Implementation Guide (Version 5.4)

Copyright 2012 Deepnet Security Limited
Copyright 2012, Deepnet Security. All Rights Reserved. Page 1
Trademarks

Deepnet Unified Authentication, MobileID, QuickID, PocketID, SafeID, GridID, FlashID, SmartID, TypeSense, VoiceSense, MobilePass, DevicePass, RemotePass and Site Stamp are trademarks of Deepnet Security Limited. All other brand names and product names are trademarks or registered trademarks of their respective owners.

Copyrights

Under international copyright law, neither the Deepnet Security software nor its documentation may be copied, reproduced, translated or reduced to any electronic medium or machine-readable form, in whole or in part, without the prior written consent of Deepnet Security.

Licence Conditions

Please read your licence agreement with Deepnet carefully and make sure you understand the exact terms of usage, in particular for which projects, on which platforms and at which sites you are allowed to use the product. You are not allowed to make any modifications to the product. If you feel the need for any modifications, please contact Deepnet Security.

Disclaimer

This document is provided as is without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the document. Deepnet Security may make improvements of and/or changes to the product described in this document at any time.

Contact

If you wish to obtain further information on this product or any other Deepnet Security products, you are always welcome to contact us.

Deepnet Security Limited
Northway House
1379 High Road
London N20 9LP
United Kingdom
Tel: +44(0)20 8343 9663
Fax: +44(0)20 8446 3182
Web: www.deepnetsecurity.com
Email: support@deepnetsecurity.com
Table of Contents

Overview ... 4
Prerequisites ... 4
DualShield Configuration ... 5
  Logon Procedure ... 5
  Application ... 6
  Certificates ... 7
    Certificate Authority ... 7
    SSL Certificate ... 7
  Register Radius Client ... 8
  Configure Radius Server ... 9
NetMotion Configuration ... 11
  Server Configuration ... 11
  Client Configuration ... 12
User Authentication ... 13
  One-Time Password ... 13
    Modify Logon Procedure ... 13
    Test Logon ... 13
  On-Demand Password ... 15
    Modify Logon Procedure ... 15
    Test Logon ... 15
Device Authentication ... 17
  NetMotion Configuration ... 17
    Server Configuration ... 17
    Client Configuration ... 17
  DualShield Configuration ... 19
  Test Logon ... 24
Overview

This configuration guide describes how to integrate NetMotion Mobility with the DualShield unified authentication platform in order to perform multi-factor authentication. NetMotion Mobility supports an external RADIUS server as its authentication server, using the PEAP authentication method. The DualShield unified authentication platform includes a fully compliant RADIUS server, the DualShield Radius Server.

DualShield supports multiple EAP authentication methods (PEAP, EAP-TLS, GTC, MSCHAPv2 etc.) with a wide selection of portable one-time password tokens in a variety of form factors, ranging from hardware tokens, software tokens and mobile tokens to USB tokens. These include:

  Deepnet SafeID
  Deepnet MobileID
  Deepnet GridID
  Deepnet CryptoKey
  X.509 Certificate
  RSA SecurID
  VASCO DigiPass Go
  OATH-compliant OTP tokens

In addition to one-time passwords, DualShield also supports on-demand passwords for RADIUS authentication. The product that provides on-demand passwords in the DualShield platform is Deepnet T-Pass. Deepnet T-Pass is an on-demand, token-less strong authentication that delivers logon passwords via SMS texts, phone calls, Twitter direct messages or email messages.

The complete solution consists of the following components:

  NetMotion Mobility client/server
  DualShield Radius Server
  DualShield Authentication Server

Prerequisites

It is expected that NetMotion Mobility has already been set up and is operating. Prior to configuring NetMotion Mobility for two-factor authentication, you must also have the DualShield Authentication Server and DualShield Radius Server installed and operating.

For the installation, configuration and administration of the DualShield Authentication and Radius servers, please refer to the following documents:

  DualShield Authentication Platform - Installation Guide
  DualShield Authentication Platform - Quick Start Guide
  DualShield Authentication Platform - Administration Guide
  DualShield Radius Server - Installation Guide

The document below provides general instructions for RADIUS authentication with the DualShield Radius Server:

  VPN & RADIUS - Implementation Guide
DualShield Configuration

In the DualShield authentication server we need to create a RADIUS application, which will be used for the two-factor authentication in NetMotion Mobility. An application in DualShield needs a logon procedure, which defines how users will be authenticated when they attempt to log on to the application.

Logon Procedure

1. Log in to the DualShield Management Console
2. In the main menu, select Authentication > Logon Procedure
3. Click the Create button on the toolbar
4. Enter a Name and select RADIUS as the type
5. Click Save
6. Click the Context Menu icon of the newly created logon procedure and select Logon Steps
7. In the popup window, click the Create button on the toolbar
8. Select Static Password as the authenticator
9. Click Save

Application

1. In the main menu, select Authentication > Applications
2. Click the Create button on the toolbar
3. Enter a Name
4. Select a Realm
5. Select the logon procedure that was just created
6. Click Save
7. Click the context menu of the newly created application and select Agent
8. Select the DualShield Radius server, e.g. Local Radius Server
9. Click Save
10. Click the context menu of the newly created application and select Self Test
Certificates

As the authentication protocol between the NetMotion server and the DualShield Radius server is RADIUS and the method is EAP/PEAP, we need an SSL server certificate for the DualShield Radius server. In a production environment you will probably want to purchase a commercial SSL certificate for your DualShield Radius server. In a test environment, however, you can create your own CA and issue an SSL certificate for the DualShield Radius server.

Certificate Authority

To create a CA certificate:
1. In the main menu, select Repository > Certificate Management > Certificate Authority
2. Click Create in the toolbar
3. Fill in the form
4. Click Save

SSL Certificate

To create an SSL certificate:
1. In the main menu, select Repository > Certificate Management > Server Certificates
2. Click Create in the toolbar
3. Select the CA created in the previous step
4. Fill in the form
5. Click Save

Register Radius Client

We need to register the NetMotion server as a RADIUS client in DualShield:
1. In the main menu, select RADIUS > Clients
2. Click the Register button on the toolbar
3. Select the application that was created in the previous steps
4. Enter the NetMotion Server's IP in the IP Address field
5. Enter the Shared Secret, which will be used later in the NetMotion Server
6. Click Save
Configure Radius Server

1. In the main menu, select RADIUS > Server
2. Click the context menu of the Radius Server and select EAP Options
3. Select the General tab and select PEAP as the Default EAP Type
4. Click Save
5. Select the TLS tab and select the SSL server certificate to be uploaded to the DualShield Radius Server
6. Click Save
7. Click the PEAP tab and select GTC as the Default EAP Type
8. Click Save
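The RADIUS client registration above and the RADIUS server list on the NetMotion side both hinge on one value: the shared secret. The example below, added here and not part of the Deepnet or NetMotion products, shows why a mismatched secret fails before any EAP/PEAP negotiation starts. It builds the first Access-Request a NAS (the role the NetMotion server plays) sends, carrying an EAP-Message with a Message-Authenticator (mandatory for EAP over RADIUS, RFC 2869 section 5.14), and a toy server that drops requests whose HMAC does not verify and otherwise answers with an Access-Challenge whose Response Authenticator and Message-Authenticator the NAS checks in turn (RFC 2865 section 3, RFC 3579 section 3.2). Secret, user name and NAS identifier are constructed values; the server logic is a minimal stand-in, not DualShield's.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types used here (RFC 2865, RFC 2869, RFC 3579)
ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
USER_NAME, STATE, NAS_IDENTIFIER, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 24, 32, 79, 80
EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_IDENTITY, EAP_TYPE_PEAP = 1, 2, 1, 25
ZERO_MAC = b"\x00" * 16


def _attr(attr_type, value):
    """One Type-Length-Value attribute; Length includes the 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _packet(code, ident, authenticator, attrs):
    """Code, Identifier, Length, 16-byte Authenticator, then the attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def _hmac_md5(secret, code, ident, authenticator, attrs):
    return hmac.new(secret, _packet(code, ident, authenticator, attrs), hashlib.md5).digest()


def eap_identity_response(eap_id, identity):
    """EAP-Response/Identity, the first EAP message the client sends inside RADIUS."""
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(identity), EAP_TYPE_IDENTITY) + identity.encode()


def parse(packet):
    """Return (code, identifier, authenticator, [(type, value), ...]); reject malformed lengths."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, ident, packet[4:20], attrs


def build_access_request(secret, ident, user_name, nas_id, eap_payload):
    """NAS side. Message-Authenticator = HMAC-MD5(secret, packet with that attribute zeroed);
    this HMAC is what lets the server detect a shared secret that does not match."""
    request_auth = os.urandom(16)  # fresh Request Authenticator per request
    attrs = (_attr(USER_NAME, user_name.encode()) + _attr(NAS_IDENTIFIER, nas_id.encode())
             + _attr(EAP_MESSAGE, eap_payload))  # EAP payloads over 253 bytes must be split across attributes
    mac = _hmac_md5(secret, ACCESS_REQUEST, ident, request_auth, attrs + _attr(MESSAGE_AUTHENTICATOR, ZERO_MAC))
    return _packet(ACCESS_REQUEST, ident, request_auth, attrs + _attr(MESSAGE_AUTHENTICATOR, mac))


def verify_message_authenticator(secret, packet, request_auth=None):
    """Recompute the HMAC with the attribute zeroed in place. Replies are keyed on the
    Request Authenticator of the request they answer, so the caller passes it for those."""
    code, ident, auth, attrs = parse(packet)
    received, rebuilt = None, b""
    for attr_type, value in attrs:
        if attr_type == MESSAGE_AUTHENTICATOR:
            received, value = value, ZERO_MAC
        rebuilt += _attr(attr_type, value)
    if received is None:
        return False
    return hmac.compare_digest(received, _hmac_md5(secret, code, ident, request_auth or auth, rebuilt))


def build_response(secret, code, request_packet, attrs):
    """Server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    _, ident, request_auth, _ = parse(request_packet)
    mac = _hmac_md5(secret, code, ident, request_auth, attrs + _attr(MESSAGE_AUTHENTICATOR, ZERO_MAC))
    attrs += _attr(MESSAGE_AUTHENTICATOR, mac)
    resp_auth = hashlib.md5(_packet(code, ident, request_auth, attrs) + secret).digest()
    return _packet(code, ident, resp_auth, attrs)


def verify_response(secret, request_packet, response_packet):
    """NAS side: accept a reply only if it matches the Identifier and Request Authenticator it sent."""
    _, req_ident, request_auth, _ = parse(request_packet)
    code, ident, resp_auth, attrs = parse(response_packet)
    if ident != req_ident or not verify_message_authenticator(secret, response_packet, request_auth):
        return False
    raw = b"".join(_attr(t, v) for t, v in attrs)
    expected = hashlib.md5(_packet(code, ident, request_auth, raw) + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def radius_server_handle(secret, request_packet):
    """Toy server for the first round trip: a request whose Message-Authenticator fails is dropped
    (None), as a RADIUS server silently does; a valid EAP Identity Response gets an Access-Challenge
    carrying EAP-Request/PEAP Start plus a State attribute to correlate the next request."""
    if not verify_message_authenticator(secret, request_packet):
        return None
    _, _, _, attrs = parse(request_packet)
    eap = b"".join(v for t, v in attrs if t == EAP_MESSAGE)
    if len(eap) < 5 or eap[0] != EAP_RESPONSE or eap[4] != EAP_TYPE_IDENTITY:
        return None
    peap_start = struct.pack("!BBHBB", EAP_REQUEST, (eap[1] + 1) & 0xFF, 6, EAP_TYPE_PEAP, 0x20)  # flags: S
    return build_response(secret, ACCESS_CHALLENGE, request_packet,
                          _attr(EAP_MESSAGE, peap_start) + _attr(STATE, os.urandom(8)))
```

When the Self Test or the first NetMotion connection attempt produces no reply at all rather than a rejection, this is the behaviour to suspect: the DualShield side discards the request as if it never arrived, so check the registered client IP and the shared secret on both ends before looking at certificates or EAP types.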
NetMotion Configuration

NetMotion Mobility includes two components, the NetMotion Server and the NetMotion Client.

Server Configuration

Log in to the NetMotion Mobility XE Console.
1. In the main menu, select Settings > Server
2. Select Authentication: User - Radius Server List
3. Click the Add button to add the DualShield Radius Server
4. Enter the DualShield Radius Server IP address, port, shared secret and NAS ID
5. Select Authentication: User - Protocol
6. Select RADIUS-EAP (PEAP and EAP-TLS)
7. Click Apply
8. In the main menu, select Settings > Client
9. Select Logon - Prompt for user credentials at every reconnect
10. Enable Prompt at every reconnect
11. Click Apply

Client Configuration

Before configuring the NetMotion Client, we need to import the CA certificate that was used to issue the SSL certificate into the Trusted Root CA store on the local computer where the NetMotion client is running.
1. Export the CA certificate from the DualShield Console
2. Import the CA certificate into the local Trusted Root CA store

Now configure the NetMotion client:
1. Launch the Client and click the Configuration button
2. In the Server Certificates tab, select the CA certificate that was imported
3. Click OK

User Authentication

One-Time Password

NetMotion only supports one authentication server. To support two-factor authentication with the user's AD password and a one-time password, you configure the logon procedure in DualShield so that DualShield verifies both the user's AD password and the one-time password.

Modify Logon Procedure

In DualShield, edit the logon procedure that you have created for the NetMotion application.

Test Logon

Launch the Client and click Connect.

Enter the user's static password (AD password) and click OK. DualShield will verify the user's password. If it succeeds, the NetMotion client will prompt the user to enter a one-time password.

Enter a valid one-time password and click OK. The NetMotion client will now establish a connection to its server.
On-Demand Password

To support on-demand passwords (Deepnet T-Pass), simply edit the logon procedure and add On-Demand Password to the authenticator list.

Modify Logon Procedure

In DualShield, edit the logon procedure that you have created for the NetMotion application.

Test Logon

Launch the Client and click Connect.

Enter the user's static password (AD password) and click OK. DualShield will verify the user's password. If it succeeds, your DualShield authentication server will automatically send a one-time password to the user via SMS or email message.

The NetMotion client will prompt the user to enter the one-time password. Enter the one-time password received and click OK. The NetMotion client will now establish a connection to its server.
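The two Test Logon sequences above (static password, then either a token-generated one-time password or an on-demand password delivered after the first step succeeds) are the same two-step logon procedure with a different second authenticator. The simulation below is an added example, not DualShield code, that models that procedure the way a RADIUS server has to: step 1 checks the static password and returns a single-use State token; step 2 consumes the State and checks the second factor. For the token case it verifies OATH HOTP (RFC 4226, the OATH-compliant tokens listed in the overview) with a bounded look-ahead window and a counter that only moves forward, so a code cannot be replayed; for the on-demand case it generates the code in step 1, hands it to a delivery callback (a stand-in for the SMS or email gateway) and expires it after a TTL. The user records, salt, password hashing and the delivery callback are constructed stand-ins for the AD and DualShield stores.

```python
import hashlib
import hmac
import secrets
import struct
import time


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hash_password(password, salt):
    """Stand-in for the AD password check (constructed; AD itself would verify the static password)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LogonProcedure:
    """Two logon steps: Static Password, then One-Time Password (HOTP) or On-Demand Password."""

    def __init__(self, users, deliver, clock=time.time, look_ahead=5, on_demand_ttl=300):
        self.users = users            # login name -> record (constructed store)
        self.deliver = deliver        # callback(login, code): SMS / email gateway stand-in
        self.clock = clock
        self.look_ahead = look_ahead  # how many unused token presses the server tolerates
        self.on_demand_ttl = on_demand_ttl
        self.sessions = {}            # State token -> pending step-2 context

    def step1_static_password(self, login, password):
        """Step 1. Returns a State token to echo in step 2, or None (reject).
        For on-demand users the code is generated and sent here, after the password passed."""
        rec = self.users.get(login)
        if rec is None or not hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"]):
            return None
        state = secrets.token_hex(16)
        ctx = {"login": login, "issued": self.clock()}
        if rec["authenticator"] == "on-demand":
            ctx["code"] = "".join(secrets.choice("0123456789") for _ in range(6))
            self.deliver(login, ctx["code"])
        self.sessions[state] = ctx
        return state

    def step2_otp(self, state, otp):
        """Step 2. The State is single-use; HOTP counters only advance; on-demand codes expire."""
        ctx = self.sessions.pop(state, None)
        if ctx is None:
            return False
        rec = self.users[ctx["login"]]
        if rec["authenticator"] == "on-demand":
            fresh = self.clock() - ctx["issued"] <= self.on_demand_ttl
            return fresh and hmac.compare_digest(ctx["code"], otp)
        for candidate in range(rec["counter"], rec["counter"] + self.look_ahead + 1):
            if hmac.compare_digest(hotp(rec["key"], candidate), otp):
                rec["counter"] = candidate + 1   # resynchronise and burn everything up to this code
                return True
        return False


def build_demo_users():
    """Constructed sample records: one HOTP token user (RFC 4226 test key) and one T-Pass-style user."""
    salt = b"constructed-salt"
    return {
        "alice": {"salt": salt, "pw_hash": hash_password("Alice-AD-pw", salt),
                  "authenticator": "hotp", "key": b"12345678901234567890", "counter": 0},
        "bob": {"salt": salt, "pw_hash": hash_password("Bob-AD-pw", salt), "authenticator": "on-demand"},
    }
```

The look-ahead window and the forward-only counter are the two knobs that matter operationally: a window too small locks out users who pressed the token button a few times without logging on, while a window that is large or a counter that is not advanced on success turns every accepted code into a reusable one. The on-demand TTL plays the same role for delivered codes.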
Device Authentication

NetMotion supports device authentication in parallel with user authentication. When device authentication is enabled, the NetMotion Mobility server allows connections only from Mobility clients that can perform device authentication.

NetMotion Configuration

Server Configuration

Log in to the NetMotion Mobility XE Console.
1. In the main menu, select Settings > Server
2. Select Authentication: Device - Require Device Authentication
3. Enable Require device authentication
4. Click Apply
5. In the main menu, select Settings > Client
6. Select Authentication - Mode
7. Select User required/device optional
8. Click Apply

Client Configuration

NetMotion's device authentication requires a certificate to be installed on the client machine. You should obtain a client certificate and install it in the Personal certificates folder on the local computer.

The subject CN is important. In this example, the subject CN of the device certificate is demo.test.

Launch the NetMotion Mobility client, click Configuration and select the Client Certificates tab.
Enable the Allow client certificates option and select Personal User Certificate.

DualShield Configuration

Device authentication is carried out in parallel with user authentication. In DualShield, we need to create a separate database to keep the device certificates and to create a separate logon procedure.

1. Create a new logon procedure
   In this logon procedure, add a logon step with Certificate as the only authenticator.
2. Create a new application
   We will use the Application Wizard to create the new application.
3. Bind the new logon procedure to the new application
4. Register a new Radius Client
5. Create a new user
   a) Click Directory > Users in the main menu
   b) Select the NetMotion Devices domain in the left panel
   c) Click Create on the toolbar in the right panel
   Enter the Login Name in the form host/xxx, where xxx is the subject CN of the device certificate (e.g. demo.test). The remaining fields in the form are insignificant.
6. Import the device certificate
   a) Select Certificate in the context menu
   b) Click the Import Certificate button on the toolbar
   Import the device certificate (PEM format, no private key).
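Steps 5 and 6 couple two things an operator types or pastes by hand: the Login Name host/xxx must match the subject CN of the certificate that is then imported, and the PEM must contain only the certificate, not the private key. The script below is an added example (not a Deepnet or NetMotion tool) that performs that pre-import check with the standard library alone: it rejects a PEM that carries any PRIVATE KEY block or more than one certificate, walks the DER of Certificate -> tbsCertificate -> subject to read the CN (OID 2.5.4.3), and derives the Login Name. Because no real certificate can be embedded here, the block also includes a constructed, unsigned stand-in with the X.509 field layout, used only to exercise the parser; a real device certificate exported from the CA would be passed to the same functions.

```python
import base64
import re

OID_COMMON_NAME = bytes([0x55, 0x04, 0x03])  # 2.5.4.3 (id-at-commonName)
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_encode(tag, content):
    """Minimal DER TLV encoder, used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(n_bytes)]) + n_bytes
    return bytes([tag]) + length + content


def der_read(buf, pos=0):
    """Decode the TLV at pos; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, header = first, 2
    elif first == 0x80:
        raise ValueError("indefinite length is not DER")
    else:
        count = first & 0x7F
        length, header = int.from_bytes(buf[pos + 2:pos + 2 + count], "big"), 2 + count
    start, end = pos + header, pos + header + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[start:end], end


def der_children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = der_read(content, pos)
        out.append((tag, value))
    return out


def subject_common_name(cert_der):
    """Walk Certificate -> tbsCertificate -> subject and return the CN attribute value."""
    _, certificate, _ = der_read(cert_der)
    _, tbs, _ = der_read(certificate)
    fields = der_children(tbs)
    if fields and fields[0][0] == 0xA0:        # optional [0] EXPLICIT version
        fields = fields[1:]
    subject = fields[4][1]                      # serialNumber, signature, issuer, validity, subject
    for _, rdn in der_children(subject):        # RelativeDistinguishedName SET
        for _, atv in der_children(rdn):        # AttributeTypeAndValue SEQUENCE
            (_, oid), (_, value) = der_children(atv)
            if oid == OID_COMMON_NAME:
                return value.decode("utf-8")    # PrintableString or UTF8String
    raise ValueError("certificate subject has no CN")


def load_device_certificate(pem_text):
    """Accept exactly one CERTIFICATE block and refuse any private key, as the import step requires."""
    blocks = PEM_BLOCK.findall(pem_text)
    if any("PRIVATE KEY" in label for label, _ in blocks):
        raise ValueError("PEM contains a private key; export the certificate only")
    certs = [base64.b64decode(body) for label, body in blocks if label == "CERTIFICATE"]
    if len(certs) != 1:
        raise ValueError("expected exactly one CERTIFICATE block")
    return certs[0]


def dualshield_login_name(pem_text):
    """Login Name of the DualShield user the device certificate is imported under: host/<subject CN>."""
    return "host/" + subject_common_name(load_device_certificate(pem_text))


def check_device_certificate(pem_text):
    """Operator-facing pre-import check: (True, login name) or (False, reason)."""
    try:
        return True, dualshield_login_name(pem_text)
    except ValueError as exc:
        return False, str(exc)


def _name(cn):
    return der_encode(0x30, der_encode(0x31, der_encode(
        0x30, der_encode(0x06, OID_COMMON_NAME) + der_encode(0x0C, cn.encode()))))


def make_sample_certificate_pem(cn):
    """Constructed stand-in with the X.509 field layout, empty placeholders and no signature;
    it is NOT a valid certificate, only enough structure to exercise the subject walk."""
    tbs = (der_encode(0xA0, der_encode(0x02, b"\x02"))   # version v3
           + der_encode(0x02, b"\x01")                   # serialNumber
           + der_encode(0x30, b"")                       # signature AlgorithmIdentifier (placeholder)
           + _name("Constructed Test CA")                # issuer
           + der_encode(0x30, b"")                       # validity (placeholder)
           + _name(cn)                                   # subject
           + der_encode(0x30, b""))                      # subjectPublicKeyInfo (placeholder)
    cert = der_encode(0x30, der_encode(0x30, tbs) + der_encode(0x30, b"") + der_encode(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"
```

Running check_device_certificate over the exported file before step 6 catches the two mistakes that otherwise surface only as a failed device logon: a CN that does not match the host/ user created in step 5, and a PEM exported together with its private key.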
Test Logon

Launch the NetMotion client. Select the device certificate and then click OK. If device authentication is successful, the NetMotion client will continue to the user authentication process.