Microsoft IAS and NPS Agent Configuration Guide




Powerful Authentication Management for Service Providers and Enterprises

Authentication Service Delivery Made EASY

Agent IAS and NPS (Microsoft) Configuration Guide

Copyright 2014 SafeNet, Inc. All rights reserved.

All attempts have been made to make the information in this document complete and accurate. SafeNet, Inc. is not responsible for any direct or indirect damages or loss of business resulting from inaccuracies or omissions. The specifications contained in this document are subject to change without notice.

SafeNet and SafeNet Authentication Service are either registered with the U.S. Patent and Trademark Office or are trademarks of SafeNet, Inc., and its subsidiaries and affiliates, in the USA and other countries. All other trademarks referenced in this manual are trademarks of their respective owners.

SafeNet hardware and/or software products described in this document may be protected by one or more U.S. patents, foreign patents, or pending patent applications. Please contact SafeNet Support for details of FCC Compliance, CE Compliance, and UL Notification.

Support

If you encounter a problem while installing, registering or operating this product, please make sure that you have read the documentation. If you cannot resolve the issue, contact your supplier or SafeNet Customer Support. SafeNet Customer Support operates 24 hours a day, 7 days a week. Your level of access to this service is governed by the support plan arrangements made between SafeNet and your organization. Please consult this support plan for further information about your entitlements, including the hours when telephone support is available to you.

Contact Method | Contact Information
Address | SafeNet, Inc., 4690 Millennium Drive, Belcamp, Maryland 21017 USA
Phone | United States 1-800-545-6608; International 1-410-931-7520
Email | support@safenet-inc.com
Technical Support Customer Portal | https://serviceportal.safenet-inc.com (existing customers with a Technical Support Customer Portal account can log in to manage incidents, get the latest software upgrades, and access the SafeNet Knowledge Base)

Document Part Number: 007-012390-002

Publication History

Date | Changes | Version
2014.03.27 | Updates for 3.3.2 release | A
2014.03.18 | Changed references to Cryptocard and BlackShield ID where relevant. | 1.3
2014.02.26 | Changed Copyright year, and references to Cryptocard and BlackShield ID where relevant. | 1.2
2012.06.30 | Updates to reflect SafeNet branding. | 1.1
2010.08.24 | Document created | 1.0

Contents

Applicability
Overview
Installation
Configuring Microsoft IAS for RADIUS Clients
Installing the SAS Agent for IAS
Configuring IAS to use SAS Agent
    Creating a Remote Access Policy
    Creating a Connection Request Policy
Configuring Microsoft NPS for RADIUS Clients
Installing SAS Agent for NPS
Configuring NPS to Use the SAS Agent
    Creating a Connection Request Policy
Configuring SAS Agent for IAS / NPS

Applicability

The information in this document applies to:

SafeNet Authentication Service (SAS): A cloud authentication service of SafeNet Inc.

SafeNet Authentication Service Service Provider Edition (SAS-SPE): The software used to build a SafeNet authentication service.

SafeNet Authentication Service Private Cloud Edition (SAS-PCE): A term used to describe the implementation of SAS-SPE/PCE.

Note: References to BlackShield and CRYPTOCard reflect CRYPTOCard branding prior to acquisition by SafeNet. Over time these references will change to reflect SafeNet branding, including program installation locations.

Overview

SAS uses the IAS or NPS RADIUS components of Windows Server 2003, 2008, 2012, or 2012 R2 respectively. To enable SAS to accept RADIUS authentication requests you must:

- Install the Windows IAS or NPS component.
- Install the SAS Agent on the machine hosting IAS or NPS.

RADIUS requests received by IAS/NPS from devices such as VPNs, firewalls and other RADIUS clients are passed to SafeNet Authentication Service via the agent.

SAS SPE/PCE, IAS/NPS and the agent can be installed on the same server. The agent can be configured to fail over to an alternate SAS SPE/PCE server.

Installation

Installation and configuration instructions for use with Microsoft IAS begin with the section Configuring Microsoft IAS for RADIUS Clients.

Installation and configuration instructions for use with Microsoft NPS begin with the section Configuring Microsoft NPS for RADIUS Clients.

The instructions for configuring the Agent after installation are common to both IAS and NPS. Once installation is complete, refer to the section Configuring SAS Agent for IAS / NPS.

Configuring Microsoft IAS for RADIUS Clients

1. Open the Internet Authentication Service Console.
2. Select RADIUS Clients.
3. Right-click client and select New RADIUS Client.
4. Enter the Friendly name of your remote client (e.g. SSL VPN Authentication).
5. Enter the IP address of the client (e.g. the VPN device).
6. Click Next.
7. Select Client-Vendor of RADIUS Standard.
8. Enter the Shared secret. This must match the shared secret on the client end.
9. Enter Confirm shared secret.
10. Click Finish to add the client.

IMPORTANT: These changes will not take effect until the IAS service has been restarted. Do this from the Windows Service manager or from a DOS command prompt as follows:

    C:\> Net stop IAS
    C:\> Net start IAS

Installing the SAS Agent for IAS

Locate and run the Agent installer:

- SAS NPS IAS Agent.exe for 32 bit servers
- SAS NPS IAS Agentx64.exe for 64 bit servers

1. Log on to the server on which IAS or NPS has been installed.
2. Locate and run the SAS Installer:
   - SAS NPS IAS Agent.exe for 32 bit servers
   - SAS NPS IAS Agent x64.exe for 64 bit servers
3. Accept the license agreement to continue with the installation.
4. Enter the hostname or IP address of the primary SafeNet Authentication Service. To use SSL, install a valid certificate on the IAS / NPS server. Tick the check box and add the hostname or IP address of a failover SafeNet Authentication Service if available. Click Next.

Configuring IAS to use SAS Agent

On completion the installer will offer to display the agent configuration documentation. This documentation, as well as an agent configuration management tool, is available through the Start Programs / SafeNet / SAS NPS/IAS Agent program group.

Creating a Remote Access Policy

1. Open the Internet Authentication Service Console.
2. Select the Remote Access Policies.
3. Select the first policy in the right-hand pane, if one exists.
4. Select Remote Access Policies again.
5. Right-click and select New Remote Access Policy. A Wizard should pop up. Click Next to dismiss the welcome dialogue.
6. Select Set up a custom policy.
7. Enter a friendly policy name of Authenticate to SAS.
8. Click Next.

9. Click Add.
10. Select NAS-Port-Type.
11. Click Add.
12. Select Ethernet, then click Add.
13. Select Grant remote access permission.
14. Click Next.
15. Click Next to skip changing the profile.
16. Click Finish to add the policy.

Creating a Connection Request Policy

1. Open the Internet Authentication Service Console.
2. Expand Connection Request Processing.
3. Select Connection Request Policies.
4. Select the first policy in the right-hand pane, if one exists.
5. Select Connection Request Policies again.
6. Right-click and select New Connection request policy.
7. A Wizard should pop up. Click Next.
8. Select A custom policy.
9. Enter a policy name of Allow all users to authenticate with SAS.
10. Click Next.
11. Click Add.
12. Select Day-And-Time-Restriction.
13. Click Add.
14. Click Permitted.
15. Click OK and then click Next.

16. Click Edit Profile.
17. Click Accept Users without validating credentials.
18. Click OK.
19. Click Next.
20. Click Finish to add the policy.

Configuring Microsoft NPS for RADIUS Clients

RADIUS clients are any network access devices/servers or software that require authentication from the SafeNet Authentication Service.

1. Open the Network Policy Server Console.
2. Select RADIUS Clients.
3. Right-click client and select New RADIUS Client.
4. Ensure that the check box for Enable this RADIUS Client is selected.
5. Enter the Friendly name of your remote client (e.g. SSL VPN Authentication).
6. Enter the IP Address of the remote client (e.g. VPN device).
7. Select Vendor name of RADIUS Standard.
8. Select Client-Vendor of RADIUS Standard.
9. Enter the Shared secret. This must match the shared secret on the client.
10. Re-enter the shared secret in the Confirm shared secret field.
11. Click OK to add the client.

IMPORTANT: These changes will not take effect until the Network Policy Server has been restarted.
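
A scripted equivalent of the NPS RADIUS client steps above, as an added example that is not part of the SafeNet guide. It assumes Windows Server 2012 or 2012 R2 with the NPS role and its NPS PowerShell module, run from an elevated prompt; the client address 192.0.2.10 is a constructed placeholder. It generates a random shared secret instead of a typed one and restarts the service so the change takes effect.

```powershell
# Added example, not SafeNet's code. Assumes the NPS PowerShell module
# (Windows Server 2012 / 2012 R2) and an elevated session on the NPS server.
Import-Module NPS

$clientName    = 'SSL VPN Authentication'   # friendly name used in the guide
$clientAddress = '192.0.2.10'               # constructed placeholder address

# Refuse to create a second entry for the same device.
$existing = Get-NpsRadiusClient | Where-Object { $_.Address -eq $clientAddress }
if ($existing) {
    throw "A RADIUS client for $clientAddress already exists: $($existing.Name)"
}

# Generate a 32-byte random shared secret rather than a memorable one.
$bytes = New-Object byte[] 32
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($bytes)
$rng.Dispose()
$sharedSecret = [Convert]::ToBase64String($bytes)

# Same values as the console steps: name, address, RADIUS Standard vendor, secret.
New-NpsRadiusClient -Name $clientName `
                    -Address $clientAddress `
                    -VendorName 'RADIUS Standard' `
                    -SharedSecret $sharedSecret | Out-Null

# The guide states the change takes effect only after a restart.
# The NPS service keeps the service name IAS.
Restart-Service -Name IAS

# Confirm the client is present and enabled.
Get-NpsRadiusClient |
    Where-Object { $_.Name -eq $clientName } |
    Format-List Name, Address, VendorName, Enabled

# Shown once so the same value can be entered on the RADIUS client device.
Write-Output "Shared secret for ${clientName}: $sharedSecret"
```

The secret must be entered unchanged on the RADIUS client; store it in a password vault rather than in the script or its transcript.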

Installing SAS Agent for NPS

Locate and run the Agent installer:

- SAS NPS IAS Agent.exe for 32 bit servers
- SAS NPS IAS Agentx64.exe for 64 bit servers

1. Log on to the server on which IAS or NPS has been installed.
2. Locate and run the SAS Installer:
   - SAS NPS IAS Agent.exe for 32 bit servers
   - SAS NPS IAS Agent x64.exe for 64 bit servers
3. Accept the license agreement to continue with the installation.
4. Enter the hostname or IP address of the primary SafeNet Authentication Service. To use SSL, install a valid certificate on the IAS / NPS server. Tick the check box and add the hostname or IP address of a failover SafeNet Authentication Service if available. Click Next.

Configuring NPS to Use the SAS Agent

On completion the installer will offer to display the agent configuration documentation. This documentation, as well as an agent configuration management tool, is available through the Start Programs / SafeNet / SAS NPS/IAS Agent program group.

Creating a Connection Request Policy

1. Open the Network Policy Server Console.
2. Expand Policies.
3. Select Connection Request Policies.
4. Right-click and select New.
7. The New Connection Request Policy Wizard begins.
8. When prompted, enter a policy name of Allow all users to authenticate with SAS.
9. Under Type of network access server, select Remote Access Server (VPN-Dial up).
10. Click Next.
11. Click Add from the Specify Condition dialog.
12. Select Date and Time Restrictions.
13. Click Add.

14. Select Permitted and click OK.
15. Click Next.
16. In the next dialog select Accept users without validating credentials.
    NOTE: This causes authentication requests to be intercepted by the SAS agent. This setting is required in order to allow the agent to function correctly.
17. Select Next.
18. Select Next.
19. Click Finish to add the policy.
20. Under Connection Request Policies, right-click on Use Windows Authentication for all users and select Disable.

Configuring SAS Agent for IAS / NPS

To launch the SAS Configuration Tool, click Start > All Programs > SAS > SAS NPS IAS Agent > Configuration Tool.

NPS/IAS Settings

The following options can be toggled from the IAS / NPS Settings tab:

- Agent Activation: Turn the SAS NPS Agent on or off.
- IP Address Detection: Provides the ability to detect and send the remote client IP address to SAS.
- Migration Mode: Allows users to proxy the authentication request to the next server listed in the Remote RADIUS Server Groups within NPS or IAS.
- NPS/IAS Trace: Turn on verbose logging within NPS or IAS.

Communication Settings

The following options can be toggled from this tab:

- Authentication Server Settings: Re-configure where the SafeNet Authentication Service resides (also has the ability to send it via SSL). Allows the ability to configure a secondary SafeNet Authentication Service for failover.
- Timeout Settings: Set the maximum timeout value for each authentication attempt.
- Encryption Settings: Browses to the SAS Agent Key File.

Authentication Test

The following options can be toggled from this tab:

- Authentication Test: Allows administrators to test authentication from the agent to the SafeNet Authentication Service.
- Server Status Check: Ability to test if the SafeNet Authentication Service is online.

Logging

The following options can be toggled from this tab:

- Logging Level: Adjust the logging level of the information that will be logged. The default is Log Level 3, which will only log information from Warning to Critical.
- Log File Location: Browses to the location of the log file.

Localization

The following options can be toggled from this tab:

- Edit Resource Strings: Each string is forwarded to the VPN device based on the state of the token during authentication (e.g. Token is in New PIN mode).

Note that the default location of the resource string file is the \languages\en folder. An upgrade of the agent will overwrite any changes made in this directory. To avoid losing changes, refer to Customizing SAS in the Administrator Guide.