Replacing legacy two-factor authentication with YubiRADIUS for corporate remote access. How to Guide




Replacing legacy two-factor authentication with YubiRADIUS for corporate remote access. How to Guide. May 15, 2012

Introduction

Yubico is the leading provider of simple, open online identity protection. The company's flagship product, the YubiKey, uniquely combines driverless USB hardware with open source software. More than a million users in 100 countries rely on YubiKey strong two-factor authentication for securing access to computers, mobile devices, networks and online services. Customers range from individual Internet users to e-governments and Fortune 500 companies. Founded in 2007, Yubico is privately held with offices in California, Sweden and the UK.

Disclaimer

The contents of this document are subject to revision without notice due to continued progress in methodology, design, and manufacturing. Yubico shall have no liability for any error or damages of any kind resulting from the use of this document. The Yubico Software referenced in this document is licensed to you under the terms and conditions accompanying the software or as otherwise agreed between you or the company that you are representing.

Trademarks

Yubico and YubiKey are trademarks of Yubico Inc.

Contact Information

Yubico Inc, 228 Hamilton Avenue, 3rd Floor, Palo Alto, CA 94301, USA. info@.com

YubiRADIUS Legacy Replacement 2012 Yubico. All rights reserved. Page 2 of 19

Contents

Introduction ... 2
Disclaimer ... 2
Trademarks ... 2
Contact Information ... 2
1 Document Information ... 5
1.1 Purpose ... 5
1.2 Audience ... 5
1.3 References ... 5
1.4 Version ... 5
1.5 Definition ... 5
2 Introduction ... 6
2.1 Legacy Two-Factor Authentication (TFA) Systems ... 6
3 Overview ... 7
3.1 Legacy TFA authentication architecture ... 7
3.2 Yubico open source TFA authentication architecture ... 8
3.3 Yubico Open Source Solution ... 8
3.3.1 YubiKey ... 8
3.3.2 YubiRADIUS ... 8
3.3.3 YubiCloud vs. On-board Validation Server ... 10
3.3.4 Supports both single domain as well as multi domain ... 11
4 Prerequisites ... 12
4.1 Remote Access Product supporting RADIUS ... 12
4.2 Virtualization platform to host YubiRADIUS ... 12
4.2.1 Image requirements ... 12
4.3 One or more YubiKey(s) ... 12
4.4 Active Directory or LDAP Directory server ... 12
5 Planning and preparations ... 13
5.1 Access GW supporting RADIUS ... 13
5.2 YubiCloud vs. Built in validation Server ... 13
5.3 Virtual Appliance Platform ... 13
5.4 Internet connection for downloading ... 14
5.4.1 YubiRADIUS image ... 14
5.4.2 Personalization (Programming) tool ... 14
5.5 Firewall considerations ... 14
5.6 Failover Multi Master planning ... 15
5.7 Master Slave Considerations ... 15
5.8 Getting YubiKeys ... 16
6 YubiRADIUS Setup and Configuration ... 17
6.1 Process overview ... 17
7 YubiKey Deployment ... 18
7.1 Deployment for YubiCloud vs. On-board Val. Server ... 18
7.2 Auto-deployment ... 18
7.3 Helpdesk Considerations ... 18
7.4 Programming considerations ... 18
8 Summary ... 19
8.1 Benefits when switching to YubiRADIUS ... 19
8.2 Summary of the steps involved in the switch ... 19
8.3 Auto-Deployment ... 19

1 Document Information

1.1 Purpose

The purpose of this document is to guide readers through the steps of replacing an existing legacy two-factor authentication infrastructure (such as an RSA Authentication Manager/ACE Server infrastructure) with the open source based YubiRADIUS infrastructure from Yubico.

1.2 Audience

This document is intended for technical staff of Yubico customers who want to replace an existing two-factor authentication solution such as RSA SecurID with YubiKey based authentication for securing access to corporate resources via techniques such as a Remote Access service or VPN.

1.3 References

Part of the Yubico YubiRADIUS solution is based on the open source FreeRADIUS and Webmin software.

1.4 Version

This version is released to the Yubico community as a how-to guide.

1.5 Definition

Term        Definition
YRVA        Yubico's YubiRADIUS Virtual Appliance
VPN         Virtual Private Network
SSL         Secure Sockets Layer
RADIUS      Remote Authentication Dial In User Service. The RADIUS protocol is used to communicate between access equipment (such as a VPN GW) and the RADIUS server.
PIN         Personal Identification Number
OTP         One Time Password
OVF         Open Virtualization Format, a standard format supported by the major virtualization platform vendors
YubiKey ID  The 12 character (48 bit) public identifier of a YubiKey
AD          Active Directory
LDAP        Lightweight Directory Access Protocol. Refers both to the communication protocol and to a lightweight directory service for finding information about users and other resources in a network.
TFA         Two-Factor Authentication

2 Introduction

Yubico's mission is to make Internet identification secure, easy, and affordable for everyone. The company offers a physical authentication device/token, the YubiKey, which is used to provide secure authentication to web services and various other applications. The YubiKey device is a tiny key-sized one-button authentication device, emulating a USB keyboard and designed to generate a unique user identity and a one-time password (OTP) without requiring any software to be installed on end users' computers.

2.1 Legacy Two-Factor Authentication (TFA) Systems

Organizations frequently utilize the powerful and flexible authentication mechanism provided by the RADIUS protocol. A RADIUS server combined with an industry standard VPN or SSL based VPN solution provides a robust and flexible remote access solution. In any remote access scenario two-factor authentication is highly recommended and in many cases required for compliance with industry regulation, such as for achieving PCI compliance. However, many organizations have a legacy Two-Factor Authentication (TFA) solution which, for different reasons, they would like to replace with an open source solution from Yubico. In the sections below we will look at the considerations in planning and the steps involved in replacing a legacy TFA solution with YubiKey tokens and the YubiRADIUS TFA infrastructure.

3 Overview

When looking at replacing legacy TFA authentication solutions with a solution from Yubico, you will frequently find that there are many similarities and the task is therefore easier than perhaps first anticipated. Depending on the size of the organization, the logistics leading up to the actual switchover will be the biggest planning part. However, Yubico has implemented three important features in YubiRADIUS in relation to the switchover, to ease the logistics and coordination otherwise required. The following features help in the switchover from legacy solutions:
1. Users may use their regular Active Directory (or LDAP) username and password; no need for a different or temporary password.
2. Import of users based on Active Directory group membership or OUs, making it possible to gradually switch users to the new solution.
3. Import of YubiKeys without initial binding to users (see Auto-deployment).
4. Auto-deployment: a YubiKey is assigned at first login (binding at first use).
We will go through the list above in more detail in the sections below.

3.1 Legacy TFA authentication architecture

The diagram below describes at a high level the infrastructure of the legacy solution to be replaced.

Diagram: Internet; end user device with legacy token; Access/VPN GW; organization's legacy authentication server.

The legacy solution usually has an Access GW (e.g. Cisco ASA) or VPN (e.g. OpenVPN) connected via the RADIUS protocol to a legacy authentication server. The legacy token is either hardware based (as in the picture) or a software client (or a combination) on the end users' computers or access equipment.

3.2 Yubico open source TFA authentication architecture

The diagram below describes the new Yubico open source based infrastructure replacing the legacy solution. Similarly to the legacy solution, usually an Access GW (e.g. Cisco ASA) or VPN (e.g. OpenVPN) is connected via the RADIUS protocol to YubiRADIUS. The token is either hardware based (as in the picture) or a software client (or a combination) on the end users' computers or access equipment.

3.3 Yubico Open Source Solution

The YubiKey is a small USB connected OTP device that, combined with the organization's Active Directory (or LDAP) and the Yubico open source based YubiRADIUS server, provides simple and secure TFA access to applications.

3.3.1 YubiKey

The YubiKey USB connected OTP device is recognized as a USB keyboard, so it works on all computer platforms without any client software needed (Windows, Linux, Mac, iPad, newer Android etc.). With a simple touch on the YubiKey it automatically generates and enters a unique identity and One-Time Password (OTP). Combined with a PIN or password (from your LDAP or Active Directory database), the YubiKey provides strong two-factor authentication. The YubiKey is manufactured in Sweden with an auditable process for secrets.

3.3.2 YubiRADIUS

The Yubico YubiRADIUS Virtual Appliance is a FreeRADIUS based solution built on open source components which provides an organization with YubiKey based two-factor authentication for remote access. The password part can be checked against the organization's own (existing) AD (Active Directory) or LDAP, so that users only have to remember their normal network password, and the YubiKey part can be validated either using YubiCloud, the Yubico online validation service, or an on-site Yubico Validation and Key Management Server combination.

Diagram: YubiRADIUS Virtual Appliance architecture. A RADIUS client (Cisco ASA or other RADIUS equipment) speaks the RADIUS protocol to FreeRADIUS with PAM (Pluggable Authentication Module). The OTP/PW separator splits the credential: the OTP is validated via YubiCloud or the internal YK-VAL Validation Server and YK-KSM Key Server (optionally with a YubiHSM Hardware Security Module for additional key protection), and the password is checked via LDAP against the organization's Active Directory or an internal or external OpenLDAP. The appliance also holds the UID to YubiKey mapping database and a request proxy server, and is managed through Webmin.

Deployment of YubiKeys can be as easy as sending out YubiKeys to users without prior registration; the YubiKey to user binding will be handled automatically upon first use by the YubiRADIUS Virtual Appliance, which also supports several other more traditional deployment methods.

Deployment of the Yubico YubiRADIUS Virtual Appliance solution itself requires no changes to the organization's AD/LDAP schema, which is an important factor for most organizations. Further, the standard authentication interface with username and password is also used for the Yubico two-factor authentication, so there is no client side software to be installed.

Additionally, the YubiRADIUS Virtual Appliance solution supports multiple domains in order to also support more involved deployments such as those used by a large organization or a Security Service Provider. Each domain configuration works separately and has its own configuration settings.

Finally, in order to make it easy for customers to quickly deploy a solution, Yubico provides a ready to deploy YubiRADIUS Virtual Appliance OVF and VMware based image with all needed components.

3.3.3 YubiCloud vs. On-board Validation Server

YubiRADIUS can be configured to validate YubiKeys either by using the YubiCloud (easiest deployment) or using the built in internal Validation Server.

Diagram: OTP validation through YubiCloud or the on-board Validation Server (YK-VAL Validation Server with YK-KSM Key Server).

3.3.4 Supports both single domain as well as multi domain

YubiRADIUS can be used in an ISP setting for multiple organizations, or in an organization that has multiple domains with separate ADs or LDAPs per domain. The only difference between single and multiple domains/organizations is that in a multiple domain/organization deployment the user name must be followed by a fully qualified domain name.

Diagram: YubiRADIUS supports multi domain deployment with separate AD/LDAPs per domain. The YubiRADIUS Virtual Appliance VM image (admin UI based on Webmin, or the Yubico web service API) receives RADIUS from a RADIUS client per domain, checks passwords over LDAP against the Domain1 and Domain2 LDAP/AD servers, and validates OTPs against either the YubiCloud online validation service over the Internet or a local Yubico validation server.

Single domain: ID: Username, PW: Password + OTP
Multi domain or multi organization: ID: Username@domain.organization.com, PW: Password + OTP
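As an added illustration (not code from this guide or from YubiRADIUS itself), the following Python splits a RADIUS username/password pair the way the two ID/PW formats above describe: the fully qualified domain off the username in a multi-domain deployment, and the trailing OTP off the password field. It assumes the OTP is a standard 44-character ModHex YubiKey OTP whose first 12 characters are the YubiKey ID; the sample credentials are constructed.

```python
"""Credential splitting for the 'Password + OTP' RADIUS convention.

Added illustration, not YubiRADIUS code.  Assumption: the OTP is the standard
44-character ModHex YubiKey OTP (12-char public ID + 32-char encrypted block);
the guide itself only states the 12-character YubiKey ID."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# ModHex alphabet used by YubiKey OTPs (keyboard-layout independent letters).
MODHEX = set("cbdefghijklnrtuv")
PUBLIC_ID_LEN = 12
OTP_LEN = 44


@dataclass(frozen=True)
class Credential:
    username: str
    domain: Optional[str]   # None in a single-domain deployment
    password: str           # forwarded to AD/LDAP
    otp: str                # forwarded to YubiCloud or the internal YK-VAL
    public_id: str          # first 12 ModHex chars: identifies the YubiKey


def split_username(user_field: str) -> tuple[str, Optional[str]]:
    """'alice' -> ('alice', None); 'alice@corp.example' -> ('alice', 'corp.example')."""
    if "@" not in user_field:
        return user_field, None
    name, _, domain = user_field.rpartition("@")
    if not name or not domain:
        raise ValueError("malformed multi-domain username")
    return name, domain.lower()


def split_password_otp(pw_field: str) -> tuple[str, str]:
    """Separate 'password + OTP' into its two parts.

    The OTP is taken as the trailing 44 ModHex characters, so the directory
    password itself may contain any characters (including ModHex letters)."""
    if len(pw_field) <= OTP_LEN:
        raise ValueError("password field too short to contain a password and an OTP")
    password, otp = pw_field[:-OTP_LEN], pw_field[-OTP_LEN:]
    if not set(otp) <= MODHEX:
        raise ValueError("trailing 44 characters are not a ModHex OTP")
    return password, otp


def parse_radius_credential(user_field: str, pw_field: str) -> Credential:
    """Parse the User-Name and User-Password fields of an Access-Request."""
    username, domain = split_username(user_field)
    password, otp = split_password_otp(pw_field)
    return Credential(username, domain, password, otp, otp[:PUBLIC_ID_LEN])


if __name__ == "__main__":
    # Constructed sample: YubiKey ID 'cccccccccccc' followed by 32 filler chars.
    sample_otp = "cccccccccccc" + "v" * 32
    print(parse_radius_credential("alice@corp.example", "S3cret!" + sample_otp))
```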

4 Prerequisites

The following are the prerequisites to deploy YubiRADIUS in order to replace a legacy two-factor authentication solution.

4.1 Remote Access Product supporting RADIUS

The access product must support the RADIUS protocol.

4.2 Virtualization platform to host YubiRADIUS

You need a virtualization platform such as VMware Server/ESX or similar to host the YubiRADIUS image. The image is available in two formats: either VMware format or OVF (Open Virtualization Format), which is supported by many vendors such as Red Hat, IBM, VMware and others. Read more about the platforms below.
http://en.wikipedia.org/wiki/open_virtualization_format

4.2.1 Image requirements

The following are the out of the box recommended image requirements:
1 processor
256 MB memory
8 GB disk

4.3 One or more YubiKey(s)

For more information regarding the YubiKey, please visit the following link:
http://www..com/products/yubikey/

4.4 Active Directory or LDAP Directory server

The Yubico YubiRADIUS virtual appliance (YVA) server supports username and password authentication with an external Active Directory/LDAP directory or an internal LDAP using the built-in OpenLDAP server. In order to deploy and test the YVA solution, either an external (to the image) Active Directory/LDAP or the OpenLDAP server configurable on the image must be used.

5 Planning and preparations

In order to replace a legacy TFA solution the following prerequisites, planning and preparations must be taken into consideration. In brief we will cover the following in this section.
1. Access GW supporting RADIUS
2. YubiCloud or built in database
3. Virtual Appliance Platform
4. Internet connection for downloading
5. YubiRADIUS image
6. YubiKey Personalization (Programming) tool
7. Firewall planning and preparation
8. YubiRADIUS Failover Multi Master
9. Master Slave considerations
10. Getting YubiKeys

5.1 Access GW supporting RADIUS

The first requirement is that the Access Gateway, or any other access equipment such as a firewall with VPN functionality or a VPN gateway, has support for RADIUS and the related requirements listed below. Please verify the following:
1. The RADIUS protocol must be supported
2. The RADIUS authentication port must be set to UDP port 1812
3. Authentication method PAP (not CHAP nor CHAP2); YubiRADIUS needs the password field as sent by the client, protected by the RADIUS shared secret, in order to split it into the directory password and the OTP
4. The RADIUS server IP or DNS name can be configured
5. The RADIUS shared secret can be configured

5.2 YubiCloud vs. Built in validation Server

The YubiRADIUS virtual appliance can use either the built in Validation Server or the YubiCloud. In order to use the built in Validation Server you will need an import file for the YubiKeys. There are two ways to get this:
1. If you order at least 500 YubiKeys you can ask Yubico to program the YubiKeys in such a way that you get an encrypted CD copy of the information (AES keys etc.) needed for import on the Validation Server.
2. You can alternatively reprogram any number of YubiKeys you get from the Yubico store using the Personalization (programming) tool. See below.

5.3 Virtual Appliance Platform

The YubiRADIUS virtual appliance is available in VMware Player/Server format or as an Open Virtualization Format (OVF) image for infrastructure such as VMware ESX.

Select a virtualization platform, either:
1. A virtualization platform supporting the OVF image format, or
2. VMware Server or VMware Player using the native format
Once you have selected a virtualization platform, make sure it is prepared to have an image uploaded to it.

5.4 Internet connection for downloading

An internet connection is needed to download the Yubico open source YubiRADIUS image and the Yubico Personalization Tool. The latter is not needed if YubiRADIUS is used with YubiCloud. If your server environment does not allow direct downloading, then download to a USB drive and use that for transferring the image and applications.

5.4.1 YubiRADIUS image

Both the latest YubiRADIUS image in the selected format and the latest YubiRADIUS Configuration Guide can be downloaded using the following link.
http://www..com/yubiradius
Downloading the image will require about 1 GB of disk space.

5.4.2 Personalization (Programming) tool

The Personalization tool for programming YubiKeys for use with the internal database can be found using the following link.
http://www..com/personalization-tool
Choose between the cross platform tool (Windows, Mac OS X or Linux) or the Multi-configuration tool for Windows. Both can program multiple YubiKeys quickly. Download and install the tool.

5.5 Firewall considerations

If your network is segmented, please make sure that your firewall(s) allow UDP traffic on port 1812 (RADIUS Authentication) between any Access GW and the YubiRADIUS appliance(s). Furthermore, if YubiCloud is used for validation of the YubiKeys, then outbound port 443 (SSL) and port 80 need to be open, allowing the YubiRADIUS server to contact YubiCloud via the REST based web services API. Please note that YubiCloud supports automatic failover; if you want to use the automatic failover you must configure all five servers, i.e. api..com, api2..com, api3..com, api4..com and api5..com. The first, api..com, does not have a number in order to be backwards compatible with older clients using only one server.
Firewall settings
1. Allow the RADIUS Authentication protocol, i.e. open port 1812 UDP between any Access GW and the YubiRADIUS server(s).
2. Make sure the AD or LDAP server can be reached from the YubiRADIUS server. Open port 389 for standard communication or port 636 for LDAPS to AD and LDAP.
3. For use with YubiCloud, also allow port 80 and port 443 from YubiRADIUS to api..com, including api2, 3, 4 and 5 (for failover).
4. The same ports, 80 and 443, are used in the Multi Master setting and the YubiRADIUS Master Slave setting as described below. If either of these is used, make sure your firewall has these ports open between the YubiRADIUS servers.
5. For any troubleshooting, SSH access on TCP port 22 is needed.

5.6 Failover Multi Master planning

YubiRADIUS can be deployed in a Multi Master setting allowing up to three YubiRADIUS servers to synchronize data between the servers in order to work in a failover setting. When used in this setting the different YubiRADIUS servers should preferably be hosted on different virtual platform hosts.

Diagram: two YubiRADIUS instances (Instance 1 and Instance 2) in Multi Master configuration with optional sync between them.

Please note that the YK-VAL database is synchronized between all YubiRADIUS servers (Multi Master). However, for the other databases, i.e. YK-KSM, YK-MAP, YK-ROP and the general configuration, only Master-Slave mode is supported. This means that you should plan which server should be the real master.

5.7 Master Slave Considerations

Multiple YubiRADIUS instances can be configured in a Master Slave configuration. This can be useful if you use the internal database in a setup with a large number of YubiRADIUS slaves, i.e. small offices/home offices having their own YubiRADIUS, but where you would like to minimize communication or when you don't want the YubiKey database to be local at remote locations.

In Master Slave mode, a slave uses the master's database for authentication requests.

Diagram: YubiRADIUS network with Main Office YubiRADIUS (Instance 1 and Instance 2 with optional sync/failover) and YubiRADIUS slaves at local office sites, connected over the Internet.

5.8 Getting YubiKeys

To test and deploy YubiRADIUS you will need some YubiKeys. You can purchase YubiKeys from the Yubico web store https://store..com/ or from one of Yubico's partners and resellers (contact sales@.com for partners and resellers).

6 YubiRADIUS Setup and Configuration

The setup and configuration is handled in a separate document, available using the following link.
http://www..com/yubiradius
Scroll down to the configuration guide.

6.1 Process overview

If possible, for companies with multiple Access GWs, use a spare or commission one of the GWs to be the initial GW for the switchover. Then follow the steps below. At a high level the following needs to be done:
1. Identify the Virtual Appliance Platform infrastructure to use
2. Load the YubiRADIUS image
3. Check firewall settings to allow RADIUS port 1812, port 389 for AD/LDAP communication and web services ports 80/443 if YubiCloud shall be used
4. Import YubiKeys for use of the internal validation server, or point to YubiCloud
5. Import users from AD or LDAP
6. Set up failover and potential slaves
7. Set up the Access GW or other equipment (called RADIUS clients) to use the RADIUS protocol on port UDP 1812 to communicate with YubiRADIUS
8. Create the RADIUS clients for the domain(s) in YubiRADIUS
9. Follow the configuration guide for details

7 YubiKey Deployment

Once the YubiRADIUS system has been set up there are only a few things left to do. Some will depend on whether you used YubiCloud or the on-board Validation Server.

7.1 Deployment for YubiCloud vs. On-board Val. Server

YubiCloud is the simplest way to deploy keys, but even when using the built-in Validation Server deployment is quite easy. When using YubiCloud you can use standard YubiKeys directly from the store. In some situations you can even ask your users to buy their YubiKeys online, so that you don't have to keep any inventory of YubiKeys, and the first time the users use their YubiKey it will be tied to them in the system. When using the on-board Validation Server you will need to import the corresponding YubiKeys' AES keys before the YubiKeys can be used with the system.

7.2 Auto-deployment

YubiRADIUS supports auto-deployment, which is the absolutely easiest way to deploy keys. Using the auto-deployment feature you don't have to worry about any manual steps in assigning a YubiKey to a user. Instead the YubiKey is automatically assigned to the user's id at first use. No administrator or helpdesk person needs to be involved in the process (unless you want them to). The YubiRADIUS auto-deployment feature will automatically tie a YubiKey to a valid user the first time the key is used and the username and password portion is successfully authenticated by AD or LDAP.

7.3 Helpdesk Considerations

Order some extra YubiKeys to have on hand at the helpdesk for people who call in to the helpdesk function and have forgotten their YubiKeys at home.

7.4 Programming considerations

When programming YubiKeys for use with the internal Validation Server you have several options. Most convenient is to ask Yubico to program the YubiKeys to work with your own Validation Server. The second best thing is to order standard YubiKeys and reprogram them when they arrive. Go to http://www..com/personalization-tool for more information on how to program them.
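To make the binding-at-first-use rule of section 7.2 concrete, here is an added simulation (not YubiRADIUS's own code) in which the AD/LDAP check and the OTP validation are stubbed as callables: a YubiKey is bound to a user only after both factors pass on a first login, and later logins must present the same key. It assumes the OTP has already been split off the password as in the earlier example, that a key already bound to one user is never auto-bound to a second, and that the stubs ignore OTP replay detection, which a real YubiCloud or YK-VAL validator performs.

```python
"""Simulation of the binding-at-first-use (auto-deployment) rule.

Added illustration, not YubiRADIUS's own code.  The directory bind and the
OTP validation (YubiCloud or the internal YK-VAL) are stubbed as callables so
the binding logic can be exercised offline."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable

PUBLIC_ID_LEN = 12  # the 12-character YubiKey ID that prefixes every OTP


@dataclass(frozen=True)
class AuthResult:
    ok: bool
    reason: str


@dataclass
class YubiRadiusSim:
    # Stub for the AD/LDAP check: (username, password) -> accepted?
    directory_check: Callable[[str, str], bool]
    # Stub for OTP validation: (otp) -> valid?  A real validator (YubiCloud /
    # YK-VAL) also rejects replayed OTPs; this stub does not model that.
    otp_check: Callable[[str], bool]
    auto_deploy: bool = True
    # User id -> YubiKey public id (the UID - YubiKey mapping database).
    bindings: dict[str, str] = field(default_factory=dict)

    def authenticate(self, username: str, password: str, otp: str) -> AuthResult:
        """Both factors must pass before any binding decision is taken."""
        if not self.directory_check(username, password):
            return AuthResult(False, "directory rejected username/password")
        if not self.otp_check(otp):
            return AuthResult(False, "OTP validation failed")

        public_id = otp[:PUBLIC_ID_LEN]
        bound = self.bindings.get(username)
        if bound is None:
            if not self.auto_deploy:
                return AuthResult(False, "no YubiKey assigned to this user")
            # Assumption of this simulation: a key already bound to another
            # user is never silently re-bound to a second user.
            if public_id in self.bindings.values():
                return AuthResult(False, "YubiKey already bound to another user")
            self.bindings[username] = public_id
            return AuthResult(True, "first use: YubiKey bound to user")
        if bound != public_id:
            return AuthResult(False, "OTP from a YubiKey not bound to this user")
        return AuthResult(True, "authenticated")


if __name__ == "__main__":
    # Constructed sample directory and OTPs (public id + 32 filler characters).
    directory = {"alice": "pw-a", "bob": "pw-b"}
    sim = YubiRadiusSim(lambda u, p: directory.get(u) == p,
                        lambda otp: len(otp) == 44)
    otp_alice = "cccccccccccc" + "v" * 32
    print(sim.authenticate("alice", "wrong", otp_alice))  # rejected, nothing bound
    print(sim.authenticate("alice", "pw-a", otp_alice))   # bound at first use
    print(sim.bindings)
```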

8 Summary

It is very straightforward to replace your legacy Two-Factor Authentication (TFA) with the YubiKey/YubiRADIUS solution.

8.1 Benefits when switching to YubiRADIUS

Compared to many other legacy solutions you will benefit in the following way when using YubiRADIUS. The following features help in the switchover from legacy solutions:
1. Users may use their regular Active Directory (or LDAP) username and password; no need for a different or temporary password.
2. Import of users based on Active Directory group membership or OUs, making it possible to gradually switch users to the new solution.
3. Import of YubiKeys without initial binding to users (see Auto-deployment).
4. Auto-deployment: a YubiKey is assigned at first login (binding at first use).

8.2 Summary of the steps involved in the switch

At a high level the following needs to be done:
1. Load YubiRADIUS on the virtualization platform infrastructure
2. Configure the firewall to allow RADIUS, AD/LDAP and web services (if YubiCloud)
3. Import YubiKeys if the internal validation server is used (not YubiCloud)
4. Import users from AD or LDAP
5. Set up failover and slaves
6. Create the RADIUS clients for the domain(s) in YubiRADIUS
7. Test functionality with the built in RadTest RADIUS client
8. Configure the Access GW for RADIUS and YubiRADIUS
This process only takes a few hours to complete, after which you will be ready to start using the Yubico solution.

8.3 Auto-Deployment

Using the auto-deployment feature you don't have to worry about any manual steps in assigning a YubiKey to a user. Instead the YubiKey is automatically assigned to the user's id at first use. No administrator or helpdesk needs to be involved in the process (unless you want them to).