<Partner Name> <Partner Product>
RSA SECURID ACCESS Standard Agent Implementation Guide
Barracuda Networks.0
fal, RSA Partner Engineering
Last Modified: 10/13/16
Solution Summary

The Barracuda NG Firewall can perform authentication with RSA SecurID by using the native RSA SecurID protocol. This is done by utilizing a native RSA SecurID client to send authentication requests to the SecurID server and then allowing or denying access to the NG Firewall unit based upon a success or failure message returned by the SecurID server. Among other features, the client supports prompting for PIN changes and displaying system-generated PINs. To implement this, all that needs to be configured on the Barracuda NG Firewall is an Authentication Scheme which uses the RSA-ACE module, together with the RSA-specific details such as the RSA Configuration File, server IP, etc.

RSA Authentication Manager supported features

<Partner Product Name and version>
RSA SecurID Authentication via Native RSA SecurID UDP Protocol
RSA SecurID Authentication via Native RSA SecurID TCP Protocol
RSA SecurID Authentication via RADIUS Protocol
RSA SecurID Authentication via IPv6
On-Demand Authentication via Native SecurID UDP Protocol
On-Demand Authentication via Native SecurID TCP Protocol
On-Demand Authentication via RADIUS Protocol
Risk-Based Authentication
RSA Authentication Manager Replica Support
Secondary RADIUS Server Support
RSA SecurID Software Token Automation
RSA SecurID SD800 Token Automation
RSA SecurID Protection of Administrative Interface
Yes Yes Yes
<Insert diagram of system architecture here>
RSA Authentication Manager Configuration

Agent Host Configuration

To facilitate communication between the Barracuda NG Firewall and the RSA Authentication Manager / RSA SecurID Appliance, an Agent Host record must be added to the RSA Authentication Manager database. The Agent Host record identifies the Barracuda NG Firewall and contains information about communication and encryption.

RSA Authentication Manager 8.0 introduced a new TCP-based authentication protocol and corresponding agent API. RSA Authentication Manager 8.0 and newer also maintains support for the existing UDP-based authentication protocol and agents. The agent host records for TCP and UDP agents are configured similarly, but there are some important differences.

Include the following information when configuring a UDP-based agent host record:
Hostname
IP addresses for network interfaces
Important: The UDP-based authentication agent's hostname must resolve to the IP address specified.

Include the following information when configuring a TCP-based agent host record:
RSA agent name (in the hostname field)
Important: The RSA agent name is specified in the rsa_api.properties file.

Set the Agent Type to Standard Agent when adding the Authentication Agent. This setting is used by the RSA Authentication Manager to determine how communication with the Barracuda NG Firewall will occur.
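The requirement above that a UDP agent's hostname resolve to the IP address in the agent host record is a common cause of failed first authentications. The following pre-flight check is an added example written for this guide; it is not Barracuda or RSA code. It resolves the firewall's hostname and compares the result with the addresses entered in the Security Console, reporting any address that is missing or unexpected (IPv6 records included). The hostname ngfw.example.test and the address 192.0.2.10 are constructed placeholders, and table_resolver is a hypothetical offline resolver for dry runs; replace them with the firewall's real name and the addresses from the agent host record.

```python
"""Pre-flight check for a UDP agent host record (added example, not from the guide).

RSA Authentication Manager requires that a UDP-based agent's hostname resolve
to the IP address(es) entered in the agent host record. This script resolves
the configured name and reports any address that is missing or unexpected, so
a mismatch is caught before the first authentication attempt fails.
"""
import socket
from typing import Callable, Dict, Iterable, List, Set

# Constructed example values: replace with the firewall's hostname and the
# IP addresses entered in the Security Console agent host record.
EXAMPLE_HOSTNAME = "ngfw.example.test"
EXAMPLE_AGENT_IPS = ["192.0.2.10"]

# A resolver has the shape of socket.getaddrinfo(host, port) and returns
# (family, type, proto, canonname, sockaddr) tuples.
Resolver = Callable[..., list]


def resolve_all(hostname: str, resolver: Resolver = socket.getaddrinfo) -> Set[str]:
    """Return every IPv4/IPv6 address the name resolves to; empty set if lookup fails.

    For both AF_INET and AF_INET6 the textual address is sockaddr[0].
    """
    try:
        entries = resolver(hostname, None)
    except OSError:  # socket.gaierror is a subclass of OSError
        return set()
    return {entry[4][0] for entry in entries}


def check_agent_host(hostname: str, agent_ips: Iterable[str],
                     resolver: Resolver = socket.getaddrinfo) -> Dict[str, object]:
    """Compare the resolved addresses with the addresses in the agent host record."""
    resolved = resolve_all(hostname, resolver)
    expected = set(agent_ips)
    missing = sorted(expected - resolved)      # record lists an IP the name never yields
    unexpected = sorted(resolved - expected)   # name yields an IP the record omits
    return {
        "hostname": hostname,
        "resolved": sorted(resolved),
        "missing": missing,
        "unexpected": unexpected,
        # Usable only if the name resolves at all and covers every listed IP.
        "ok": bool(resolved) and not missing,
    }


def format_report(result: Dict[str, object]) -> str:
    """Render one line per finding for the operator running the check."""
    status = "OK" if result["ok"] else "MISMATCH"
    lines = [f"agent host {result['hostname']}: {status}"]
    lines.append(f"  resolves to: {', '.join(result['resolved']) or '(lookup failed)'}")
    for ip in result["missing"]:
        lines.append(f"  missing: {ip} is in the agent host record but the name does not resolve to it")
    for ip in result["unexpected"]:
        lines.append(f"  unexpected: {ip} resolves from the name but is not in the agent host record")
    return "\n".join(lines)


def table_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Build an offline, getaddrinfo-shaped resolver from a name -> addresses table.

    Hypothetical helper for dry runs (e.g. checking a planned record before the
    DNS change is made) and for exercising the check without network access.
    """
    def _resolve(hostname: str, port=None) -> list:
        if hostname not in table:
            raise OSError(f"{hostname}: name not known")
        return [
            (socket.AF_INET6 if ":" in addr else socket.AF_INET,
             socket.SOCK_STREAM, 0, "", (addr, 0))
            for addr in table[hostname]
        ]
    return _resolve


if __name__ == "__main__":
    # Live DNS lookup of the configured name; exits non-zero on a mismatch.
    report = check_agent_host(EXAMPLE_HOSTNAME, EXAMPLE_AGENT_IPS)
    print(format_report(report))
    raise SystemExit(0 if report["ok"] else 1)
```

Run it from a host that uses the same DNS as the RSA Authentication Manager, since that is the resolver whose answer matters; a name that resolves correctly from the firewall itself but differently from the Authentication Manager still produces the failure the guide warns about.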
Partner Product Configuration

Before You Begin

This section provides instructions for configuring the Barracuda NG Firewall with RSA SecurID Authentication. This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components. All Barracuda NG Firewall components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.

Barracuda NG Firewall Configuration

To configure the Barracuda NG Firewall with RSA SecurID Authentication, download and install Barracuda NG Admin first.

1. Start NG Admin and log into the Barracuda NG Firewall.
2. Click the Config tab, and then click Full Config to open the Config Tree.
3. Select Box > Infrastructure Services > Authentication Service.
4. From the left menu, select RSA-ACE Authentication. Click the Lock button to be able to edit the configuration settings.
5. Select Yes from the Activate Scheme drop-down list.
6. In RSA Configuration File, click the Ex/Import button and select Import from File. Select the RSA configuration file sdconf.rec that was generated by the RSA Security Console.
7. Enter the IP of the RSA Server in RSA Server IP and the IP of the Barracuda NG Firewall in DNS Resolved IP.
8. Click Send Changes, and then activate the new configuration by clicking the Activation Pending link. A dialog will open asking you to confirm the activation.
9. Click Activate.
Configure the Barracuda Virtual Server

The Barracuda NG Firewall can host several services, such as the HTTP Proxy, SSL VPN, VPN, URL Filter, or Virus Scanner services. These services are assigned to virtual servers.

Note: For a standalone Barracuda NG Firewall, a preconfigured virtual server named S1 is created by default.

1. Modify the First-IP to match the Listen IP address of the services.
Create VPN Service

2. Log into the Barracuda NG Admin.
3. Select Config > Full Config > Box > Virtual Servers > S1 > Assigned Services.
4. Right-click Assigned Services and select Create Service.
5. Enter a Service Name.
6. From the Software Module drop-down list, select VPN Service.
Configure RSA SecurID on an SSL VPN Service

1. From the Config Tree, select Virtual Servers > S1 > Assigned Services > your created (VPN-Service) > SSL-VPN.
2. From the Enable SSL VPN list, select yes.
3. In the Listen IPs table, add the listen IP address for the SSL VPN.
4. In the Service Identification section, select the certificate type to use.
5. Click Send Changes, and then activate the new configuration by clicking the Activation Pending link. A dialog will open asking you to confirm the activation.
6. Click Activate.
7. From the SSL-VPN left menu, select Authentication & Login.
8. Select Lock.
9. From the Authentication Scheme pull-down, select RSA SecurID.
10. Click Send Changes, and then activate the new configuration by clicking the Activation Pending link. A dialog will open asking you to confirm the activation.
11. Click Activate.

Configure VPN Settings

1. Refer to the Barracuda document "How to Configure a Client-to-site IPsec VPN": http://techlib.barracuda.com/display/bngv54/how+to+configure+a+client-to-Site+IPsec+VPN
2. From the Config Tree, select Virtual Servers > S1 > Assigned Services > your created (VPN-Service) > VPN Settings.
3. Click Lock.
4. Under the Settings tab, click Click here for Server Settings.
5. In the Access Control Service section, enter the IP Address for the VPN service.
6. In the Server Configuration window, enter the required certificate information in each field.
7. In the Issuer section, create a new certificate.
8. Click Ex/Import and select New/Edit Certificate.
9. Click OK.
10. In the Default Key section, create a new 1024 bit RSA key.
11. Click Ex/Import and select New 1024Bit RSA Key.
12. Click OK.
13. Click the Client Networks tab.
14. Right-click the table and select New Client Network.
15. Complete the fields and click OK.
16. Click Send Changes, and then activate the new configuration by clicking the Activation Pending link. A dialog will open asking you to confirm the activation.
17. Click Activate.
Configure RSA SecurID on a VPN IPsec Service

1. From the Config Tree, select Virtual Servers > S1 > Assigned Services > your created (VPN-Service) > Client to Site.
2. Click Lock.
3. Click the External CA tab and then click Click here for options.
4. In the X509 Client Security section, select the External Authentication check box.
5. In the Group VPN Settings window, select rsaace from the Authentication Scheme pull-down list. Click OK.
6. Click Send Changes, and then activate the new configuration by clicking the Activation Pending link. A dialog will open asking you to confirm the activation.
7. Click Activate.
Create a VPN Group Policy

1. From the Config Tree, select Virtual Servers > S1 > Assigned Services > your created (VPN-Service) > Client to Site.
2. Click Lock.
3. Click the External CA tab and then click the Group Policy tab.
4. Right-click the table and select New Group Policy.
5. Enter a name for the Group Policy.
6. From the Network list, select the VPN client network.
7. In the Network Route section, enter the network that must be reachable through the VPN connection.
8. Configure the group policy: right-click the Group Policy Condition table and select New Rule.
9. In the Group Pattern field, define the group, or leave it blank if no groups are used.
10. Click OK.
11. Click Send Changes, and then activate the new configuration by clicking the Activation Pending link. A dialog will open asking you to confirm the activation.
12. Click Activate.
RSA SecurID Login Screens

SSL VPN Screens

Login screen:

User-defined New PIN:
System-generated New PIN:

Next Tokencode:

Note: In the Next Token field, enter the Next Passcode (PIN plus Tokencode).
Network Access Client Screens

Login screen:

User-defined New PIN:
Next Tokencode:
Certification Checklist for RSA SecurID Access

Date Tested: October 13, 2016

Certification Environment

Product Name                        Version Information                 Operating System
RSA Authentication Manager          8.2                                 Virtual Appliance
RSA Authentication Agent            8.1.1.109.06_03_11_03_16_51         Linux
RSA Software Token                  5.0.0.292                           Windows 10
Barracuda Network Access clients    4.0                                 Windows 10
Barracuda                           .0                                  Linux

RSA SecurID Authentication

Date Tested: October 13, 2016

Mandatory Functionality                      Native UDP    Native TCP    RADIUS Client
New PIN Mode
  Force Authentication After New PIN                       N/A           N/A
  System Generated PIN                                     N/A           N/A
  User Defined (4-8 Alphanumeric)                          N/A           N/A
  User Defined (5-7 Numeric)                               N/A           N/A
  Deny 4 and 8 Digit PIN                                   N/A           N/A
  Deny Alphanumeric PIN                                    N/A           N/A
  Deny PIN Reuse                                           N/A           N/A
Passcode
  16 Digit Passcode                                        N/A           N/A
  4 Digit Fixed Passcode                                   N/A           N/A
Next Tokencode Mode
  Next Tokencode Mode                                      N/A           N/A
On-Demand Authentication
  On-Demand Authentication                                 N/A           N/A
  On-Demand New PIN                                        N/A           N/A
Load Balancing / Reliability Testing
  Failover (3-10 Replicas)                                 N/A           N/A
  RSA Authentication Manager                               N/A           N/A

= Pass   = Fail   N/A = Non-available Function
Known Issues

The Barracuda Network Access VPN Client does not display the system-generated PIN for the user. Contact your site administrator to predefine your PIN, or use the URL of your site's RSA Self-Service Console to predefine your own PIN.
Appendix

Perform Test Authentication:

If you need to perform a test authentication, you can log into the NG Firewall using SSH. An SSH client is included in NG Admin under the SSH tab. Once logged in, type the following command in the console:

phibstest e user=<username> password=<password> authscheme=rsaace

Replace <username> with your user name and <password> with your fixed password, tokencode or passcode, depending on the authentication requirements.

RSA SecurID Authentication Files

UDP Agent Files               Location
sdconf.rec                    None stored, In Memory /phion0/rsa/rsamain
sdopts.rec                    Not implemented.
Node secret                   None stored, In Memory or path to node secret file
sdstatus.12 / jastatus.12     None stored, In Memory /phion0/rsa/rsamain

TCP Agent Files               Location
rsa_api.properties            N/A
sdconf.rec                    N/A
sdopts.rec                    N/A
Node secret                   N/A

Partner Integration Details

Display RSA Server Info
Perform Test Authentication
Agent Tracing
Yes