WatchGuard Firebox and MUVPN. Quick Start Guide. Copyright CRYPTOCard Corporation All Rights Reserved

Similar documents
Cisco PIX. Quick Start Guide. Copyright 2006, CRYPTOCard Corporation, All Rights Reserved

Checkpoint VPN-1 NG/FP3

Cisco Secure ACS 3.0+ Quick Start Guide. Copyright , CRYPTOCard Corporation, All Rights Reserved

Implementing CRYPTOCard Authentication. for. Whale Communications. e-gap Remote Access SSL VPN

Implementation Guide for Funk Steel-Belted RADIUS

F-Secure SSH and OpenSHH. VPN Authentication Configuration Guide. Copyright 2005 CRYPTOCard Corporation All Rights Reserved

ISA 2006 and OWA 2003 Implementation Guide

Citrix Access Gateway Implementation Guide

Implementation Guide for protecting Juniper SSL VPN with BlackShield ID

Integration Guide. LoginTC

Implementation Guide for protecting. SonicWall Security Appliances. with. BlackShield ID

Remote Support Security Provider Integration: RADIUS Server

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Pulse Connect Secure 8.x

Implementation Guide for protecting. CheckPoint Firewall-1 / VPN-1. with. BlackShield ID

RSA SecurID Ready with Wireless LAN Controllers and Cisco Secure ACS Configuration Example

Security Provider Integration RADIUS Server

CRYPTOCard Migration Agent for CRYPTO-MAS

Ericom PowerTerm WebConnect

How to Integrate RSA SecurID with the Barracuda Web Application Firewall

Barracuda Networks NG Firewall 7.0.0

Configure the Cisco VPN 3000 Series Concentrators to Support the NT Password Expiration Feature with the RADIUS Server

Barracuda SSL VPN Integration

Barracuda Networks SSL VPN

MCSA Guide to Networking with Windows Server 2016, Exam

Configuring Funk RADIUS to Authenticate Cisco Wireless Clients With LEAP

Configuring the Cisco VPN 3000 Concentrator with MS RADIUS

Integration Guide. SafeNet Authentication Service (SAS)

SC-3 USB Token. QUICK Reference. Copyright 2007 CRYPTOCard Corporation All Rights Reserved

How to Configure Authentication and Access Control (AAA)

VMware View (Horizon)

NetIQ Advanced Authentication Framework - Extensible Authentication Protocol Server. Administrator's Guide. Version 5.1.0

Accessing Positive Networks on an ipad/iphone

ActivIdentity 4TRESS AAA Web Tokens and F5 BIG-IP Access Policy Manager. Integration Handbook

Zebra Setup Utility, Zebra Mobile Printer, Microsoft NPS, Cisco Controller, PEAP and WPA-PEAP

Two factor authentication for WatchGuard XTM and Firebox IPSec

HPE IMC UAM 802.1X Access Control and RSA Authentication Configuration Examples

Cisco 802.1x Wireless using PEAP Quick Reference Guide

4TRESS AAA. Out-of-Band Authentication (SMS) and Juniper Secure Access Integration Handbook. Document Version 2.3 Released May hidglobal.

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Citrix NetScaler Gateway 12.0

E mail Setup Guide for Microsoft Outlook 2002, 2003 & 2007

Stonesoft Integration

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. CyberArk Enterprise Password Vault

Procedure to Connect NIC VPN in Windows for ebiz

Integration Guide. SafeNet Authentication Service. Protecting Microsoft Internet Security and Acceleration (ISA) Server 2006 with SAS

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Cisco Adaptive Security Appliance 9.5(2)

External Authentication with Checkpoint R77.20 Authenticating Users Using SecurAccess Server by SecurEnvoy

Lab Configuring and Verifying Extended ACLs Topology

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 10 Authenticating Users

Zebra Mobile Printer, Zebra Setup Utility, Cisco ACS, Cisco Controller PEAP and WPA-PEAP

RSA Two Factor Authentication. Feature Description

CRYPTOCard BlackBerry Token Implementation Guide

SC-1 Smart Card Token. QUICK Reference. Copyright 2007 CRYPTOCard Corporation All Rights Reserved

Configuration of Microsoft SQL Server Express

Configuration Guide SuperStack 3 Firewall L2TP/IPSec VPN Client

HOB Remote Desktop VPN

Chapter 10 - Configure ASA Basic Settings and Firewall using ASDM

RSA SecurID Ready Implementation Guide. Last Modified: March 27, Cisco Systems, Inc.

