Implementing CRYPTOCard Authentication for Whale Communications e-gap Remote Access SSL VPN


Copyright 2005 CRYPTOCard Corporation. All Rights Reserved.
http://www.cryptocard.com

Copyright
Copyright 2005, CRYPTOCard Corp. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of CRYPTOCard Corp.

Trademarks
CRYPTOCard, CRYPTO-Server, CRYPTO-Web, CRYPTO-Kit, CRYPTO-Logon and CRYPTO-VPN are either registered trademarks or trademarks of CRYPTOCard Corp. All other trademarks, trade names, service marks, service names, product names, and images mentioned and/or used herein belong to their respective owners.

Technical Support Information
CRYPTOCard works closely with our Channel Partners to offer worldwide Technical Support services. If you purchased this product through a CRYPTOCard Channel Partner, please contact your reseller directly for support needs. To contact CRYPTOCard directly, telephone 800-307-7042 or +1-613-599-2441. If you prefer, send an email to support@cryptocard.com. To inquire about obtaining a support contract, refer to our "Support" Web page for the latest contact information at http://www.cryptocard.com.

Comments
If you have comments or suggestions you would like to make regarding this document, please send an email to support@cryptocard.com.

Publication History
Date        Version   Changes
2005.08.04  Rev.1.0   Initial Release

CRYPTOCard Authentication for Whale Communications e-gap SSL VPN i

Table of Contents

Implementation and Application Summary ... iii
CRYPTOCard Authentication for e-gap SSL VPN ... 1
  Overview ... 1
  Prerequisites ... 2
Whale Communications e-gap SSL VPN Configuration ... 2
  Step 1 - Configuring a Radius Authentication Server ... 2
  Step 2 - RADIUS Protocol Access Control List ... 3
  Step 3 - Adding e-gap to the RADIUS Protocol Access Control List ... 3
Connecting with the e-gap SSL VPN ... 5
  New PIN Mode ... 6
  Stored on Server, User-changeable PIN example ... 6
  Stored on Server, Server-changeable PIN example ... 7
Troubleshooting ... 9
  Troubleshooting authentication failures ... 9
  CRYPTO-Server Log Files ... 10

Implementation and Application Summary

Compatibility and Interoperability: Whale Communications e-gap Remote Access SSL VPN
Systems Protected: Whale Communications e-gap Remote Access SSL VPN
CRYPTOCard Dependencies: CRYPTO-Server 6.x, RADIUS client
Browser Dependencies: Internet Explorer 5+, Mozilla Firefox 1+
Network Architecture: SSL VPN Remote Access

Supported CRYPTOCard Token Types
  CRYPTOCard Tokens: RB-1, KT-1, ST-1, SC-1, UB-1
  Encryption Level: DES, 3DES, AES128, AES192, AES256
  PIN Modes:
    Token based: fixed, user changeable, numeric, alphanumeric*
    Server based: fixed, user changeable, server changeable
  Passcode:
    Length: 6, 7, 8
    Types: numeric, alphanumeric, base64*

Supported SecurID Token Types
  SecurID: SD-200, SD-520, SD-600, SD-5100, SD-6100
  Encryption Level: DES
  PIN Modes:
    Server based: fixed, user changeable, server changeable, numeric, alphanumeric
  Passcode:
    Length: 6, 8 numeric
    Types: numeric

(*depending upon token series)

CRYPTOCard Authentication for e-gap SSL VPN

Overview
Whale Communications e-gap SSL VPN is used to create encrypted tunnels for remote and mobile users, providing access to corporate networks. The e-gap SSL VPN secures browser-based access to applications such as email, portals, and other applications based upon authentication information such as a username and password. CRYPTOCard authentication replaces static passwords with strong two-factor authentication to prevent the use of lost, stolen, shared, or easily guessed passwords to establish a tunnel and gain access to protected resources.

CRYPTOCard provides authentication using the RADIUS protocol. The end-user launches a web browser and navigates to the e-gap login page. Then, using their logon name and a passcode from their CRYPTOCard software, hardware, or smart card token, the end-user establishes a connection to the internal network. The e-gap SSL VPN passes the authentication information to the CRYPTO-Server (via RADIUS). The CRYPTO-Server verifies the username and password, and an Access-Accept message is sent to the e-gap SSL VPN, allowing the user to access the protected network and resources.

Prerequisites
- Whale Communications e-gap SSL VPN is installed and configured. Verify that the Whale Communications e-gap SSL VPN authentication works using static passwords before commencing installation and testing with CRYPTOCard.
- CRYPTO-Server 6.x is installed. Note that if CRYPTO-Server 6.x is installed and configured to use a JDBC (non-LDAP) database, the CRYPTO-Server user name must be identical to the user name currently employed by the end-user.
- If a firewall exists between the Whale Communications e-gap SSL VPN and CRYPTO-Server 6.x, it must allow RADIUS traffic on UDP ports 1812 (RADIUS authentication) and 1813 (RADIUS accounting). CRYPTO-Server 6.x uses ports 1812/1813 by default for RADIUS.
- A NAS.x entry in the RadiusProtocol entity on CRYPTO-Server must exist which includes the Whale Communications e-gap SSL VPN.

Whale Communications e-gap SSL VPN Configuration
The Whale Communications e-gap SSL VPN can normally be configured in a matter of minutes; however, proper preparation to ensure all prerequisites are met is essential.

Step 1 - Configuring a Radius Authentication Server

Confirm use of the Filter-Id RADIUS attribute to pass group information back to e-gap for authorization purposes. Note that challenge-response must be enabled in order for the new PIN mode to function.

Step 2 - RADIUS Protocol Access Control List
The Whale Communications e-gap SSL VPN uses the RADIUS protocol to communicate with the CRYPTO-Server. The RADIUS Protocol contains an access control list that specifies which RADIUS-enabled clients are allowed to authenticate against the CRYPTO-Server. You must verify that all RADIUS-enabled clients are within the RadiusProtocol access control list.

1. Open the CRYPTO-Console and connect to the CRYPTO-Server.
2. Select the Server menu, then System Configuration.
3. In the Entity column, select RadiusProtocol.
4. Look at the value corresponding to the key NAS.2. The value of this key defines which RADIUS-enabled clients are allowed to authenticate against the CRYPTO-Server.

By default, the CRYPTO-Server is configured to listen for RADIUS Protocol authentication requests over UDP port 1812, from any host on the same subnet.

Step 3 - Adding e-gap to the RADIUS Protocol Access Control List
If the e-gap system is not within a RadiusProtocol NAS entry range, it must be added. It is possible to define as many RADIUS clients as desired by adding NAS.# entries to the CRYPTO-Server configuration. In System Configuration, right-click on the RadiusProtocol entity and select New Key-Value. The syntax of the data for a NAS entry is as follows:

Key:   NAS.#
Value: <First IP>, <Last IP>, <Hostname>, <Shared Secret>, <Perform Reverse Lookup?>, <Authentication Protocols>

First IP Address: The first IP address of the RADIUS client(s) configured in this NAS.# key.

Last IP Address: The last IP address of the RADIUS client(s) configured in this NAS.# key. If only one IP address is defined by a NAS.# key, the First and Last IP Address will be the same.

Hostname: Only applies in cases where the NAS.# key is for one host. Required for performing reverse lookup.

RADIUS Shared Secret Key: A string used to encrypt the password being sent between the CRYPTO-Server and the RADIUS client (i.e. the e-gap SSL VPN). The Shared Secret string can be any combination of numbers and uppercase and lowercase letters.

Perform Reverse Lookup: An added security feature of the CRYPTO-Server is its ability to verify the authenticity of a RADIUS client by cross-checking its IP address with the Domain Name Server. If this value is set to true, when the CRYPTO-Server receives a RADIUS request from the RADIUS client defined by this NAS.# entry, it sends a request to the DNS using the hostname set in the NAS.# entry. The DNS should respond with the same IP address as configured in the NAS.# entry; otherwise the CRYPTO-Server assumes that the RADIUS packet is coming from some other host posing as the RADIUS client, and ignores the request completely.

Authentication Protocols: Many different authentication protocols can be used during RADIUS authentication. Common examples are PAP, CHAP, MSCHAP and EAP. This setting determines which authentication protocols the CRYPTO-Server will allow from a given RADIUS client. Currently CRYPTOCard only supports the PAP and MSCHAPv2 authentication protocols for RADIUS clients.

Here is an example of a NAS entry called NAS.3, which will accept RADIUS client requests from IP address 192.168.21.1 to 192.168.21.254.

The CRYPTO-Protocol service/daemon must be restarted once all NAS entries have been entered.
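The NAS.# access-control check described in Steps 2 and 3, written out as an added Python illustration (this is not CRYPTO-Server's own code). It parses NAS.# values in the six-field layout documented above, finds the entry whose range covers a RADIUS client's source address, applies the reverse-lookup cross-check when the entry asks for it, and filters on the permitted authentication protocols. The NAS.3 range 192.168.21.1 to 192.168.21.254 is the one the guide uses; the other entries, hostnames and shared secrets are constructed placeholders, the DNS resolver is a stand-in, and the delimiter used to list several protocols in the last field is an assumption, since the guide does not state it.

```python
"""Model of the CRYPTO-Server RadiusProtocol NAS.# access-control check.

Added illustration, not CRYPTOCard's code: it parses NAS.# values in the
six-field layout the guide documents, finds the entry covering a client's
source address, and applies the optional reverse-lookup cross-check.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class NasEntry:
    key: str                          # e.g. "NAS.3"
    first_ip: ipaddress.IPv4Address
    last_ip: ipaddress.IPv4Address
    hostname: str                     # empty unless the entry is for a single host
    shared_secret: str
    reverse_lookup: bool
    protocols: List[str]              # upper-cased, e.g. ["PAP", "MSCHAPV2"]

    def covers(self, ip: ipaddress.IPv4Address) -> bool:
        return self.first_ip <= ip <= self.last_ip


def parse_nas_entry(key: str, value: str) -> NasEntry:
    """Parse '<First IP>, <Last IP>, <Hostname>, <Shared Secret>, <Reverse Lookup?>, <Protocols>'.

    Assumption (not stated in the guide): several protocols in the last field are
    separated by whitespace, '/' or '|'.
    """
    fields = [f.strip() for f in value.split(",")]
    if len(fields) != 6:
        raise ValueError(f"{key}: expected 6 comma-separated fields, got {len(fields)}")
    first, last, hostname, secret, reverse, protos = fields
    first_ip, last_ip = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if last_ip < first_ip:
        raise ValueError(f"{key}: last IP precedes first IP")
    if not secret:
        raise ValueError(f"{key}: shared secret must not be empty")
    reverse_flag = reverse.lower() == "true"
    if reverse_flag and (not hostname or first_ip != last_ip):
        raise ValueError(f"{key}: reverse lookup needs a hostname and a single-host range")
    protocols = [p.upper() for p in re.split(r"[\s/|]+", protos) if p]
    return NasEntry(key, first_ip, last_ip, hostname, secret, reverse_flag, protocols)


Resolver = Callable[[str], Optional[str]]   # hostname -> IP string, or None if unresolvable


def authorize_client(entries: List[NasEntry], client_ip: str, protocol: str,
                     resolve: Resolver) -> Optional[NasEntry]:
    """Return the NAS entry that admits this client and protocol, or None.

    Mirrors the documented behaviour: a request from an address outside every NAS.#
    range, a failed reverse-lookup cross-check, or a protocol the entry does not
    allow is ignored.
    """
    ip = ipaddress.IPv4Address(client_ip)
    for entry in entries:
        if not entry.covers(ip):
            continue
        if entry.reverse_lookup and resolve(entry.hostname) != str(ip):
            return None   # DNS disagrees: treat the packet as spoofed and drop it
        if protocol.upper() not in entry.protocols:
            return None
        return entry
    return None


# Constructed sample configuration. NAS.3's range is the one the guide uses;
# hostnames and secrets are placeholders, not real values.
SAMPLE_CONFIG: Dict[str, str] = {
    "NAS.2": "192.168.20.1, 192.168.20.254, , subnet-secret-placeholder, false, PAP",
    "NAS.3": "192.168.21.1, 192.168.21.254, , egap-secret-placeholder, false, PAP MSCHAPv2",
    "NAS.4": "10.1.1.5, 10.1.1.5, egap.example.internal, single-host-secret, true, PAP",
}
SAMPLE_ENTRIES = [parse_nas_entry(k, v) for k, v in SAMPLE_CONFIG.items()]


def fake_resolver(hostname: str) -> Optional[str]:
    """Constructed stand-in for a DNS lookup."""
    return {"egap.example.internal": "10.1.1.5"}.get(hostname)


if __name__ == "__main__":
    for ip, proto in [("192.168.21.77", "PAP"), ("192.168.22.1", "PAP"),
                      ("10.1.1.5", "PAP"), ("10.1.1.5", "CHAP")]:
        hit = authorize_client(SAMPLE_ENTRIES, ip, proto, fake_resolver)
        print(ip, proto, "->", hit.key if hit else "ignored")
```

The check order matters for the reverse-lookup case: the address range is matched first, then DNS is consulted, and a mismatch drops the request rather than falling through to a later, looser entry.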

Connecting with the e-gap SSL VPN
Once the e-gap SSL VPN and CRYPTO-Server have been configured correctly, the end-user should be able to open a web browser and authenticate to the e-gap SSL VPN using a passcode from their CRYPTOCard token.

First the end-user opens a web browser and enters the URL for the e-gap SSL VPN. They will be presented with a logon page asking for their user name and password. In the example below, the end-user bob has provided his user name and a passcode from his CRYPTOCard token.

Once the CRYPTO-Server has validated the passcode provided, an Access-Accept reply is sent back to the e-gap SSL VPN, and the user has established their authenticated VPN connection.

New PIN Mode
CRYPTOCard hardware tokens, the KT-1 keychain token and the RB-1 PIN-pad token, can be programmed with a Stored on Server PIN style. This style requires the end-user to prepend the PIN to the passcode displayed on the token. The combination of the PIN and passcode is used to authenticate the end-user. There are three options when selecting a Stored on Server PIN style:

- Stored on Server, Fixed PIN: This PIN must be prepended to the passcode. The end-user cannot change the PIN. A CRYPTO-Server operator can change the PIN.
- Stored on Server, User-changeable PIN: Periodic PIN change will be forced by the CRYPTO-Server according to the PIN Change Period option. The end-user will determine the new PIN value. This PIN must be prepended to the passcode.
- Stored on Server, Server-changeable PIN: Periodic PIN change will be forced by the CRYPTO-Server according to the PIN Change Period option. The CRYPTO-Server will determine the new PIN value. This PIN must be prepended to the passcode.

Stored on Server, User-changeable PIN example
The end-user opens a web browser and enters the URL for the e-gap SSL VPN. They will be presented with a logon page asking for their user name and password. After the initial authentication, the CRYPTO-Server has enforced a PIN change and requires the end-user to provide a new PIN.

If the new PIN provided by the end-user meets the minimum PIN requirements as configured on CRYPTO-Server, the end-user will then be allowed access to the network and applications. The end-user will need to use this new PIN until the next PIN change is enforced.

Stored on Server, Server-changeable PIN example
The end-user opens a web browser and enters the URL for the e-gap SSL VPN. They will be presented with a logon page asking for their user name and password. After the initial authentication, the CRYPTO-Server has enforced a PIN change and provides the new PIN to the end-user.

In this example, the CRYPTO-Server has provided a new PIN of 7501 to the end-user. This new PIN is then used along with the next passcode from the token in order to authenticate and gain access to the network and applications. The end-user will need to use this new PIN until the next PIN change is enforced.
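The three Stored on Server PIN styles and the forced PIN change from the New PIN Mode section, modelled as an added Python example (not CRYPTO-Server's code). The server holds the PIN, splits the end-user's input into PIN prefix and token passcode, checks both, and once the PIN Change Period has elapsed withholds access until a new PIN is in force: chosen by the user in the user-changeable style, issued by the server in the server-changeable style. The PIN 7501 in the walkthrough is the value the guide shows; the old PIN, the passcodes, the token engine (including its look-ahead window, in the spirit of the MaxForward key mentioned under Troubleshooting), the day-counter clock and the minimum PIN rule (length and alphanumeric characters) are all constructed assumptions, not the product's policy.

```python
"""Model of the Stored on Server PIN styles and the forced PIN change.

Added illustration, not CRYPTO-Server's code. The server holds the PIN, the
end-user prepends it to the token passcode, and once the PIN Change Period
has elapsed the server withholds access until a new PIN (user-chosen or
server-chosen) is in place. The token engine, the minimum PIN rule and all
PINs/passcodes below are constructed stand-ins for the server's real policy.
"""
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Optional, Tuple


class PinStyle(Enum):
    FIXED = "Stored on Server, Fixed PIN"
    USER_CHANGEABLE = "Stored on Server, User-changeable PIN"
    SERVER_CHANGEABLE = "Stored on Server, Server-changeable PIN"


@dataclass
class ServerPinRecord:
    pin: str
    style: PinStyle
    change_period_days: int      # the PIN Change Period option
    last_change_day: int         # day number of the last PIN change (constructed clock)
    min_pin_length: int = 4      # assumed minimum PIN requirement
    pending_change: bool = False


class ConstructedTokenEngine:
    """Stand-in for the token engine: event-based passcodes, each valid once, with a
    look-ahead window in the spirit of the MaxForward key mentioned under Troubleshooting."""

    def __init__(self, passcodes: List[str], max_forward: int = 3):
        self.passcodes, self.pos, self.max_forward = list(passcodes), 0, max_forward

    def __call__(self, passcode: str) -> bool:
        window = self.passcodes[self.pos:self.pos + 1 + self.max_forward]
        if passcode in window:
            self.pos += window.index(passcode) + 1   # resynchronize past the code just used
            return True
        return False


class PinAuthenticator:
    def __init__(self, record: ServerPinRecord, verify_passcode: Callable[[str], bool],
                 new_pin_source: Optional[Callable[[], str]] = None):
        self.record = record
        self.verify_passcode = verify_passcode
        n = record.min_pin_length
        self.new_pin_source = new_pin_source or (lambda: f"{secrets.randbelow(10 ** n):0{n}d}")

    def login(self, user_input: str, today: int) -> str:
        """Split PIN + passcode, check both, then decide whether a PIN change is now due.
        Returns 'accept', 'reject' or 'pin-change-required'."""
        r = self.record
        pin, passcode = user_input[:len(r.pin)], user_input[len(r.pin):]
        pin_ok = hmac.compare_digest(pin.encode(), r.pin.encode())
        if not (pin_ok and self.verify_passcode(passcode)):   # passcode not consumed on a bad PIN
            return "reject"
        if r.style is not PinStyle.FIXED and today - r.last_change_day >= r.change_period_days:
            r.pending_change = True
            return "pin-change-required"
        return "accept"

    def complete_pin_change(self, proposed: Optional[str], today: int) -> Optional[str]:
        """Finish a pending change; returns the PIN now in force, or None if nothing changed."""
        r = self.record
        if not r.pending_change:
            return None
        if r.style is PinStyle.USER_CHANGEABLE:
            if proposed is None or len(proposed) < r.min_pin_length or not proposed.isalnum():
                return None   # fails the minimum PIN requirements; the user must try again
            new_pin = proposed
        elif r.style is PinStyle.SERVER_CHANGEABLE:
            new_pin = self.new_pin_source()   # the server decides; any proposal is ignored
        else:
            return None
        r.pin, r.last_change_day, r.pending_change = new_pin, today, False
        return new_pin


def walkthrough() -> Tuple[str, Optional[str], str]:
    """Server-changeable flow as in the guide: the server issues PIN 7501, which the user
    then prepends to the next passcode. PIN 1234 and the passcodes are constructed."""
    record = ServerPinRecord("1234", PinStyle.SERVER_CHANGEABLE, change_period_days=30, last_change_day=0)
    auth = PinAuthenticator(record, ConstructedTokenEngine(["391028", "774109"]), lambda: "7501")
    first = auth.login("1234391028", today=45)          # change period elapsed: change required
    issued = auth.complete_pin_change(None, today=45)   # server hands out the new PIN
    second = auth.login("7501774109", today=46)         # new PIN + next passcode
    return first, issued, second


if __name__ == "__main__":
    print(walkthrough())   # ('pin-change-required', '7501', 'accept')
```

Two details worth noticing: the PIN is compared before the passcode is consulted, so a wrong PIN does not burn a one-time passcode, and in the server-changeable style the user's own proposal is ignored entirely, matching the guide's description that the CRYPTO-Server determines the new value.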

Troubleshooting

Troubleshooting authentication failures

Symptom: Users fail CRYPTOCard authentication
Possible cause and resolution:
- The Whale Communications e-gap SSL VPN system has not been configured as a valid NAS for the RADIUS Protocol. From System Configuration, add a NAS entry for the e-gap SSL VPN to the RadiusProtocol entity. Apply the change and restart the CRYPTO-Protocol Server service/daemon.
- The remote user's token has become out-of-sync with CRYPTO-Server 6.x. Attempt a test of the remote user's token from the CRYPTO-Console and provide the 8-digit challenge to the remote user. Have the remote user resynchronize their token using the challenge provided. Alternatively, increase the value for the CRYPTO-Server look-ahead by editing the MaxForward key found in the Token entity within System Configuration.
- The remote user's hardware token is configured for the PIN to be stored on the server. Ensure that the remote user is entering their PIN plus the passcode from their token. Alternatively, reset the PIN for the remote user via CRYPTO-Console.
- The remote user's token has become locked. For software and smart card tokens, re-issue the token to the remote user. For hardware tokens with the PIN stored on the server, re-enable the token by changing its state from Locked to Active.
- The RADIUS shared secret key does not match between the e-gap SSL VPN and the CRYPTO-Server. Verify this value is exactly the same on both devices.

Symptom: Authentication requests do not reach CRYPTO-Server
Possible cause and resolution:
- A firewall exists between the e-gap SSL VPN system and CRYPTO-Server. Ensure that UDP port 1812 is open on the firewall to allow traffic for the RADIUS Protocol.
- The e-gap SSL VPN system has not been configured to use RADIUS authentication. Use the e-gap Administration tool to enable RADIUS authentication.
- The CRYPTO-Server and e-gap SSL VPN have been configured to use different ports for the RADIUS protocol. Verify the RADIUS port values in use by each system and ensure they are the same.
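The RADIUS exchange sketched in the Overview (Access-Request from e-gap, Access-Accept from the CRYPTO-Server) and the shared-secret mismatch listed above, shown together as an added Python example that is neither CRYPTOCard's nor Whale's code. It follows RFC 2865: the client hides the PAP User-Password under an MD5 keystream derived from the shared secret and the Request Authenticator, and the server's reply carries a Response Authenticator computed over the reply and the same secret. With matching secrets the server recovers the passcode and the client accepts the reply; with a mismatch the server recovers garbage and rejects, and the client cannot validate the reply either. The server-side handler, the user name, the passcode and the Filter-Id value are constructed stand-ins; the Access-Challenge used for the new PIN mode is not modelled.

```python
"""RADIUS (RFC 2865) Access-Request / Access-Accept exchange with a shared secret.

Added illustration, not CRYPTOCard's or Whale's code. It shows why the shared
secret must match on both sides: the e-gap side hides the PAP User-Password under
an MD5(secret, authenticator) keystream, and the CRYPTO-Server side signs its reply
with the same secret; with a mismatch the server recovers garbage and the client
rejects the reply.
"""
import hashlib
import hmac
import os
import struct
from typing import List, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FILTER_ID, REPLY_MESSAGE = 1, 2, 11, 18

Attrs = List[Tuple[int, bytes]]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_pap_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16 bytes, then c_i = p_i XOR MD5(secret + c_{i-1}), c_0 = authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def decode_pap_password(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        chunk = encoded[i:i + 16]
        out += _xor(chunk, hashlib.md5(secret + prev).digest())
        prev = chunk
    return out.rstrip(b"\x00")


def _encode_attrs(attrs: Attrs) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(packet: bytes) -> Attrs:
    attrs, pos = [], 20
    while pos < len(packet):
        t, length = packet[pos], packet[pos + 1]
        attrs.append((t, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def build_access_request(username: bytes, password: bytes, secret: bytes, ident: int) -> bytes:
    request_auth = os.urandom(16)   # Request Authenticator: fresh random value per request
    body = _encode_attrs([(USER_NAME, username),
                          (USER_PASSWORD, encode_pap_password(password, secret, request_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def build_response(code: int, request: bytes, attrs: Attrs, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = _encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    resp_auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + resp_auth + body


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client-side check that the reply was produced with the same secret and request."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def server_handle(request: bytes, secret: bytes, expected_passcode: bytes) -> bytes:
    """Constructed stand-in for the CRYPTO-Server: accept if the recovered passcode matches."""
    attrs = dict(parse_attrs(request))
    recovered = decode_pap_password(attrs[USER_PASSWORD], secret, request[4:20])
    if hmac.compare_digest(recovered, expected_passcode):
        # Filter-Id carries group information back to e-gap for authorization (see Step 1).
        return build_response(ACCESS_ACCEPT, request, [(FILTER_ID, b"vpn-users")], secret)
    return build_response(ACCESS_REJECT, request, [(REPLY_MESSAGE, b"Authentication failed")], secret)


def exchange(client_secret: bytes, server_secret: bytes) -> Tuple[int, bool]:
    """Run one exchange; return (response code, whether the client accepted the reply)."""
    passcode = b"48213907"   # constructed one-time passcode for user 'bob'
    request = build_access_request(b"bob", passcode, client_secret, ident=7)
    response = server_handle(request, server_secret, passcode)
    return response[0], verify_response(response, request, client_secret)


if __name__ == "__main__":
    print("matching secrets:", exchange(b"s3cret", b"s3cret"))    # (2, True)
    print("mismatched secrets:", exchange(b"s3cret", b"other"))   # (3, False)
```

Because the password hiding and the reply authenticator both depend on the secret, a mismatch shows up as an Access-Reject that the client then also fails to validate, which is why the guide's advice is simply to confirm the value is identical on both devices.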

CRYPTO-Server Log Files
To aid in troubleshooting authentication problems, review the information in the CAPProtocol.dbg file and the cryptocard.log file. A higher level of debugging information can be displayed in the RadiusProtocol.dbg file by enabling the DebugLog.Enabled key in the RadiusProtocol entity:

1. From CRYPTO-Console, select the Server menu, then System Configuration.
2. In the RadiusProtocol entity, choose the DebugLog.Enabled key and set its value to true.
3. Apply the change and restart the CRYPTO-Protocol service/daemon.

Default log file locations:
- CRYPTO-Server installed on Windows: \CRYPTOCard\CRYPTO-Server\log
- CRYPTO-Server installed on SuSE Enterprise 9 or Red Hat Enterprise 3.0 or 4.0: /usr/local/cryptocard/cryptoserver/log
- CRYPTO-Server installed on Mac OS X 10.3 or 10.4: /Applications/CRYPTO-Server/log