VAM. Radius 2FA Value-Added Module (VAM) Deployment Guide

Similar documents
BEST PRACTICES GUIDE RSA MIGRATION MODULE

OAM 2FA Value-Added Module (VAM) Deployment Guide

VAM. ADFS 2FA Value-Added Module (VAM) Deployment Guide

VAM. Epic epcs Value-Added Module (VAM) Deployment Guide

.NET SAML Consumer Value-Added (VAM) Deployment Guide

Integration Guide. PingFederate SAML Integration Guide (SP-Initiated Workflow)

VAM. PeopleSoft Value-Added Module (VAM) Deployment Guide

Integration Guide. SecureAuth

How to Integrate RSA SecurID with the Barracuda Web Application Firewall

VAM. CAS Installer (for 2FA) Value- Added Module (VAM) Deployment Guide

Health Analyzer VAM Best Practices Guide

Pulse Secure Policy Secure

Barracuda Networks SSL VPN

Introduction. SecureAuth Corporation Tel: SecureAuth Corporation. All Rights Reserved.

4TRESS FT2011 Out-of-Band Authentication and Juniper Secure Access

RSA SecurID Ready Implementation Guide. Last Modified: December 13, 2013

BEST PRACTICES GUIDE MFA INTEGRATION WITH OKTA

BIDMC Multi-Factor Authentication Enrollment Guide Table of Contents

Secure single sign-on for cloud applications

Setting Up the Server

RED IM Integration with Bomgar Privileged Access

Webthority can provide single sign-on to web applications using one of the following authentication methods:

Deliver and manage customer VIP POCs. The lab will be directed and provide you with step-by-step walkthroughs of key features.

ACE Live on RSP: Installation Instructions

VMware Identity Manager Administration

4TRESS AAA. Out-of-Band Authentication (SMS) and Juniper Secure Access Integration Handbook. Document Version 2.3 Released May hidglobal.

CLI users are not listed on the Cisco Prime Collaboration User Management page.

Integration Guide. LoginTC

SecurEnvoy Microsoft Server Agent Installation and Admin Guide v9.3

External Authentication with Ultra Protect v7.2 SSL VPN Authenticating Users Using SecurAccess Server by SecurEnvoy

SailPoint IdentityIQ 6.4

Installing and Configuring vcloud Connector

Migrating vrealize Automation 6.2 to 7.2

Device Recognition Best Practices Guide

SecurEnvoy Microsoft Server Agent

Deploying the Cisco Tetration Analytics Virtual Appliance in Microsoft Azure

VMware AirWatch Integration with SecureAuth PKI Guide

IdP High Performance and Optimization Best Practices Guide

RSA NetWitness Logs. Salesforce. Event Source Log Configuration Guide. Last Modified: Wednesday, February 14, 2018

VAM. Java SAML Consumer Value- Added Module (VAM) Deployment Guide

VMware Identity Manager Connector Installation and Configuration (Legacy Mode)

SOA Software API Gateway Appliance 6.3 Administration Guide

RSA Authentication Manager 7.1 Help Desk Administrator s Guide

Relativity's mobile app Guide

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. PingIdentity PingFederate 8

SecureAuth IdP Realm Guide

VMware Identity Manager vidm 2.7

CLI users are not listed on the Cisco Prime Collaboration User Management page.

USER MANUAL. SalesPort Salesforce Customer Portal for WordPress (Lightning Mode) TABLE OF CONTENTS. Version: 3.1.0

VMWARE HORIZON CLOUD WITH VMWARE IDENTITY MANAGER QUICK START GUIDE WHITE PAPER MARCH 2018

External Authentication with Checkpoint R77.20 Authenticating Users Using SecurAccess Server by SecurEnvoy

ForeScout CounterACT. Configuration Guide. Version 4.1

Contents Introduction... 5 Configuring Single Sign-On... 7 Configuring Identity Federation Using SAML 2.0 Authentication... 29

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Pulse Connect Secure 8.x

Receiver for BlackBerry 2.2

Administering Workspace ONE in VMware Identity Manager Services with AirWatch. VMware AirWatch 9.1.1

How to Configure the RSA Authentication Manager

Echidna Concepts Guide

Citrix Access Gateway Implementation Guide

Configuring and Managing WAAS Legacy Print Services

Java SAML Consumer Value-Added Module (VAM) Deployment Guide

Horizon Workspace Administrator's Guide

Integration Guide. SafeNet Authentication Service. Strong Authentication for Juniper Networks SSL VPN

Entrust PartnerLink Login Instructions

INTEGRATION GUIDE. DIGIPASS Authentication for VMware View

External Authentication with Windows 2008R2 Server with Remote Desktop Web Gateway Authenticating Users Using SecurAccess Server by SecurEnvoy

Integration Guide. SafeNet Authentication Manager. SAM using RADIUS Protocol with SonicWALL E-Class Secure Remote Access

MyFloridaNet-2 (MFN-2) Customer Portal/Password Management Reference Guide

Partner Integration Portal (PIP) Installation Guide

Unified Communications Manager Version 10.5 SAML SSO Configuration Example

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

DIGIPASS Authentication for F5 BIG-IP

Implementation Guide for protecting Juniper SSL VPN with BlackShield ID

SUREedge MIGRATOR INSTALLATION GUIDE FOR HYPERV

Hitachi ID Systems Inc Identity Manager 8.2.6

SOA Software Intermediary for Microsoft : Install Guide

Configuring the Cisco VPN 3000 Concentrator with MS RADIUS

SUREedge MIGRATOR INSTALLATION GUIDE FOR NUTANIX ACROPOLIS

DIGIPASS Authentication for Cisco ASA 5500 Series

R9.7 erwin License Server:

271 Waverley Oaks Rd. Telephone: Suite 206 Waltham, MA USA

Software Token. Installation and User Guide. 22 September 2017

Lab 3. On-Premises Deployments (Optional)

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1

New World ERP-eSuite

Oracle Access Manager Configuration Guide

Using Microsoft Azure Active Directory MFA as SAML IdP with Pulse Connect Secure. Deployment Guide

Remote Support Security Provider Integration: RADIUS Server

Deltek Touch T&E Startup Guide

Managing External Identity Sources

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

SUREedge Migrator Installation Guide for Amazon AWS

Password Reset Utility. Configuration

Amazon AppStream 2.0: SOLIDWORKS Deployment Guide

Microsoft Unified Access Gateway 2010

Installing and Configuring vcloud Connector

WorldSpace Assure 1.4 for System Administrators

Avocent DSView 4.5. RSA SecurID Ready Implementation Guide. Partner Information. Last Modified: June 9, Product Information Partner Name

IVE Quick Startup Guide - OS 4.0

Ansible Tower Quick Setup Guide

Transcription:

VAM Radius 2FA Value-Added Module (VAM) Deployment Guide

Copyright Information 2018. SecureAuth is a registered trademark of SecureAuth Corporation. SecureAuth s IdP software, appliances, and other products and solutions are copyrighted products of SecureAuth Corporation. For information on support for this module, contact your SecureAuth support or sales representative: Email: support@secureauth.com inside-sales@secureauth.com Phone: +1.949.777.6959 or +1-866- 859-1526 Website: https://www.secureauth.com/support https://www.secureauth.com/contact 2

Table of Contents Introduction... 4 Benefits... 4 Solution Architecture... 5 Topology... 5 Radius 2FA Process Flow... 6 Requirements... 8 Deployment Prerequisites... 8 Deployment... 9 Best Practices... 9 Installing the VAM... 9 Configuring the VAM... 10 Testing the Radius 2FA VAM Deployment... 13 Use Case... 15 3

Introduction The Radius 2FA Value-Added Module (VAM) provides a migration path for our customers leading away from RSA security tokens and toward more advanced 2-factor authentication (2FA) methods. Customers can continue to use their existing RSA tokens when authenticating to SecureAuth IdP, allowing a phased retirement of the legacy hard token technology. This gives SecureAuth IdPs the ability to validate RSA soft and hard tokens by using the RSA RADIUS Validation client. Because the integration utilizes RADIUS, the Radius 2FA VAM can be used with RSA and other legacy hard token modules. The Radius 2FA VAM is one of SecureAuth s value-added modules, a suite of software components developed by SecureAuth s Tailoring Frontline Services to fit the needs of customers seeking a simple way to adapt their system to the SecureAuth cybersecurity solution. Benefits The benefits derived from the use of Radius 2FA VAM are: + Once migrated from RSA, customers enjoy a dramatically lower administration cost, improved user uptime, and greater customer satisfaction + Support for RADIUS validation of RSA soft and hard tokens + Support for any vendor that currently uses a non-secureauth token and supports a RADIUS client validation process 4

Solution Architecture The essential architecture of the Radius 2FA VAM solution is described in this section. Topology An illustration of the Radius 2FA topology is shown in Figure 1. FIGURE 1. Radius 2FA Topology Example The following steps describe the process flow (refer to the circled numbers above): 1. An external user enters a well-known application address in a web browser for a federation- or non-federation-aware application utilizing SecureAuth for its main authentication. The application address entered reaches the SecureAuth IdP appliance. 2. The request is mediated by SecureAuth IdP. The user name and password, along with multifactor authentication, is performed depending on the SecureAuth realm configuration. During multi-factor authentication, the SecureAuth application validates using a user s hard token (in the form of a key fob, chip, password + token, password, passcode, or other accepted method). The validation of the hard token via SecureAuth is a RADIUS request back to the RSA or other token validation system via RADIUS. 3. The applications and data overseen by the RADIUS server is then made available to the authenticated requester. 5

4. The applications and data overseen by the RADIUS server is then made available to the authenticated requester. While the Radius 2FA VAM was designed for use with the Radius 2FA, there are, in fact, other RADIUS server providers, such as Vasco, Defender, and SafeNet, that can be used with this VAM. Radius 2FA Process Flow The Radius 2FA process flow is shown in Figure 2. FIGURE 2. Radius 2FA Process Flow A more detailed example of the process flow would include the following steps: 1. The user attempts to access an application, such as SalesForce. 2. The RADIUS server overseeing the application redirects the request to SecureAuth IdP. 3. SecureAuth IdP prompts the user for userid and password. 4. The user enters the necessary credentials and presses Submit. 5. SecureAuth IdP prompts the user to provide one of several available options for the second factor. 6. The user selects RSA Token as the second factor. 7. SecureAuth IdP prompts the user to enter a token at the next screen. 6

8. The user looks at the RSA token on his/her keychain (or other hard token device) and reads the number, then enters that number from the RSA token in the SecureAuth token text box and presses Submit. 9. SecureAuth IdP accepts the token and passes the user along to the RADIUS server with permission to access the required application. 7

Requirements Deployment Prerequisites The requirements for deployment of this VAM are: + SecureAuth IdP version 8.2 or later + RADIUS server such as RSA, Vasco, Defender, or SafeNet able to validate the token as specified for that hard token deployment + Connectivity between SecureAuth IdP appliance and RADIUS server + Download the appropriate version of Radius 2FA package. (There is a version of this package for each supported version of SecureAuth IdP.) 8

Deployment While there are several ways to deploy the RSA Migration VAM, the procedure detailed on the following pages is the approach recommended by SecureAuth. + Best Practices + Installing the VAM + Configuring the VAM + Testing the Radius 2FA VAM Deployment Best Practices When planning for deployment, keep in mind the following best practices: + Utilize the RADIUS Test Client to streamline the integration. We recommend that you test both the RADIUS server connectivity and token validation using the Test Client before any integration. For more on the Test Client, see Testing the Radius 2FA VAM Deployment on page 13. + We have found specific errors arising from RADIUS server policies in Vasco RADIUS servers. Any possible problems can be alleviated by using the Test Tool and examining the server logs. + Make sure you download the Radius 2FA deployment package from the SecureAuth website that matches your version of SecureAuth IdP. Remember: there are at present three versions of SecureAuth IdP that this VAM can support, but each IdP version has its own flavor of the Radius 2FA VAM. So, check your current version of SecureAuth IdP before going on-line to download the proper VAM version. Installing the VAM To configure the SecureAuth IdP RADIUS installation for Radius 2FA authentication, perform the following steps. 1. Download the Radius 2FA VAM Deployment Package from the SecureAuth site to an appropriate directory on the hard drive where the SecureAuth IdP client program has been installed. 9

For the specific location of this deployment package, contact your Custom Development SE. FIGURE 3. Deployment Package Placement 2. Using a decompression program like WinZip or 7-Zip, unpack the Radius Client Deployment Package. Three sub-folders appear: FIGURE 4. Deployment Package Sub-folders 3. Unpack the SecureAuth0 folder. 4. Copy these files to the corresponding folders in the SecureAuth IdP appliance s / SecureAuth0 sub-folders. 5. Unpack the SecureAuthxx folder. 6. Copy these files to the targeted realm s bin folder, such as SecureAuth1/bin or SecureAuth2/ bin. Repeat this step for each SecureAuth folder that currently exists, except for the SecureAuth0 folder. Configuring the VAM 1. Bring up the SecureAuth IdP Admin Console by entering the URL http://localhost:8088/ configuration on the local machine s browser. The admin console user interface can only be viewed on the local machine access. 10

2. From the admin console s left panel, click the Tools option at the top of the page like Figure 5. FIGURE 5. Tools Drop-down Menu 3. Select the Update Web Config option. A screen like Figure 6 appears. FIGURE 6. Update Web Config Option Screen 4. Click both the Update and Update Resource buttons. The web config files are updated using the new DLLs you copied to the appropriate folders. After the update is completed, the admin UI reappears. 5. From the admin UI, click on the Admin Realm option at the top of the page. 6. From the left pane, click to select the targeted realm, such as SecureAuth1 or SecureAuth2. 7. Click to select the Registration Methods tab. 11

Scroll down until you see the newly-created RADIUS Server Settings section as shown in Figure 7. FIGURE 7. RADIUS Server Settings Field Selections The default settings for the attached RADIUS server are displayed. 8. Change the values in these fields as required. These fields include: RADIUS Server Host Name Authentication Port Authentication Account Retries Socket Timeout Shared Secret Select whether a RADIUS server is enabled for this SecureAuth appliance Enter the IP address or the server name of the attached RADIUS server Enter the port number this appliance will use to authenticate applications overseen by the external RADIUS server gateway Enter the account number needed to verify the RADIUS server authentication Enter the number of timeout errors allowed to access this RADIUS server before the server is locked for a specific amount of time Enter the number of milliseconds this RADIUS port is allowed to time out before another try is possible Enter the shared secret that enables this appliance to access the RADIUS server 9. If any of the fields are changed in Step 8, update the configuration accordingly. 12

SecureAuth IdP should now be able to use a RADIUS-generated hard token as a second-factor authentication. Testing the Radius 2FA VAM Deployment A third component included in the Radius 2FA VAM deployment package is the RADIUS Test Client. This command line tool enables you to test the deployment and ascertain whether the VAM configuration is working properly prior to any integration. To do this, perform the following procedure: 1. Place the RADIUS test tool into a directory of your choosing and extract the files. Notice that one of the files is an executable. 2. Open the command line prompt by typing cmd. The command prompt dialog box appears. 3. Use cd to navigate to the directory where you placed the executable, then enter: SecureAuth.RadiusServerTestClient [hostname] [sharedsecret] [username] [password] where: [hostname] [sharedsecret] [username] [password] Enter the name of the host where the RADIUS server resides Enter the shared secret that enables the RADIUS server to communicate with the client Enter the name of the user Enter the password associated with this user NOTE: If you enter only the executable name, a list of all parameters supported by this executable appear. The test client runs and indicates whether the deployment was successful or not, as shown in the example in Figure 8 on page 14. 13

FIGURE 8. RADIUS Test Client Example Screen 14

Use Case This section provides a brief use case example for the Radius 2FA after its deployment. Once this VAM has been installed and configured, you can enter a user name and password in the normal manner, then a screen like Figure 9 appears: FIGURE 9. Workflow Example Screen 1 Once you click the Secure Token radio button and click the Submit button. A screen like Figure 10 appears: FIGURE 10. Workflow Example Screen 2 Click the buttons to specify the correct security token code then click Submit. 15

After the token is validated, the applications protected by SecureAuth IdP through the RADIUS server are now available to the user. In one possible example of this, a company possesses both legacy RADIUS servers and Windows servers. Prior to the introduction of this VAM, only the applications connected to the Windows servers would have been available for the advanced authentication techniques offered by the SecureAuth IdP; however, with the deployment of the Radius 2FA VAM, the RADIUS servers and their allied applications can now use SecureAuth IdP as well as illustrated in Figure 1 on page 5. 16

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback