Meeting CJIS Advanced Authentication

Transcription

1 Meeting CJIS Advanced Authentication using User Certificate and Strong Key Protection Presented by: Carlos Leon, Network Manager City of Palm Beach Gardens

2 Meeting CJIS Requirements CJIS security policy calls for the use of advanced authentication methods authentication based on additional factors beyond simple user name/password authentication. NetMotion Mobility XE supports industry standard infrastructure: RADIUS servers as the front-end for Microsoft's Active Directory Authentication and PKI (public key infrastructure) for provisioning and exchange of digital certificates. Other RADIUS / PKI solutions are supported if they are compatible with X.509v3 user certificates, standard Microsoft CAPI enabled access to those certificates, and the RADIUS EAP TLS or EAP TLS inside the PEAP protocol. In addition to strong authentication, CJIS security policy mandates the use of FIPS validated encryption. NetMotion Mobility XE s use of validated/certified cryptographic libraries (NIST certificate numbers 237, 441 and 493) meets this requirement.

3 Strong Key Protection: Overview This process utilizes a user-based public key infrastructure (PKI) certificates X.509v3 secured by Microsoft Strong Key Protection which is stored on the user s hard drive. The certificate is then used by NetMotion VPN in a PEAP wrapper for EAP-TLS user authentication. VPN will request the certificate: Each time the employee reboots the computer After a time interval (13 hours is recommended) If employees bypasses NetMotion then connects If air card disconnects (drops), then reconnects, the password for the certificate will be not requested again.

4 Employee Logon Process Steps through the process for authentication and access to the network: Officers logon: Windows Network username & password to follow CJIS policy Officers VPN client (NetMotion) calls the PKI which forces the user to type an individual password to access the individual certificate following CJIS policy The VPN awaits the verification from the RADIUS server to allow for connection to the network. Officer will be prompted for certificate password every 13 hours.

5

6 Software Requirements for Solution Microsoft Windows Server 2008 R2 Enterprise or Datacenter: Microsoft Active Directory Certificate Services (AD CS) Microsoft Network Policy and Access Services (NPAS) Microsoft Active Directory Infrastructure NetMotion Mobility XE 9.21 Server NetMotion Mobility XE 9.x Client(s)

7 Today's Installation & Configuration Objectives Install and Configure simple deployment of Microsoft Certificate Services Install and Configure Network Policy and Access Services (RADIUS) NetMotion Mobility XE Server Configuration NetMotion XE Client Configuration Validating Client Connection

8 Installation & Configuration

9 Install Certificate Services Open Server Manager on the Windows 2008 R2 Server where you plan to install Certificate Services Click on Roles Click on Add Roles

10 Install Certificate Services Click Next Select Active Directory Certificate Services Click on Next

11 Install Certificate Services Click Next until you Complete the Wizard accepting all defaults as displayed NOTE: The values displayed for Common name for this CA: and Distinguished name suffix will be specific to your environment.

12 Configuring Certificate Services Open Server Manager on Certificate Services Server Expand out Roles Active Directory Certificate Services Servername Right click Certificate Templates and select Manage

13 Configuring Certificate Services Right Click the USER CERIFICATE A Duplicate Template dialog box may appear asking if this Certificate is for Windows Server 2003 Enterprise or Windows Server 2008 Enterprise Select Windows 2008 Enterprise and click OK

14 Configuring Certificate Services Change the Template display name: In the screen shot we specified CJIS-NetMotion Click the Security tab and Select the Active Directory Group you wish to use

15 Configuring Certificate Services Set Extensions Application Polices Remove all but Client Authentication Certificate is only used by User Authentication Set Request Handing Prompt every time the certificate is used.

16 Configuring Certificate Services Now you need to issue the template Return to Server Manager Right click on Certificate Templates Select New Certificate Template to Issue

17 Configuring Certificate Services The template you just duplicated should now be listed under Certificate Templates

18 Configuring Active Directory

19 Configuring Active Directory to use Use Group Policies to enforce: Strong Key Policy Strong Key Protection User must enter a password each time they use a key 19

20 Configuring Active Directory to Deploy Certificates Open Group Policy Management Snap-In Note: This snap-in exists on the Domain Controller Right click on the Default Domain Policy Select Edit to open the Group Policy Management Editor 20

21 Configuring Active Directory Apply to officer laptops Organizational Unit or at Domain level Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

22 Configuring Network Policy and Access Services (NPAS)

23 Configuring Network and Access Policy Services There are 3 things that should be defined in Network Policy and Access Services 1. Create the RADIUS Client 2. Create a Connection Request Policy 3. Create a Network Policy If you have more than one Mobility XE server in your pool you will need to create a RADIUS Client for each NetMotion Mobility XE server

24 Install and Configure Network Policy and Access Services

25 Install Network Policy & Access Services (NPS) Open Server Manager on the Windows 2008 R2 Server where you plan to install NPS Click on Roles Click on Add Roles

26 Install Network Policy & Access Services Select Network Policy and Access Services Click Next Select Network Policy Server Click Install to begin installation Click Close to complete the install 26

27 NPAS Create the RADIUS Client Open Server Manager where NPAS was installed Expand out Roles Network Policy and Access Services NPS RADIUS Clients and Servers RADIUS Clients Right click RADIUS Clients and select New

28 NPAS Create a Connection Request Policy Open Server Manager where NPAS was installed Expand out Roles Network Policy and Access Services NPAS Policies Connection Request Policies Right click Connection Request Policies and select New

29 NPAS - Connection Request Policy Set Specified Condition as NAS Identifier NetMotion

30 NPAS - Create a Network Policy Open Server Manager where NPAS was installed Expand out Roles Network Policy and Access Services NPS Policies Network Policies Right click Network Policies and select New

31 NPAS - Create a Network Policy Conditions»Windows Group form Active Directory»NAS Identifier to be used in Netmotion settings

32 NPAS - Create a Network Policy Constraints: Select Microsoft: Smart Card or other certificate and click OK NOTE: Selecting this option does NOT mean you must have Smart Cards

33 XE Server Installing NetMotion

34 Mobility XE Server install Note: Retain Password

35 Configuration NetMotion XE Server

36 Mobility XE Server Configuration Configure Mobility XE for RADIUS EAP and EAP-TLS Global Server Setting

37 Mobility XE Server Configuration Configure RADIUS Server List Global Server Setting NOTE: NAS ID: same as the NAS Identifier in NPAS

38 Mobility XE Server Configuration Configure User Logon Re-authentication Interval Global Client Setting

39 Installing User Certificate

40 Client Configuration Requirement: Laptop joined to domain NetMotion Client in bypass User must have local network access WIFI or Ethernet

41 Installing User Certificate User opens Certificate Console (Windows 7) Certmgr.msc

42 Installing User Certificate Start the process Expand Personal Right Click Certificates Click on Request New Certificate

43 Installing User Certificate Pick correct certificate Named CJIS- Netmotion during the Certificate install Type password that will be used to access certificate. Enforced by strong key protection and requirement on certificate. Password follows Domain password policy Finish

44 NetMotion XE Client configuration

45 NetMotion Client configuration Must configure client to use local personal user certificate Right Click Properties Status Configuration -> Client Certificate

46 Netmotion XE Client Connection

47 Client Connection First time XE client will ask for which certificate from the store to use:

48 Client Connection User asked to type in Password to access certificate which allows for connection

49 Renewing user Certificate

50 Renewing user Certificate Requirement: Laptop joined to domain User must have network access WIFI or Ethernet access NetMotion Connected or bypassed

51 Renewing user Certificate Open certificate store

52 Renewing user Certificate NOTE: User will need to know old password

53 Lost Password

54 Recover Certificate lost password Process to create a new certificate if user does NOT know the password for the certificate. Requirement: Laptop joined to domain NetMotion Client in bypass User must have network access WIFI or Ethernet access

55 Recover Certificate lost password User must delete old certificate and request new

56 QUESTIONS: Meeting CJIS Advanced Authentication using User Certificate and Strong Key Protection Presented by: Carlos Leon, Network Manager City of Palm Beach Gardens