TippingPoint Best Practice Guide. RADIUS PEAP Configuration for IPS Devices and Cisco ACS. Version:

Similar documents
TippingPoint Intrusion Prevention System Release Notes

How to configure SecureW2

UNIBOX. An Intelligent Network Controller. Knowledge Base: Billing Module

SUPPORT MATRIX. Comtrade OMi Management Pack for Citrix

HP D6000 Disk Enclosure Direct Connect Cabling Guide

Modem Command Guidelines HP Notebook Series

Virtual Recovery Assistant user s guide

Security Management System Release Notes

Worldox Integration with Canon imageformula DR-C225 Scanner. Version 1.0

Wired Dot1x Version 1.05 Configuration Guide

HYCU SCOM Management Pack for F5 BIG-IP

HP 4120 IP Phone. User Guide

HP Velocity User Guide for Thin Clients

Configuring Embedded LDAP Authentication

HP ProLiant Storage Server iscsi Feature Pack

HP UFT Connection Agent

Wireless Data Privacy Configuration Guide. HP ProCurve Secure Access 700wl Series.

SUPPORT MATRIX. HYCU OMi Management Pack for Citrix

HP Video Over Ethernet. User Guide

Zebra Mobile Printer, Zebra Setup Utility, Cisco ACS, Cisco Controller PEAP and WPA-PEAP

Cisco Secure ACS for Windows v3.2 With PEAP MS CHAPv2 Machine Authentication

Guest Management Software Administrator Guide. Installation and Getting Started Guide Administrator Guide

Modem and Networking compaq notebook series

HP ALM Client MSI Generator

SecureW2 Client for Windows Administrator Guide. Version 2.2

Certificate-based authentication for data security

External Devices. User Guide

External Devices User Guide

Secure Access Configuration Guide For Wireless Clients

Partner Information. Integration Overview. Remote Access Integration Architecture

v7.0 Intelligent Management Center MySQL 5.5 Installation and Configuration Guide (for Windows)

External Devices User Guide

hp digital home networking phoneline USB network adapter hn210p quick start guide

HP VSR1000 Virtual Services Router

HPE ALM Client MSI Generator

HP 10500/ G Unified Wired-WLAN Module

HP 6125 Blade Switch Series

WIDS Technology White Paper

Legal and notice information

Install Certificate on the Cisco Secure ACS Appliance for PEAP Clients

LAB: Configuring LEAP. Learning Objectives

Configuring Security Mitigation Settings for Security Bulletin HPSBPI03569 Protecting Solution Installation Settings

Deployment Guide. ICA Proxy for Citrix Receiver with SMS Authentication. Access Gateway Enterprise Edition XenApp XenDesktop

Replacing the Battery HP t5730 and t5735 Thin Clients

Secure ACS for Windows v3.2 With EAP TLS Machine Authentication

SPNEGO SINGLE SIGN-ON USING SECURE LOGIN SERVER X.509 CLIENT CERTIFICATES

HPE Security ArcSight SmartConnectors. Format Preserving Encryption Environment Setup Guide

Authenticating Cisco VCS accounts using LDAP

HP 6125 Blade Switch Series

Achieve Patch Currency for Microsoft SQL Server Clustered Environments Using HP DMA

Cisco Expressway Authenticating Accounts Using LDAP

Copyright 2015 YEALINK NETWORK TECHNOLOGY CO., LTD.

Computer Setup (F10) Utility Guide HP Compaq d220 and d230 Microtower

About the HP 830 Series PoE+ Unified Wired-WLAN Switch and HP 10500/ G Unified Wired-WLAN Module

HP Intelligent Management Center SOM Administrator Guide

External Media Cards User Guide

SQL Server Installation and Configuration Guide. Abstract

Models HP Security Management System XL Appliance with 500-IPS System License

IDE Connector Customizer Readme

Release Notes: ProCurve Identity Driven Manager Version 2.0, Update 2

Managing External Identity Sources

Release Notes: ProCurve Mobility Manager Version 1.0, Update 1

Cisco TelePresence Authenticating Cisco VCS Accounts Using LDAP

Release Notes: Version PK.1.4 Software

MCSA Guide to Networking with Windows Server 2016, Exam

HP ALM. Software Version: patch 2. Business Views Microsoft Excel Add-in User Guide

HYCU SCOM Management Pack for Nutanix

Symantec Managed PKI. Integration Guide for ActiveSync

HP Service Health Reporter

External Devices User Guide

About the Configuration Guides for HP Unified

HP OfficeJet 200 Mobile Printer series. Bluetooth Setup Guide

Skynax. Remote Assist Console. User Guide

WLAN high availability

Installation and Configuration Guide

Patrice M. Anderson Instructional Designer

Computer Setup (F10) Utility Guide HP Elite 7000 MT Series PCs

Creating and Installing SSL Certificates (for Stealthwatch System v6.10)

Release Notes: Version Operating System

HPE Security ArcSight Connectors

Wall-Mounting your HP TouchSmart. User Guide

HP StorageWorks 4000/6000/8000 Enterprise Virtual Array connectivity for Sun Solaris installation and reference guide

HP Fortify Scanning Plugin for Xcode

Network Security 1. Module 7 Configure Trust and Identity at Layer 2

Configuring SSL. SSL Overview CHAPTER

Configure 802.1x - PEAP with FreeRadius and WLC 8.3

Zebra Setup Utility, Zebra Mobile Printer, Cisco ACS, Cisco Access Point, EAP-FAST, WPA-EAP-FAST

HP Enterprise Integration module for SAP applications

Configuring RAID with HP Z Turbo Drives

HP AutoPass License Server

HP MSM Series. Setup Guide

Standardize Microsoft SQL Server Cluster Provisioning Using HP DMA

HYCU SCOM Management Pack for F5 BIG-IP

Manual Instructions for SAP Note CRA: Configuration for the CRA report

Software Feature Index for the ProCurve Switch 3500yl/5400zl/6200yl Series

Release Notes: ProCurve Network Immunity Manager Version 1.0, Update 3

Phone Agent Solidus ecare USER GUIDE

Zebra Setup Utility, Zebra Mobile Printer, Microsoft NPS, Cisco Controller, PEAP and WPA-PEAP

HP LF Printing Knowledge Center

HP Intelligent Management Center v7.1 MySQL 5.6 Installation and Configuration Guide (Windows)

Transcription:

TippingPoint Best Practice Guide RADIUS PEAP Configuration for IPS Devices and Cisco ACS Version: 16.1.1

Copyright Statement Copyright 2016 Trend Micro. Trend Micro Incorporated ( Trend Micro ) makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Trend Micro shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material. This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Trend Micro. The information is provided as is without warranty of any kind and is subject to change without notice. The only warranties for Trend Micro products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Trend Micro shall not be liable for technical or editorial errors or omissions contained herein. Page 2 of 12 Version 16.1.1

Table Of Contents TABLE OF CONTENTS 1. Introduction...4 2. Description...4 3. Configure the RADIUS server...5 3.1. Install the certificates on the RADIUS server...6 Installing Root and Intermediate certificates... 6 Installing Leaf-level certificates... 8 4. RADIUS server configuration using the SMS... 10 5. RADIUS server configuration using the LSM... 11 Page 3 of 12 Version 16.1.1

1. Introduction This document describes how to configure a Remote Authentication Dial-In User Service (RADIUS) server (for this deployment, a Cisco Secure ACS RADIUS server) and the HP TippingPoint Intrusion Protection System (IPS) device (via SMS or LSM) using PEAP/EAP- MSCHAPv2 authentication for the X.509 certificate chains. 2. Description The IPS device supports three types of RADIUS authentication: PAP EAP-MD5-Challenge PEAP/EAP-MSCHAPv2 For successful authentication to take place using the PEAP/EAP-MSCHAPv2 protocol, the IPS device must verify (during the RADIUS-PEAP handshake) that the RADIUS server's certificate matches a root certificate on its local certificate store. To enable authentication, you must configure the entire certificate chain (Root, Intermediate, and Leaf-level) on the RADIUS server, but configure only the Root certificate on the IPS device. The IPS device can then look in its certificate store for the corresponding root CA used by the RADIUS server during the handshake. When the IPS device recognizes the root CA, the RADIUS server sends the remainder of the certificate chain to the IPS and the authentication process is completed. Page 4 of 12 Version 16.1.1

3. Configure the RADIUS server A RADIUS server can receive its certificate from either the certificate authority (CA) of your organization or from a public CA. This sample deployment uses the following certificate chain on a Cisco Secure ACS RADIUS server: Root CA hp-tpt-ca.pem (DaRoot) Intermediate CA hp-tpt-ca-int.pem (Zintermediate) Leaf-level Server hp-tpt-server1.pem (server1.hp-tpt.com) Note: Certificate files have different extensions (.pem,.crt,.cer) to show different formats used to store them. You can convert them from one format to another using free online tools. Page 5 of 12 Version 16.1.1

3.1. Install the certificates on the RADIUS server Note: Three certificates need to be installed on the RADIUS server; Root, Intermediate and Leaf-Level Installing Root and Intermediate certificates 1. On the left menu pane, select Users and Identify Stores and then click on Certificate Authorities. The right pane shows the list of current certificate authority s configured on the server. 2. Click Add. The Certificate File to Import screen is displayed 3. Click Browse and locate the Trusted CA certificate file 4. Click Submit. Page 6 of 12 Version 16.1.1

You are returned Certificates Authorities screen. 5. Repeat the steps 1 thru 4 above for the other certificate. Once completed, the Certificates Authorities screen will list both the Root CA and the Intermediate CA certificates you added. Page 7 of 12 Version 16.1.1

Installing Leaf-level certificates 1. To add the Leaf-level certificate, select System Administration > Configuration > Local Server Certificates and click Local Certificates. 2. The right pane lists all the local certificates available on the device. 3. Click Add. 4. In the Step 1: Import Server Certificate page, select the Import Server Certificate option and click Next. Page 8 of 12 Version 16.1.1

5. In the Step 2: Import Server Certificate page, specify the following information to identify the certificate to import: Location of the server Certificate file Location of the server Private Key file Private Key Password of the certificate 6. Select EAP as the protocol. 7. Click Finish. The Local Certificates screen lists the entire certificate chain that you have configured on the RADIUS server. Page 9 of 12 Version 16.1.1

4. RADIUS server configuration using the SMS 1. Use your SMS appliance to manage the HP TippingPoint security device that you want connected to the RADIUS server. 2. Right-click on the device and select Edit > Device Configuration. The Device Configuration dialog is displayed. 3. Click Authentication Preferences. 4. Select RADIUS as Authentication Source for the remote authentication. 5. Click Edit for the entry you want to configure. The RADIUS Server Configuration dialog is displayed. 6. Use the remaining steps and the following figure to configure the RADIUS server. Specify the RADIUS server's IP address, port, authentication protocol, and secret. b. Click Import to import the Root CA certificate only. c. Click OK to save the configuration before testing it. d. Return to the RADIUS Server Configuration dialog and specify the user name and password for the server. Page 10 of 12 Version 16.1.1

e. Click Test. A popup message will confirm whether a successful connection to the server was established. 5. RADIUS server configuration using the LSM 1. Log in to the LSM as a user with device administrator privileges. 2. In the left pane, expand the Authentication menu and click X.509 Certificates. 3. On the X.509 Certificates page, browse to the location of the Root CA certificate (hp-tptca.pem) that was configured on the Cisco ACS server and click Import. The certificate is displayed in the Current Certificate Authorities panel. Page 11 of 12 Version 16.1.1

4. From the left pane, select System > Remote Servers. 5. On the Remote server s page, select RADIUS Remote Authentication and click Edit for the RADIUS server entry you want to configure. The Edit Primary RADIUS Server dialog box is displayed. 6. Specify the RADIUS server by supplying the same identifying information you configured previously. 7. When using the LSM to configure the RADIUS server, you do not need to apply your changes before testing the connection. 8. Click Test. A message is generated indicating whether a connection was successful or not. 9. If the connection was successful, click Apply to save your configuration. Page 12 of 12 Version 16.1.1

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback