YubiRADIUS Deployment Guide for corporate remote access
How to Guide
May 15, 2012

Introduction

Yubico is the leading provider of simple, open online identity protection. The company's flagship product, the YubiKey, uniquely combines driverless USB hardware with open source software. More than a million users in 100 countries rely on YubiKey strong two-factor authentication for securing access to computers, mobile devices, networks and online services. Customers range from individual Internet users to e-governments and Fortune 500 companies. Founded in 2007, Yubico is privately held with offices in California, Sweden and the UK.

Disclaimer

The contents of this document are subject to revision without notice due to continued progress in methodology, design, and manufacturing. Yubico shall have no liability for any error or damages of any kind resulting from the use of this document. The Yubico Software referenced in this document is licensed to you under the terms and conditions accompanying the software or as otherwise agreed between Yubico and you or the company that you are representing.

Trademarks

Yubico and YubiKey are trademarks of Yubico Inc.

Contact Information

Yubico Inc, 228 Hamilton Avenue, 3rd Floor, Palo Alto, CA 94301, USA. info@.com

YubiRADIUS Deployment Guide for corporate remote access. 2012 Yubico. All rights reserved. Page 2 of 19

Contents

Introduction
Disclaimer
Trademarks
Contact Information
1 Document Information
1.1 Purpose
1.2 Audience
1.3 References
1.4 Version
1.5 Definitions
2 Introduction
2.1 Two-Factor Authentication (TFA) Systems
3 Overview
3.1 Yubico open source TFA authentication architecture
3.2 Yubico Open Source Solution
3.2.1 YubiKey
3.2.2 YubiRADIUS
3.2.3 YubiCloud vs. On-board Validation Server
3.2.4 Supports both single domain as well as multi domain
4 Prerequisites
4.1 Remote Access Product supporting RADIUS
4.2 Virtualization platform to host YubiRADIUS
4.2.1 Image requirements
4.3 One or more YubiKey(s)
4.4 Active Directory or LDAP Directory server
5 Planning and preparations
5.1 Access GW supporting RADIUS
5.2 YubiCloud vs. Built in validation Server
5.3 Virtual Appliance Platform
5.4 Internet connection for downloading
5.4.1 YubiRADIUS image
5.4.2 Personalization (Programming) tool
5.5 Firewall considerations
5.6 Failover Multi Master planning
5.7 Master Slave Considerations
5.8 Getting YubiKeys
6 YubiRADIUS Setup and Configuration
6.1 Process overview
7 YubiKey Deployment
7.1 Deployment for YubiCloud vs. On-board Val. Server
7.2 Auto-deployment
7.3 Helpdesk Considerations
7.4 Programming considerations
8 Summary
8.1 YubiRADIUS benefits
8.2 Summary of the steps involved in the deployment
8.3 Auto-Deployment

1 Document Information

1.1 Purpose

The purpose of this document is to guide readers through the steps of deploying a two-factor authentication infrastructure using the open source based YubiRADIUS infrastructure from Yubico.

1.2 Audience

This document is intended for technical staff of Yubico customers who want to implement YubiKey-based two-factor authentication with YubiRADIUS to secure access to corporate resources, for example through a remote access service or VPN.

1.3 References

Part of the Yubico YubiRADIUS solution is based on the open source FreeRADIUS and Webmin software.

1.4 Version

This version is released to the Yubico community as a how-to guide.

1.5 Definitions

Term: Definition
YRVA: Yubico's YubiRADIUS Virtual Appliance
VPN: Virtual Private Network
SSL: Secure Sockets Layer
RADIUS: Remote Authentication Dial In User Service. The RADIUS protocol is used to communicate between access equipment, such as a VPN gateway, and the RADIUS server.
PIN: Personal Identification Number
OTP: One Time Password
OVF: Open Virtualization Format, a standard image format supported by the major virtualization platform vendors
YubiKey ID: The 12 character (48 bit) public identifier of a YubiKey
AD: Active Directory
LDAP: Lightweight Directory Access Protocol. Refers both to the communication protocol and to a lightweight directory service for finding information about users and other resources in a network.
TFA: Two-Factor Authentication

2 Introduction

Yubico's mission is to make Internet identification secure, easy, and affordable for everyone. The company offers a physical authentication device/token, the YubiKey, which is used to provide secure authentication to web services and various other applications. The YubiKey is a tiny, key-sized, one-button authentication device that emulates a USB keyboard and is designed to generate a unique user identity and a one-time password (OTP) without requiring any software to be installed on end users' computers. The YubiKey is The Key to the Cloud.

2.1 Two-Factor Authentication (TFA) Systems

Organizations frequently rely on the powerful and flexible authentication mechanism provided by the RADIUS protocol. A RADIUS server combined with an industry standard VPN or SSL VPN solution provides a robust and flexible remote access solution. In any remote access scenario two-factor authentication is highly recommended, and in many cases it is required for compliance with industry regulation, for example PCI compliance. The sections below cover the considerations in planning, and the steps involved in deploying, a TFA solution with YubiKey tokens and the YubiRADIUS virtual appliance infrastructure.

3 Overview

When migrating from a username and password only remote access solution to a TFA solution from Yubico, you will frequently find many similarities, and the task is therefore easier than perhaps first anticipated. Depending on the size of the organization, the logistics leading up to the actual switchover will be the biggest part of the planning. Yubico has implemented important features in YubiRADIUS for easy deployment and migration from password only solutions. The following features help in the migration:

1. Users may continue to use their regular Active Directory (or LDAP) username and password; there is no need for a different or temporary password.
2. Import of users based on Active Directory group membership or OUs, making it possible to switch users to the new solution gradually.
3. Import of YubiKeys without initial binding to users (see Auto-deployment).
4. Auto-deployment: a YubiKey is automatically assigned to the user at first login (binding at first use).

We will go through the list above in more detail in the sections below.

3.1 Yubico open source TFA authentication architecture

The diagram below describes the YubiRADIUS open source based infrastructure. As in a password only solution, an access gateway (e.g. Cisco ASA) or VPN server (e.g. OpenVPN) is connected to YubiRADIUS via the RADIUS protocol.

3.2 Yubico Open Source Solution

The YubiKey is a small USB-connected OTP device that, combined with the organization's Active Directory (or LDAP) and the Yubico open source based YubiRADIUS server, provides simple and secure TFA access to applications.

3.2.1 YubiKey

The YubiKey is recognized as a USB keyboard, so it works on all computer platforms without any client software (Windows, Linux, Mac, iPad, newer Android, etc.). With a simple touch on the YubiKey it automatically generates and types a unique identity and a One-Time Password (OTP) via the keyboard interface into the active field or window. Combined with a PIN or password (checked against your LDAP or Active Directory database), the YubiKey provides strong two-factor authentication. The YubiKey is manufactured in Sweden with an auditable process for secrets.

3.2.2 YubiRADIUS

The Yubico YubiRADIUS Virtual Appliance is a FreeRADIUS based solution built on open source components. It provides an organization with YubiKey based two-factor authentication for remote access in which the password part is checked against the organization's own (existing) AD (Active Directory) or LDAP, so that users only have to remember their normal network password, and the YubiKey part is validated either using YubiCloud, the Yubico online validation service, or an on-site Yubico Validation and Key Management Server combination.

Deployment of YubiKeys can be as easy as sending out YubiKeys to users without prior registration; the YubiKey-to-user binding is then handled automatically upon first use by the YubiRADIUS Virtual Appliance, which also supports several other, more traditional deployment methods.

Deployment of the YubiRADIUS Virtual Appliance itself requires no changes to the organization's AD/LDAP schema, which is an important factor for most organizations. Furthermore, the standard username and password authentication interface is used for the Yubico two-factor authentication as well, so there is no client side software to install.

Additionally, the YubiRADIUS Virtual Appliance supports multiple domains, so that it can be used in more involved deployments such as those of a large organization or a security service provider. Each domain configuration works separately and has its own configuration settings.

Finally, to make it easy for customers to quickly deploy a solution, Yubico provides a ready to deploy YubiRADIUS Virtual Appliance as an OVF image and as a VMware image, with all needed components.

3.2.3 YubiCloud vs. On-board Validation Server

YubiRADIUS can be configured to validate YubiKeys either by using the YubiCloud (easiest deployment) or by using the built-in internal Validation Server.

Diagram: OTP validation through YubiCloud or On-board Validation Server.

3.2.4 Supports both single domain as well as multi domain

YubiRADIUS can be used in an ISP setting serving multiple organizations, or in an organization that has multiple domains with a separate AD or LDAP per domain. The only difference between single and multiple domains/organizations is that in a multiple domain/organization deployment the user name must be followed by a fully qualified domain name, which selects the domain configuration (and therefore the directory) used for that login. In both cases the user types the AD/LDAP password immediately followed by the YubiKey OTP into the single password field, and YubiRADIUS separates the two parts.

Single domain:
  ID: Username
  PW: Password + OTP

Multi domain or multi organization:
  ID: Username@domain.organization.com
  PW: Password + OTP
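As an added example, not code from this guide or from YubiRADIUS, the following Python splits both credential formats above into their parts the way a RADIUS back end has to before it can check each factor. It assumes the YubiKey OTP is the trailing 44 modhex characters of the password field (the 12-character public ID from section 1.5 followed by 32 characters), which is the standard YubiKey OTP length; the Credential class and function names are this example's own.

```python
"""Separate 'Username[@domain]' and 'Password + OTP' into their parts.

Added example, not YubiRADIUS code. Assumption: the OTP is the last 44
modhex characters of the password field (12-character public ID followed
by 32 characters), the standard YubiKey OTP length.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

MODHEX_ALPHABET = "cbdefghijklnrtuv"   # the 16 characters a YubiKey types
OTP_LEN = 44
PUBLIC_ID_LEN = 12                     # the "YubiKey ID" of section 1.5
_OTP_AT_END = re.compile(r"[%s]{%d}$" % (MODHEX_ALPHABET, OTP_LEN))


@dataclass(frozen=True)
class Credential:
    username: str
    domain: Optional[str]   # None in a single-domain deployment
    password: str           # to be checked against AD/LDAP
    public_id: str          # first 12 characters of the OTP, used for user-to-key binding
    otp: str                # full 44-character OTP, sent to YubiCloud or the on-board validator


def split_user(user_field: str) -> Tuple[str, Optional[str]]:
    """'alice' -> ('alice', None); 'alice@corp.example.com' -> ('alice', 'corp.example.com')."""
    name, sep, domain = user_field.rpartition("@")
    if not sep:
        return user_field, None
    if not name or not domain:
        raise ValueError("multi-domain user name must be username@domain")
    return name, domain.lower()


def looks_like_otp_field(pw_field: str) -> bool:
    """True if the field ends in a 44-character modhex OTP with a non-empty password before it."""
    return len(pw_field) > OTP_LEN and _OTP_AT_END.search(pw_field) is not None


def split_password_otp(pw_field: str) -> Tuple[str, str]:
    """Separate 'Password + OTP' into (password, otp); the OTP is always the last 44 characters."""
    if not looks_like_otp_field(pw_field):
        raise ValueError("password field must be the password followed by a 44-character OTP")
    return pw_field[:-OTP_LEN], pw_field[-OTP_LEN:]


def parse_credential(user_field: str, pw_field: str) -> Credential:
    """Parse the RADIUS User-Name and the cleartext (PAP) User-Password values."""
    username, domain = split_user(user_field)
    password, otp = split_password_otp(pw_field)
    return Credential(username, domain, password, otp[:PUBLIC_ID_LEN], otp)


if __name__ == "__main__":
    # Constructed sample: a made-up password followed by a made-up OTP.
    sample_otp = "cccccccccccc" + "d" * 32
    print(parse_credential("alice@Corp.Example.com", "Pa55word" + sample_otp))
```

Because the OTP has a fixed length and a fixed alphabet, the split is unambiguous even when the password itself ends in modhex characters. The parser refuses a field that is exactly one OTP long: such a request carries only one factor and must not be treated as a password-less login.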

4 Prerequisites

The following are the prerequisites for deploying the YubiRADIUS two-factor authentication solution.

4.1 Remote Access Product supporting RADIUS

The access product must support the RADIUS protocol.

4.2 Virtualization platform to host YubiRADIUS

You need a virtualization platform such as VMware Server/ESX or similar to host the YubiRADIUS image. The image is available in two formats: VMware format, or OVF (Open Virtualization Format), which is supported by many vendors such as Red Hat, IBM, VMware and others. Read more about OVF here: http://en.wikipedia.org/wiki/open_virtualization_format

4.2.1 Image requirements

The out of the box recommended image requirements are:
1 processor
256 MB memory
8 GB disk

4.3 One or more YubiKey(s)

For more information regarding the YubiKey, please visit the following link: http://www..com/products/yubikey/

4.4 Active Directory or LDAP Directory server

The Yubico YubiRADIUS Virtual Appliance (YRVA) supports username and password authentication against an external Active Directory/LDAP directory or against the internal LDAP provided by the built-in OpenLDAP server. To deploy and test the YRVA solution, either an Active Directory/LDAP external to the image, such as the company directory, or the OpenLDAP server configurable on the image must be used. YubiRADIUS comes with OpenLDAP preconfigured with 5 test users for easy testing, but this directory can also be used in a test deployment, or in a production deployment in an organization that wants different passwords for remote access and network access.

5 Planning and preparations

To deploy the YubiRADIUS TFA solution the following prerequisites, planning and preparations must be taken into consideration. In brief, this section covers:

1. Access GW supporting RADIUS
2. YubiCloud or built-in database
3. Virtual appliance platform
4. Internet connection for downloading the YubiRADIUS image and the YubiKey Personalization (Programming) tool
5. Firewall planning and preparation
6. YubiRADIUS failover: multiple YubiRADIUS servers configured to avoid a single point of failure
7. Master/Slave considerations
8. Getting YubiKeys

5.1 Access GW supporting RADIUS

The first requirement is that the access gateway, or any other access equipment such as a firewall with VPN functionality or a VPN gateway, supports RADIUS and the related requirements listed below. Please verify the following:

1. The RADIUS protocol must be supported.
2. The RADIUS authentication port must be set to UDP port 1812.
3. The authentication method must be PAP (not CHAP, nor MS-CHAP/MS-CHAPv2). YubiRADIUS must receive the password field in the clear so that it can split it into the AD/LDAP password and the appended OTP; the CHAP variants only carry a hash of the field, which cannot be split.
4. The RADIUS server IP address or DNS name can be configured.
5. The RADIUS shared secret can be configured. With PAP the password field is protected on the wire only by the RADIUS shared-secret obfuscation, so use a long, random secret and keep the path from the gateway to YubiRADIUS on a trusted network segment.

5.2 YubiCloud vs. Built in validation Server

The YubiRADIUS virtual appliance can use either the built-in Validation Server or validation using the YubiCloud. To use the built-in Validation Server you will need an import file for the YubiKeys. There are two ways to get this:

1. If you order at least 500 YubiKeys you can ask Yubico to program the YubiKeys in such a way that you receive an encrypted copy of the information (AES keys etc.) needed for import on the Validation Server (on a CD or USB drive).
2. Alternatively, you can simply reprogram the YubiKeys you buy from the Yubico store using the Personalization (programming) tool. See below.
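To make the PAP requirement of section 5.1 concrete, here is an added Python example (not YubiRADIUS or FreeRADIUS code) that builds a RADIUS Access-Request the way the access gateway does and recovers the cleartext User-Password the way the server does, following RFC 2865. Only the two attributes that matter here are implemented; the shared secret, user name and the "Password + OTP" value used in the usage are constructed for the example.

```python
"""RADIUS Access-Request with a PAP User-Password, per RFC 2865.

Added example, not YubiRADIUS code. The User-Password attribute is hidden
with MD5(secret + authenticator) and recovered in the clear by the server,
which can then split off the trailing YubiKey OTP; with CHAP the server
would only see a hash of the whole field.
"""
import hashlib
import os
import struct
from typing import Dict, Optional

ACCESS_REQUEST = 1       # RADIUS code (RFC 2865 section 3)
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def _hide(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-octet block with MD5(secret + previous hidden block)."""
    if len(authenticator) != 16 or not data or len(data) % 16:
        raise ValueError("authenticator must be 16 octets and data a non-empty multiple of 16")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        xored = bytes(a ^ b for a, b in zip(block, key))
        out += xored
        prev = block if decrypt else xored   # the chain always runs over the on-the-wire block
    return bytes(out)


def encode_user_password(password: str, secret: bytes, authenticator: bytes) -> bytes:
    plain = password.encode("utf-8")
    if not plain or len(plain) > 128:
        raise ValueError("User-Password must be 1..128 octets")
    plain += b"\x00" * (-len(plain) % 16)      # pad to a whole number of blocks
    return _hide(plain, secret, authenticator, decrypt=False)


def decode_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> str:
    return _hide(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00").decode("utf-8")


def _attribute(atype: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(username: str, password: str, secret: bytes,
                         identifier: int = 0, authenticator: Optional[bytes] = None) -> bytes:
    """What the access gateway (RADIUS client) sends to YubiRADIUS on UDP port 1812."""
    authenticator = authenticator or os.urandom(16)   # Request Authenticator, fresh per request
    attrs = _attribute(ATTR_USER_NAME, username.encode("utf-8"))
    attrs += _attribute(ATTR_USER_PASSWORD, encode_user_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet: bytes, secret: bytes) -> Dict[str, object]:
    """What the server recovers: the cleartext password field, ready to be split into password + OTP."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    authenticator = packet[4:20]
    result: Dict[str, object] = {"identifier": identifier}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_USER_NAME:
            result["user_name"] = value.decode("utf-8")
        elif atype == ATTR_USER_PASSWORD:
            result["user_password"] = decode_user_password(value, secret, authenticator)
        pos += alen
    return result


if __name__ == "__main__":
    # Constructed sample: made-up shared secret, password and OTP.
    secret = b"s3cret-shared-with-the-gateway"
    pw_plus_otp = "Pa55word" + "cccccccccccc" + "d" * 32
    pkt = build_access_request("alice", pw_plus_otp, secret, identifier=7)
    print(parse_access_request(pkt, secret))
```

Two practical checks fall out of this. RFC 2865 caps User-Password at 128 octets, so with a 44-character OTP appended at most 84 characters remain for the AD/LDAP password; compare that with your password policy. And the hiding is a single MD5 keyed only by the shared secret, which is why the firewall section below restricts UDP 1812 to the gateway-to-YubiRADIUS path rather than relying on the protocol for confidentiality.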

5.3 Virtual Appliance Platform

The YubiRADIUS virtual appliance is available in VMware Player/Server format or as an Open Virtualization Format (OVF) image for infrastructure such as VMware ESX. Select a virtualization platform, either:

1. a virtualization platform supporting the OVF image format, or
2. VMware Server or VMware Player using the native format.

Once you have selected a virtualization platform, make sure it is prepared to have an image uploaded to it.

5.4 Internet connection for downloading

An Internet connection is needed to download the Yubico open source YubiRADIUS image and the Yubico Personalization Tool. The latter is not needed if YubiRADIUS is used with YubiCloud. If your server environment does not allow direct downloading, download to a USB drive and use that to transfer the image and applications.

5.4.1 YubiRADIUS image

Both the latest YubiRADIUS image in the selected format and the latest YubiRADIUS Configuration Guide can be downloaded using the following link: http://www..com/yubiradius
Downloading the image requires a bit less than 1 GB of disk space.

5.4.2 Personalization (Programming) tool

The Personalization tool for programming YubiKeys for use with the internal database can be found using the following link: http://www..com/personalization-tool
Choose between the cross-platform tool (Windows, Mac OS X or Linux) and the Multi-configuration tool for Windows. Both can program multiple YubiKeys quickly. Download and install the tool.

5.5 Firewall considerations

If your network is segmented, make sure that your firewall(s) allow UDP traffic on port 1812 (RADIUS authentication) between any access GW and the YubiRADIUS appliance(s). Furthermore, if YubiCloud is used for validation of the YubiKeys, outbound TCP ports 443 (SSL) and 80 need to be open so that the YubiRADIUS server can contact YubiCloud via its REST based web services API. Limit that rule to the YubiCloud hosts listed below rather than allowing outbound 80/443 from the appliance in general.

Please note that YubiCloud supports automatic failover. To use the automatic failover you must configure all five servers, i.e. api..com, api2..com, api3..com, api4..com and api5..com. The first, api..com, has no number in order to be backwards compatible with older clients that use only one server.

Firewall settings:

1. Allow the RADIUS authentication protocol, i.e. open UDP port 1812 between any access GW and the YubiRADIUS server(s).
2. Make sure the AD or LDAP server can be reached from the YubiRADIUS server: open TCP port 389 for standard LDAP or TCP port 636 for LDAPS to the AD or LDAP server. Prefer 636 (LDAPS) where the directory supports it; unless STARTTLS is negotiated, a simple bind over port 389 sends the user's password to the directory in the clear.
3. For use with YubiCloud, also allow TCP ports 80 and 443 from YubiRADIUS to api..com and api2, 3, 4 and 5 (for failover).
4. The same ports, 80 and 443, are used in the Multi Master setting and in the YubiRADIUS Master/Slave setting described below. If either is used, make sure your firewall has these ports open between the YubiRADIUS servers.
5. For troubleshooting, SSH access on TCP port 22 is needed.

5.6 Failover Multi Master planning

YubiRADIUS can be deployed in a Multi Master setting that allows multiple YubiRADIUS servers to synchronize authentication data between them in order to work in a failover setting. When used in this setting, the different YubiRADIUS servers should preferably be hosted on different virtual platform hosts.

Drawing of two YubiRADIUS instances in a Multi Master Configuration: YubiRADIUS Instance 1 <-- Optional Sync --> YubiRADIUS Instance 2.

Please note that the YK-VAL database is synchronized between all YubiRADIUS servers (Multi Master). For the other databases, i.e. YK-KSM, YK-MAP and YK-ROP, and for the general configuration, only synchronization of certain data is supported (see the configuration guide).

5.7 Master Slave Considerations

Multiple YubiRADIUS instances can be configured in a Master/Slave configuration. This can be useful if you use the internal database in a setup with a large number of YubiRADIUS slaves, i.e. small offices/home offices having their own YubiRADIUS, where you would like to minimize communication or where you don't want the YubiKey database to be stored locally at remote locations. In a Master/Slave setup the slaves use the master's database to answer authentication requests.

Drawing of YubiRADIUS in Master-Slave Configuration: YubiRADIUS slaves at the local office sites reach, over the Internet, the main office YubiRADIUS network with YubiRADIUS Instance 1 and Instance 2 (optional sync/failover).

5.8 Getting YubiKeys

To test and deploy YubiRADIUS you will need some YubiKeys. You can purchase YubiKeys from the Yubico web store, https://store..com/, or from one of Yubico's partners and resellers (contact sales@.com for partners and resellers).

6 YubiRADIUS Setup and Configuration

Setup and configuration is covered in a separate document, available via the following link: http://www..com/yubiradius
Scroll down to the link for the configuration guide and click the link.

6.1 Process overview

If possible, for companies with multiple access GWs, use a spare GW or commission one of the GWs as the initial GW for the switchover. Then follow the steps below. At a high level the following needs to be done:

1. Identify the virtual appliance platform infrastructure to use.
2. Load the YubiRADIUS image.
3. Check firewall settings to allow RADIUS (UDP port 1812), AD/LDAP communication (TCP port 389 or 636) and web services (TCP ports 80/443) if YubiCloud is to be used.
4. Import YubiKeys for use with the internal validation server, or point YubiRADIUS to YubiCloud.
5. Import users from AD or LDAP.
6. Set up failover and, if wanted, slaves.
7. Set up the access GW or other equipment (the RADIUS clients) to use the RADIUS protocol on UDP port 1812 to communicate with YubiRADIUS.
8. Create the RADIUS clients for the domain(s) in YubiRADIUS.

Follow the configuration guide for details.

7 YubiKey Deployment

Once the YubiRADIUS system has been set up there are only a few things left to do. Some depend on whether you use YubiCloud or the on-board Validation Server.

7.1 Deployment for YubiCloud vs. On-board Val. Server

YubiCloud is the simplest way to deploy keys, but deployment with the built-in Validation Server is also quite easy. When using YubiCloud you can use standard YubiKeys purchased directly from the store. In some situations you can even ask your users to buy their YubiKeys online, so that you don't have to keep any inventory of YubiKeys; the first time a user uses the YubiKey it is tied to them in the system. When using the on-board Validation Server you must import the AES keys of the corresponding YubiKeys before the YubiKeys can be used with the system.

7.2 Auto-deployment

YubiRADIUS supports auto-deployment, which is the easiest way to deploy YubiKeys. Using the auto-deployment feature you don't have to worry about any manual steps in assigning a YubiKey to a user. Instead, the YubiKey is automatically assigned to the user's ID at first use. No administrator or helpdesk person needs to be involved in the process (unless you want them to be). The auto-deployment feature ties a YubiKey to a valid user the first time the key is used, provided the username and password portion is successfully authenticated by AD or LDAP (the OTP itself is validated on that login as on every other).

Note that with auto-deployment the first successful login is what creates the binding, so until a user has logged in once, that account is protected by the AD/LDAP password alone together with whichever YubiKey is presented. Distribute keys through a trusted channel, ask users to log in promptly, and review newly created bindings.

7.3 Helpdesk Considerations

Order some extra YubiKeys to keep on hand at the helpdesk for people who call in because they have forgotten their YubiKey at home.

7.4 Programming considerations

When programming YubiKeys for use with the internal server you have several options. The most convenient is to ask Yubico to program the YubiKeys to work with your own Validation Server. The second best option is to order standard YubiKeys and reprogram them when they arrive. Go to http://www..com/personalization-tool for more information on how to program them.
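The binding rules described in section 3 (import of keys without initial binding), section 7.2 (auto-deployment) and section 7.3 (helpdesk spare keys), as an added example in Python. This is not YubiRADIUS code: the in-memory dictionaries stand in for the appliance's user-to-key mapping (the YK-MAP database named in section 5.6), and the Decision names, the importable_keys allow-list and the assign() helpdesk method are this example's own. It takes the already separated parts of a login, i.e. the user name, the OTP's 12-character public ID, whether AD/LDAP accepted the password and whether the validation server accepted the OTP, and decides whether to accept, accept and bind, or reject.

```python
"""First-use (auto-deployment) binding policy for YubiKey public IDs.

Added example, not YubiRADIUS code. Dictionaries stand in for the
appliance's user-to-key mapping; password and OTP verification happen
elsewhere and arrive here as booleans.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set


class Decision(Enum):
    ACCEPT = "accept"
    ACCEPT_AND_BIND = "accept, key bound to user on first use"
    REJECT_PASSWORD = "reject: AD/LDAP rejected the password"
    REJECT_OTP = "reject: validation server rejected the OTP"
    REJECT_KEY_OWNED_BY_OTHER = "reject: key is bound to a different user"
    REJECT_USER_HAS_OTHER_KEY = "reject: user is already bound to a different key"
    REJECT_KEY_UNBOUND = "reject: key not assigned and auto-deployment not allowed for it"


@dataclass
class KeyMap:
    auto_deploy: bool = True
    # Keys imported "without initial binding": when non-empty, only these may auto-bind.
    importable_keys: Set[str] = field(default_factory=set)
    key_to_user: Dict[str, str] = field(default_factory=dict)
    user_to_key: Dict[str, str] = field(default_factory=dict)

    def owner_of(self, public_id: str) -> Optional[str]:
        return self.key_to_user.get(public_id)

    def assign(self, user: str, public_id: str) -> None:
        """Manual binding by helpdesk/administrator, e.g. handing out a spare key."""
        current = self.key_to_user.get(public_id)
        if current is not None and current != user:
            raise ValueError("key already belongs to another user; unassign it first")
        old_key = self.user_to_key.pop(user, None)   # a user holds exactly one key here
        if old_key is not None:
            self.key_to_user.pop(old_key, None)
        self.key_to_user[public_id] = user
        self.user_to_key[user] = public_id

    def authorize(self, user: str, public_id: str, password_ok: bool, otp_ok: bool) -> Decision:
        # Both factors are checked before any binding decision is taken; a rejected
        # login must never create a binding. Toward the RADIUS client every REJECT_*
        # value becomes the same Access-Reject, so nothing leaks about which check failed.
        if not password_ok:
            return Decision.REJECT_PASSWORD
        if not otp_ok:
            return Decision.REJECT_OTP
        owner = self.owner_of(public_id)
        if owner == user:
            return Decision.ACCEPT
        if owner is not None:
            return Decision.REJECT_KEY_OWNED_BY_OTHER
        if user in self.user_to_key:
            return Decision.REJECT_USER_HAS_OTHER_KEY
        if not self.auto_deploy or (self.importable_keys and public_id not in self.importable_keys):
            return Decision.REJECT_KEY_UNBOUND
        self.assign(user, public_id)          # binding at first use
        return Decision.ACCEPT_AND_BIND


if __name__ == "__main__":
    # Constructed sample: made-up user names and public IDs.
    km = KeyMap()
    print(km.authorize("alice", "cccccccccccc", True, True))   # first use: bound
    print(km.authorize("bob", "cccccccccccc", True, True))     # same key, other user: rejected
```

The allow-list models the difference between the two validation back ends: with YubiCloud any store-bought key can bind on first use (leave importable_keys empty), while with the on-board Validation Server only keys whose AES secrets were imported can ever produce a valid OTP, so listing their public IDs here adds a second, independent gate.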

8 Summary

It is very straightforward to deploy the YubiRADIUS Two-Factor Authentication (TFA) solution.

8.1 YubiRADIUS benefits

The following features help in fast implementation and minimal support:

1. Users may use their regular Active Directory (or LDAP) username and password; there is no need for a different or temporary password.
2. Import of users based on Active Directory group membership or OUs, making it possible to add users to the new solution gradually.
3. Import of YubiKeys without initial binding to users (see Auto-deployment).
4. Auto-deployment: a YubiKey is assigned at first login (binding at first use).

8.2 Summary of the steps involved in the deployment

At a high level the following needs to be done:

1. Load YubiRADIUS on the virtualization platform infrastructure.
2. Configure the firewall to allow RADIUS, AD/LDAP and web services (if YubiCloud is used).
3. Import YubiKeys if the internal validation server is used (not needed with YubiCloud).
4. Import users from AD or LDAP.
5. Set up failover and, if wanted, slave VAs.
6. Create/set up the RADIUS clients for the domain(s) in YubiRADIUS.
7. Test functionality with the built-in RadTest RADIUS client.
8. Configure the remote access solution for RADIUS.

This process only takes a few hours to complete, after which you will be ready to start using the Yubico solution.

8.3 Auto-Deployment

Using the auto-deployment feature you don't have to worry about any manual steps in assigning a YubiKey to a user. Instead, the YubiKey is automatically assigned to the user's ID at first use. No administrator or helpdesk needs to be involved in the process (unless you want them to be).