RSA Ready Implementation Guide for

Security Setup CHAPTER

Two factor authentication for WatchGuard XTM and Firebox Alternative

QUESTION: 1 An RSA SecurID tokencode is unique for each successful authentication because

MyFloridaNet-2 (MFN-2) Remote Access VPN Reference Guide

SETUP FOR OUTLOOK (Updated October, 2018)

Adding your IMAP Mail Account in Outlook 2013 on Windows

Authlogics Forefront TMG and UAG Agent Integration Guide

RSA SecurID Implementation

Radius, LDAP, Radius, Kerberos used in Authenticating Users

Oracle 10g. Configuration Guide. Copyright 2005 CRYPTOCard Corporation All Rights Reserved

VMware AirWatch Certificate Authentication for Cisco IPSec VPN

Integration Guide. SafeNet Authentication Service. Strong Authentication for Juniper Networks SSL VPN

802.1x Radius Setup Guide Working AirLive AP with Win X Radius Server

isco Cisco Secure ACS for Windows Frequently Asked Quest

Install Certificate on the Cisco Secure ACS Appliance for PEAP Clients

Fireware-Essentials. Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7.

Apple Computer, Inc. ios

Cisco IOS Firewall Authentication Proxy

Best Practices Guidelines

MyFloridaNet-2 (MFN-2) Customer Portal/ Password Management/ VPN Reference Guide

Workspace ONE UEM Certificate Authentication for Cisco IPSec VPN. VMware Workspace ONE UEM 1810

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. PingIdentity PingFederate 8

Table of Contents 1 Cisco AnyConnect...1

Wireless LAN Controller Web Authentication Configuration Example

VMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager

Establishing two-factor authentication with Juniper SSL VPN and HOTPin authentication server from Celestix Networks

Host Access Management and Security Server Administrative Console Users Guide. August 2016

Integration Guide. SecureAuth

Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM

Cisco Aironet 350 (DS) AP IOS Software

4TRESS FT2011 Out-of-Band Authentication and Juniper Secure Access

SafeNet Authentication Service Cisco AnyConnect Agent. Configuration Guide

RADIUS for Multiple UDP Ports

STRS OHIO F5 Access Client Setup for ChromeBook Systems User Guide

Two factor authentication for Cisco ASA SSL VPN

Protected EAP (PEAP) Application Note

VMware Horizon View Deployment

Hosted Microsoft Exchange Client Setup & Guide Book

NAC Appliance (Cisco Clean Access) In Band Virtual Gateway for Remote Access VPN Configuration Example

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM

Radius, LDAP, Radius used in Authenticating Users

Transcription:

WatchGuard Firebox and MUVPN Quick Start Guide Copyright 2004 2005 CRYPTOCard Corporation All Rights Reserved 2005.04.15 http://www.cryptocard.com

Table of Contents 1. PURPOSE...1 1.1 Prerequisites... 1 2. CRYPTO-SERVER CONFIGURATION...1 2.1 RadiusProtocol NAS.# keys... 2 2.2 Verifying the CRYPTO-Server RADIUS Protocol Settings... 3 3. CONFIGURING FIREBOX TO USE CRYPTOCARD AUTHENTICATION...4 3.1 MUVPN with CRYPTOCard... 4 3.1.1 Performing a MUVPN Connection... 5 3.2 Adding CRYPTOCard Authentication to a Service... 6 3.2.1 Group-Based Protection... 6 4. AUTHENTICATED LOGON...7 5. TROUBLESHOOTING TIPS...8 Copyright 2004 2005 CRYPTOCard Corporation All Rights Reserved 2005.04.15 http://www.cryptocard.com

