NetMotion Mobility XE


Implementation Guide (Version 5.4)
Copyright 2012 Deepnet Security Limited
Copyright 2012, Deepnet Security. All Rights Reserved. Page 1

Trademarks

Deepnet Unified Authentication, MobileID, QuickID, PocketID, SafeID, GridID, FlashID, SmartID, TypeSense, VoiceSense, MobilePass, DevicePass, RemotePass and Site Stamp are trademarks of Deepnet Security Limited. All other brand names and product names are trademarks or registered trademarks of their respective owners.

Copyrights

Under international copyright law, neither the Deepnet Security software nor the documentation may be copied, reproduced, translated or reduced to any electronic medium or machine readable form, in whole or in part, without the prior written consent of Deepnet Security.

Licence Conditions

Please read your licence agreement with Deepnet carefully and make sure you understand the exact terms of usage, in particular for which projects, on which platforms and at which sites you are allowed to use the product. You are not allowed to make any modifications to the product. If you feel the need for any modifications, please contact Deepnet Security.

Disclaimer

This document is provided as is without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the document. Deepnet Security may make improvements of and/or changes to the product described in this document at any time.

Contact

If you wish to obtain further information on this product or any other Deepnet Security products, you are always welcome to contact us.

Deepnet Security Limited
Northway House
1379 High Road
London N20 9LP
United Kingdom
Tel: +44(0)20 8343 9663
Fax: +44(0)20 8446 3182
Web: www.deepnetsecurity.com
Email: support@deepnetsecurity.com

Table of Contents

Overview ... 4
Prerequisites ... 4
DualShield Configuration ... 5
  Logon Procedure ... 5
  Application ... 6
  Certificates ... 7
    Certificate Authority ... 7
    SSL Certificate ... 7
  Register Radius Client ... 8
  Configure Radius Server ... 9
NetMotion Configuration ... 11
  Server Configuration ... 11
  Client Configuration ... 12
User Authentication ... 13
  One-Time Password ... 13
    Modify Logon Procedure ... 13
    Test Logon ... 13
  On-Demand Password ... 15
    Modify Logon Procedure ... 15
    Test Logon ... 15
Device Authentication ... 17
  NetMotion Configuration ... 17
    Server Configuration ... 17
    Client Configuration ... 17
  DualShield Configuration ... 19
  Test Logon ... 24

Overview

This configuration guide describes how to integrate NetMotion Mobility XE with the DualShield unified authentication platform in order to perform multi-factor authentication. NetMotion Mobility XE supports an external RADIUS server as its authentication server, using the PEAP authentication method. The DualShield unified authentication platform includes a fully compliant RADIUS server, the DualShield Radius Server.

DualShield supports multiple EAP authentication methods (PEAP, EAP-TLS, GTC, MSCHAPv2 etc.) with a wide selection of portable one-time password tokens in a variety of form factors, ranging from hardware tokens, software tokens and mobile tokens to USB tokens. These include:

Deepnet SafeID
Deepnet MobileID
Deepnet GridID
Deepnet CryptoKey
X.509 Certificate
RSA SecurID
VASCO DigiPass Go
OATH-compliant OTP tokens

In addition to one-time passwords, DualShield also supports on-demand passwords for RADIUS authentication. The product that provides on-demand passwords in the DualShield platform is Deepnet T-Pass. Deepnet T-Pass is an on-demand, token-less strong authentication that delivers logon passwords via SMS texts, phone calls, Twitter direct messages or email messages.

The complete solution consists of the following components:

NetMotion Mobility XE client/server
DualShield Radius Server
DualShield Authentication Server

Prerequisites

It is expected that NetMotion Mobility XE has already been set up and is operating. Prior to configuring NetMotion Mobility XE for two-factor authentication, you must also have the DualShield Authentication Server and DualShield Radius Server installed and operating.

For the installation, configuration and administration of the DualShield Authentication and Radius servers, please refer to the following documents:

DualShield Authentication Platform Installation Guide
DualShield Authentication Platform Quick Start Guide
DualShield Authentication Platform Administration Guide
DualShield Radius Server - Installation Guide

The document below provides general instructions for RADIUS authentication with the DualShield Radius Server:

VPN & RADIUS - Implementation Guide

DualShield Configuration

In the DualShield authentication server we need to create a RADIUS application which will be used for the two-factor authentication in NetMotion Mobility XE. An application in DualShield needs a logon procedure, which defines how users will be authenticated when they attempt to log on to the application.

Logon Procedure

1. Log in to the DualShield Management Console
2. In the main menu, select Authentication > Logon Procedure
3. Click the Create button on the toolbar
4. Enter a Name and select RADIUS as the type
5. Click Save
6. Click the Context Menu icon of the newly created logon procedure and select Logon Steps
7. In the popup window, click the Create button on the toolbar
8. Select Static Password as the authenticator
9. Click Save

Application

1. In the main menu, select Authentication > Applications
2. Click the Create button on the toolbar
3. Enter a Name
4. Select a Realm
5. Select the logon procedure that was just created
6. Click Save
7. Click the context menu of the newly created application and select Agent
8. Select the DualShield Radius server, e.g. Local Radius Server
9. Click Save
10. Click the context menu of the newly created application and select Self Test

Certificates

As the authentication protocol between the NetMotion server and the DualShield Radius server is RADIUS and the method is EAP/PEAP, we need an SSL server certificate for the DualShield Radius server. In a production environment you will probably want to purchase a commercial SSL certificate for your DualShield Radius server. In a test environment, however, you can create your own CA and issue an SSL certificate for the DualShield Radius server.

Certificate Authority

To create a CA certificate:
1. In the main menu, select Repository > Certificate Management > Certificate Authority
2. Click Create in the toolbar
3. Fill in the form
4. Click Save

SSL Certificate

To create an SSL certificate:
1. In the main menu, select Repository > Certificate Management > Server Certificates
2. Click Create in the toolbar

3. Select the CA created in the previous step
4. Fill in the form
5. Click Save

Register Radius Client

We need to register the NetMotion server as a Radius client in DualShield.
1. In the main menu, select RADIUS > Clients
2. Click the Register button on the toolbar
3. Select the application that was created in the previous steps
4. Enter the NetMotion Server's IP in the IP address field
5. Enter the Shared Secret, which will be used later in the NetMotion Server
6. Click Save

Configure Radius Server

1. In the main menu, select RADIUS > Server
2. Click the context menu of the Radius Server and select EAP options
3. Select the General tab and select PEAP as the Default EAP Type
4. Click Save
5. Select the TLS tab and select the SSL server certificate to be uploaded to the DualShield Radius Server
6. Click Save

7. Click the PEAP tab and select GTC as the Default EAP Type
8. Click Save

NetMotion Configuration

NetMotion Mobility XE includes two components, NetMotion Server and NetMotion Client.

Server Configuration

Log in to the NetMotion Mobility XE Console.
1. In the main menu, select Settings > Server
2. Select Authentication: User - Radius Server List
3. Click the Add button to add the DualShield Radius Server
4. Enter the DualShield Radius Server IP address, port, shared secret, and NAS ID
5. Select Authentication: User - Protocol
6. Select RADIUS-EAP (PEAP and EAP-TLS)
7. Click Apply
8. In the main menu, select Settings > Client
9. Select Logon - Prompt for user credentials at every reconnect
10. Enable Prompt at every reconnect
11. Click Apply
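The shared secret registered for the NetMotion server in DualShield (Register Radius Client) and entered again on the NetMotion server above is what binds the RADIUS exchange together: both ends key the packet authenticators with it. The following is an added example, not code from the Deepnet guide or either product, showing how an EAP-carrying Access-Request (the first leg of PEAP) is built and how its Message-Authenticator and the Response Authenticator of the reply are checked per RFC 2865 and RFC 3579; the secret, user name, NAS ID and Request Authenticator bytes are constructed values.

```python
# Added example (not Deepnet's code); secrets, names and bytes are constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IDENTIFIER, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 32, 79, 80

def attr(code, value):
    """Encode one attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", code, len(value) + 2) + value

def parse_attrs(pkt):
    """Yield (type, value_offset, value) for every attribute after the header."""
    off = 20
    while off + 2 <= len(pkt):
        code, length = pkt[off], pkt[off + 1]
        if length < 2 or off + length > len(pkt):
            raise ValueError("malformed RADIUS attribute")
        yield code, off + 2, pkt[off + 2:off + length]
        off += length

def build_access_request(ident, user, nas_id, secret, request_auth=None):
    """Access-Request as the RADIUS client (NetMotion server) sends it: the
    EAP-Message holds EAP-Response/Identity (first leg of PEAP) and RFC 3579
    requires a Message-Authenticator (HMAC-MD5 keyed with the shared secret)
    so the server can drop spoofed requests before any TLS handshake."""
    request_auth = request_auth or os.urandom(16)
    eap = struct.pack("!BBH", 2, ident, 5 + len(user)) + b"\x01" + user.encode()
    attrs = (attr(USER_NAME, user.encode()) + attr(NAS_IDENTIFIER, nas_id.encode())
             + attr(EAP_MESSAGE, eap) + attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()  # computed with MA zeroed
    return pkt[:-16] + mac  # Message-Authenticator is the last attribute

def verify_message_authenticator(pkt, secret):
    """Server-side check with the secret registered for this RADIUS client."""
    for code, off, value in parse_attrs(pkt):
        if code == MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # EAP requests without Message-Authenticator must be rejected

def build_access_accept(request, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(response, request, secret):
    """Client-side check: reply matches this request's ID and was produced
    by a server holding the same shared secret."""
    if response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

A secret mismatch on either side shows up as a failed authenticator check rather than a wrong password, which is the first thing to look at when the Self Test passes but the NetMotion client is never prompted.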

Client Configuration

Before configuring the NetMotion Client, we need to import the CA certificate that was used to issue the SSL certificate into the Trusted Root CA store on the local computer where the NetMotion client is running.
1. Export the CA certificate from the DualShield Console
2. Import the CA certificate into the local Trusted Root CA store

Now configure the NetMotion client.
1. Launch the Client and click the Configuration button
2. In the Server Certificates tab, select the CA certificate that was imported

3. Click OK

User Authentication

One-Time Password

NetMotion Mobility XE only supports one authentication server. To support two-factor authentication with the user's AD password and a one-time password, you will configure the logon procedure in DualShield so that DualShield verifies both the user's AD password and the one-time password.

Modify Logon Procedure

In DualShield, edit the logon procedure that you have created for the NetMotion application.

Test Logon

Launch the Client and click Connect:

Enter the user's static password (AD password) and click OK. DualShield will verify the user's password. If it succeeds, the NetMotion client will prompt the user to enter a one-time password:

Enter a valid one-time password and click OK. The NetMotion client will now establish a connection to its server.

On-Demand Password

To support on-demand passwords (Deepnet T-Pass), simply edit the logon procedure and add On-Demand Password to the authenticator list.

Modify Logon Procedure

In DualShield, edit the logon procedure that you have created for the NetMotion application.

Test Logon

Launch the Client and click Connect:

Enter the user's static password (AD password) and click OK. DualShield will verify the user's password. If it succeeds, your DualShield authentication server will automatically send a one-time password to the user via SMS or email message:

The NetMotion client will prompt the user to enter the one-time password:

Enter the one-time password received and click OK. The NetMotion client will now establish a connection to its server.

Device Authentication

NetMotion supports device authentication in parallel with user authentication. When device authentication is enabled, the NetMotion Mobility server allows connections only from Mobility clients that can perform device authentication.

NetMotion Configuration

Server Configuration

Log in to the NetMotion Mobility XE Console.
1. In the main menu, select Settings > Server
2. Select Authentication: Device - Require Device Authentication
3. Enable Require device authentication
4. Click Apply
5. In the main menu, select Settings > Client
6. Select Authentication - Mode
7. Select User required/device optional
8. Click Apply

Client Configuration

NetMotion's device authentication requires a certificate to be installed on the client machine. You should obtain a client certificate and install it in the personal certificates folder on the local computer.

The subject CN is important. In this example, the subject CN of the device certificate is demo.test.

Launch the NetMotion Mobility client, click Configuration and select the Client Certificates tab.

Enable the Allow client certificates option and select Personal User Certificate.

DualShield Configuration

The device authentication is carried out in parallel with the user authentication. In DualShield, we need to create a separate database to keep the device certificates and to create a separate logon procedure.

1. Create a new logon procedure
In this logon procedure, add a logon step with certificate as the only authenticator.

2. Create a new application
We will use the Application Wizard to create a new application.

3. Bind the new logon procedure to the new application
4. Register a new Radius Client

5. Create a new user
a) Click Directory > Users in the main menu
b) Select the NetMotion Devices domain in the left panel
c) Click Create on the toolbar in the right panel
Enter the Login Name in the form host/xxx, where xxx is the subject CN of the device certificate (e.g. demo.test). The remaining fields in the form are not significant.

6. Import device certificate
a) Select Certificate in the context menu
b) Click the Import Certificate button on the toolbar
Import the device certificate (PEM format, no private key).

Test Logon

Launch the NetMotion client. Select the device certificate and then click OK.

If the device authentication is successful, the NetMotion client will continue to the process of user authentication.