
Page 1: DIGIPASS Authentication for SonicWall SSL-VPN - VASCO · DIGIPASS Authentication for SonicWall - Integration Guideline V1.0 2011 VASCO Data Security. All rights reserved. Page 3 of

DIGIPASS Authentication for SonicWall - Integration Guideline V1.0 2011 VASCO Data Security. All rights reserved. Page 1 of 55

DIGIPASS Authentication for SonicWall SSL-VPN

With IDENTIKEY Server / Axsguard IDENTIFIER

Integration Guidelines


Disclaimer

Disclaimer of Warranties and Limitations of Liabilities

This Report is provided on an 'as is' basis, without any other warranties, or conditions.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security.

Trademarks

DIGIPASS, IDENTIKEY, IDENTIFIER & AXSGUARD are registered trademarks of VASCO Data Security. All trademarks or trade names are the property of their respective owners. VASCO reserves the right to make changes to specifications at any time and without notice. The information furnished by VASCO in this document is believed to be accurate and reliable. However, VASCO may not be held liable for its use, nor for infringement of patents or other rights of third parties resulting from its use.

Copyright

2011 VASCO Data Security. All rights reserved.


Table of Contents

DIGIPASS Authentication for SonicWall SSL-VPN ........................................... 1

Disclaimer ...................................................................................................... 2

Table of Contents............................................................................................ 3

1 Reader ...................................................................................................... 5

2 Overview ................................................................................................... 6

3 Problem Description .................................................................................. 7

4 Solution .................................................................................................... 8

4.1 Benefits ............................................................................................... 8

4.2 How does two-factor authentication work?................................................ 8

4.3 Supported Platforms .............................................................................. 8

5 Technical Concept ..................................................................................... 9

5.1 General overview .................................................................................. 9

5.2 SonicWALL SSL-VPN prerequisites ........................................................... 9

5.3 IDENTIKEY Server Prerequisites .............................................................. 9

5.4 Overview of SonicWALL RADIUS Authentication with IK .............................10

5.5 Overview of actions ..............................................................................10

6 Configuration of the SonicWALL SSL-VPN ............................................... 11

6.1 Login to the SSL-VPN & check version .....................................................11

6.2 Set the time on SSL-VPN .......................................................................13

6.3 DNS Settings .......................................................................................14

6.4 Configure a default route for the SSL-VPN ...............................................15

6.5 Add NetExtender Client Address Range ...................................................16

6.6 Add NetExtender Client Routes...............................................................17

6.7 Create a Portal Domain .........................................................................18

6.8 Add a 'local user' for the Domain ............................................19


6.9 Edit the user's policy .............................................................20

7 Configure the NSA 2400 .......................................................................... 21

7.1 Login ..................................................................................................21

7.2 Configure PRO4060 Interface and Zone ...................................................22

7.3 Create an Address ................................................................................26

7.4 Create inbound allow rule for https & NAT Policy ......................................27

7.5 Allow rule from DMZ to LAN for IDENTIKEY Server ...................................30

8 IDENTIKEY Server ................................................................................... 31

8.1 Policy configuration ..............................................................................31

8.2 Register Client .....................................................................................35

8.3 Configure User .....................................................................................35

8.3.1 Create New User ............................................................................35

8.3.2 Import DIGIPASS ...........................................................................37

8.3.3 Assign DIGIPASS ............................................................................38

8.4 Install Active Directory ..........................................................................40

8.4.1 Create Users ..................................................................................40

8.4.2 Import DIGIPASS ...........................................................................43

8.4.3 Assign Digipasses for Users .............................................................46

9 Two-factor authentication SSL-VPN test and conclusion ......................... 53

10 About VASCO Data Security .................................................................. 55


1 Reader

This document is a guideline for configuring the partner product with IDENTIKEY SERVER or Axsguard IDENTIFIER. For details about the setup and configuration of IDENTIKEY SERVER and Axsguard IDENTIFIER, we refer to the installation and administration manuals of these products. Axsguard IDENTIFIER is the appliance-based solution, running IDENTIKEY SERVER by default.

Within this document, VASCO Data Security provides the reader guidelines for configuring the partner product with this specific configuration in combination with VASCO Server and Digipass. Any change in the concept might require a change in the configuration of the VASCO Server products.

The product name 'IDENTIKEY SERVER' will be used throughout the document, keeping in mind that this document applies as well to the Axsguard IDENTIFIER.


2 Overview

The purpose of this document is to demonstrate how to configure IDENTIKEY Server to work with a SonicWALL device. Authentication is arranged in one central place, where it can be used for a regular VPN or SSL-VPN connection.

SonicWALL is a strong leader in secure, easy to configure and affordable SSL-VPN clientless remote access, and provides users additional Unified Threat Management security when combined with SonicWALL's firewall/VPN appliances. This addresses all companies from the SMB (Small & Medium Business) to the Enterprise space.

VASCO Data Security delivers reliable authentication through the use of One Time Password technology. VASCO IDENTIKEY Server combined with SonicWALL SSL-VPN and SonicWALL firewall/VPN appliances creates an open-market approach delivered through VASCO DIGIPASS technology.

VASCO IDENTIKEY Server allows users to utilize the VASCO DIGIPASS concept, which uses One Time Passwords that are assigned for time segments and provide easy and secure SSL-VPN remote access. The One Time Password within the authentication request is verified on the VASCO IDENTIKEY Server. After verification, a RADIUS access-accept message is sent to the SonicWALL SSL-VPN server for authentication.

Digipass integration works in the same way with other SonicWall solutions:


3 Problem Description

The basic working of the SonicWALL is based on authentication against an existing medium (LDAP, RADIUS, local authentication, ...). To use the IDENTIKEY Server with SonicWALL, the external authentication settings need to be changed or added manually.

Since static passwords are generally known to be insecure and easy to compromise, One Time Passwords were introduced to the remote access market to secure the corporate LAN or central resources. A method to track and manage incoming users via the SonicWALL SSL-VPN and firewall/VPN devices also needed to be introduced.

Two-factor authentication is a method that requires two independent means of information to establish identity and privileges. Two-factor authentication is stronger and more rigorous than traditional password authentication, which only requires one factor, such as the user's password.

The following pages present how to solve these issues by configuring the SonicWALL SSL-VPN and NSA 2400, and the VASCO IDENTIKEY Server / Axsguard IDENTIFIER.


4 Solution

After configuring IDENTIKEY Server and the SonicWALL devices in the right way, you eliminate the weakest link in any security infrastructure, the use of static passwords, which are easily stolen, guessed, reused or shared.

The SonicWALL appliance gives you the ability of a combined SSL/VPN platform: it is possible to access your network from a web portal page and/or to create an SSL tunnel.

4.1 Benefits

Two-factor authentication offers the following benefits in combination with SonicWALL SSL-VPN:

• Enhances security by requiring two independent variables of information for authentication.

• Reduces the security risks associated with one-factor passwords.

• Minimizes the time administrators spend training and supporting users by providing a strong authentication process that is simple, intuitive, and automated.

4.2 How does two-factor authentication work?

Two-factor authentication requires the use of a third-party authentication service. The authentication service consists of two components:

• An authentication server that the administrator uses to configure user names and assign tokens, and manage authentication-related tasks.

With two-factor authentication, users must enter a valid One Time Password to gain access. A One Time Password consists of the following:

• The user's personal identification number (PIN).

• A One Time Password issued.

Users receive the temporary token codes from their VASCO DIGIPASS. The DIGIPASS displays a new One Time Password every 32 seconds. When VASCO IDENTIKEY Server authenticates the user, it verifies that the One Time Password timestamp is valid in the current timeframe. If the PIN is correct and the One Time Password is current, the user is authenticated.

Because user authentication requires these two factors, the VASCO DIGIPASS solution offers stronger security than traditional single-factor authentication.
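The time-window check described above, as an added illustration that is not VASCO code and not the DIGIPASS algorithm (which is proprietary): a generic HMAC-based time-step OTP in the style of RFC 6238 stands in for the token, using the 32-second step quoted here, to show why the server and token clocks must agree and why a consumed step must not be accepted twice. The seed, PIN and clock values are constructed.

```python
# Added example (not the DIGIPASS algorithm, which is VASCO-proprietary): a generic
# HMAC-based time-step OTP in the style of RFC 6238 stands in for the token, using the
# 32-second step quoted in section 4.2. Seeds, PINs and clock values are constructed.
import hashlib
import hmac
import struct

STEP_SECONDS = 32   # a new OTP every 32 seconds (section 4.2)
DRIFT_STEPS = 1     # tolerate one step of clock skew either side of server time
DIGITS = 6


def otp_for_step(seed: bytes, step: int) -> str:
    """Truncated HMAC-SHA1 of the step counter, rendered as DIGITS decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def token_display(seed: bytes, token_clock: int) -> str:
    """What the token shows at the given Unix time on the token's own clock."""
    return otp_for_step(seed, token_clock // STEP_SECONDS)


def verify_otp(seed: bytes, candidate: str, server_clock: int, last_used_step=None):
    """Server-side check: accept the candidate only if it matches a step inside the
    drift window and that step is newer than the last one this token consumed.
    Returns (accepted, matched_step)."""
    now_step = server_clock // STEP_SECONDS
    for delta in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
        step = now_step + delta
        if last_used_step is not None and step <= last_used_step:
            continue  # replay: this OTP (or an older one) was already used
        if hmac.compare_digest(otp_for_step(seed, step), candidate):
            return True, step
    return False, None


def authenticate(seed, expected_pin, pin, otp, server_clock, last_used_step=None):
    """Both factors of section 4.2: the PIN (something known) and a current OTP
    (something held). Returns (accepted, new_last_used_step)."""
    pin_ok = hmac.compare_digest(pin.encode(), expected_pin.encode())
    otp_ok, step = verify_otp(seed, otp, server_clock, last_used_step)
    if pin_ok and otp_ok:
        return True, step
    return False, last_used_step
```

A token running a few minutes ahead of the server fails exactly the way a wrongly set Time Zone on the appliance or the IDENTIKEY host would make every user fail, which is why section 6.2 insists on clock synchronisation.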

4.3 Supported Platforms

• IDENTIKEY Server. This document describes version 3.2.

• SonicWALL SSL-VPN SRA 1200/4200 and SRA VA platforms running firmware version 5.0 or higher. This document describes firmware version 5.0.0.0-14SV of SSL-VPN.

• SonicWALL NSA 2400 running SonicOS Enhanced 5.x. This document describes SonicOS Enhanced version 5.7.0.0.


5 Technical Concept

5.1 General overview

The concept is very easy: the IDENTIKEY Server (IK) is installed as a back-end authentication service for the SonicWALL SSL-VPN.

This means that the IK receives all authentication requests from the SonicWALL SSL-VPN. The One Time Password (OTP) within the authentication request will be verified on the IK.

After IK verification, a RADIUS access-accept message is sent to the SonicWALL SSL-VPN for the authentication part.

Figure 1: General Overview / Network Diagram

5.2 SonicWALL SSL-VPN prerequisites

Please make sure you have a working setup of the SonicWALL. It is very important that this is working correctly before you start implementing the authentication to the IDENTIKEY SERVER.

5.3 IDENTIKEY Server Prerequisites

In this guide we assume you already have IDENTIKEY Server installed and working. If this is not the case, make sure you get it working before installing any other features.


5.4 Overview of SonicWALL RADIUS Authentication with IK

The following is a description of the RADIUS authentication sequence WITHOUT a DIGIPASS assigned:

1. A remote user initiates a connection to the SonicWALL NSA.

2. The SonicWALL NSA is configured so that all https (SSL-VPN) traffic is forwarded to the SonicWALL SSL-VPN.

3. The SonicWALL SSL-VPN gathers the remote user's ID and password, and then submits a RADIUS authentication request to the IDENTIKEY Server.

4. IDENTIKEY Server performs the verification and answers the SonicWALL SSL-VPN with an access-accept or access-reject message.

5. SonicWALL SSL-VPN then provides access to the authenticated user's individual Portal on the SonicWALL SSL-VPN, where the protected resources can be accessed via a simple 'bookmark' click or via IPSec-like NetExtender access.

The following is a description of the RADIUS authentication sequence WITH a DIGIPASS assigned:

1. A remote user initiates a connection to the SonicWALL NSA.

2. The SonicWALL NSA is configured so that all https (SSL-VPN) traffic is forwarded to the SonicWALL SSL-VPN.

3. The SonicWALL SSL-VPN gathers the remote user's ID and the one time password generated by the DIGIPASS, and then submits a RADIUS authentication request to the IDENTIKEY Server.

4. IDENTIKEY Server performs the OTP verification and answers the SonicWALL SSL-VPN with an access-accept or access-reject message.

5. SonicWALL SSL-VPN then provides access to the authenticated user's individual Portal on the SonicWALL SSL-VPN, where the protected resources can be accessed via a simple 'bookmark' click or via IPSec-like NetExtender access.
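The RADIUS exchange in steps 3 and 4, as an added example that is not VASCO or SonicWALL code: an RFC 2865 Access-Request carrying the OTP in User-Password, a server-side stand-in that answers Access-Accept or Access-Reject, and the client-side check of the Response Authenticator that ties the answer to the shared secret configured on both sides (section 6.7). The shared secret, user name and OTP value are constructed.

```python
# Added example (not VASCO or SonicWALL code): the RFC 2865 Access-Request /
# Access-Accept exchange between an SSL-VPN (RADIUS client) and a RADIUS server
# such as IDENTIKEY. Shared secrets, user names and OTP values are constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); block one chains off the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ d for p, d in zip(padded[i:i + 16], digest))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as applied on the server side."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ d for c, d in zip(block, digest))
        prev = block
    return out.rstrip(b"\x00")  # strip the RFC padding


def build_packet(code: int, identifier: int, authenticator: bytes, attrs) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) followed by TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def parse_attributes(packet: bytes):
    """Walk the attribute TLVs, rejecting lengths that run past the packet."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def build_access_request(username: str, otp: str, secret: bytes, identifier: int,
                         request_auth: bytes = None):
    """What the SSL-VPN sends: User-Name plus the OTP hidden in User-Password."""
    request_auth = request_auth or os.urandom(16)  # fresh 16 random bytes per request
    attrs = [(ATTR_USER_NAME, username.encode()),
             (ATTR_USER_PASSWORD, hide_password(otp.encode(), secret, request_auth))]
    return build_packet(ACCESS_REQUEST, identifier, request_auth, attrs), request_auth


def build_response(code: int, request: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check that an Accept/Reject was produced by a holder of the shared
    secret for this very request; a response that fails this must be discarded."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def radius_server_handle(request: bytes, secret: bytes, expected_otps: dict) -> bytes:
    """Stand-in for the IDENTIKEY RADIUS front-end (constructed, not VASCO's logic):
    recover the OTP from User-Password and answer Accept or Reject."""
    code, _, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        return build_response(ACCESS_REJECT, request, secret)
    attrs = dict(parse_attributes(request))
    if ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
        return build_response(ACCESS_REJECT, request, secret)
    user = attrs[ATTR_USER_NAME].decode(errors="replace")
    otp = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request[4:20])
    ok = hmac.compare_digest(otp, expected_otps.get(user, b"\x00"))
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)


def run_exchange(username: str, otp: str, vpn_secret: bytes, ik_secret: bytes,
                 expected_otps: dict):
    """One SSL-VPN -> server -> SSL-VPN round trip; returns (response code, authentic)."""
    request, request_auth = build_access_request(username, otp, vpn_secret, identifier=7)
    response = radius_server_handle(request, ik_secret, expected_otps)
    return response[0], verify_response(response, request_auth, vpn_secret)
```

With mismatched secrets on the two sides the server recovers garbage from User-Password and rejects, and the reply fails the client's authenticator check, so a wrong 'Secret password' in the Portal Domain shows up as every user being refused.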

5.5 Overview of actions

In the next chapters we will show you how to configure each device and server in the right way to enable the 2-factor authentication with IDENTIKEY Server.

Action                            Component            Where
SonicWALL SSL-VPN configuration   SSL-VPN appliance    Chapter 6
SonicWALL NSA2400 configuration   Firewall appliance   Chapter 7
IDENTIKEY Server configuration    IDENTIKEY Server     Chapter 8
Sample of a logon                 Logon                Chapter 9


6 Configuration of the SonicWALL SSL-VPN

6.1 Login to the SSL-VPN & check version

1. Browse to the default IP address of the SSL-VPN SRA 1200 or 4200 on the X0 interface: https://192.168.200.1

2. Login with the default values: User Name: admin and Password: password

Note: If you enter http://192.168.200.1 it will automatically redirect to https.

3. Check in the System > Status page that the current 'Firmware Version' is at least 5.0:

Figure 2: Checking the Firmware version

If it is not 5.0 or higher, register the SonicWALL SSL-VPN appliance at https://www.mysonicwall.com and download the latest firmware version with a valid SonicWALL support entitlement.


Navigate to Network > Interfaces for the correct IP address of the SSL-VPN's X0 interface. According to the Network Diagram on page 3, this can be left at the default IP address 192.168.200.1:

Figure 3: Checking the IP-address for the Network Interface


6.2 Set the time on SSL-VPN

Since the two-factor authentication depends on time synchronization, it is important that the internal clocks of the SSL-VPN appliance and the VASCO IdentiKey are set correctly.

Navigate to System > Time on the SSL-VPN appliance to select the correct Time Zone:

Figure 4: Time Setting on the appliance


6.3 DNS Settings

Navigate to Network > DNS and set the correct DNS settings and/or WINS settings:

Figure 5: Checking DNS Settings


6.4 Configure a default route for the SSL-VPN

According to the Network Diagram on page 3, the default route for the SSL-VPN is the NSA 2400's X2 interface, which corresponds with the DMZ Zone. This IP address is set to 192.168.200.250 and needs to be configured as the Default Route for the SSL-VPN.

Navigate to Network > Routes and set the correct Default Route on the SSL-VPN X0 interface:

Figure 6: Configuring a default route


6.5 Add NetExtender Client Address Range

If using NetExtender clients (IPSec-like SSL-VPN tunnels), navigate to NetExtender > Client Addresses to set the NetExtender Client Address Range:

Figure 7: Setting the NetExtender Client Address Range

In this example, the Client Address Range Begin and End can be left at their defaults, as Client Addresses will be assigned in the same subnet 192.168.200.0/24 as the SSL-VPN X0 interface. Exclude the SonicWALL SSL-VPN X0 interface and the SonicWALL NSA's X2 interface IP address, according to the Network Diagram on page 3.

NOTE: All the IP settings and configurations shown in the screenshots in this document will vary according to your network topology.


6.6 Add NetExtender Client Routes

1. Navigate to NetExtender > Client Routes.

2. Click the Add button to select the correct Client Routes for the authenticated remote users accessing the private networks via the SSL-VPN connection:

Figure 8: Adding the correct Client Routes

According to the Network Diagram on page 8, this corresponds with the subnet connected to the X0 (LAN) interface of the SonicWALL NSA.


6.7 Create a Portal Domain

Navigate to Portal > Domains and select Radius as the Authentication Type from the drop-down menu:

Figure 9: Adding a portal domain

Enter the Domain Name. This is the Domain Name users will use in order to log into the SonicWALL SSL-VPN appliance portal.

The 'Radius server address' is the IP address of the Vasco IDENTIKEY Server.

The 'Radius server port' needs to match the Radius port of the Vasco IDENTIKEY Server, as well as the 'Secret password' that is used for Radius authentication between these two elements.

In this example only a 'Primary Radius server' is used.


6.8 Add a 'local user' for the Domain

Navigate to Users > Local Users to add a user to the VASCO domain.

Figure 1: Adding a user to the domain (1)

Assign this user to the Radius Domain. Enter the Username.

NOTE: Passwords will be generated through the Radius Server. Make sure you duplicate the same usernames from the Radius Server (Vasco Demo in this example).

Adding an external user account manually is not strictly required: when an external user (the vasco user in this example) logs in, its user profile is automatically added on the "Users > Local Users" page.


6.9 Edit the user's policy

Navigate to Users > Local Users and click the Configure button:

Figure 11: Changing the policy for the user

We have now configured the authentication to go to the IDENTIKEY Server. You still need to configure the IDENTIKEY Server in order to have the same back-end as your application was using before. If the users were checked against Active Directory, RADIUS or any other back-end authentication service, you will need to set up IDENTIKEY Server with the same back-end authentication.


7 Configure the NSA 2400

7.1 Login

1. Browse to the default IP address of the SonicWALL NSA on the LAN interface labeled X0 at http://192.168.168.168 and login with the following default values:

User Name: admin

Password: password (please change afterwards)

Figure 2: System Administration Window

NOTE: It is advised that you register the SonicWALL NSA appliance on https://www.mysonicwall.com where you can download the latest firmware version with a valid SonicWALL support entitlement.


7.2 Configure PRO4060 Interface and Zone

Navigate to Network > Interfaces and, according to the Network Diagram on page 3, configure the correct IP addresses and Zones:

Figure 3: Configuring IP-addresses and zones (1)

Click the Configure button for the X2 interface and enter the IP address 192.168.200.250 as follows:

Figure 4: Configuring IP-addresses and zones (2)


Click the Configure button for the X1 interface (fixed to the WAN zone) and enter the IP address 10.10.10.10 as follows:

Figure 5: Configuring IP-addresses and zones (3)

Now the X0 interface (fixed to the LAN zone) is configured with the IP address 10.120.1.250 as follows:


Figure 6: Configuring IP-addresses and zones (4)

NOTE: As the IP address for accessing the GUI of the NSA 2400 on the X0 interface is changed, the IP address of the computer accessing the GUI needs to be reconfigured in the same IP subnet as the X0 interface.


After these changes, the summary in the Network > Interfaces page will look as follows:

Figure 77: Network Interface Summary


7.3 Create an Address

Navigate to Network > Address Objects and click the Add button:

Figure 8: Creating the Address Objects (1)

Repeat for an SSL-VPN SRA 4200 object in the DMZ zone. The IP address matches the Network Diagram on page 3:

Figure 9: Creating the Address Objects (2)


7.4 Create inbound allow rule for https & NAT Policy

In this chapter we will create an inbound 'Allow' rule to permit all https traffic on the WAN to the SSL-VPN SRA 4200 object in the DMZ zone.

Select Firewall > Access Rules in the Matrix from WAN to DMZ:

Figure 10: Checking Access Rules

Step 1: Create an Allow access rule for https on the 'WAN primary IP' address object of the SonicWALL NSA by clicking the Add button:

Figure 11: Creating 'Allow' rule (1)

The 'Allow' rule for https should look as follows:


Figure 12: Creating ‘Allow’ rule (2)

Click 'OK' and the following 'Access Rules' will appear in the list from WAN to DMZ:

Figure 13: Creating ‘Allow’ rule (3)


Step 2: Navigate to Network > NAT Policies and Select OK:

Figure 14: Creating a NAT policy


7.5 Allow rule from DMZ to LAN for IDENTIKEY Server

Create an access rule from the DMZ zone to the LAN zone for access to the VASCO IdentiKey object.

Navigate to Firewall > Access Rules and indicate in the Matrix the Access Rules from DMZ to LAN.

Figure 15: Creating an Access Rule

NOTE: If access from DMZ to LAN is needed towards more Destinations other than the VASCO IdentiKey, add them here accordingly.


8 IDENTIKEY Server

Go to the IDENTIKEY Server web administration page and authenticate with an administrative account.

8.1 Policy configuration

Follow these steps to add a new policy:

1. Log in to the Vasco Identikey Web Administration window.

2. Click Policies tab and select Create.

Figure 16: Policy configuration (1)

NOTE: There are policies available by default, and you can also create new policies to suit your needs.

Fill in a policy name and choose the option most suitable in your situation. If you want the policy to inherit a setting from another policy, choose the inherit option. If you want to copy an existing policy, choose the copy option, and if you want to make a new policy, choose the create option.

Figure 17: Policy configuration (2)

In the policy options, configure the policy to use the right back-end server. This can be the local database, Active Directory, or another RADIUS server. It is probably the same back end that the SonicWALL used for client authentication before you changed it to RADIUS; alternatively, use the local database or Windows, or chain on to another RADIUS server.

NOTE: Configure the policy properties to use the appropriate back-end server. This may be the same authentication service as previously used in the SonicWALL VPN/SSL box.

The example below shows the SonicWALL policy:

• Local Auth.: Default (DIGIPASS/Password)

• Back-End Auth.: Default (None)

• Dynamic User Registration: Default (No)

• Password Autolearn: Default (No)

• Stored Password Proxy: Default (No)

• Windows Group Check: Default (No Check)

After configuring this policy, authentication happens locally in the IDENTIKEY Server: the user credentials are passed through to the IDENTIKEY Server, which checks them against its local user database and answers the client with an Access-Accept or Access-Reject message.

In the Policy tab, click the Edit button, and change the Local Authentication to Digipass/Password.

Figure 28: Policy configuration (3)

Figure 18: Policy configuration (4)

8.2 Register Client

Now create a new component by right-clicking Components and choosing New Component.

Figure 19: Client configuration (1)

Select RADIUS Client as the Client Type. Enter the IP address of the SonicWALL SSL/VPN box. In the Policy ID field you should find your new policy. Fill in the Shared Secret you entered for the RADIUS server properties on the SonicWALL SSL/VPN box. Click Create.
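The RADIUS exchange that sections 8.1 and 8.2 set up, as an added example that is not code from this guide or from VASCO: the client (the SonicWALL) hides User-Password with the shared secret, the server (the IDENTIKEY Server with local authentication) checks its local user database and answers Access-Accept or Access-Reject, and the client verifies the Response Authenticator before trusting the answer. The shared secret and the local user are constructed values, and the static-password check stands in for the DIGIPASS/Password verification the guide does not describe.

```python
import hashlib
import os
import struct

# Constructed stand-ins for the Shared Secret typed on both boxes and one local-database user.
SHARED_SECRET = b"example-shared-secret"
LOCAL_USERS = {"alice": "Fixed1234567"}  # constructed: username -> expected credential
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

def xor_blocks(data, authenticator, secret, decrypt):
    # RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block); the
    # first "previous block" is the Request Authenticator; chaining runs over ciphertext.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mixed = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + mixed, (block if decrypt else mixed)
    return out

def attr(code, value):
    return struct.pack("!BB", code, len(value) + 2) + value

def build_access_request(user, password, secret, ident=1):
    # Client side (the SonicWALL): fresh random authenticator, hidden User-Password.
    req_auth, pw = os.urandom(16), password.encode()
    padded = pw + b"\x00" * (-len(pw) % 16)
    attrs = attr(USER_NAME, user.encode())
    attrs += attr(USER_PASSWORD, xor_blocks(padded, req_auth, secret, decrypt=False))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def server_respond(packet, secret):
    # Server side (IDENTIKEY with Local Auth. = DIGIPASS/Password, Back-End = None):
    # recover the credential, check the local database, answer Accept or Reject.
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs, i = packet[4:20], {}, 20
    while i < length:
        attrs[packet[i]] = packet[i + 2:i + packet[i + 1]]
        i += packet[i + 1]
    user = attrs[USER_NAME].decode()
    pw = xor_blocks(attrs[USER_PASSWORD], req_auth, secret, decrypt=True).rstrip(b"\x00")
    ok = user in LOCAL_USERS and LOCAL_USERS[user].encode() == pw
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()

def authenticate(user, password, secret=SHARED_SECRET, server_secret=SHARED_SECRET):
    # Full round trip. A shared-secret mismatch between the two boxes does not show
    # up as a clean reject: the Response Authenticator simply fails to verify.
    request = build_access_request(user, password, secret)
    response = server_respond(request, server_secret)
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if response[4:20] != expected:
        return "invalid-authenticator"
    return "accept" if response[0] == ACCESS_ACCEPT else "reject"
```

When the test in section 9 fails without a visible Access-Reject, a shared secret that differs between the SonicWALL and the IDENTIKEY client component is the first thing to check, since the reply then never verifies on the client.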

8.3 Configure User

8.3.1 Create New User

Click the Users tab and select Create.

Figure 20: User configuration (1)

Fill in the username and password fields. Click the Create button to choose the domain and Organizational Unit:

Figure 21: User configuration (2)

The user will show in the list of users in the Vasco Identikey Web Administration MMC:

Figure 22: User configuration (3)

8.3.2 Import DIGIPASS

Click on the DIGIPASS Tab and select Import:

Figure 23: DIGIPASS configuration (1)

Browse for the *.DPX file, enter the Transport Key and click UPLOAD.

Figure 24: DIGIPASS configuration (2)

A confirmation message pops up when the DIGIPASS is imported successfully:

8.3.3 Assign DIGIPASS

There are two ways to assign a DIGIPASS to a user: search for a DIGIPASS and assign it to a user, or search for a user and assign a DIGIPASS to that user.

1. Select the user and click the Assign DIGIPASS button:

Figure 25: Assign DIGIPASS (1)

2. Or select a DIGIPASS and click NEXT.

Figure 26: Assign DIGIPASS (2)

NOTE: If the User ID is left blank, press the Find button and a list of all the available users in the same domain will appear. If no users appear, make sure the domains of the DIGIPASS and the user match.

Figure 27: Assign DIGIPASS (3)

When a user is assigned to a DIGIPASS a confirmation message will pop up:

8.4 Install Active Directory

NOTE: This set of steps is required when the VASCO IDENTIKEY Server is installed for Active Directory.

8.4.1 Create Users

Create users by using an Active Directory back-end in the Active Directory Users and Computers MMC.

Right-click a user and select Properties. This may happen automatically when the Dynamic User Registration (DUR) option in the policy settings is active.

Figure 28: Active Directory configuration (1)

Select the DIGIPASS User Account tab and manually enter a password.

Figure 29: Active Directory configuration (2)

Click the Apply button to see the Update History fields with the current date and time. This means the DIGIPASS account was created successfully.

Figure 30: Active Directory configuration (3)

8.4.2 Import DIGIPASS

Right-click on Users and make sure the Import Digipass… option is in the MMC.

Figure 31: Active Directory configuration (4)

Click on the Import Digipass… option.

Figure 32: Active Directory configuration (5)

Browse for the *.DPX file and enter the Transport Key.

Figure 33: Active Directory configuration (6)

Select Show Applications to view available applications:

Figure 34: Active Directory configuration (7)

When the DIGIPASSes are imported successfully, a confirmation message appears:

Figure 35: Active Directory configuration (8)

8.4.3 Assign Digipasses for Users

Right-click on Users in the Active Directory MMC.

Figure 36: Active Directory configuration (9)

Click on Assign Digipass…

Figure 37: Active Directory configuration (10)

Click on the Next button in the Digipass Assignment Wizard.

Figure 38: Active Directory configuration (11)

The list of users selected in the previous step is displayed.

Figure 50: Active Directory configuration (12)

Select the user(s) you want to assign Digipasses to.

Figure 51: Active Directory configuration (13)

Search for the serial numbers.

Figure 52: Active Directory configuration (14)

Select the Serial Number(s) from the list.

Figure 53: Active Directory configuration (15)

Click on the Next button and then on the Finish button to complete the wizard.

Figure 54: Active Directory configuration (16)

When the Digipasses are assigned successfully, a confirmation message is shown in the Digipass Assignment Wizard.

9 Two-factor authentication SSL-VPN test and conclusion

To test the two-factor authentication SSL-VPN connectivity with VASCO IdentiKey, connect your PC to the WAN (X1) interface of the NSA 2400 according to Figure 1: Network Diagram. Point your browser to https://10.10.10.10.

1. Log in to the Local Domain as an Administrator.

2. Enter Admin for the User Name and password for the Password.

3. Navigate to Portal > Domains and click Configure to test the RADIUS connectivity to VASCO IdentiKey.

NOTE: If the RADIUS authentication is successful, log out of the Administrator GUI and log in to https://10.10.10.10 with the user name you created:

Figure 39: Test and conclusion (1)

NOTE: Use the FixedPassword+DIGIPASSPIN+DIGIPASSOTP password combination for access to the SSL-VPN Portal, where you have access to your Bookmarks or NetExtender (IPSec and SSL-VPN) connectivity:

Figure 40: Test and conclusion (2)

Conclusion:

SonicWALL SSL-VPN and firewall/VPN appliances together with DIGIPASS authentication solutions provide easy and secure clientless remote access to user-dependent internal network resources.

10 About VASCO Data Security

VASCO designs, develops, markets and supports patented Strong User Authentication products for e-Business and e-Commerce.

VASCO's User Authentication software is carried by the end user on its DIGIPASS products, which are small "calculator" hardware devices, or in a software format on mobile phones, other portable devices, and PCs.

At the server side, VASCO's VACMAN products guarantee that only the designated DIGIPASS user gets access to the application.

VASCO's target markets are the applications and their several hundred million users that utilize fixed passwords as security.

VASCO's time-based system generates a "one-time" password that changes with every use, and is virtually impossible to hack or break.

VASCO designs, develops, markets and supports patented user authentication products for the financial world, remote access, e-business and e-commerce. VASCO's user authentication software is delivered via its DIGIPASS hardware and software security products. With over 25 million DIGIPASS products sold and delivered, VASCO has established itself as a world leader for strong User Authentication with over 500 international financial institutions and almost 3000 blue-chip corporations and governments located in more than 100 countries.