Implementation Guide for protecting a. WatchGuard Firebox. with. BlackShield ID

Transcription

1 Implementation Guide for protecting a WatchGuard Firebox with BlackShield ID Copyright 2009 CRYPTOCard Inc.

2 Copyright Copyright 2009, CRYPTOCard All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of CRYPTOCard. Trademarks BlackShield ID, BlackShield ID SBE and BlackShield ID Pro are either registered trademarks or trademarks of CRYPTOCard Inc. All other trademarks and registered trademarks are the property of their owners. Additional Information, Assistance, or Comments CRYPTOCard s technical support specialists can provide assistance when planning and implementing CRYPTOCard in your network. In addition to aiding in the selection of the appropriate authentication products, CRYPTOCard can suggest deployment procedures that provide a smooth, simple transition from existing access control systems and a satisfying experience for network users. We can also help you leverage your existing network equipment and systems to maximize your return on investment. CRYPTOCard works closely with channel partners to offer worldwide Technical Support services. If you purchased this product through a CRYPTOCard channel partner, please contact your partner directly for support needs. To contact CRYPTOCard directly: International Voice: North America Toll Free: support@cryptocard.com For information about obtaining a support contract, see our Support Web page at Related Documentation Refer to the Support & Downloads section of the CRYPTOCard website for additional documentation and interoperability guides: Publication History Date Changes Version January 26, 2009 Document created 1.0 July 9, 2009 Copyright year updated 1.1 BlackShield ID implementation guide for WatchGuard Firebox i

3 Table of Contents Overview... 1 Applicability... 1 Assumptions... 1 Operation... 2 Preparation and Prerequisites... 2 Configuring the WatchGuard Firebox... 2 Step 1: Enable RADIUS Authentication...2 Step 2: Add a Firebox group for Mobile VPN Users (IPSec or SSL)...3 Step 3: Add a RADIUS Filter-Id to the RADIUS Server...4 Internet Authentication Service (IAS) with BlackShield Agent enabled...4 Network Policy Server (NPS) with BlackShield Agent enabled...4 Troubleshooting... 6 Failed Logons...6 BlackShield ID implementation guide for WatchGuard Firebox ii

4 Overview By default the WatchGuard Firebox requires that a user provide a correct user name and password to successfully logon. This document describes the steps necessary to augment this logon mechanism with strong authentication by adding a requirement to provide a onetime password generated by a CRYPTOCard token using the provided instructions below. BlackShield ID Pro works in conjunction with the WatchGuard Firebox to replace static passwords with strong two-factor authentication that prevents the use of lost, stolen, shared, or easily guessed passwords when establishing a tunnel to gain access to protected resources: 1. Using the Firebox MUVPN Client, the user establishes a connection using his/her logon name and CRYPTOCard token-generated one-time password. 2. The WatchGuard Firebox passes the authentication information via RADIUS to the BlackShield ID Pro Internet Authentication Service (IAS) or Network Policy Server (NPS) agent configured to communicate to the BlackShield ID Pro Server. 3. The BlackShield ID Pro Server verifies the username and password and an Access- Accept message is returned to the WatchGuard Firebox, allowing the user to access the network. Applicability This integration guide is applicable to: Security Partner Information Security Partner Product Name and Version Protection Category WatchGuard WatchGuard Firebox Remote Access CRYPTOCard Server Authentication Server Version BlackShield ID Small Business Edition 1.2+ Professional Edition 2.3+ Assumptions BlackShield ID has been installed and configured and a Test user account can be selected in the Assignment Tab. BlackShield ID implementation guide for WatchGuard Firebox 1

5 Operation BlackShield ID Pro works in conjunction with the WatchGuard Firebox to replace static passwords with strong two-factor authentication that prevents the use of lost, stolen, shared, or easily guessed passwords when establishing a tunnel to gain access to protected resources: 1. Using the Firebox MUVPN Client, the user establishes a connection using his/her logon name and CRYPTOCard token-generated one-time password. 2. The WatchGuard Firebox passes the authentication information via RADIUS to the BlackShield ID Pro Internet Authentication Service (IAS) or Network Policy Server (NPS) agent configured to communicate to the BlackShield ID Pro Server. 3. The BlackShield ID Pro Server verifies the username and password and an Access- Accept message is returned to the WatchGuard Firebox, allowing the user to access the network. Preparation and Prerequisites The following must be installed and operational prior to configuring the WatchGuard Firebox to use CRYPTOCard authentication: 1. Ensure end users can authenticate through the WatchGuard Firebox with a static password before configuring the WatchGuard Firebox to use RADIUS authentication. 2. BlackShield Pro server installed and a user account assigned with a CRYPTOCard token. 3. BlackShield Agent for Internet Authentication Service (IAS) or Network Policy Server (NPS). Configuring the WatchGuard Firebox Configuring the WatchGuard Firebox consists of 3 steps: Step 1: Enable RADIUS authentication Step 2: Add a Firebox group Step 3: Add a RADIUS Filter-Id to the RADIUS Server Step 1: Enable RADIUS Authentication 1. Connect to the Firebox System Status page, type in a web browser followed by the IP address of the Firebox trusted interface. 2. Select Firebox Users, Settings. BlackShield ID implementation guide for WatchGuard Firebox 2

