DIGIPASS Authentication for Check Point Connectra
With IDENTIKEY Server

Integration Guideline

2009 VASCO Data Security. All rights reserved.

Disclaimer

Disclaimer of Warranties and Limitations of Liabilities

This Report is provided on an 'as is' basis, without any other warranties, or conditions. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security.

Trademarks

DIGIPASS & IDENTIKEY are registered trademarks of VASCO Data Security. All trademarks or trade names are the property of their respective owners. VASCO reserves the right to make changes to specifications at any time and without notice. The information furnished by VASCO in this document is believed to be accurate and reliable. However, VASCO may not be held liable for its use, nor for infringement of patents or other rights of third parties resulting from its use.

Copyright 2009 VASCO Data Security. All rights reserved.

Table of Contents

DIGIPASS Authentication for Check Point Connectra
Disclaimer
Table of Contents
1 Overview
2 Problem Description
3 Solution
4 Technical Concept
4.1 General overview
4.2 Connectra prerequisites
4.3 IDENTIKEY Server Prerequisites
5 Check Point Connectra
5.1 RADIUS configuration
5.2 User configuration
5.3 Group configuration
5.4 Policy configuration
6 IDENTIKEY Server
6.1 Policy configuration
6.2 Client configuration
7 Test Connectra Login
7.1 Response Only
7.2 Challenge/Response
8 About VASCO Data Security

1 Overview

The purpose of this document is to demonstrate how to configure IDENTIKEY Server to work with Check Point Connectra. The Connectra is an SSL-VPN appliance, deployed in an organization's DMZ, that secures all traffic with standards-based SSL. Remote users connect through an easy-to-use web portal and, with the SSL Network Extender, get a secure connection in which they can use all their programs as if they were on the company network. All of this is accessible from one portal page.

With the Connectra it is possible to:
- connect to network shares
- browse the internet and save bookmarks
- start network programs and save shortcuts
- access mail
- use a Citrix environment

2 Problem Description

The Connectra authenticates users against an existing back end (LDAP, RADIUS, local authentication, ...). To use the IDENTIKEY Server with the Connectra, its RADIUS settings need to be added or changed manually.

3 Solution

After configuring the IDENTIKEY Server and Connectra in the right way, you eliminate the weakest link in any security infrastructure: the use of static passwords that are easily stolen, guessed, reused or shared.

Figure 1: Solution

4 Technical Concept

4.1 General overview

The main goal of the Check Point Connectra is to authenticate users securely in order to set up a secure SSL-VPN connection. As the Connectra can authenticate against an external service with RADIUS, we place the IDENTIKEY Server as middleware or as back-end service, so that the authentication is secured with our proven IDENTIKEY software.

4.2 Connectra prerequisites

Please make sure you have a working setup of the Connectra. It is very important that this works correctly before you start implementing the authentication to the IDENTIKEY Server. For this document we used version R66. Older or newer versions should work in the same way, with minor differences in certain areas.

4.3 IDENTIKEY Server Prerequisites

In this guide we assume you already have IDENTIKEY Server installed and working. If this is not the case, make sure you get it working before installing any other features.

5 Check Point Connectra

The Check Point Connectra is managed by the SmartDashboard application, which is part of the SmartConsole applications. This package can be downloaded from the management web interface of the Check Point Connectra.

5.1 RADIUS configuration

Open the SmartDashboard application and connect to the Connectra device that you want to manage. The first thing to do is add the RADIUS server to the configuration. Select Users and Authentication > Authentication > RADIUS Servers and click the New button.

Figure 2: RADIUS configuration (1)

Fill in the necessary details and click OK. For the Host field, if your server is not yet listed, click the New button and add it to the list. Remember that the RADIUS service object uses the older port 1645; the newer port 1812 is used by the NEW-RADIUS service object. Choose the service that matches the port on which IDENTIKEY Server listens for RADIUS; with a mismatch the Connectra typically reports a timeout rather than a rejection. Also select RADIUS Ver. 2.0 Compatible as RADIUS Version.

Figure 3: RADIUS configuration (2)

You will see the entry showing up in the list.

Figure 4: RADIUS configuration (3)

5.2 User configuration

The next step is to configure the external users that will use the Check Point Connectra. Go to Users and Authentication > External Users > External User Profiles and click the New button. Choose to match all users, or to match them by domain.

Figure 5: User configuration (1)

Go to the Authentication tab, choose RADIUS as the Authentication Scheme and select the RADIUS server that you created in the previous step.

Figure 6: User configuration (2)

Figure 7: User configuration (3)

The external user profile will show up in the list.

Figure 8: User configuration (4)

5.3 Group configuration

Once we have created our user profile, we also have to create a group for it. Go to Users and Authentication > Internal Users > User Groups and click the New button.

Figure 9: Group configuration (1)

Enter a group Name and select the external user profile we created in the previous step. Click the OK button to finish.

Figure 10: Group configuration (2)

You will see the group showing up in the next window.

5.4 Policy configuration

Our policy is set up correctly now and we have to publish it to the Check Point Connectra. Go to the Policy > Install menu or select this button:

Figure 11: Policy configuration (1)

Confirm the message to install the policy.

Figure 12: Policy configuration (2)

Once the policy is installed, you will get a success message. Your policy will now be active on the Check Point Connectra.

Figure 13: Policy configuration (3)

6 IDENTIKEY Server

Go to the IDENTIKEY Server web administration page and authenticate with an administrative account.

6.1 Policy configuration

To add a new policy, select Policies > Create.

Figure 14: Policy configuration (1)

Some policies are available by default. You can also create new policies to suit your needs; these can be independent policies or inherit their settings from the default or other policies.

Fill in a policy ID and description, and choose the options that suit your situation. If you want the policy to inherit settings from another policy, select that policy in the Inherits From list; otherwise leave the field at None.

Figure 15: Policy configuration (2)

In the policy options, configure the back-end server the policy should use. This can be the local IDENTIKEY database, but also Active Directory or another RADIUS server; it is normally the back end the Connectra authenticated against before you placed IDENTIKEY Server in front of it. In our example we select our newly created Demo Policy and set it as follows:

Local auth.: Digipass/Password
Back-End Auth.: Default (None)
Back-End Protocol: Default (None)
Dynamic User Registration: Default (No)
Password Autolearn: Default (No)
Stored Password Proxy: Default (No)
Windows Group Check: Default (No Check)

With this policy, authentication happens locally in the IDENTIKEY Server: the credentials forwarded by the Connectra are checked against the local user database, and IDENTIKEY Server answers the client with an Access-Accept or Access-Reject message.

In the Policy tab, click the Edit button and change the Local Authentication to Digipass/Password.

Figure 16: Policy configuration (3)

The user details can keep their default settings.

Figure 17: Policy configuration (4)

6.2 Client configuration

Now create a new component by right-clicking Components and choosing New Component.

Figure 18: Client configuration (1)

As component type choose RADIUS Client. The Location is the IP address of the client, i.e. the address from which the Connectra sends its RADIUS requests; IDENTIKEY Server matches incoming requests to this component by that address. In the Policy field select your newly created policy. Fill in the same shared secret that you entered in the Connectra's RADIUS server object. In our example this was vasco, which is only acceptable in a lab: RADIUS uses the shared secret both to hide the User-Password attribute and to authenticate the server's replies, so in production use a long random secret and a different one for each RADIUS client. Click Create.

Figure 19: Client configuration (2)

Now the client and the IDENTIKEY Server are set up. We will now check whether the configuration is working.

7 Test Connectra Login

Point your web browser to the secure portal page of the Check Point Connectra. In our example this is https://connectra.labs.vasco.com.

7.1 Response Only

Log in with username testuser and, as the password, a one-time password (OTP) generated by the DIGIPASS.

Figure 20: Response Only

When the authentication was successful you will be shown the Connectra portal page.

Figure 21: Challenge / Response (4)

7.2 Challenge/Response

In the IDENTIKEY Server policy you can choose the trigger for challenge/response: a keyword, the password, or a combination of both. In this case the trigger is the password. Enter your username and password and click Sign In.

Figure 22: Challenge / Response (2)

The IDENTIKEY Server returns a challenge, which you type into your PIN-pad enabled DIGIPASS. The DIGIPASS generates a response; type it into the applicable field and click Submit.

Figure 23: Challenge / Response (3)

When the authentication was successful you will be shown the Connectra portal page.

Figure 24: Challenge / Response (4)
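The RADIUS exchange behind sections 6.1 and 7.2 (Access-Request carrying the PAP password, answered by Access-Accept, Access-Reject, or an Access-Challenge followed by a second request that echoes the State attribute) is shown below as an added example; it is not part of the original guide and is not VASCO or Check Point code. It uses only the Python standard library and implements RFC 2865 framing, the User-Password hiding and the Response Authenticator on the client side, plus a toy stand-in for IDENTIKEY Server's Response Only and Challenge/Response policies. The user names, OTP values, challenge text and State value are constructed for the example; the shared secret vasco is the lab value from section 6.2. What the code shows beyond the text is that both the password hiding and the reply authentication are nothing more than MD5 over the shared secret, which is why a lab secret must not reach production, and how a reply produced under a mismatched secret fails verification on the client.

```python
"""RFC 2865 RADIUS exchange modelled on the Connectra -> IDENTIKEY Server flow.
Added example, not VASCO or Check Point code; standard library only. The 'server'
is a toy stand-in for IDENTIKEY policy evaluation with constructed user data."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

def pap_transform(data, secret, authenticator, encrypt):
    """RFC 2865 5.2 password hiding: XOR 16-byte blocks with MD5(secret + previous ciphertext block)."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if encrypt else data[i:i + 16])
    return out if encrypt else out.rstrip(b"\x00")

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, pos = [], 0
    while pos < len(data):
        t, length = struct.unpack("!BB", data[pos:pos + 2])
        attrs.append((t, data[pos + 2:pos + length]))
        pos += length
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])

def access_request(ident, username, password, secret, state=None):
    """Client side (the Connectra): PAP credentials under a fresh random Request Authenticator."""
    auth = os.urandom(16)
    attrs = [(USER_NAME, username), (USER_PASSWORD, pap_transform(password, secret, auth, True))]
    if state is not None:
        attrs.append((STATE, state))  # second leg echoes the State the server issued
    return auth, build_packet(ACCESS_REQUEST, ident, auth, attrs)

def response_authenticator(code, ident, attrs, req_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()

def build_reply(code, ident, attrs, req_auth, secret):
    return build_packet(code, ident, response_authenticator(code, ident, attrs, req_auth, secret), attrs)

def verify_reply(reply, req_auth, secret):
    """Client-side check: a reply forged, replayed, or sent under another secret fails here."""
    code, ident, auth, attrs = parse_packet(reply)
    return auth == response_authenticator(code, ident, attrs, req_auth, secret)

# Toy stand-in for IDENTIKEY Server policies; users, OTPs, challenge and State are constructed.
USERS = {
    b"testuser": {"mode": "response_only", "otp": b"481902"},
    b"crtest": {"mode": "challenge_response", "password": b"Winter2009",
                "challenge": b"73819420", "response": b"560218"},
}
CHALLENGE_STATE = b"idk-chal-1"

def handle_request(pkt, secret):
    code, ident, auth, attrs = parse_packet(pkt)
    a = dict(attrs)
    user = USERS.get(a.get(USER_NAME))
    pw = pap_transform(a[USER_PASSWORD], secret, auth, False)
    def reply(code, extra=()):
        return build_reply(code, ident, list(extra), auth, secret)
    if user is None:
        return reply(ACCESS_REJECT)
    if user["mode"] == "response_only":  # the password field carries the OTP
        return reply(ACCESS_ACCEPT if pw == user["otp"] else ACCESS_REJECT)
    if a.get(STATE) == CHALLENGE_STATE:  # second leg: the DIGIPASS response to the challenge
        return reply(ACCESS_ACCEPT if pw == user["response"] else ACCESS_REJECT)
    if pw == user["password"]:  # first leg: the static password is the challenge trigger
        return reply(ACCESS_CHALLENGE, [(REPLY_MESSAGE, b"Challenge: " + user["challenge"]),
                                        (STATE, CHALLENGE_STATE)])
    return reply(ACCESS_REJECT)

def login(username, first_password, secret, second_password=b"", server_secret=None):
    """Client side of both flows. Returns the final reply code, or None when a reply fails
    Response Authenticator verification (for example, the two sides disagree on the secret)."""
    server_secret = server_secret or secret
    req_auth, pkt = access_request(1, username, first_password, secret)
    reply = handle_request(pkt, server_secret)
    if not verify_reply(reply, req_auth, secret):
        return None
    code, _, _, attrs = parse_packet(reply)
    if code != ACCESS_CHALLENGE:
        return code
    req_auth, pkt = access_request(2, username, second_password, secret, state=dict(attrs)[STATE])
    reply = handle_request(pkt, server_secret)
    return parse_packet(reply)[0] if verify_reply(reply, req_auth, secret) else None
```

login(b"testuser", b"481902", b"vasco") returns ACCESS_ACCEPT for the Response Only flow, and login(b"crtest", b"Winter2009", b"vasco", second_password=b"560218") walks the two-leg Challenge/Response flow. Calling login with server_secret=b"other" returns None: the toy server decrypts the password to garbage, rejects, and signs its reply with its own secret, and the client-side verify_reply correctly refuses it, which is the behaviour you want a real RADIUS client to have when secrets drift apart. Note that the only secret material in the whole exchange is the shared secret, so its length and randomness bound the security of the transport.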

8 About VASCO Data Security

VASCO designs, develops, markets and supports patented Strong User Authentication products for e-business and e-commerce. VASCO's User Authentication software is carried by the end user on its DIGIPASS products, which are small calculator hardware devices, or in a software format on mobile phones, other portable devices, and PCs. At the server side, VASCO's VACMAN products guarantee that only the designated DIGIPASS user gets access to the application. VASCO's target markets are the applications and their several hundred million users that utilize fixed passwords as security. VASCO's time-based system generates a one-time password that changes with every use, and is virtually impossible to hack or break.

VASCO designs, develops, markets and supports patented user authentication products for the financial world, remote access, e-business and e-commerce. VASCO's user authentication software is delivered via its DIGIPASS hardware and software security products. With over 25 million DIGIPASS products sold and delivered, VASCO has established itself as a world-leader for strong User Authentication with over 500 international financial institutions and almost 3000 blue-chip corporations and governments located in more than 100 countries.