1. Purpose The intent of this document is to present the necessary steps to configure the WatchGuard Firebox and MUVPN to use CRYPTOCard authentication. 1.1 Prerequisites In order to successfully be able to authenticate end-users using CRYPTO-Server, the following items must be properly installed and configured: WatchGuard Firebox installed and configured CRYPTO-Server acting as a RADIUS server, or Cisco Secure ACS (version 3.1 or higher), Funk Steel-Belted Radius (version 2.27 or higher) or Microsoft IAS 2003, configured to work with the CRYPTO-Server An initialized CRYPTOCard token assigned to a valid CRYPTOCard user An End-user client able to connect to the Firebox 2. CRYPTO-Server Configuration If you wish to use the CRYPTO-Server as your RADIUS server, you must verify that it is configured to accept RADIUS communications from the WatchGuard Firewall. Connect to the CRYPTO-Server using the Console, and choose Server -> System Configuration & Status from the menu. For assistance contact support@cryptocard.com 1

In the Entity column choose RadiusProtocol. Next look at the Value corresponding to the key NAS.2. The value of this key defines which RADIUS clients are allowed to connect to the CRYPTO- Server, and the shared secret they must use. 2.1 RadiusProtocol NAS.# keys By default, the CRYPTO-Server is configured to listen for RADIUS requests over UDP port 1812, from any host on the same subnet, using a shared secret of testing123. You can manually define as many RADIUS clients as desired by adding NAS.# entries to the CRYPTO-Server configuration. The syntax of the data for a NAS entry is as follows: <First IP>, <Last IP>, <Hostname>, <Shared Secret>, <Perform Reverse Lookup?>, <Authentication Protocols> Where: <First IP>: The first IP address of the RADIUS client(s) configured in this NAS.# key. <Last IP>: The last IP address of the RADIUS client(s) configured in this NAS.# key. If only one IP address is defined by a NAS.# key, the <First IP> and <Last IP> will be the same. For assistance contact support@cryptocard.com 2

<Hostname>: Only applies in cases where the NAS.# key is for one host. Required for performing reverse lookup. <Shared Secret>: A string used to encrypt the password being sent between the CRYPTO- Server and the RADIUS client (i.e. the Firebox). You will need to enter the exact same string into the WatchGuard configuration in Section 3 (see below). The <Shared Secret> string can be any combination of numbers, and uppercase and lowercase letters. <Perform Reverse Lookup?>: An added security feature of the CRYPTO-Server is its ability to verify the authenticity of a RADIUS client by cross-checking its IP address with the Domain Name Server. If this value is set to true, when the CRYPTO-Server receives a RADIUS request from the RADIUS client defined by this NAS.# entry, it sends a request to the DNS using the hostname set in the NAS.# entry. The DNS should respond with the same IP address as configured in the NAS.# entry, otherwise the CRYPTO-Server assumes that the RADIUS packet is coming from some other host posing as the RADIUS client, and ignores the request completely. <Authentication Protocols>: There are many different authentication protocols that can be used during RADIUS authentication. Common examples are PAP, CHAP,MS-CHAP and EAP. This setting determines which authentication protocols the CRYPTO-Server will allow from a given RADIUS client. Currently PAP and CHAP are the only available authentication protocols for RADIUS clients. NOTE: After changing or adding a NAS.# entry, click the Apply button. 2.2 Verifying the CRYPTO-Server RADIUS Protocol Settings The RADIUSProtocol.dbg log1 on the CRYPTO-Server will include information about its RADIUS configuration. Each time the Protocol Server starts, the following information is logged: Adding IP range 127.0.0.1 to 127.0.0.1 to ACL with reverse lookup set to false Adding IP range 192.168.21.1 to 192.168.21.254 to ACL with reverse lookup set to false RADIUS protocol has established link with EJB server at jnp://192.168.21.5:1099 RADIUS Receiver Started: listening on port 1812 UDP. 1 See section 5 Troubleshooting Tips for the location of the RADIUSProtocol.dbg file For assistance contact support@cryptocard.com 3

RADIUS Receiver Started: listening on port 1813 UDP. This example indicates that the CRYPTO-Server is listening for RADIUS requests on UDP port 1812 (for authentication) and 1813 (for accounting), and RADIUS clients within the IP range of 192.168.21.1 to 192.168.21.254. As well, no reverse lookup is being performed. 3. Configuring Firebox to use CRYPTOCard Authentication How you configure the Firebox depends on what type of Firebox authentication you want to direct to the CRYPTO-Server. If you want MUVPN connections to be authenticated by the CRYPTO-Server follow the instructions in section 3.1. To authenticate Firebox Groups using the CRYPTO-Server, follow the instructions in section 3.2. 3.1 MUVPN with CRYPTOCard WatchGuard MUVPN (Mobile User Virtual Private Networking) clients are able to use CRYPTOCard tokens to authenticate their VPN connection. The Firebox currently allows MUVPN clients to authenticate to a RADIUS server, such as the CRYPTO-Server, or another RADIUS server configured to work with the CRYPTO-Server. From the Firebox Policy Manager, Select Setup Authentication Servers Select the RADIUS Server tab Enter the necessary information to allow the WatchGuard Firebox to connect to the CRYPTO-Server. Click OK. Follow the WatchGuard instructions for setting up MUVPN as usual, but choose RADIUS as the authentication server. Follow the instructions in section 3.2.1 on setting authorizations on the CRYPTO-Server, so that the desired CRYPTOCard users return a RADIUS Filter-ID matching the name of the MUVPN group. For assistance contact support@cryptocard.com 4

3.1.1 Performing a MUVPN Connection Now that the MUVPN profile has been created, it may be distributed to the client systems to allow clients to form a VPN connection to the Firebox. If using CRYPTOCard software, smart card, or USB dongle tokens: When the MUVPN client prompts for a username and password, launch the CRYPTOCard Authenticator, click on Generate Password, enter the token PIN, and enter the CRYPTOCard username and onetime password into the MUVPN prompt. If using CRYPTOCard hardware tokens (RB, KT, or SecurID): When the MUVPN prompts the end-user for a username and password, enter the CRYPTOCard username and one-time password 2 into the MUVPN prompt. 2 In some cases this may include a PIN and the response from the users token For assistance contact support@cryptocard.com 5

3.2 Adding CRYPTOCard Authentication to a Service To protect a service/port with CRYPTOCard authentication, select the rule for that service/port and choose the incoming our outgoing tab, depending on the rule. Then select Add Other From the dropdown, choose SecurID User or Group. In the Value field, enter a CRYPTOCard username or a groupname. 3.2.1 Group-Based Protection Instead of adding each individual user to a service on the Firebox, you can protect a service based on group membership. Then each CRYPTOCard user who is a member of that group will automatically be incorporated into that Firebox service rule. The group name set on the Firebox in the steps above does not correspond literally to a group name on the CRYPTO-Server, but rather to an authorization property set for a token, user or container of users on the CRYPTO-Server. To add an authorization on the CRYPTO-Server, from the Console, right-click on the token, user, or container that you wish to add an authorization to, and choose Set Authorization Properties For assistance contact support@cryptocard.com 6

From the Authorization Properties window, choose Add, and enter the configuration for a RADIUS Filter-ID property. The value of the Filter-ID property must exactly match the Group name you configured on the Firebox. 4. Authenticated Logon In order to authenticate, users must connect to the Firebox using a Java-enabled Web browser to this URL: http://[firebox IP here]:4100 This loads a Java applet with prompts for a username, and response. Enter a CRYPTOCard username, and a response, and click Submit For assistance contact support@cryptocard.com 7

The user is then authenticated, and as long as the applet window remains open, the user will be able to access the protected services from that same computer. 5. Troubleshooting Tips Use the Firebox Traffic Monitor to monitor the authentication process, as it may give indications as to where the authentication is failing. The CRYPTO-Server stores a log of all RADIUS traffic in C:\Program Files\CRYPTOCard\CRYPTO-Server\bin\RADIUSProtocol.dbg Messages in this log may help pinpoint the source of the problem. If you are using a Third Party RADIUS server, please refer to its troubleshooting documentation. If you encounter a problem that cannot be solved using the tips above, contact support@cryptocard.com or call us at (800) 307-7042 or +1-613-599-2441 Monday through Friday 8:30 am to 5:00 pm EST. For assistance contact support@cryptocard.com 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback