Application Note: Integrate Juniper IPSec VPN with Gemalto SA Server. October

Transcription

1 Application Note: Integrate Juniper IPSec VPN with Gemalto SA Server October

2 Table of contents Overview... 3 Architecture... 5 Configure Juniper IPSec on an SSG 5 with OS V User configuration for Phase Authentication server configuration... 8 VPN tunnel configuration... 8 Configure a Policy Open the connection to the Intranet using SA Server VPN Client software configuration Open a connection Appendix 1: Configure an IAS RADIUS Server with SA Server IAS RADIUS prerequisites Add a RADIUS Client Install and configure SA Server agent for IAS Restart IAS Appendix 2: Configure Juniper Steel-Belted RADIUS Server SBR pre-requisites Add RADIUS Client Install and configure SA Server agent for SBR Restart SBR Appendix 3: Configure Free RADIUS Server on Linux Free RADIUS pre-requisites Add RADIUS Client Install and configure SA Server agent for Free RADIUS Restart Free RADIUS Appendix 4: Active Directory configuration

3 Overview This document provides a deployment scenario to show you how it is possible to configure a Juniper IPSec VPN to use Gemalto SA Server to authenticate Mobile Users. The deployment scenario describes an example that has been tested by Gemalto. It is possible that other configurations will work equally well but you should bear in mind that these have not been tested. Caution: Consequently, this document should not be considered as an instruction manual on how to configure your system. To provide SA Server authentication for Juniper IPSEC VPN, your system requires the following pre-requisites: A Juniper IPSec VPN appliance SSG 5 with OS V5.4, In the following part, this appliance is supposed to be usable so a minimal installation must have been realized. During this installation, o The required license must be installed, o Administrator Account must be defined: Username and Password o <IP SSG 5 internal address> represents the IP address of the physical interface visible from the Internal Network and must be defined. The appliance hosts two physical interfaces and is able to act as a gateway from the Internal Network to the External Network. o <IP SSG 5 internal address> allows access to the Internal Network. This network is seen as a trusted network. In our laboratory <IP SSG 5 internal address> was o <IP SSG 5 external address> represents the IP address of the physical interface visible from the External Network. This address will be set during the appliance configuration. The External Network is seen as a not trusted network. In our laboratory <IP SSG 5 external address> was An AD Domain machine hosting an Active Directory LDAP and acting as domain controller. In our laboratory the domain hosted by AD Domain was gemalto.fr We will use the term Mobile Users to refer to users who have an account in AD Domain and who will access from the External Network to the Internal Network through the Juniper IPSec VPN. Their accounts must be configured to allow remote access control. A Gemalto SA Server, The server must be installed in mixed mode and connected to the AD Domain. It is supposed to be provisioned for devices and users. <Base URL SA Server> will be used to refer to the URL that should be used to access SA Server. In our laboratory <Base URL SA Server> was A RADIUS Server, This server is the link between Juniper IPSec VPN and Gemalto SA Server. We have validated three configurations using o IAS RADIUS for which <IP IAS address> will be used to refer to IAS RADIUS server IP address. In our laboratory, <IP IAS address> was o Juniper Steel-Belted RADIUS for which <IP SBR address> will be used to refer to Juniper Steel-Belted RADIUS server IP address. o Free RADIUS for which <IP FreeR address> will be used to refer to Free RADIUS server IP address. Each RADIUS configuration is described in the appendices of this document. 3

4 In order to demonstrate a successful authentication, we also need: A resource provider using strong authentication for sensitive data, We used an HTTP Server to simulate this resource provider. It is located in the Internal Network. You can replace this server by any other resource provider as long as it is supported by Juniper IPSec VPN. In our laboratory, the HTTP Server URL was (using standard port 80) VPN Client machines, We used standard XP SP2 machines. These are the kind of machines that will be used by Mobile Users. As a prerequisite, Juniper Safenet SoftRemote client software should be installed to access to the Juniper IPSec VPN. 4

5 Architecture The following figure shows the architecture associated with the deployment scenarios described in this document. 5) User Authentication successful 1) IPSEC Client Connection Juniper VPN IPSec SSG 5 2) Authentication request to RADIUS Server RADIUS Server 3) Forward Authentication request to SA Server IPSec Request (IPSEC client) HTTP flow SA Server Gemalto 4) Validate ID+Password in the Active Directory Active Directory External Network Internal Network HTTP server 6) Access to internal ressources 5

6 Configure Juniper IPSec on an SSG 5 with OS V5.4 This chapter describes the configuration needed for integration and configuration of Juniper IPSec VPN with Gemalto SA Server. User configuration for Phase 1 An IPSec Key Exchange (IKE) phase is executed during the VPN set-up and this step uses two types of authentication: One with shared certificate or shared key and One with User IDs. The User ID can be an IP address, a domain or an address. So the Mobile Users should be associated to specific accounts for being accepted by the Juniper IPSec VPN gateway during the IKE authentication process! In our scenario, we used a single generic user who was affected to all Mobile Users. Note: This configuration is not recommended! For traceability, it is better to create one User ID per Mobile User. Note: At this point, we are only speaking about authentications that occur during the first phase of VPN set-up. Later, an XAuth authentication using Gemalto SA Server and LDAP user accounts will occur! Create a user To create the IKE user: Start the administration console, In the Objects section of the tree-structure, select Users, then Local Click on New 6

7 Complete the following fields: o In User Name enter a user ID label, o Set Status to Enable, o Check the box IKE User, o Set Number of Multiple Logins with Same ID with a value that allows your use cases to run. We set it for example to 10 to allow up to 10 VPN Clients using the same IKE user in parallel. o Choose Simple Identity. o In IKE Identity enter a label. This label will be used during the VPN Client configuration (Page 16). In our laboratory, we used gemalto o Leave the remaining fields empty or with their default values. Click on [OK] Create a user group You now have to create a group for the previously created user. In the Objects section of the tree-structure, select Users, then Local Groups Click on New In Group Name, enter a group ID label In <- Group Members ->, select the previously created user and pres [>>] We created for example MyIdentity user. When the previously created user is presented in <- Available Members ->, click on [OK]. 7

8 Authentication server configuration As we want to use the RADIUS protocol for user authentication, we have to configure a new authentication server: In the Configuration section of the tree-structure, select Auth, then Auth Servers Click on New Complete the following fields: o In Name enter a RADIUS server name. We used for example IAS, SBR and FreeR according to the used RADIUS Server. o In IP/Domain Name enter the address of the selected RADIUS Server. We used for example <IP IAS address>, <IP SBR address> or <IP FreeR address> according to the used RADIUS Server. o In Account Type, select Auth and XAuth choices. o Select the RADIUS option and In RADIUS Port enter 1812; this is the default value for this field. You have to adapt this value to your own configuration. In Shared Secret enter a value that will secure the communication with the RADIUS Server. You will have to enter the same value during the configuration of the selected RADIUS Server (Pages 23/35/40). o Leave the remaining fields empty or with their default values. Click on [OK] VPN tunnel configuration To set up the VPN tunnel, some additional elements must be created and configured. 8

9 Configure the VPN Client IP addresses We must define a set of IP address that will be allocated to the IPSec virtual driver of VPN Client machines. To perform this task: In the Objects section of the tree-structure, select IP Pools Click on New Complete the following fields: o In IP Pool Name enter pool label. o In Start IP enter the first IP address to allocate. We used for example o In End IP enter the list IP address to allocate. We used for example Note: If you decide to use the Network Address Translation (NAT) feature, this range is not important regarding your network configuration but you should have enough IP addresses available for the requested number of parallel VPN connections. In our example, we used the NAT feature. This pool is used during the XAuth phase and should be associated with it: In the VPNs section of the tree-structure, select AutoKey Advanced, then XAuth Settings Complete the following fields: o In IP Pool Name select the label you defined in the previous section. o Leave the remaining fields empty or with their default values. Note: You can also fill the DNS parameters if needed. This was not needed for our sample configuration.. Click on [Apply] 9

10 Configure VPN Phase 1 We have to create a gateway and configure its connections. To perform this task: In the VPNs section of the tree-structure, select AutoKey Advanced, then Gateway Click on New Complete the following fields: o In Gateway Name enter a gateway label. This will be used in the Configure VPN Phase 2 section (Page 12). We used VPN Phase 1 o In Security Level, select Custom. This option allows defining the security algorithm to be used. o Select Dialup User Group in Remote Gateway Type. o In Group, Select the previously created Group We used for example GrpIdentity o In Preshared Key, enter a value that will be shared with each VPN client. This key will be needed during VPN Client configuration (Page 16). o Leave the remaining fields empty or with their default values. Click on [Advanced] 10

11 Complete the following fields: o In User Defined, select Custom. o In Phase 1 Proposal, select pre-g2-3des-sha; this means IKE authentication uses a pre-shared key with Diffie-Hellman Group 2, ciphering uses 3DES algorithm and SHA-1 for data integrity. Those choices should also be used during the VPN Client configuration. o In Mode (Initiator), select Aggressive. o Leave the remaining fields empty or with their default values. Click on [Return] to go back to the previous page. Click on [OK] and the following table is displayed. Associate the Gateway with the RADIUS Server Then, we have to connect the gateway with the RADIUS server to implement the Strong Authentication through SA Server. From the previous state, in the Configure column, click on Xauth. Complete the following fields: o Select XAuth Server section, o In Allowed Authentication Type, select Generic. o Then, select External Authentication and associate this choice with the selected RADIUS Server. We used IAS, SBR and FreeR according to the selected RADIUS server. o Leave the remaining fields empty or with their default values. Click on [OK] 11

12 Configure VPN Phase 2 We now have to create an autokey IKE. To realize this task: In the VPNs section of the tree-structure, select AutoKey IKE Click on New Complete the following fields: o In VPN Name enter a VPN label. We used VPN Phase 2 o In Security Level, select Custom. o In Remote Gateway, select Predefined and choose the Gateway Name label you defined in Configure VPN Phase 1 section (Page 10). We used VPN Phase 1 label. o Leave the remaining fields empty or with their default values. Click on [Advanced] Complete the following fields: o In User Defined, select Custom. o In Phase 2 Proposal, select g2-esp-3des-sha. o Leave the remaining fields empty or with their default values. Click on [Return] to go back to the previous page. Click on [OK] 12

13 Configure a Policy To create a security policy Select the Policies section of the tree-structure. The following elements are displayed: In From, select Untrust and in To, select Trust Click on New Complete the following fields: o In Name (optional), enter a label for the policy. o In Source Address, select Address Book Entry and choose Dial-Up VPN. o In Destination Address, select the objects that should be available through the Juniper IPSec VPN. We used the LAN-interne object which was previously created and that represents the full Internal Network. o In Action, select Tunnel o In Tunnel, select the previously created VPN AutoKey IKE in section Configure VPN Phase 2. We used the previously created VPN Phase 2 o Check the Logging box. o Leave the remaining fields empty or with their default values. Click on [Advanced] 13

14 Complete the following fields: o Check Source Translation. o In (DIP on), select None (Use Egress Interface IP). o Leave the remaining fields empty or with their default values. Note: This configuration will generate the Network Address Translation (NAT). All VPN Client machines will be presented to the Internal Network using the <IP SSG 5 internal address>. Click on [Return] to go back to the previous page. Click on [OK]. The screen now display: 14

15 Open the connection to the Intranet using SA Server Here is how a Mobile User accesses to the Internal Network using the Juniper IPSec VPN and Gemalto SA Server. Note: We presume the Juniper Safenet SoftRemorte package has already been installed on the VPN Client machines. VPN Client software configuration Start the Juniper client software: In Start, select Program then Netscreen-Remote Click on Netscreen-Remote This action starts the client software. This is visible through the displayed in the system tray. Double-click on the icon to display the Client VPN configuration window. icon that is Right-click on My Connections, Select Add > then Connection Assign a name to the connection. This name will be used in the following section (Page 20/21). We used VPN Gemalto. 15

16 Complete the following fields: o In Connection Security section, choose Secure. o In ID Type, select IP Subnet. o In Subnet and Mask, enter values compatible with the Internal Network. This Internal Network represents the LAN-interne object which was used in the Configure a policy section (Page 13). It is important that the elements you provide here are the same as the ones used to define this object. o Check Use and select Secure Gateway Tunnel choice. o In ID Type, select IP Address and associate it with the <IP SSG 5 external address> o Leave the remaining fields empty or with their default values. Then, select My Identity Complete the following fields: o In Select Certificate, choose None. o In ID Type, choose Domain Name and associate it with the value you entered in IKE Identity in the Create a User section (Page 7). We used gemalto. o In Virtual Adapter, choose Preferred. o In Name, choose Any. Click on [Pre-Shared Key] and complete the field with the value you choose for Preshared Key in the Configure VPN Phase 1 section (Page 10). Then validate. 16

17 Then, select Security Policy Complete the following fields: o In Select Phase 1 Negotiation Mode, choose Aggressive Mode. o Select Enable Perfect Forward Secrecy (PFS) o In PFS Key Group, choose Diffie-Hellman Group 2. o Leave Enable Replay Detection empty. 17

18 Then, expand Security Policy, expand Authentication (Phase 1) and select Proposal 1 Complete the following fields: o In Authentication Method, choose Pre-Shared Key; Extended Authentication. o In Encrypt Alg, choose Triple DES. o In Hash Alg, choose SHA-1. o In Key Group, choose Diffie-Hellman Group 2. o Leave the remaining fields empty or with their default values. 18

19 Then, expand Key Exchange (Phase 2) and select Proposal 1 Complete the following fields: o Check Encapsulation Protocol ESP). o In Encrypt Alg, choose Triple DES. o In Hash Alg, choose SHA-1. o In Encapsulation, choose Tunnel. o Leave the remaining fields empty or with their default values. Click on in the toolbar to save the given parameters. 19

20 Open a connection Right-click on the icon displayed in the system tray. Select Connect, then My Connections then the name defined in VPN Client Software configuration section (Page 15). We used VPN Gemalto. This first window is displayed: Then an authentication window appears: In Username:, enter the User ID of a Mobile User as defined in the LDAP. In Password:, enter a value made by the concatenation of the 6 OTP digits with the LDAP Password. Click on [OK] 20

21 When authenticated, the Mobile user can see: To close the VPN: Right-click on the icon displayed in the system tray. Select Disconnect, then My Connections and then the name defined in VPN Client Software configuration section (Page 15). We used VPN Gemalto. The following window is displayed: 21

22 Appendix 1: Configure an IAS RADIUS Server with SA Server We used the IAS server version embedded in Windows Server 2003 SP1. IAS RADIUS prerequisites The IAS RADIUS installation is not described in this document. It is presumed to be already done. Check IAS RADIUS Server domain The IAS RADIUS server must be part of the AD Domain as IAS RADIUS has to check that each Mobile User has an account in the directory. You can check IAS RADIUS and AD Domain are part of the same domain using the following process: Right click on My Computer and Select Properties Check in Computer Name tab that the computer is in a domain. You can modify those parameters if needed. Access to IAS administration You have to: Click on Start and Select Administrative Tools Select Internet Authentication Service 22

23 Add a RADIUS Client You now have to add the Juniper IPSec VPN as a RADIUS client: Right click on RADIUS Clients and Select New RADIUS Client In Friendly name enter a name for Juniper IPSec VPN, In Client address (IP or DNS) enter <IP SSG 5 internal address>. Click on [Next >] Select RADIUS Standard for Client-Vendor: Enter the chosen shared secret in Shared secret: and in Confirm shared secret:. This must be the same value as the one you entered when you configured the Juniper IPSec VPN ( Shared secret in the Authentication server configuration section Page 8). Click on [Finish] to validate those parameters. 23

24 Configure Access Policies You have to add a new remote access policy: Right click on Remote Access Policies and Select New Remote Access Policy Click on [Next >] in the wizard windows Select Set up a custom policy choice in How do you want to set up this policy and add a friendly name in Policy name. Click on [Next >] Click on [Add ] in Policy Conditions window 24

25 Select Client-IP-Address in Attribute types: and click on [Add ] Enter <IP SSGA 5 Internal Address> in Type a word or a wild card (for example, abc.*): and click on [OK] Click on [Next >] 25

26 Select Grant remote access permission in If a connection request matches the specified conditions: and click on [Next >]. Click on [Edit Profile ] in the profile window Select Authentication tab and uncheck all boxes except Unencrypted authentication (PAP, SPAP) Select Encryption tab 26

27 Check only the No encryption box. Then click on [OK] In the Profile window, click on [Next >] In the New Remote Access Policy Wizard window, click on [Finish] The new policy is now available. 27

28 Configure Connection Request Policies You have to add a new connection request policy: In Connection Request Processing, Right click on Connection Request and Select New Connection Request Policy Click on [Next >] in the wizard window Select A custom policy, Enter a name in Policy name and Click on [Next >] In the Policy conditions windows, click on [Add ], Select Client-IP-Address, Click on [Add ], Enter <IP SSG 5 Internal Address>, Click on [OK] and Click on [Next >] In the Request Processing Method, click on [Edit Profile] In the Authentication tab, select Authenticate requests on this server and click on [OK] In the Request Processing Method window, click on [Next >] In the New Connection Request Policy Wizard window, click on [Finish] 28

29 The new policy is now available. Install and configure SA Server agent for IAS You now have to install the SA Server IAS agent on the IAS RADIUS server. This component will forward all authentication requests received by IAS to SA Server. Double-click on IAS_AgentSetup.exe on the IAS RADIUS server, Click on [Next >] 29

30 Select I accept the terms in the license agreement and click on [Next >] You now have to enter <Base URL SA Server>/saserver/servlet/UserRequestServlet in Protiva Authentication Servlet URL: Caution: During the installation, you have to replace localhost by the real IP address of SA Server. You also have to set the port if this is not the standard port 80. Don t forget to replace the proposed protiva path by saserver as it is now the default choice used during SA Server installation. Click on [Next >] 30

31 Click on [Install] Click on [Finish] 31

32 Restart IAS To launch the installed agent, you now have to re-start IAS. In Internet Authentication Service window, click on in the toolbar to stop IAS. Then, click on the green arrow in the same toolbar to restart the server and take the changes into account. 32

33 Appendix 2: Configure Juniper Steel-Belted RADIUS Server We used the Juniper Steel-Belted RADIUS V6.01 on a Windows Server 2003 SP1. SBR pre-requisites Juniper Steel-Belted RADIUS installation is not described in this document. Launch SBR admin portal To open Juniper Steel-Belted RADIUS admin portal: Start a browser on the following URL: <IP SBR address>:1812 Click on Launch link. A login window is displayed. You have to fill User Name and Password using an account with administrator privileges on the Juniper Steel-Belted RADIUS server. Port is automatically filled with the default 1813 value. Click on [Login] 33

34 Add RADIUS Client You now have to add the Juniper IPSec VPN as a RADIUS client: Right click on RADIUS Clients 34

35 and Select Add: Complete the following fields: o In Name: enter a friendly name for Juniper IPSec VPN, o In IP Address: enter <IP SSG 5 internal address>, o In Shared secret: enter the same value you entered when you configured the Juniper IPSec VPN (Shared secret in the Authentication server configuration section Page 8). o Make sure you select - Standard Radius in Make or model: Click on [OK] Install and configure SA Server agent for SBR You now have to install the SA Server SBR agent on the Juniper Steel-Belted RADIUS server. This component will forward all authentication requests received by the SBR to SA Server. 35

36 Double-click on SBR_AgentSetup.exe on Juniper Steel-Belted RADIUS server, Click on [Next >] Select I accept the terms in the license agreement and click on [Next >] 36

37 Select the Service folder in the SBR installation directory so that it appears in Folder name: Usually, this is under \Program Files\Juniper Networks\Steel-Belted Radius Click on [Next >] Enter <Base URL SA Server>/saserver/servlet/UserRequestServlet in Protiva Authentication Servlet URL: Caution: During the installation, you have to replace localhost by the real IP address of SA Server. You also have to set the port if this is not the standard port 80. Don t forget to replace the proposed protiva path by saserver as it is now the default choice used during SA Server installation. 37

38 Click on [Next >] Click on [Install] Click on [Finish] Restart SBR To launch the installed agent, you now have to re-start SBR service. Select Start, Select Control Panel, Select Administrative Tools Select Services 38

39 Then, Right Click on Steel-Belted Radius And choose Restart Check agent integration To check the installed agent is running, Start the Steel-Belted Radius Administrator (as presented in the Launch SBR admin portal section) Select Authentication Policies then Order of Methods Check that Protiva SBR Agent is in Active Authentication Methods: Note: Other authentication methods can be present in both columns according to the SBR configuration. 39

40 Appendix 3: Configure Free RADIUS Server on Linux We used the Free RADIUS V on a Suse Linux Enterprise 10. Free RADIUS pre-requisites Free RADIUS installation is not described in this document. It is already pre-installed on this distribution and configured for some pre-defined RADIUS clients. Add RADIUS Client You now have to add the Juniper IPSec VPN as a RADIUS client: Log on to the Linux server as root Open clients.conf usually located in /etc/raddb/ directory with a text editor Add a new section: client <IP SSG 5 Internal Address> { secret = xxxxxxxxx shortname = JuniperIPSecVpn } and give secret the same value as the one you entered when you configured the Juniper IPSec VPN ( Shared secret in the Authentication server configuration section Page 8) and give shortname a label; this is an optional field. Install and configure SA Server agent for Free RADIUS You now have to install the SA Server Free RADIUS agent on the Free RADIUS Server. This component will forward all authentication requests received by Free RADIUS to SA Server. Log on to the Linux server as root Open a Terminal console Move to the directory where SA Server agent.rpm is located Stop Free RADIUS using the command: radiusd stop Here is a screen shot from our laboratory machine If needed, install openssl library to use an HTTPS link with SA Server. Here is a screen shot from our laboratory machine Start agent installation using the command : rpm ivh rlm_protiva rpm Here is a screen shot from our laboratory machine Note: On a 64-bit system, you have to use rlm_protiva x86_64.rpm. 40

41 Open radiusd.conf usually located in /etc/raddb/ directory with a text editor Look for the modules section and add the following elements: #SA Server authentication module protiva { # host: the host port to connect to host = <Base URL SA Server> # url: path to the servlet on the host machine url = /saserver/servlet/userrequestservlet #securitylevel: security level to be used # 1 = no SSL # 2 = with SSL securitylevel = 1 # certfile: certivicat file to be used #you must specify a certfile if using SSL certfile = /usr/local/etc/raddb/tomcat.pem # openssl time out in seconds openssltimeout = 5 } Here is a screen shot from our laboratory machine Look for the authenticate section and add the following element: Auth-Type protiva { protiva } Save radiusd.conf Open users usually located in /etc/raddb/ directory with a text editor Look for the following section: DEFAULT Auth-Type = System Fall-Through = 1 Add an additional Auth-Type before those line to obtain: DEFAULT Auth-Type = protiva Fall-Through = Yes DEFAULT Auth-Type = System Fall-Through = 1 Restart Free RADIUS Then restart Free RADIUS using the command: radiusd start Here is a screen shot from our laboratory machine 41

42 Appendix 4: Active Directory configuration Mobile Users must be part of the AD Domain. You can check this is done using the following process: Click on Start, Select Control Panel and Select Administrative Tools Select Active Directory Users and Computers Mobile Users must also have the Remote Access Permission. You can check this is done using the following process: Click on Users, right click on the target user and select Properties Select Dial-in tab and check the box Allow access in Remote Access Permission section. 42