CRYPTOCard Migration Agent for CRYPTO-MAS
Version 1.0
2009 CRYPTOCard Corp. All rights reserved.
http://www.cryptocard.com
Trademarks

CRYPTOCard and the CRYPTOCard logo are registered trademarks of CRYPTOCard Corp. in Canada and/or other countries. All other goods and/or services mentioned are trademarks of their respective companies.

License agreement

This software and the associated documentation are proprietary and confidential to CRYPTOCard, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person. No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability. This software is subject to change without notice and should not be construed as a commitment by CRYPTOCard.

Note on encryption technologies

This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product.

Contact Information

CRYPTOCard's technical support specialists can provide assistance when planning and implementing CRYPTOCard in your network. In addition to aiding in the selection of the appropriate authentication products, CRYPTOCard can suggest deployment procedures that provide a smooth, simple transition from existing access control systems and a satisfying experience for network users. We can also help you leverage your existing network equipment and systems to maximize your return on investment. CRYPTOCard works closely with channel partners to offer worldwide Technical Support services. If you purchased this product through a CRYPTOCard channel partner, please contact your partner directly for support needs.
To contact CRYPTOCard directly:
International Voice: +1-613-599-2441
North America Toll Free: 1-800-307-7042
support@cryptocard.com

For information about obtaining a support contract, see our Support Web page at http://www.cryptocard.com. Go to the CRYPTOCard corporate web site for regional Customer Support telephone and fax numbers: http://www.cryptocard.com

CRYPTOCard Migration Agent for CRYPTO-MAS i
Publication History

Date        Changes
2009.09.04  Draft release
2009.09.15  Initial release to accompany Field Trials
2009.09.24  Minor changes to initial draft
2009.09.25  Minor changes for Launch Release
Table of Contents

CRYPTOCARD MIGRATION AGENT OVERVIEW ... 1
Installation ... 3
Installing IAS and NPS ... 3
INSTALLATION OF THE CRYPTOCARD MIGRATION AGENT FOR IAS ... 4
CONFIGURE IAS TO USE THE CRYPTOCARD MIGRATION AGENT ... 5
Configure Microsoft IAS for RADIUS Client(s) ... 5
Create a Remote RADIUS Server Group ... 6
Create a Remote Access Policy ... 8
Create a Connection Request Policy ... 9
INSTALLATION OF THE CRYPTOCARD MIGRATION AGENT FOR NPS ... 11
CONFIGURE NPS TO USE THE CRYPTOCARD MIGRATION AGENT ... 12
Configure Microsoft NPS for RADIUS Client(s) ... 12
Create a Remote RADIUS Server Group ... 13
Creating a Connection Request Policy ... 15
TROUBLESHOOTING THE CRYPTOCARD MIGRATION AGENT FOR IAS / NPS ... 18
IAS / NPS logs ... 18
CRYPTOCard Migration Agent Logging Level ... 20
CRYPTOCard Migration Agent Overview

This document presents an overview of the CRYPTOCard Migration Agent and the steps necessary to configure RADIUS proxy authentication. In this document we will show you:
- What the CRYPTOCard Migration Agent is and how it works
- How to implement the Agent within your network
- Steps to take to re-configure your existing Authentication server
- Steps to take to add CRYPTO-MAS to your network
- How to diagnose potential installation problems

The CRYPTOCard Migration Agent is a freely distributed application which allows ANY RADIUS based device or application to communicate with both an existing Authentication server and CRYPTOCard's Passwords-as-a-Service solution CRYPTO-MAS within the same access network. The purpose of the Agent is to provide a low-investment, controlled and interruption-free migration from a 3rd party authentication server, such as RSA Authentication Manager, to CRYPTO-MAS. It allows both authentication solutions to work in parallel so that CRYPTO-MAS can gradually replace the existing authentication server as the primary server, reducing the need for a wholesale change of existing tokens and instead allowing tokens to be replaced when they are faulty or at the end of the license period.

The CRYPTOCard Migration Agent leverages the RADIUS components of IAS on Windows Server 2003 or NPS on Windows Server 2008. The agent intercepts RADIUS requests from the access device/application and handles all of the authentication processes with the existing authentication server and CRYPTO-MAS.

To enable the CRYPTOCard Migration Agent to accept RADIUS authentication requests you must:
- Have either the Windows IAS or NPS Windows component installed within your network
- Install the CRYPTOCard Migration Agent on the machine that is hosting IAS or NPS
- Enable RADIUS authentication on the existing server (your service provider will help you achieve this)
All servers are likely to have this capability, but it may not be enabled, as some vendors recommend the use of proprietary protocols. RADIUS is an industry standard protocol, and if a change is required it will not result in the loss of critical authentication functionality.

In the diagram below, the existing authentication server continues as the primary authentication server, while CRYPTO-MAS is added to the network to act as the secondary authentication server.
Figure 1: CRYPTOCard Migration Agent

With the CRYPTOCard Migration Agent acting as an intermediate authentication server, the authenticated connection sequence is as follows:
1. RADIUS requests received by Microsoft IAS/NPS from devices such as VPNs, firewalls and other RADIUS clients such as web applications are passed to the CRYPTOCard Migration Agent. The CRYPTOCard Migration Agent forwards the RADIUS authentication request to its Primary RADIUS Server entry (e.g. RSA, VASCO, Aladdin, et al.).
2. If the user credentials are valid, an Access-Accept is sent back to the Agent, which forwards it to the access device, and the user gains access to the network resource.
3. If the user credentials are invalid, an Access-Reject is returned and the CRYPTOCard Migration Agent forwards the RADIUS authentication request to its Secondary RADIUS Server entry (i.e. CRYPTO-MAS).
4. If the user's credentials are valid, an Access-Accept is sent back and the user gains access to the network resource. An Access-Reject from CRYPTO-MAS means no access for the user.

RADIUS Client configuration guides for a wide range of VPN, firewall and other network access devices or web based applications are available in the Support section of http://www.cryptocard.com/.

It is good practice to test end-to-end RADIUS authentication using static passwords before installing the Agent. This simple step eliminates RADIUS configuration errors, which would otherwise result in the Agent not receiving data from IAS/NPS.
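The following constructed Python model is an added illustration of the forwarding order just described; it is not the CRYPTOCard agent's own code. It also covers the installer's note that an unreachable Primary falls through to the Secondary, and assumes that a blank Secondary simply yields Access-Reject. Server names, secrets and users are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed simulation of the agent's decision flow (steps 1-4 above).
# Hypothetical names throughout; not the CRYPTOCard Migration Agent's code.


@dataclass
class RadiusServer:
    """Simulated upstream RADIUS server (the existing server or CRYPTO-MAS)."""
    name: str
    secret: str
    users: Dict[str, str]          # constructed username -> accepted password
    reachable: bool = True

    def handle(self, user: str, password: str, secret_used: str) -> Optional[str]:
        # With a mismatched shared secret no valid reply ever reaches the proxy
        # (the authenticator check fails), so it looks exactly like a timeout.
        if not self.reachable or secret_used != self.secret:
            return None
        ok = self.users.get(user) == password
        return "Access-Accept" if ok else "Access-Reject"


@dataclass
class MigrationAgent:
    primary: RadiusServer
    primary_secret: str
    secondary: Optional[RadiusServer] = None   # blank in the installer = no fallback
    secondary_secret: str = ""

    def authenticate(self, user: str, password: str) -> Tuple[str, List[Tuple[str, Optional[str]]]]:
        """Return the reply sent to the RADIUS client plus the per-server trail."""
        trail: List[Tuple[str, Optional[str]]] = []
        reply = self.primary.handle(user, password, self.primary_secret)
        trail.append((self.primary.name, reply))
        if reply == "Access-Accept":
            return reply, trail                      # step 2: accepted, stop here
        # Step 3: Access-Reject (or no reply at all) from the Primary -> Secondary
        if self.secondary is None:
            return "Access-Reject", trail            # assumption: nothing to fall back to
        reply = self.secondary.handle(user, password, self.secondary_secret)
        trail.append((self.secondary.name, reply))
        # Step 4: only an explicit Access-Accept from the Secondary grants access
        return ("Access-Accept" if reply == "Access-Accept" else "Access-Reject"), trail


def demo() -> Dict[str, str]:
    """Run the migration scenarios and return the final reply per scenario."""
    legacy = RadiusServer("legacy", "s3cret-legacy", {"alice": "legacy-otp"})
    mas = RadiusServer("CRYPTO-MAS", "s3cret-mas", {"bob": "mas-otp"})
    agent = MigrationAgent(legacy, "s3cret-legacy", mas, "s3cret-mas")
    results = {
        "alice_on_legacy": agent.authenticate("alice", "legacy-otp")[0],
        "bob_migrated": agent.authenticate("bob", "mas-otp")[0],
        "bad_otp": agent.authenticate("bob", "wrong")[0],
    }
    legacy.reachable = False                 # primary down: falls through to CRYPTO-MAS
    results["bob_primary_down"] = agent.authenticate("bob", "mas-otp")[0]
    results["alice_primary_down"] = agent.authenticate("alice", "legacy-otp")[0]
    return results


if __name__ == "__main__":
    for scenario, reply in demo().items():
        print(f"{scenario:20} {reply}")
```

Note that a user whose token still lives only on the existing server loses access while that server is down, which is the trade-off of the fallback order described above.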
Installation

Installation of the application requires three simple steps:
1. First of all you will need to download the Migration Agent. This will either have been sent to you by your Service Provider or you will need to download it from one of the links below:
   CRYPTOCard RADIUS Proxy.exe for 32 bit servers: http://download.cryptocard.com/packages/radius_proxy/cryptocard_radius_proxy.exe
   CRYPTOCard RADIUS Proxy x64.exe for 64 bit servers: http://download.cryptocard.com/packages/radius_proxy/cryptocard_radius_proxy_x64.exe
2. You will then need to configure the Microsoft IAS/NPS application and install the CRYPTOCard Agent. Installation and configuration instructions for use with Microsoft IAS begin on page 4. Installation and configuration instructions for use with Microsoft NPS begin on page 11.
3. You will need to configure your existing Authentication server to accept RADIUS requests from the CRYPTOCard Migration enabled IAS/NPS agent.

Installing IAS and NPS

On Windows 2003, the Microsoft Internet Authentication Service can be installed from Add/Remove Programs, Add/Remove Windows Components, Networking Services, Internet Authentication Service.

On Windows 2008, the Microsoft Network Policy Server can be installed from Administrative Tools, Server Manager, Roles, Add Roles, Network Policy and Access Services.
Installation of the CRYPTOCard Migration Agent for IAS

1. Log on to the server on which IAS has been installed.
2. Locate and run the installer: CRYPTOCard RADIUS Proxy.exe for 32 bit servers, or CRYPTOCard RADIUS Proxy x64.exe for 64 bit servers.
3. Accept the license agreement to continue with the installation.
4. Enter the hostname or IP address, Port and Shared Secret of the Primary RADIUS Server. (Note: If the Primary Server is unavailable, authentication requests will be forwarded to the Secondary RADIUS server.) Enter the hostname or IP address, Port and Shared Secret of the Secondary RADIUS Server. If you do not have a Secondary RADIUS Server, leave the Secondary RADIUS Server fields blank. Click Next.
Configure IAS to use the CRYPTOCard Migration Agent

Configuring IAS to use the CRYPTOCard Migration Agent requires four steps:
- Configure Microsoft IAS for RADIUS Client(s).
- Create a Remote RADIUS Server Group.
- Create a Remote Access Policy.
- Create a Connection Request Policy.

Configure Microsoft IAS for RADIUS Client(s)

1. Open the Internet Authentication Service Console
2. Select RADIUS Clients
3. Right click and select New RADIUS Client
4. Enter a Friendly name for your remote client/device (e.g. SSL VPN Authentication)
5. Enter the IP address of the client (e.g. the VPN device)
6. Click Next
7. Select a Client-Vendor of RADIUS Standard
8. Enter the Shared secret. This must match the shared secret on the client/device
9. Enter the Confirm shared secret
10. Click Finish to add the client

Create a Remote RADIUS Server Group

1. Open the Internet Authentication Service Console
2. Expand Connection Request Processing
3. Right click on Remote RADIUS Server Groups and select New RADIUS Server Group. A Wizard should pop up. Click Next to dismiss the welcome dialogue.
4. Select Custom, then enter a friendly Group name of CRYPTO-MAS RADIUS Authentication Servers. Click Next
5. Select Add
6. Select the Address tab. In Server: enter auth.cryptocard.com
7. Select Authentication/Accounting. In Authentication Port: enter 1812. In the Shared Secret field: enter the value that was submitted to CRYPTOCard when your network device was activated. Click OK
8. Select Add
9. Select the Address tab. In Server: enter auth2.cryptocard.com
10. Select Authentication/Accounting. In Authentication Port: enter 1812. In the Shared Secret field: enter the value that was submitted to CRYPTOCard when your network device was activated. Click OK
11. Select Load Balancing. In Priority enter 2. Click OK, then Next
12. Remove the checkmark from Start the New Connection Policy Wizard when this wizard closes, then select Finish

Create a Remote Access Policy

1. Open the Internet Authentication Service Console
2. Select Remote Access Policies
3. Select the first policy in the right hand pane, if one exists
4. Select Remote Access Policies again
5. Right click and select New Remote Access Policy. A Wizard should pop up. Click Next to dismiss the welcome dialogue.
6. Select Set up a custom policy
7. Enter a friendly policy name of Allow Authentication to RADIUS Servers. Click Next
8. Click Add
9. Select NAS-Port-Type
10. Click Add
11. Select Ethernet, then click Add
12. Select Grant remote access permission
13. Click Next
14. Click Next to skip changing the profile
15. Click Finish to add the policy.

Create a Connection Request Policy

1. Open the Internet Authentication Service Console
2. Expand Connection Request Processing
3. Select Connection Request Policies
4. Select the first policy in the right hand pane, if one exists.
5. Select Connection Request Policies again
6. Right click and select New Connection Request Policy
7. A Wizard should pop up. Click Next
8. Select A custom policy
9. Enter a policy name of Allow all users to authenticate to RADIUS Server
10. Click Next
11. Click Add
12. Select Day-And-Time-Restriction
13. Click Add
14. Click Permitted
15. Click OK and then click Next.
16. Click Edit Profile
17. Click Forward Requests to the following remote RADIUS server group for authentication. In the dropdown select CRYPTO-MAS RADIUS Authentication Servers
18. Click OK
19. Click Next
20. Click Finish to add the policy.

Note: These changes will not take effect until the IAS service has been restarted.
Installation of the CRYPTOCard Migration Agent for NPS

1. Log on to the server on which NPS has been installed.
2. Locate and run the installer: CRYPTOCard RADIUS Proxy.exe for 32 bit servers, or CRYPTOCard RADIUS Proxy x64.exe for 64 bit servers.
3. Accept the license agreement to continue with the installation.
4. Enter the hostname or IP address, Port and Shared Secret of the Primary RADIUS Server. (Note: If the Primary Server is unavailable, authentication requests will be forwarded to the Secondary RADIUS server.) Enter the hostname or IP address, Port and Shared Secret of the Secondary RADIUS Server. If you do not have a Secondary RADIUS Server, leave the Secondary RADIUS Server fields blank. Click Next.
Configure NPS to use the CRYPTOCard Migration Agent

Configuring NPS to use the CRYPTOCard Migration Agent requires three steps:
- Configure Microsoft NPS for RADIUS Client(s).
- Create a Remote RADIUS Server Group.
- Create a Connection Request Policy.

Configure Microsoft NPS for RADIUS Client(s)

1. Open the Network Policy Server Console
2. Select RADIUS Clients and Servers
3. Right click and select New RADIUS Client
4. Ensure that Enable this RADIUS Client is selected
5. Enter a Friendly name for your remote client (e.g. SSL VPN Authentication)
6. Enter the IP Address of the remote client (e.g. the VPN device)
7. Select a Vendor name of RADIUS Standard
8. Select a Client-Vendor of RADIUS Standard
9. Enter the Shared secret. This must match the shared secret on the client.
10. Re-enter the shared secret in Confirm shared secret
11. Click OK to add the client
Create a Remote RADIUS Server Group

1. Open the Network Policy Server Console
2. Expand RADIUS Clients and Servers
3. Right click on Remote RADIUS Server Groups and select New
4. Enter a Group name of CRYPTO-MAS RADIUS Authentication Servers
5. Select Add
6. Select the Address tab. In Server: enter auth.cryptocard.com
7. Select Authentication/Accounting. In Authentication Port: enter 1812. In the Shared Secret field: enter the value that was submitted to CRYPTOCard when your network device was activated. Click OK
8. Select Add
9. Select the Address tab. In Server: enter auth2.cryptocard.com
10. Select Authentication/Accounting. In Authentication Port: enter 1812. In the Shared Secret field: enter the value that was submitted to CRYPTOCard when your network device was activated. Click OK
11. Select Load Balancing. In Priority enter 2. Click OK.
Creating a Connection Request Policy

1. Open the Network Policy Server Console
2. Expand Policies
3. Select Connection Request Policies
4. Right click and select New
5. The New Connection Request Policy Wizard begins
6. When prompted, enter a policy name of Allow all users to authenticate to Primary RADIUS Server
7. Under Type of network access server select Unspecified.
8. Click Next
9. Click Add from the Specify Condition dialog
10. Select Date and Time Restrictions
11. Click Add
12. Select Permitted and click OK
13. Click Next
14. In the next dialog select Forward requests to the following remote RADIUS Server group for authentication. In the dropdown select CRYPTO-MAS RADIUS Authentication Servers.
15. Select Next
16. Select Next
17. Click Finish to add the policy
18. Under Connection Request Policies, right click on Use Windows Authentication for all users and select Disable

Note: These changes will not take effect until the Network Policy Server service has been restarted.
Configuring your existing Authentication Server

The final step of getting the CRYPTOCard Migration Agent working within your existing network is to configure your primary authentication server to communicate with the Agent. We recommend that you now configure your existing server and test the operation of the Agent prior to adding CRYPTO-MAS into your network. Your Service Provider will help you configure the existing server to communicate with the CRYPTOCard Migration Agent. The following information will be required to allow the agent to be set up:
- Network devices must support the RADIUS Authentication Protocol. Please consult your third party documentation for compatibility.
- If a network device has been configured to perform a proprietary method of authentication, it must be reconfigured to RADIUS authentication (e.g. RSA sometimes recommends the use of a nonstandard protocol).
- UDP ports 1812, 1813, 1645 and 1646 network traffic must be permitted between your network devices and the authentication servers.

Various Third Party integration guides can be found in the Support Section of www.cryptocard.com. If an integration guide cannot be found for your device, please refer to the Third Party vendor documentation to enable RADIUS Authentication.

Everything will now be set up and tested so that any existing users are fully operational.

Setting up CRYPTO-MAS

The next and final step is to add CRYPTO-MAS into the network. To do this we recommend you follow the very simple steps shown in the How to Guide: Setting up your Account on CRYPTO-MAS. It might also be advisable to refer to the CRYPTO-MAS Administrators guide. This will explain how to get your account set up, import the details of the users that you are migrating to CRYPTO-MAS and how to allocate tokens to those users.
Troubleshooting the CRYPTOCard Migration Agent for IAS / NPS

Your CRYPTOCard Migration Agent should now be installed and working with both your existing authentication server and with CRYPTO-MAS. However, if for any reason you are having problems, the following may help you isolate any issues. Naturally, your CRYPTOCard Service Provider will be on hand to help.

IAS / NPS logs

All information exchanged between network devices and the Microsoft IAS RADIUS server is logged in the Event Viewer under System. In the Microsoft NPS RADIUS Server, the information appears in the Event Viewer under Custom Views, Server Roles, Network Policy and Access Services.

Below is an example of a successful IAS authentication request:

User jsmith was granted access.
Fully-Qualified-User-Name = <undetermined>
NAS-IP-Address = <not present>
NAS-Identifier = <not present>
Client-Friendly-Name = 192.168.10.105
Client-IP-Address = 192.168.10.105
Calling-Station-Identifier = <not present>
NAS-Port-Type = <not present>
NAS-Port = <not present>
Proxy-Policy-Name = Allow all users to authenticate to RADIUS Server
Authentication-Provider = RADIUS Proxy
Authentication-Server = auth.cryptocard.com
Policy-Name = <undetermined>
Authentication-Type = <undetermined>
EAP-Type = <undetermined>
Below is an example of a failed IAS authentication request:

User jsmith was denied access.
Fully-Qualified-User-Name = <undetermined>
NAS-IP-Address = <not present>
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = <not present>
Client-Friendly-Name = 192.168.10.105
Client-IP-Address = 192.168.10.105
NAS-Port-Type = <not present>
NAS-Port = <not present>
Proxy-Policy-Name = Allow all users to authenticate to RADIUS Server
Authentication-Provider = RADIUS Proxy
Authentication-Server = auth.cryptocard.com
Policy-Name = <undetermined>
Authentication-Type = <undetermined>
EAP-Type = <undetermined>
Reason-Code = 112
Reason = The remote RADIUS (Remote Authentication Dial-In User Service) server did not process the authentication request.
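As an added example (not part of the original guide or of IAS), the following Python parses event bodies in the format shown above and picks out the denials that came back through the RADIUS Proxy, so that upstream problems with the existing server or CRYPTO-MAS can be separated from local policy decisions. The sample events are constructed copies of the two above, and all helper names are hypothetical.

```python
import re
from typing import List, Optional

# Constructed copies of the two IAS events shown above, one attribute per line
# as they appear in the Event Viewer (trimmed to the attributes used here).
SAMPLE_EVENTS = [
    """User jsmith was granted access.
Fully-Qualified-User-Name = <undetermined>
NAS-IP-Address = <not present>
Client-Friendly-Name = 192.168.10.105
Client-IP-Address = 192.168.10.105
Proxy-Policy-Name = Allow all users to authenticate to RADIUS Server
Authentication-Provider = RADIUS Proxy
Authentication-Server = auth.cryptocard.com""",
    """User jsmith was denied access.
Client-Friendly-Name = 192.168.10.105
Client-IP-Address = 192.168.10.105
Proxy-Policy-Name = Allow all users to authenticate to RADIUS Server
Authentication-Provider = RADIUS Proxy
Authentication-Server = auth.cryptocard.com
Reason-Code = 112
Reason = The remote RADIUS (Remote Authentication Dial-In User Service) server did not process the authentication request.""",
]

HEADER = re.compile(r"^User (\S+) was (granted|denied) access\.$")
ATTR = re.compile(r"^\s*([\w-]+)\s*=\s*(.*?)\s*$")
PLACEHOLDERS = {"<not present>", "<undetermined>"}   # IAS prints these for absent fields


def parse_ias_event(text: str) -> dict:
    """Turn one IAS/NPS access event body into a dict; placeholders become None."""
    lines = text.strip().splitlines()
    head = HEADER.match(lines[0].strip())
    if not head:
        raise ValueError("not an IAS access event: " + lines[0])
    event = {"User": head.group(1), "Granted": head.group(2) == "granted"}
    for line in lines[1:]:
        m = ATTR.match(line)
        if m:
            key, value = m.groups()
            event[key] = None if value in PLACEHOLDERS else value
    return event


def proxy_failures(events: List[str]) -> List[dict]:
    """Denials answered via the RADIUS Proxy, i.e. the upstream server rejected
    or (Reason-Code 112 above) did not process the request; a local policy
    denial would show a different Authentication-Provider."""
    out = []
    for text in events:
        ev = parse_ias_event(text)
        if not ev["Granted"] and ev.get("Authentication-Provider") == "RADIUS Proxy":
            out.append({
                "user": ev["User"],
                "client": ev.get("Client-IP-Address"),
                "server": ev.get("Authentication-Server"),
                "reason_code": ev.get("Reason-Code"),
                "reason": ev.get("Reason"),
            })
    return out


if __name__ == "__main__":
    for f in proxy_failures(SAMPLE_EVENTS):
        print(f"{f['user']} from {f['client']} via {f['server']}: {f['reason_code']} {f['reason']}")
```

A burst of such entries all naming the same Authentication-Server is the first thing to check against the port and shared-secret settings entered for that server in the installer and the Remote RADIUS Server Group.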
CRYPTOCard Migration Agent Logging Level

Logging Level Registry Key

The log level can be changed in the HKEY_LOCAL_MACHINE\SOFTWARE\CRYPTOCard\RadiusProxy\LogLevel registry key. For log levels 1, 2 and 3, only the initial connection between the Agent and the Server and any failed connection attempts are logged. Log level 5 places the log in debug mode.

Log File Location

The default location of the log file is: \Program Files\CRYPTOCard\RadiusProxy\Log\

Note: the IAS/NPS service must be restarted for changes to log settings to take effect.