
Version 1.6 HOW-TO GUIDELINES
Setting Up a RADIUS Server

Stonesoft Corp.
Itälahdenkatu 22A, FIN-00210 Helsinki, Finland
Tel. +358 (9) 4767 11
Fax. +358 (9) 4767 1234
email: info@stonesoft.com

Copyright 2002 Stonesoft Corp. All rights reserved. All trademarks or registered trademarks are property of their respective owners.

Introduction

This document outlines the steps necessary to configure StoneGate to authenticate users externally to an RSA ACE/Server version 5.0 for Windows NT. This document covers authentication procedures using either password authentication or SecurID tokens. Authentication is accomplished using the RADIUS server running on the RSA ACE/Server as an intermediate agent that processes external authentication requests from a StoneGate cluster. The document assumes the reader possesses basic knowledge of the RSA ACE/Server administration software. Screenshots of the RSA ACE/Server are provided in three appendices, but only a minimum configuration of the RSA ACE/Server is addressed.

Network Configuration Example

The following figure depicts the structure of the final configuration.

ILLUSTRATION 1.1 Final configuration (components shown: SG VPN Client; Management network with Management Server and Log Server; FW; Intranet; RSA ACE/Server as RADIUS server; NT Agent as ACE client)

Setup Requirements

This setup was established with the following components:
- StoneGate Management v. 1.6
- Netscape v. 6
- Microsoft Windows NT platform
- RSA ACE/Server v. 5.0
- RSA ACE/Agent 4.4

Configuration Steps

The RADIUS server setup consists of the following main steps:
1. Before you start
2. RSA ACE/Server installation
3. RADIUS server configuration
4. Authentication service configuration in StoneGate User Manager
5. Using the authentication service in a rule base with StoneGate Security Policy Manager

Before You Start

Updating the hosts File

The RSA ACE/Server must be able to resolve the IP addresses of its RADIUS requesters/clients from their names and vice versa. Thus, if you do not have a DNS server, you have to edit the file \winnt\system32\drivers\etc\hosts and add an entry for each of the nodes in your cluster, as highlighted in Illustration 1.2. You need to register the dedicated IP addresses (NDIs), which are the source addresses that the RSA ACE/Server sees whenever an authentication request is generated by the cluster. Make sure that the current machine IP address of the RSA ACE/Server and of any RSA ACE/Agent is registered in the DNS or located in the hosts file. If you do not have any DNS, enter the NDIs of the cluster. Illustration 1.2 depicts the hosts file.

ILLUSTRATION 1.2 Hosts file update

Note: You need to use the dedicated IP addresses, not the virtual IP addresses of the cluster.

RSA ACE/Server Installation

Before you can start the RADIUS server configuration, you have to install the RSA ACE/Server. For instructions, please see Appendix A RSA ACE/Server Installation on page 40.
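The hosts-file requirement above (every RADIUS client registered under its NDI and resolvable in both directions) is easy to get half right, and the Troubleshooting section later in this guide shows the reverse-lookup failure that results. The following Python script is an added example and is not part of the Stonesoft guide: it parses a constructed hosts file in the Windows NT layout and checks, for each expected RADIUS client, that the name maps to its NDI, that the NDI maps back to the name, and that a cluster virtual IP (CVI) was not registered by mistake. The host names follow the guide's example (sophia21, sophia22, jowcol); every address is constructed for the demonstration.

```python
"""Check that every RADIUS client of the RSA ACE/Server resolves both ways.

Added example for the "Updating the hosts File" section. Host names follow
the guide; all addresses below are constructed for this demonstration.
"""

# Constructed hosts file in the layout of \winnt\system32\drivers\etc\hosts.
HOSTS_FILE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.0.2.21      sophia21        # node 1, dedicated IP (NDI)
192.0.2.22      sophia22        # node 2, dedicated IP (NDI)
192.0.2.10      jowcol          # RSA ACE/Server itself (RADIUS-to-ACE proxy)
"""

# Expected RADIUS clients: name -> NDI that the ACE/Server sees as the source
# address of authentication requests (constructed values).
RADIUS_CLIENTS = {"sophia21": "192.0.2.21", "sophia22": "192.0.2.22", "jowcol": "192.0.2.10"}

# Cluster virtual IPs (CVIs). Per the guide's note these must NOT be used for
# agent host definitions (constructed value).
CLUSTER_CVIS = {"192.0.2.1"}


def parse_hosts(text):
    """Return (forward, reverse) maps from a hosts file: name -> ip and ip -> [names].

    Comments start with '#'; the first field is the address, the rest are
    names/aliases. Names are compared case-insensitively, as on Windows.
    """
    forward, reverse = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], [n.lower() for n in fields[1:]]
        for name in names:
            forward.setdefault(name, ip)  # first entry wins, like the resolver
        reverse.setdefault(ip, []).extend(names)
    return forward, reverse


def check_radius_clients(hosts_text, clients=RADIUS_CLIENTS, cvis=CLUSTER_CVIS):
    """Return a list of problems; an empty list means the hosts file is consistent."""
    forward, reverse = parse_hosts(hosts_text)
    problems = []
    for name, ndi in clients.items():
        key = name.lower()
        if key not in forward:
            problems.append(f"{name}: no forward entry (name -> IP) in hosts file")
        elif forward[key] in cvis:
            problems.append(f"{name}: registered with CVI {forward[key]}, use NDI {ndi}")
        elif forward[key] != ndi:
            problems.append(f"{name}: hosts file says {forward[key]}, expected NDI {ndi}")
        if key not in reverse.get(ndi, []):
            problems.append(f"{ndi}: no reverse entry (IP -> {name}); ACE/Server cannot resolve the requester")
    return problems


if __name__ == "__main__":
    found = check_radius_clients(HOSTS_FILE)
    for problem in found:
        print("PROBLEM:", problem)
    print("hosts file OK" if not found else "fix the hosts file before defining agent hosts")
```

Run it against a copy of the real hosts file (with the real NDIs and CVIs filled in) before step 4 of "Defining Agent Hosts", where the Edit Agent Host dialog relies on exactly this name-to-address resolution.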

RADIUS Server Configuration

Before you can use the RADIUS server, you must configure it and verify that you can use the RADIUS server incorporated with your RSA ACE/Server software.

To configure the RADIUS server:
1. Go to Start > Programs > ACE Configuration Management. The RSA ACE/Server Configuration Management window opens.

ILLUSTRATION 1.3 RSA ACE/Server Configuration Management

2. In the RSA ACE/Server Configuration Management window, first click the Edit button at the bottom left of the box.
3. In the Enable Features section of this window, make sure that:
   - the DES radio button of the Encryption Type is selected;
   - the RADIUS Server Enabled check box is checked.
4. Click OK to continue.
5. In the following dialog box, click Yes to save the configuration changes to the RSA ACE/Server configuration file.

ILLUSTRATION 1.4 RSA ACE/Server Configuration Management

RSA ACE/Server Startup

Before you can use your ACE and RADIUS servers, you must first start them.

To start the RSA ACE/Server:
1. Go to Start > Settings > Control Panel.
2. Click the RSA ACE/Server icon to open the RSA ACE/Server start dialog box.

ILLUSTRATION 1.5 RSA ACE/Server Start dialog box

3. Check the Automatic ACE/Server Startup box and click Start to start the server.
4. When the "RSA ACE/Server is started" pop-up appears, click OK to continue.
5. In the Reminder window, click OK to exit.

ILLUSTRATION 1.6 RSA ACE/Server Configuration Management

6. Go back to the RSA ACE/Server dialog box and click the Stop button to stop the RSA ACE/Server.

RADIUS Server Verification

Next, you need to ensure that the RADIUS service is started and listening on the appropriate port.
1. At the command prompt, enter:

   netstat -an | find "XXXX"

   where XXXX is the number of the port configured in RADIUS Server Configuration on page 6, i.e. 1645.
2. Check in the Windows NT Services panel that the RADIUS service is started and listening on the appropriate port.

ILLUSTRATION 1.7 Netstat

RSA ACE/Server Administration

The authentication methods used in this example are static password and keyfob (token). All administration functions are conducted from the main administration window.

Main administration window
1. Open the main administration window.
2. Select Start > Programs > RSA ACE/Server > Database Administration Host Mode.
3. The RSA ACE/Server v. 5.0 Administration dialog box opens.

ILLUSTRATION 1.8 Main administration window

Importing tokens

You must import tokens from an .asc file before the tokens can be assigned to a user.

To import tokens:
1. Select Token > Import Token from the main menu.
2. Insert the token diskette into drive a:\.
3. Select the path to the .asc file on the diskette, and click Open.
4. The Import Status dialog box opens, allowing you to verify that the two demo tokens were imported.

ILLUSTRATION 1.9 Import Status dialog box

Adding a group

You should next define a group to which users can be added.

To add a group:
1. From the RSA ACE/Server Administration main menu, select Group > Add Group.
2. The Edit Group dialog box opens. Enter a group name and click OK to continue.

ILLUSTRATION 1.10 Edit Group dialog box

Adding a user

Now you can add users to the group you created. The way to do this depends on the authentication method, i.e. keyfob (token) or static password, defined for the user.

Adding a user with a keyfob (token) authentication method

Follow the instructions below to add a user with a keyfob (token) authentication method. For instructions on how to add a user with a static password authentication method, please see Adding a user with a static password authentication method on page 14.

To add a user with a keyfob (token) authentication method:
1. Enter a user by selecting User > Add User in the main RSA ACE/Server Administration window. The Add User dialog box opens.
2. Enter at least the last name and default login (User ID) in the appropriate fields.
3. Click the Assign Token button.

ILLUSTRATION 1.11 Add User dialog box

4. In the main Administration window, select Tokens.
5. Select the token you want to assign to this user from the list of tokens in the Select Token dialog box and click OK to continue.

ILLUSTRATION 1.12 Select Token

6. You should now return to the Edit User window, which now contains the information that you have defined.

ILLUSTRATION 1.13 Edit User

7. Click the Group Memberships button. The Memberships dialog box opens.

ILLUSTRATION 1.14 Memberships

8. Select the group you created from the Available Groups column.
9. Click Join Group.
10. Click Exit to continue.

Adding a user with a static password authentication method

Follow the instructions below to add a user with a static password authentication method. For instructions on how to add a user with keyfob (token) authentication, please see Adding a user with a keyfob (token) authentication method on page 12.

To add a user with a static password authentication method:
1. Enter a user by selecting User > Add User in the main RSA ACE/Server Administration window. The Add User dialog box opens. See the illustration Add User dialog box on page 12.
2. Enter at least the name and default login (User ID) in the appropriate fields of the Add User dialog box.
3. Click the Set/Change User Password... button.
4. Enter a password of 4-8 digits in the Enter Password and Confirm Password fields.
5. You should now return to the Edit User window, which now contains the information that you have defined.

ILLUSTRATION 1.15 Edit User

6. Repeat steps 6-10 from above (as in keyfob token authentication).

Defining Agent Hosts for the Nodes and for the RADIUS Server

The agent hosts must be defined so that users can authenticate from these computers. The RADIUS server acts as a proxy and must be defined as a virtual client. The computers to be defined as agent hosts are:
- The nodes of the cluster, using the NDI belonging to the NIC on which the CVI authentication option is defined. In this example there are two nodes, Sophia21 and Sophia22.
- The computer running the RSA ACE/Server, because it also hosts the Radius-to-Ace proxy, the purpose of which is to forward authentication requests from the nodes to the RSA ACE/Server.

The definition must be entered for each node plus the RSA ACE/Server itself.

To define the agent hosts:
1. Define a client on the RSA ACE/Server for each of the nodes in the cluster. Select Agent Host > Add Agent Host.
2. The Edit Agent Host dialog box opens.

ILLUSTRATION 1.16 Edit Agent Host

3. In the Name field, enter the name from the hosts file.
4. Click in the Network Address field. The IP address for this name should automatically populate this field. If not, check the spelling of the name.
5. For Encryption Type, specify DES (Data Encryption Standard).
6. Click the Group Activations button to activate the group that will be authenticating from StoneGate. The Group Activations dialog box opens.

ILLUSTRATION 1.17 Group Activations

7. In the Group Activations dialog box, select the group to be activated from the list of Groups on the left. Click the Activate Group button and the group appears in the list of Directly Activated Groups on the right. Click Exit to return to the previous window.
8. In the Edit Agent Host window, click the Assign/Change Encryption Key button. The Assign/Change Encryption Key dialog box opens.

ILLUSTRATION 1.18 Assign/Change Encryption Key dialog box

9. Enter an encryption key that will be used to communicate with the RADIUS server associated with the StoneGate cluster. This key is the same as the one used for the RADIUS server on the cluster. The encryption key defined here must be the same as the one defined in the Shared Secret field of the Authentication Server Properties window in the StoneGate GUI. See Illustration 1.22 on page 21.
10. Next, define the agent host for the other node, Sophia22. Use the same parameters as with Sophia21 and repeat steps 1-8. Illustration 1.19 depicts the agent host definition used for node Sophia22.

ILLUSTRATION 1.19 Edit Agent Host

11. Finally, define the agent host for the RSA ACE/Server itself (jowcol). Repeat steps 1-8 described above. Illustration 1.20 depicts the agent host definition of the RSA ACE/Server itself.

ILLUSTRATION 1.20 Edit Agent Host

The RADIUS server configuration has now been finalized.

RSA ACE Client Setup

The next thing to do is to set up the RSA ACE Client. If you need more information about the setup, please see Appendix B RSA ACE Client Setup on page 46. If you are already familiar with the RSA ACE Client setup, you can skip Appendix B.

First Contact with Casual ACE Agent

Next, the ACE Client needs to be contacted. If you need more information about this, please see Appendix C First Contact with Casual ACE Agent on page 58. If you are already familiar with the RSA ACE Client setup, you can skip Appendix C.
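Step 9 above requires the agent host's encryption key to equal the Shared Secret later entered in StoneGate, and the guide notes that both products must also agree on the RADIUS port (1645 on the RSA ACE/Server, 1812 by default in StoneGate). The following Python script is an added example, not Stonesoft's or RSA's code, that runs one RFC 2865 Access-Request/Access-Accept exchange entirely in memory to show what the secret actually does: it hides the User-Password attribute in the request and signs the server's reply (the Response Authenticator), so a mismatched secret produces a reject that the client cannot even verify as genuine. The user database, secret and passcode are constructed values; the RSA token algorithm is replaced by a static lookup.

```python
"""Minimal RFC 2865 Access-Request / Access-Accept exchange.

Added example (not Stonesoft's or RSA's code). All values are constructed and
no network I/O is performed; the server side stands in for the RADIUS server
on the RSA ACE/Server, the client side for a StoneGate node.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Ports named in the guide: RSA ACE/Server default 1645, StoneGate default 1812.
ACE_RADIUS_PORT, STONEGATE_RADIUS_PORT = 1645, 1812

# Constructed stand-in for the ACE/Server user database: user -> expected
# passcode (4-digit PIN followed by the 6-digit tokencode, as in the guide).
USER_DB = {b"jack": b"1234624982"}


def _xor_chain(data: bytes, secret: bytes, req_auth: bytes, hiding: bool) -> bytes:
    """RFC 2865 5.2: c(i) = p(i) XOR MD5(secret + c(i-1)), with c(0) = Request Authenticator."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = block if hiding else data[i:i + 16]  # always chain on the ciphertext block
    return out


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    return _xor_chain(padded, secret, req_auth, hiding=True)


def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    return _xor_chain(hidden, secret, req_auth, hiding=False).rstrip(b"\x00")


def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, 2 + len(value)) + value


def _parse_attrs(blob: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")
        attrs[atype] = blob[i + 2:i + alen]
        i += alen
    return attrs


def build_access_request(ident: int, user: bytes, passcode: bytes, secret: bytes, req_auth: bytes) -> bytes:
    attrs = _attr(ATTR_USER_NAME, user) + _attr(ATTR_USER_PASSWORD, hide_password(passcode, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def server_handle(packet: bytes, secret: bytes, user_db=USER_DB) -> bytes:
    """What the RADIUS server does: unhide the password, check it, sign the reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], _parse_attrs(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"")
    passcode = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    reply = ACCESS_ACCEPT if user_db.get(user) == passcode else ACCESS_REJECT
    header = struct.pack("!BBH", reply, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def client_verify(response: bytes, req_auth: bytes, secret: bytes) -> bool:
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    return hashlib.md5(header + req_auth + attrs + secret).digest() == resp_auth


def exchange(user: bytes, passcode: bytes, client_secret: bytes, server_secret: bytes):
    """Run one request/response in memory; returns (reply code, reply authentic?)."""
    req_auth = os.urandom(16)
    request = build_access_request(7, user, passcode, client_secret, req_auth)
    response = server_handle(request, server_secret)
    return response[0], client_verify(response, req_auth, client_secret)


if __name__ == "__main__":
    secret = b"example-shared-secret"  # constructed; never reuse a real secret in a demo
    print(exchange(b"jack", b"1234624982", secret, secret))          # (2, True): accepted
    print(exchange(b"jack", b"1234000000", secret, secret))          # (3, True): rejected, reply genuine
    print(exchange(b"jack", b"1234624982", secret, b"typo-secret"))  # (3, False): secret mismatch
```

The third case is the one to recognise during troubleshooting: with mismatched secrets the server sees a garbled passcode and rejects, and the node's authenticator check on the reply fails as well, so the log shows rejections for a user whose token is perfectly valid.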

Creating RADIUS Server and Service in StoneGate

In StoneGate, you must perform the following tasks:
- Create a RADIUS server.
- Create a RADIUS authentication service.
- Create users or a special *external* user.
- Add rules in the Security Policy Manager.
- Check the service number.

At least one CVI in the cluster must be defined for use in authentication, which means it must use CVI mode A (this determines the interface used for authentication requests). This is enabled by checking the Use as identity for authentication request box.

ILLUSTRATION 1.21 Interface Properties

Creating a RADIUS Server

Next, create a RADIUS server in the StoneGate Network Element Manager.

To create a RADIUS server:
1. In the StoneGate Control Panel, open the Network Element Manager. Select the Repository View and right-click Servers. From the contextual menu that appears, select New > Authentication Server.
2. The Authentication Server Properties window opens.

ILLUSTRATION 1.22 Authentication Server Properties window

3. Fill in the fields of the window. Verify that the port number in the Port Number field is the same as the RSA ACE/Server RADIUS port number (1645).
4. Enter the shared secret. It is the same as the key created on the ACE Agent Host running on this server. See Illustration 1.18 on page 17.
5. Check the RADIUS radio button in the Type field.
6. Click OK to continue.

Creating a RADIUS Authentication Service

Next, create a RADIUS authentication service in the StoneGate User Manager.

To create a RADIUS authentication service:
1. In the StoneGate User Manager, select the Authentication Services tab.
2. Click the New Authentication Service button on the toolbar.

3. The Authentication Service dialog box opens.

ILLUSTRATION 1.23 Authentication Service dialog box

4. Enter a name for the authentication service, select the RADIUS radio button, and click OK to continue.
5. The new service appears greyed out in the list of authentication services in the left panel of the Authentication Services tab. It is greyed out because it does not yet include any server.

ILLUSTRATION 1.24 User Manager Authentication Services tab

6. Drag and drop the RadiusServer that you created from the right panel to the left panel under the RADIUS authentication service. The server is now activated.

ILLUSTRATION 1.25 RADIUS server activated

7. Create a group profile for all users authenticating to the RSA ACE/Server. In the User Manager User Directory tab, expand the InternalDomain.
8. Right-click the stonegate domain. Select New > Group from the contextual menu that appears.
9. The Group Properties dialog box opens.

ILLUSTRATION 1.26 Group Properties dialog box

10. Enter a name for the group profile and click the Authentication tab.
11. Drag and drop the authentication service you created to the Bound Authentication Services panel. Click OK to continue.

ILLUSTRATION 1.27 Group Properties Authentication tab

Modifying an Existing Authentication Service Definition

The default port defined in the RSA ACE/Server for the RADIUS service is 1645. The RADIUS service defined in StoneGate uses 1812. This means that the port number for one or the other product needs to be changed.

Note: If you change the port number on the RSA ACE/Server, you also need to edit the services file on the Windows NT server and change the record for the RADIUS service port. The port should be UDP (not TCP) in the services file.

Another option is to modify the definition of the StoneGate RADIUS service; see Illustration 1.29. Instead of modifying the default RADIUS service, you can create a new one and add it to the security policy. In that case, create a rule in the Security Policy Manager that allows the cluster to communicate with the RSA ACE/Server.

To modify an existing service:
1. In the Service Properties panel located in the Service Manager Services tab, modify the destination port of the RADIUS service. Change the port number in the Dst Ports field from 1812 to 1645. Illustration 1.28 depicts the situation before the change.

ILLUSTRATION 1.28 Service Manager, before

Illustration 1.29 depicts the situation after changing the destination port number.

ILLUSTRATION 1.29 Service Manager, after

There is no need to add a rule in the rule base to allow RADIUS traffic from the nodes to the RADIUS server, because the RADIUS service is already defined in the default rules.

ILLUSTRATION 1.30 Security Policy Manager

When you select the View Inherited Rules button from the toolbar, all inherited rules are displayed. The RADIUS service is in rule 7.

ILLUSTRATION 1.31 Security Policy Manager RADIUS service

Creating an External User

Next, you need to create an *external* user profile. This is a special user profile that passes the actual user ID (not *external*) to the RSA ACE/Server along with the next token for authentication. This is the preferred method for authenticating to the RSA ACE/Server. Otherwise, you need to create a user profile on StoneGate for every user that will authenticate to the RSA ACE/Server, and you must also maintain the same list on the RSA ACE/Server.

To create an *external* user:
1. In the User Manager, expand InternalDomain and the stonegate domain. Right-click the group created above and select New > User. The User Properties dialog box opens.

ILLUSTRATION 1.32 User Properties

2. In the General tab, define *external* as the UserName. Select the Always Active check box or set the expiration parameters. Click OK to continue.
3. Select the Authentication tab and drag and drop the RADIUS service to the panel on the right listing the bound authentication services. For an *external* user, you do not need to specify any password here because it is retrieved from the RADIUS server. Click OK to continue.

ILLUSTRATION 1.33 User Properties Authentication tab

The *external* user has now been created and it appears in the user directory of the User Manager as depicted in Illustration 1.34.

ILLUSTRATION 1.34 User Manager, User Directory tab

4. In the Security Policy Manager, open the Access Rules tab.

ILLUSTRATION 1.35 Security Policy Manager Access Rules tab

5. Double-click in the Authentication field. The Authentication Parameters dialog box opens.

ILLUSTRATION 1.36 Authentication Parameters, Parameters tab

6. Select the Parameters tab.
7. In the Method area, select the Require Authentication check box. If it is checked, authentication applies to this rule. If it is unchecked, no authentication process is applied to the rule and the other parameters remain inoperative. If you select the Firewall-initiated Authentication check box, the firewall is forced to initiate the authentication connection, for cases in which the client cannot be fully trusted.
8. In the Authorize area, you can select either:
   - Connection, to authorize a single connection with a single authentication before the time-out expires. Any new connection needs authentication. Set the Time-out in milliseconds.
   - Client IP, to authorize all connections based on the IP address of the authenticated user until the time-out expires. Set the Time-out in milliseconds.
9. Click the Authentication Services tab to display the embedded Authentication Service View and select the authentication services accepted by the rule.
10. Expand the Authentication Service View as necessary and select an authentication service.
11. Click Add to include the service in the Accepted Authentication Services list on the right. You can remove services from the list by selecting one and clicking the Remove button.
12. Click OK to validate your settings.

ILLUSTRATION 1.37 Authentication Parameters, Authentication Services tab

Adding Rules in the Security Policy Manager

The node communicates with the RSA ACE/Server using the IP addresses defined as the Default for Outgoing Connections in the NDI interface of the firewall cluster element. The protocol used is RADIUS (or radius-udp1645 if you decide to create a new service).
1. In the Security Policy Manager, first select the User View from the selection box. Then drag and drop the *external* user to the Users field.
2. Drag and drop the RADIUS authentication service to the Authentication field.
3. Save and install the security policy. Illustration 1.38 depicts the situation before.

ILLUSTRATION 1.38 Security Policy Manager, before

Illustration 1.39 depicts the situation after.

ILLUSTRATION 1.39 Security Policy Manager, after

The RADIUS server setup is now complete.

Authentication

After the RADIUS server setup, you should check that it is operating properly. Try to authenticate using either the Authentication Client or a Telnet connection to port 2543. The Authentication Client is part of the StoneGate VPN Client.

Using Authentication Client authentication

Follow the steps below to authenticate using the Authentication Client.

To authenticate using the Authentication Client:
1. Select Start > Programs > StoneGate > VPN Client.
2. The main page of the StoneGate VPN Client opens in your default browser.
3. Select Firewall > Authentication.

ILLUSTRATION 1.40 VPN Client Authentication main page

4. The User Authentication page opens. Type in the name or the address of the StoneGate Security Gateway.

ILLUSTRATION 1.41 User Authentication

5. When you use Authentication Client authentication, an Authentication Required prompt opens.

ILLUSTRATION 1.42 Authentication Required

6. Enter the username, domain, and password and click the Submit button. Here, the password must consist of the PIN code (4 digits) followed by the keyfob number (6 digits).
7. The Authentication Finished page opens. It informs you whether the authentication has been successful.

Using simple Telnet authentication

If you do not have any authentication client (StoneGate VPN Client) installed, you must create a Telnet connection to the gateway address, using the StoneGate authentication port 2543.

ILLUSTRATION 1.43 Telnet connection

Troubleshooting

The following screenshot from the Log Browser shows an example of a typical error caused by situations in which the DNS server or the /etc/hosts file was not correctly configured. Illustration 1.44 shows that the firewall tried to authenticate a user three times but did not succeed, because in our case the /etc/hosts file was not correctly configured: the firewall was not able to resolve the IP address into a host name.

ILLUSTRATION 1.44 Reverse lookup

Authenticating if there are Several Authentication Services

StoneGate can use the following authentication services:
- UserPassword
- IPSec Certificate
- Radius
- TACACS+

The authentication service used for a connection is chosen by the firewall engine unless the user specifies it as part of the user name. In all versions of StoneGate (up to and including 1.6.2) the firewall chooses the first authentication service in the user's LDAP database. However, the list of the user's authentication services is not ordered (it is actually a group), so the firewall may not choose the authentication service shown topmost in the user's GUI. To guarantee a predictable service that operates correctly every time, the administrator should set only one authentication service for each user, or users should always specify the authentication service when authenticating.

The full syntax of the user name field in the authentication process is the following:

username[@domain][;authentication_service]

If the user does not belong to the default domain of the management server, [@domain] needs to be specified. If the user has more than one authentication service, it is necessary to specify [;authentication_service]. The variables shown in square brackets are optional. The ability to set these parameters makes most general cases simple to specify while delivering run-time flexibility for expert users.

Examples

In a typical general (simple) case, an authentication window appears in the VPN Client in response to a firewall-initiated authentication request. Only one authentication service is set for John, a user belonging to the default domain*, so he must enter the following data in the authentication window:

User name: john
Domain:
Password: secret

In a more complicated case, a user named Jack normally authenticates with a static password when he is local to the corporate network. He occasionally travels, and while on the road authenticates using a SecurID card. On the road (e.g.) with only a personal digital assistant, he uses Telnet to authenticate to firewall port 2543:

SG login: jack@stonegizmo.com;ace
Enter PASSCODE: 624982
Please enter the next code from your token: 863077
PASSCODE Accepted
Access granted

While he is in the office, he enters:

SG login: jack@stonegizmo.com;ldap password on stonegizmo.com
Password: secret2
Access granted

* There may be several authentication domains, but only one is marked as the default domain. If a domain has not been specified for a user, the default domain is used.
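The login syntax and the selection rule above (an explicitly named service wins; a single bound service is used implicitly; several bound services with none named leaves the choice to the engine, which in 1.6.2 is unpredictable) can be captured in a few lines. The following Python script is an added example and not Stonesoft's code: it parses username[@domain][;authentication_service] strings such as the ones in the examples, then applies the guide's rule against a list of the services bound to the user, refusing the ambiguous case instead of guessing. The default domain stonegizmo.com and the bound-service lists are constructed for the demonstration.

```python
"""Parse the StoneGate login syntax  username[@domain][;authentication_service]
and apply the guide's service-selection rule.

Added example, not Stonesoft's code. User, domain and service names come from
the guide's examples; the bound-service lists and default domain are constructed.
"""
DEFAULT_DOMAIN = "stonegizmo.com"  # constructed: the management server's default domain


def parse_login(login: str) -> dict:
    """Split a login string into user, domain and service (None when omitted).

    The service is everything after the first ';', so service names containing
    spaces survive intact; the domain is whatever follows '@' in the remainder.
    """
    user_domain, _, service = login.strip().partition(";")
    user, _, domain = user_domain.partition("@")
    if not user:
        raise ValueError(f"missing user name in {login!r}")
    return {"user": user, "domain": domain or None, "service": service.strip() or None}


def choose_service(login: str, bound_services, default_domain: str = DEFAULT_DOMAIN):
    """Return (domain, service) for the login, or raise if the choice is ambiguous.

    Mirrors the guide's rule: an explicitly named service wins (and must be bound
    to the user); a single bound service is used implicitly; several bound services
    with none named is unpredictable in StoneGate 1.6.2 and is reported as an error
    rather than resolved by guessing.
    """
    parsed = parse_login(login)
    domain = parsed["domain"] or default_domain
    bound = list(bound_services)
    if parsed["service"] is not None:
        if parsed["service"] not in bound:
            raise LookupError(f"service {parsed['service']!r} is not bound to user {parsed['user']!r}")
        return domain, parsed["service"]
    if len(bound) == 1:
        return domain, bound[0]
    raise LookupError(
        f"user {parsed['user']!r} has {len(bound)} bound services and named none; "
        "bind only one service or log in as user;service"
    )


if __name__ == "__main__":
    # john: default domain, exactly one service bound, so it is chosen implicitly
    print(choose_service("john", ["UserPassword"]))
    # jack: two services bound, so he must name the one he wants on the road
    print(choose_service("jack@stonegizmo.com;ace", ["ace", "ldap"]))
```

An administrator can run the same check over the user directory export to find every account with more than one bound service, which are exactly the accounts the guide says will authenticate unpredictably unless users always add ;authentication_service.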

APPENDICES

APPENDIX A RSA ACE/Server Installation Start the RSA ACE/Server setup by installing the software and the patches. To install the RSA ACE/Server for Windows NT: 1. Insert the RSA ACE/Server CD (assume CD-ROM drive is d:\). Run the installation program d:\aceserver\nt_i386\setup.exe and follow the instructions provided in the installation shield. 2. The Welcome window of the RSA ACE/Server for Windows NT setup program opens. Click Next to continue. HOW-TO GUIDELINES 40

RSA ACE/Server Installation ILLUSTRATION A.45 RCA ACE/Server Windows NT Setup program Welcome window 3. The following window provides version information. Click Next to continue. ILLUSTRATION A.46 RSA ACE/Server 5.0 Welcome window 4. The License Agreement window opens. Read it through carefully. If you accept the agreement, click Yes to accept and continue. A 41 HOW-TO GUIDELINES

ILLUSTRATION A.47 License Agreement

5. The New Input Files window opens. On the Primary, insert the Primary Server License disk into drive A:\. Click Next to continue.

ILLUSTRATION A.48 New Input Files

6. The Available Input Files window lists all the currently available input files. Click Next to continue.

ILLUSTRATION A.49 Available Input Files

7. In the Installation Directory window, enter the pathname of the destination directory. Use the standard defaults to install the server to c:\ace5\. Click Next to continue.

ILLUSTRATION A.50 Installation Directory

8. In the Installation Options window, select the items you want to install. A successful configuration requires at least a New Primary RSA ACE/Server. Click Next to continue.

ILLUSTRATION A.51 Installation Options

9. The Start Copying Files window lists the current settings. Click Next to copy the files.

ILLUSTRATION A.52 Start Copying Files

10. You must restart the computer before you can use the RSA ACE/Server you installed. In the Installation Complete window, select the Yes, I want to restart my computer now radio button, remove all disks from the disk drives, and click the Finish button. If required, install the appropriate service pack for the RSA ACE/Server 5.0.

ILLUSTRATION A.53 Installation Complete

APPENDIX B RSA ACE Client Setup

Catool is a certificate utility tool provided with the ACE Client in order to create the certificates and keys used by the Client when communicating with the RSA ACE/Server.

Catool Installation

Follow the steps below for Catool installation.

To install Catool:

1. Install the Catool that comes with the agent. Select Start > Programs > ACE Agent > RSA ACE Agent Certificate Utility. The Welcome window opens. Click Next to continue.

ILLUSTRATION B.54 RSA ACE/Agent Certificate Utility

2. The Software License Agreement window opens. Read it through carefully. If you accept the license agreement, click Yes to continue.

ILLUSTRATION B.55 Software License Agreement

3. The Choose Destination Location window opens. Choose a folder and click Next to continue.

ILLUSTRATION B.56 Choose Destination Location

4. In the Select Program Folder window, choose a program folder in which to store the program icons that will be added. Click Next to continue.

ILLUSTRATION B.57 Select Program Folder

5. The Setup Complete window informs you when the setup is complete. Exit the program by clicking Finish.

ILLUSTRATION B.58 Setup Complete

6. Next, create a new root certificate and key. In the RSA ACE/Agent Certificate Utility dialog box, define the current directory (by default in C:\Program Files\SDTI\RSA ACE Agent..). Click the New Root Certificate and Keys button.

ILLUSTRATION B.59 RSA ACE/Agent Certificate Utility

7. The Create New Certificate and Keys dialog box opens.

ILLUSTRATION B.60 Create new Certificate and Keys

8. You will receive a notification when the root certificate and keys have been successfully created.

ILLUSTRATION B.61 RSA Security Inc. Certificate Tool

NT Agent Installation

Next, you need to install the NT agent.

Installing the agent itself

If you receive the warning displayed in Illustration B.62, check that the service RSA ACE/Server RADIUS daemon is started.

ILLUSTRATION B.62 Warning

To install the agent:

1. Before you start the agent installation, copy c:\ace5\data\sdconf.rec from the RSA ACE/Server machine to c:\winnt\system32\ of the Agent machine. If the RSA ACE/Server is UNIX, copy /ace5/data/sdconf.rec from the RSA ACE/Server machine to c:\winnt\system32\ of the Agent machine. This file record contains information about the RSA ACE/Server configuration that the ACE client uses when establishing contact with the RSA ACE/Server.

2. Insert the SecurSight Agent CD.

3. Run the SecurSight Agent installation program d:\acecint\nti386\agent.exe.

4. The RSA ACE/Agent for Windows NT setup program Welcome window is displayed. Click Next to continue.

ILLUSTRATION B.63 Welcome window

5. The Software License Agreement window opens. Read the license through carefully. If you accept it, click Yes to continue.

ILLUSTRATION B.64 Software License Agreement

6. In the Select Components window, select Network Access Authentication (Client). Click Next to continue.

ILLUSTRATION B.65 Select Components

7. In the Location of Root Certificate window, enter the path of the sdroot.crt file previously created with Catool. Click Next to continue.

ILLUSTRATION B.66 Location of the Root Certificate sdroot.crt

8. In the Select Root Cert dialog box, select the root certificate and click Open.

ILLUSTRATION B.67 Select Root Cert

9. In the Location of Root Certificate sdroot.crt window, click Next to continue.

ILLUSTRATION B.68 Location of Root Certificate sdroot.crt

10. In the following window, enter the path to your RSA ACE/Server configuration record and click Next to continue. This file was created earlier as depicted in Illustration 1.4, RSA ACE/Server Configuration Management, on page 7, and it has now been copied to this location.

ILLUSTRATION B.69 Location of RSA ACE/Server configuration record sdconf.rec

11. Follow the program registration instructions in this window. Click Next to continue.

ILLUSTRATION B.70 RSA ACE/Agent Registration

12. In the Setup Complete window, click Yes, I want to restart my computer now, remove all disks from the disk drives, and click Finish to complete the setup.

ILLUSTRATION B.71 Setup complete

APPENDIX C First Contact with Casual ACE Agent

Next, contact the ACE Agent. This is the initial contact, and there is no need to do this separately for each user. Later on, the users will connect using the Authentication Client.

Note: If you have engine version 774 or higher, this operation can be performed directly from the first authentication, using the Telnet 2543 connection or the Authentication Client connection of the StoneGate VPN Client.

1. After the reboot, start the Log Monitor on the RSA ACE/Server from Start > Programs > RSA ACE > Log Monitor. The Log Monitor assists you in configuring and troubleshooting. Complete the definitions and click OK to continue.

ILLUSTRATION C.72 Log Monitor Selection Criteria

2. An empty window opens. This window will display a note confirming whether or not the authentication has been accepted.

ILLUSTRATION C.73 RSA ACE/Server Log Monitor

3. From the client, run Start > Programs > RSA ACE > Authentication test.

4. When starting the client on Win2000 Professional, you may see the following warning. Click OK to continue.

ILLUSTRATION C.74 RSA ACE/Agent Authentication Test

5. The RSA SecurID Authentication Information window opens.

ILLUSTRATION C.75 RSA SecurID Authentication Information

6. Click the RSA ACE/Server Test Directly button. This connects to the local RSA ACE/Server (IP address 0.0.0.0) because the client is currently running on the same machine as the RSA ACE/Server.

7. The RSA SecurID Authentication dialog box opens.

ILLUSTRATION C.76 RSA SecurID Authentication

8. Enter here the UserName and the first passcode entered when defining the user. Click OK to continue.

9. The RSA ACE/Server Log Monitor window opens. This window contains information about the authentication attempt of the user called userpwd. Click Exit to continue.

ILLUSTRATION C.77 RSA ACE/Server Log Monitor

10. A New PIN dialog box opens. Because this was the first successful authentication, the user is asked to change the PIN code.

11. Enter a new PIN code and its confirmation. Click OK to continue.

ILLUSTRATION C.78 New PIN

12. The RSA ACE/Agent Authentication Test dialog box opens. It confirms whether the new PIN has been accepted. Click OK to continue.

ILLUSTRATION C.79 RSA ACE/Agent Authentication Test

13. The RSA ACE/Server Log Monitor window opens. It now contains information about the authentication. Illustration C.80 depicts the situation for user userpwd. Click OK to continue.

ILLUSTRATION C.80 RSA ACE/Server Log Monitor

14. Next, perform steps 7-13 with user userkeyfob. First, enter the UserName and the first passcode entered when defining the user.

15. You are asked to change the PIN code. Enter a new PIN code.

ILLUSTRATION C.81 New PIN

16. A dialog box confirms whether or not the authentication has been successful.

ILLUSTRATION C.82 RSA ACE/Agent Authentication Test

17. Using the RSA ACE/Server Log Monitor, check that the actions you have taken have been accepted. See Illustration C.83 on page 65.

ILLUSTRATION C.83 RSA ACE/Server Log Monitor