6 3. Select the RADIUS tab then place a checkmark in Enable RADIUS Authentication. 4. In the RADIUS server IP address field, type the IP address of the RADIUS server. In the RADIUS server port enter In the RADIUS server secret enter the shared secret between the Firebox and RADIUS server. In RADIUS timeout enter 10 seconds. The shared secret between the Firebox and RADIUS server is casesensitive. Step 2: Add a Firebox group for Mobile VPN Users (IPSec or SSL) Once RADIUS authentication has been enabled and a Firebox group must been added to the WatchGuard Firebox setup so users can properly authenticate using a CRYPTOCard token. 1. Connect to the Firebox System Status page, type in a web browser followed by the IP address of the Firebox trusted interface. 2. Select Firebox Users, New Group. 3. In the Settings tab, type the Account Name for the group. 4. Select the MUVPN tab, click Enable Mobile VPN with IPSec or Enable Mobile VPN with SSL. 5. Type a shared key in the Shared key field. The Shared key is used to encrypt the.wgx file for the MUVPN clients. It is not the Shared Secret used between the Firebox and RADIUS server. 6. If necessary, select All traffic uses tunnel if the remote client sends all traffic through the VPN tunnel. 7. Enter a starting and ending IP Address in the Virtual IP address range. 8. Click Submit. BlackShield ID implementation guide for WatchGuard Firebox 3

7 Step 3: Add a RADIUS Filter-Id to the RADIUS Server A Filter-Id in must be added to the RADIUS server configuration so users can properly authenticate using a CRYPTOCard token. Internet Authentication Service (IAS) with BlackShield Agent enabled 1. Under Administrative Tools launch Internet Authentication Service. 2. Expand Connection Request Processing then highlight Connection Request Policies. 3. Right click on the BlackShield entry (by default Allow all users to authenticate with BlackShield) and select Properties. 4. Click Edit Profile then select the Advanced tab. 5. Click Add. In the Add Attribute dialog, highlight Filter-Id then select Add. 6. In the Attribute Values section select Add. 7. Select String beside Enter the attribute value in: 8. In the text box enter the WatchGuard Firebox MUVPN group name. 9. Click OK to apply the setting. Network Policy Server (NPS) with BlackShield Agent enabled 1. Under Administrative Tools launch Network Policy Server. 2. Expand Policies then highlight Connection Request Policies. 3. Right click on the BlackShield entry (by default Allow all users to authenticate with BlackShield) and select Properties. 4. Select the Settings tab, highlight RADIUS Attributes Standard then select Add. 5. Under Access type select All. In the Attributes section highlight Filter-Id then click Add. 6. In the Attribute Information dialog select Add. BlackShield ID implementation guide for WatchGuard Firebox 4

8 7. Select String below Enter the attribute value in: 8. In the text box enter the WatchGuard Firebox MUVPN group name. 9. Click OK to apply the setting. BlackShield ID implementation guide for WatchGuard Firebox 5

9 Troubleshooting When troubleshooting issues setting up RADIUS authentication on a WatchGuard Firebox, it may be helpful to refer to the Firebox logs or the WatchGuard Log Server. Refer to the Firebox documentation for details. All logging information for Internet Authentication Service (IAS) or Network Policy Server (NPS) can be found in the Event Viewer. All logging information for the BlackShield IAS\NPS agent can be found in the \Program Files\CRYPTOCard\BlackShield ID\IAS Agent\log directory. Failed Logons The following is an explanation of the logging messages that may appear in the event viewer for the Internet Authentication Service (IAS) or Network Policy Server (NPS) RADIUS Server. Error Message: Solution: Packet DROPPED: A RADIUS message was received from an invalid RADIUS client. Verify a RADIUS client entry exists on the RADIUS server. Error Message: Solution: Authentication Rejected: Unspecified This will occur when one or more of the following conditions occur: The username does not correspond to a user on the BlackShield Server. The CRYPTOCard password does not match any tokens for that user. The shared secret entered in Cisco Secure ACS does not match the shared secret on the RADIUS server Error Message: Solution: Authentication Rejected: The request was rejected by a third-party extension DLL file. This will occur when one or more of the following conditions occur: The BlackShield Agent for IAS\NPS cannot contact the BlackShield Server. The Pre-Authentication Rules on the BlackShield server do not allow incoming requests from the BlackShield Agent for IAS\NPS. The BlackShield Agent for IAS\NPS Keyfile does not match the Keyfile stored on the BlackShield Server. The username does not correspond to a user on the BlackShield Server The CRYPTOCard password does not match any tokens for that user. BlackShield ID implementation guide for WatchGuard Firebox 6