the newly create logon procedure, select Logon Steps 7. In the popup windows, click the Create button on the toolbar 8. Select One-Time Password as the authenticator Copyright 2011, Deepnet Security. All Rights Reserved. Page 9
9. Click Save Create a new application 1. In the main menu, select Authentication Applications 2. Click the Create button on the toolbar 3. Enter Name 4. Select Realm 5. Select the logon procedure that was just created 6. Click Save Add UAG as a Radius client 1. In the main menu, select RADIUS Clients 2. Click the Register button on the toolbar Copyright 2011, Deepnet Security. All Rights Reserved. Page 10
3. Select the application that was created in the previous steps 4. Enter UAG s IP in the IP address 5. Enter the Shared Secret and make sure it is identical to the shared secret defined in the Radius server settings in the UAG. 6. Click Save We have now completed all necessary stages and steps in setting up two-factor authentication in UAG with DualShield. In our example, we have added a chained authentication to a OWA portal with two authentication factors, AD static password and DualShield one-time password. Let us proceed to testing the authentication. Copyright 2011, Deepnet Security. All Rights Reserved. Page 11
4. Authentication Launch your web browser and connect to the OWA portal. User will now be asked to provide both AD Password and DualShield Password. The DualShield password is defined the logon procedure in your DualShield server. In our example, we defined One-Time Password in the logon procedure. Which means that users will be able to use any one-time password token supported by the DualShield to authenticate to the OWA portal. You can also add the On-Demand Password to the list of authenticator in your logon procedure. Your users will now be able to use Deepnet T-Pass as well to authenticate to OWA. Copyright 2011, Deepnet Security. All Rights Reserved. Page 12
5. On-Demand Password If you enable On-Demand Password in DualShield, then your users will be able to use Deepnet T-Pass as their authentication method. A typical question with On-Demand password is how can users request to have their password delivered in real time? Using the configuration that we have set up in above steps, users can t request to have their password delivered in real time. Users will need to have a password pre-delivered before they can logon. The system administrator can push out on-demand passwords to users, or users can use the self-service console to obtain an on-demand password. Once a user has successfully logged in, the DualShield server will then automatically send out a new password to be used by the user at next logon. Fortunately, there are two alternative solutions that will enable users to request ondemand password in real time at logon. The first solution is to utilise Radius challenge & response which is supposed by UAG. The second solution is to install the DualShield UAG Agent. 5.1 Challenge & Response To implement this real-time delivery solution by leveraging Radius challenge & response, we need to make the following changes. 1. In UAG, change the DualShield RADIUS server settings Enable the option Support challenge-response mode Copyright 2011, Deepnet Security. All Rights Reserved. Page 13
2. Configure the Trunk settings Switch the order of the AD and DualShield so that DualShield is the first server and AD is the second server 3. Click Activate Configuration icon on the toolbar to save and activate changes. 4. In DualShield, change the logon procedure to make it two steps The first step is Static Password The second step is On- Demand Password Optional, you can also add On-Time Password in the second step Copyright 2011, Deepnet Security. All Rights Reserved. Page 14
5.2 Test Authentication Now, when users attempt to logon to the OWA portal Users will be asked to provide DualShield Password and AD Password. Users must enter their static password in both the DualShield Password and AD Password field. Click Logon. If the credentials provided are correct, the DualShield server will automatically generate an on-demand one-time password and deliver it to the user in the defined delivery channel (email, SMS etc). On the next screen, the OWA portal will ask the user to enter a one-time password. Copyright 2011, Deepnet Security. All Rights Reserved. Page 15
5.3 DualShield UAG Agent DualShield UAG Agent is a simple plugin that enables users to request on-demand password at logon. Essentially, it adds 4 clickable icons on the UAG s logon page: In install the DualShield UAG Agent, follow steps below. 1. Follow instructions in the "Microsoft TMG - Implementation Guide", section 5.1 to 5.4, to publish the DualShield Provisioning Service (DPS) web site. 2. Copy all files in the "scripts" folder in DualShieldUAG-1.1.zip to: C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\scripts 3. Copy all files in the "images" folder in DualShieldUAG.1.1.zip to: Copyright 2011, Deepnet Security. All Rights Reserved. Page 16
C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\images 4. Copy all files in the "css" folder in DualShieldUAG.1.1.zip to: C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\css 5. Open the file below in a text editor C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\scripts\jquery.dps.js Replace the URL in the first line which reads: var DPS_Host = 'http://mail.deepnettest32.com:8072'; with the real URL of your DPS. 6. Open the file below in a text editor C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\{Trunk Name}\Login.asp In which, {Trunk Name} is the name of the trunk that you wish to add the DualShield UAG agent, e.g. OWA C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\OWA\Login.asp Locate the following line of text in the file: <LINK rel="stylesheet" type="text/css" href="<%=application(g_site_name&g_secure&template_css)%>"> Insert the following line of text underneath the above line: <LINK rel="stylesheet" type="text/css" href="/internalsite/css/dualshield.css"> Copyright 2011, Deepnet Security. All Rights Reserved. Page 17
Append the following lines of text to the end of the file: <script language="javascript" src="/internalsite/scripts/jquery.1.7.min.js" type="text/javascript"></script> <script language="javascript" src="/internalsite/scripts/jquery.json.2.3.min.js" type="text/javascript"></script> <script language="javascript" src="/internalsite/scripts/jquery.blockui.js" type="text/javascript"></script> <script language="javascript" src="/internalsite/scripts/jquery.dps.js" type="text/javascript"></script> Save the file. 7. Configue the Truck settings, in the "URL Set" tab add the following rules: Name: Action: Url: Paramerts: Methods: Name: Action: Url: Paramerts: Methods: InternalSite_Rule100 Accept /internalsite/scripts/jquery.*\.js Reject GET InternalSite_Rule101 Accept /internalsite/css/dualshield.css Reject GET Copyright 2011, Deepnet Security. All Rights Reserved. Page 18
8. Save and activate the changes 9. In the DualShield Management Console, make sure that the logon procedure is one step only and it contains On-Demand Password Copyright 2011, Deepnet Security. All Rights Reserved. Page 19
10. In the DualShield Management Console, make sure that the Provisioning Server is connected to the application: 5.4 Test Authentication Now, when users attempt to logon to the portal To request an on-demand password, users will firstly enter their User Name and AD Password, and then click one of the delivery icons (e.g. the Email icon). If the credentials provided are correct, DPS server will generate an on-demand one-time password ( Passcode ) and deliver it to the user in the defined delivery channel (e.g. email). --- END --- Copyright 2011, Deepnet Security. All Rights Reserved. Page 20