Application Note: Integrate Cisco IPSec or SSL VPN with Gemalto SA Server. SASolutions@gemalto.com January 2008. www.gemalto.com




All information herein is either public information or is the property of and owned solely by Gemalto NV. and/or its subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual property protection in connection with such information. Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under any intellectual and/or industrial property rights of or concerning any of Gemalto's information. This document can be used for informational, non-commercial, internal and personal use only provided that: The copyright notice below, the confidentiality and proprietary legend and this full warning notice appear in all copies. This document shall not be posted on any network computer or broadcast in any media and no modification of any part of this document shall be made. Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities. The information contained in this document is provided AS IS without any warranty of any kind. Unless otherwise expressly agreed in writing, Gemalto makes no warranty as to the value or accuracy of information contained herein. The document could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Furthermore, Gemalto reserves the right to make any change or improvement in the specifications data, information, and the like described herein, at any time. Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein, including all implied warranties of merchantability, fitness for a particular purpose, title and noninfringement.
In no event shall Gemalto be liable, whether in contract, tort or otherwise, for any indirect, special or consequential damages or any damages whatsoever including but not limited to damages resulting from loss of use, data, profits, revenues, or customers, arising out of or in connection with the use or performance of information contained in this document. Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and disclaims, any liability in this respect. Even if each product is compliant with current security standards in force on the date of their design, security mechanisms' resistance necessarily evolves according to the state of the art in security and notably under the emergence of new attacks. Under no circumstances, shall Gemalto be held liable for any third party actions and in particular in case of any successful attack against systems or equipment incorporating Gemalto products. Gemalto disclaims any liability with respect to security for direct, indirect, incidental or consequential damages that result from any use of its products. It is further stressed that independent testing and verification by the person using the product is particularly encouraged, especially in any application in which defective, incorrect or insecure functioning could result in damage to persons or property, denial of service or loss of privacy. Copyright 2008 Gemalto N.V. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of Gemalto N.V. and/or its subsidiaries and are registered in certain countries. All other trademarks and service marks, whether registered or not in specific countries, are the property of their respective owners. GEMALTO, B.P. 100, 13881 GEMENOS CEDEX, FRANCE. Tel: +33 (0)4.42.36.50.00 Fax: +33 (0)4.42.36.50.90

Table of contents
Use case ... 4
Overview ... 5
Architecture ... 7
Configure Cisco ASA 5510 using software version 7.2 ... 8
  Configure Cisco VPN IPSec ... 9
    Launch Cisco VPN Wizard ... 9
    Modify the default RADIUS configuration ... 20
  Configure Cisco VPN SSL ... 22
    Introducing the two types of SSL VPN ... 22
    Create the RADIUS server group ... 23
    Create an IP Pool ... 26
    Create a Group Policy ... 27
    Configure the Tunnel Group ... 30
    Configure the SSL VPN Client ... 33
    Configure the interface with client machine ... 35
Open the connection to the Intranet using SA Server ... 36
  IPSec VPN Client ... 36
  SSL VPN Client ... 39
Appendix 1: Configure an IAS RADIUS Server with SA Server ... 41
  IAS RADIUS prerequisites ... 41
  Add a RADIUS Client ... 42
  Install and configure SA Server agent for IAS ... 48
  Restart IAS ... 51
Appendix 2: Configure Juniper Steel-Belted RADIUS Server ... 52
  SBR pre-requisites ... 52
  Add RADIUS Client ... 53
  Install and configure SA Server agent for SBR ... 54
  Restart SBR ... 57
Appendix 3: Configure Free RADIUS Server on Linux ... 59
  Free RADIUS pre-requisites ... 59
  Add RADIUS Client ... 59
  Install and configure SA Server agent for Free RADIUS ... 59
  Restart Free RADIUS ... 60
Appendix 4: Active Directory configuration ... 61

Use case
To give Mobile Users access to their Corporate Network, it is usual to install a VPN Gateway. As only recognized users should be entitled to access the Intranet, the gateway must be able to authenticate Mobile Users. This is the main feature provided by the Gemalto SA Server. The link between the VPN Gateway and the SA Server is usually realized through the standard RADIUS protocol implemented by an AAA server.
[Figure: Mobile Users - Internet - VPN Gateway - Corporate Network; authentication path: VPN Gateway - RADIUS Server - Gemalto SA Server]

Overview
This document provides a deployment scenario showing how to configure a Cisco IPSec VPN or a Cisco SSL VPN to use Gemalto SA Server to authenticate Mobile Users. The deployment scenario describes an example that has been tested by Gemalto. Other configurations may work equally well, but you should bear in mind that these have not been tested.
Caution: Consequently, this document should not be considered an instruction manual on how to configure your system.
To provide SA Server authentication for Cisco IPSec VPN or Cisco SSL VPN, your system requires the following prerequisites:
- A Cisco ASA 5510 appliance. In what follows, this appliance is assumed to be usable, so a minimal installation must already have been performed. The appliance hosts two physical interfaces and is able to act as a gateway between the Internal Network and the External Network.
  o <IP Cisco ASA 5510 Internal Address> represents the IP address of the physical interface visible from the Internal Network. This network is seen as a trusted network. In our laboratory <IP Cisco ASA 5510 Internal Address> was 10.0.4.198/24.
  o <IP Cisco ASA 5510 External Address> represents the IP address of the physical interface visible from the External Network. The External Network is seen as an unsecured network. In our laboratory <IP Cisco ASA 5510 External Address> was 192.168.1.1/24.
- An AD Domain machine hosting an Active Directory LDAP and acting as domain controller. In our laboratory the domain hosted by AD Domain was gemalto.fr. We will use the term Mobile Users to refer to users who have an account in AD Domain and who will access the Internal Network from the External Network through the Cisco ASA 5510. Their accounts must be configured to allow remote access.
- A Gemalto SA Server. The server must be installed in mixed mode and connected to the AD Domain. It is assumed to be provisioned with devices and users. <Base URL SA Server> will be used to refer to the URL used to access SA Server. In our laboratory <Base URL SA Server> was http://10.0.4.216:8080.
- A RADIUS Server. This server is the link between the Cisco ASA 5510 and the Gemalto SA Server. We have validated three configurations:
  o IAS RADIUS, for which <IP IAS address> will be used to refer to the IAS RADIUS server IP address. In our laboratory, <IP IAS address> was 10.0.4.60.
  o Juniper Steel-Belted RADIUS, for which <IP SBR address> will be used to refer to the Juniper Steel-Belted RADIUS server IP address. In our laboratory, <IP SBR address> was 10.0.4.87.
  o Free RADIUS, for which <IP FreeR address> will be used to refer to the Free RADIUS server IP address. In our laboratory, <IP FreeR address> was 10.0.4.192.
  Each RADIUS configuration is described in the appendices of this document.

In order to demonstrate a successful authentication, we also need:
- A client. We used a standard XP SP2 machine.

Architecture
The following figure shows the architecture associated with the deployment scenarios described in this document.

Configure Cisco ASA 5510 using software version 7.2
This chapter describes the configuration needed to integrate Cisco IPSec VPN and Cisco SSL VPN with Gemalto SA Server. For our configuration, we chose not to use the local user database of the ASA 5510, so there is no pre-check at login time: all authentication requests are sent to the RADIUS server. To configure Cisco IPSec VPN or Cisco SSL VPN, you have to use the ASDM graphical tool. You can download this tool the first time you connect to the management port using an SSL session.

Configure Cisco VPN IPSec
We used the Cisco Wizard to configure the VPN.
Launch Cisco VPN Wizard
Using the ASDM tool:
- Select the Wizards option in the menu bar
- Then select VPN Wizard
The VPN Wizard window is displayed. It defines the type of VPN we want to configure.
  o In VPN Tunnel Type: select Remote Access
  o In VPN Tunnel Interface: select outside
Note: The Enable inbound IPSec box is checked by default.
Note: Depending on the software version used by the ASA 5510, this choice may be absent; if so, ignore it.
Click on [Next >]

The Remote Access Client window is displayed. It defines the type of client that will be used. We kept the default choice, which is to use the Cisco VPN Client.
Click on [Next >]

The VPN Client Tunnel Group Name and Authentication Method window is displayed. It defines a name for the VPN and the authentication method used with the client.
- Choose a name for Tunnel Group Name. In our laboratory, we used tunnel_ias, tunnel_sbr and tunnel_free. This name will be used during the VPN Client configuration to select among the different choices proposed by the Gateway (see Page 37). Usually, the Gateway proposes one tunnel per authentication method. In our laboratory, we used this mechanism to propose one tunnel per possible RADIUS Server.
- In the Authentication section, select Pre-shared Key.
- In Pre-shared Key, enter a value that will secure the communication with the VPN Client.
Note: You will have to enter the same value during the configuration of the VPN Client (see Page 37).
Click on [Next >]

The Client Authentication window is displayed. It defines the way Mobile Users will be authenticated.
- Select Authenticate using an AAA server group.
Note: This choice is the one that allows using an external RADIUS Server.
Click on [New ]

The New Authentication Server Group window is displayed. It defines the RADIUS server parameters.
- In Server Group Name: enter a name for the RADIUS Server. In our laboratory, we used RADIUS_IAS, RADIUS_SBR and RADIUS_FREE.
- In Authentication Protocol: select RADIUS.
- In Server IP Address: enter the IP address of the selected RADIUS Server. In our laboratory, we used <IP IAS Address>, <IP SBR Address> and <IP FreeR Address>.
- In Interface: select the interface used by the Cisco ASA 5510 to communicate with the selected RADIUS Server.
- In Server Secret Key: enter a value that will secure the communication with the RADIUS Server. You will have to enter the same value during the configuration of the selected RADIUS Server (Pages 42/54/59).
- In Confirm Server Secret Key: enter exactly the same value.
Click on [OK]
Click on [Next >]

The Address Pool window is displayed. It defines a set of IP addresses that will be allocated to VPN Clients.
- In Pool Name: enter a name for the pool. In our laboratory, we used client_vpn_pool.
- In Range Start Address: enter the first IP address dedicated to the pool. In our laboratory, we used 172.20.16.1.
- In Range End Address: enter the last IP address dedicated to the pool. In our laboratory, we used 172.20.16.254.
- In Subnet Mask (Optional): enter the network mask associated with the pool. In our laboratory, we used 255.255.255.0.
Click on [Next >]

The Attributes Pushed to Client (Optional) window is displayed. It defines specific attributes that may be needed by applications used through the VPN. In our laboratory, we didn't use any specific attribute and so we didn't fill in any field.
Click on [Next >]

The IKE Policy window is displayed. It defines the security algorithms used for the IKE exchange.
- In Encryption: select the chosen algorithm. In our laboratory, we used 3DES.
- In Authentication: select the chosen hash algorithm. In our laboratory, we used SHA. The MD5 algorithm is still available but is considered weak.
- In DH Group: select the chosen key exchange (Diffie-Hellman) group. In our laboratory, we used DH Group 2. DH Group 1 is still available but is considered weak. DH Group 5 is also available but is not compatible with old VPN Client versions.
Click on [Next >]

The IPSec Encryption and Authentication window is displayed. It defines the algorithms protecting the IPSec tunnel itself.
- In Encryption: select the chosen algorithm. In our laboratory, we used 3DES.
- In Authentication: select the chosen hash algorithm. In our laboratory, we used SHA. The MD5 algorithm is still available but is considered weak.
Click on [Next >]

The Address Translation Exemption and Split Tunneling (Optional) window is displayed. It allows restricting visibility to all or part of the Internal Network. This is part of the security policy and is not linked to the authentication mechanism. In our laboratory, we kept the default value and left the selection list blank.
Click on [Next >]

The summary window is displayed. Click on [Finish] to validate these choices.

Modify the default RADIUS configuration
We now have to configure the port used by the Cisco ASA 5510 to communicate with the RADIUS Servers, as the default value comes from an old standard.
Using the ASDM tool:
- Select the Configuration option in the main tool bar
- Select the Properties option in the second level tool bar
- Select the AAA Setup element in the tree
- Select the AAA Server element in the sub-tree
- In Server Groups, select the targeted RADIUS Server
- In Servers in Selected Group, select the relevant entry and click on [Edit]

The Edit AAA Server window is displayed.
- In Server Authentication Port: in the RADIUS Parameters section, enter the value 1812. This is the standard value used by RADIUS Servers today. The value 1645 was used before this standard. While IAS RADIUS and Juniper Steel-Belted RADIUS accept both ports for compatibility with the old standard, it is mandatory to use port 1812 with Free RADIUS.
Note: Don't modify the other parameters. Some of them are associated with the accounting feature, but we didn't use this feature in our laboratory.

Configure Cisco VPN SSL
Cisco offers two ways to implement SSL VPN. After introducing them, we will describe step by step how to configure an SSL VPN. This description applies to both solutions.
Introducing the two types of SSL VPN
The characteristics of the two possible implementations are described below.
The Web Page based solution
The first solution is based on the generation of a home web page. This home page is the entry point for authenticated users. It offers a set of functions such as:
- A link to an internal WEB server,
- A link to open a telnet session on an internal server,
- A link to a mail server,
- A link to access Microsoft shared directories,
- Etc.
This mode is usable only with applications for which Cisco has developed a specific interface. It also has some technical restrictions that prevent the use of some applications. For example, it is not possible to dynamically open a TCP port.
The Virtual Driver based solution
This solution uses a virtual network driver that is downloaded to the client machine during the first connection. This ActiveX control, called the SSL VPN Client, encapsulates all traffic destined for the Internal Network in an SSL tunnel (https). As a result, the protection is similar to an IPSec VPN, except that no prior installation of client software is required.
Selecting the chosen solution
These two modes can coexist on the gateway, but a user cannot use both at the same time. The mode is selected by the parameter Use SSL VPN Client (see Page 29). In the following parts, the SSL VPN Client is deactivated. To activate this mode, you just have to set the parameter Use SSL VPN Client to Always or Optional (see Page 29).

Create the RADIUS server group
Before configuring the SSL VPN, we have to create a specific object to manage the RADIUS Server. This main object is a RADIUS Server Group in which we will have a single RADIUS Server object.
Note: During the configuration of the IPSec tunnel, we already created RADIUS Server groups. It is of course possible to re-use them for the SSL VPN.
Using the ASDM tool:
- Select the Configuration option in the main tool bar
- Select the Properties option in the second level tool bar
- Select the AAA Setup element in the tree
- Select the AAA Server element in the sub-tree
- In Server Groups, click on [Add]

The Edit AAA Server window is displayed.
- In Server Group: enter the name for the RADIUS Server Group. In our laboratory, we used RADIUS_IAS, RADIUS_SBR and RADIUS_FreeR.
- In Protocol: select RADIUS.
Click on [OK].

You now have to go back to the AAA Server element in the sub-tree:
- In the Server Groups section, select the previously created group
- In Servers in Selected Group, click on [Add]
The Add AAA Server window is displayed.
- In Interface Name: select the interface used by the ASA 5510 to communicate with the RADIUS Server. In our laboratory, we used the inside interface, as the RADIUS Server is located in the Internal Network.
- In Server Name or IP Address: enter the RADIUS Server IP address. In our laboratory, we used <IP IAS Address>, <IP SBR Address> and <IP FreeR Address>.
- In Server Authentication Port: enter 1812 to replace the default value 1645, which is linked to an old standard.
- In Server Secret Key: enter a value that will secure the communication with the RADIUS Server. You will have to enter the same value during the configuration of the selected RADIUS Server (Pages 42/54/59).
Note: all other parameters are options left at their default values.

Create an IP Pool
We have to create a set of IP addresses that will be assigned to the connected client machines. This is called an IP Pool.
Note: During the configuration of the IPSec VPN, we already created a pool. It is of course possible to re-use it for the SSL VPN.
Using the ASDM tool:
- Select the Configuration option in the main tool bar
- Select the VPN option in the second level tool bar
- Select the IP Address Manager element in the tree
- Select the IP Pools element in the sub-tree
- Click on [Add]
The Add IP Pool window is displayed. It defines a set of IP addresses that will be allocated to VPN Clients.
  o In Pool Name: enter a name for the pool. In our laboratory, we used ippool.
  o In Range Start Address: enter the first IP address dedicated to the pool. In our laboratory, we used 172.20.16.1.
  o In Range End Address: enter the last IP address dedicated to the pool. In our laboratory, we used 172.20.16.254.
  o In Subnet Mask (Optional): enter the network mask associated with the pool. In our laboratory, we used 255.255.255.0.
Click on [OK].

Create a Group Policy
We have to create a Group Policy that defines the way Mobile Users have access to the Internal Network.
Using the ASDM tool:
- Select the Configuration option in the main tool bar
- Select the VPN option in the second level tool bar
- Select the General element in the tree
- Select the Group Policy element in the sub-tree
- In the Group Policy section, click on [Add ] and select Internal Group Policy

The Edit Internal Group Policy window is displayed. In our laboratory, the default name was GroupPolicy1.
- Select the General tab
- In Tunneling Protocols: check only the WebVPN option
Note: all other parameters are options left at their default values.

- Select the WebVPN tab
- Select the SSL VPN Client sub-tab
- In Use SSL VPN Client: select Never.
Note: With the parameter set to Never, the SSL VPN Client will not be used, as stated in the section Selecting the chosen solution (Page 22). To activate this feature, you have to select Always or Optional. When Optional is selected, the user can choose the mode, Web page based or Driver based.
- In Keep Installer on Client System: select Yes
- In Renegotiation Method: (in Key Renegotiation Settings) select SSL
Note: All other parameters are options left at their default values.
Click on [OK]

Configure the Tunnel Group
We have to configure a Tunnel Group to associate the IP Pool and the RADIUS Group with our SSL VPN.
Using the ASDM tool:
- Select the Configuration option in the main tool bar
- Select the VPN option in the second level tool bar
- Select the General element in the tree
- Select the Tunnel Group element in the sub-tree
- In the Tunnel Group section, select the DefaultWEBVPNGroup element
- Click on [Edit]

- In the General tab, select the Client Address Assignment sub-tab
- In the Address Pools section, select the previously created IP Pool shown in Available Pools
- Click on [Add >>]
Note: The selected pool will be used to provide an IP address to the SSL VPN Client if this feature is activated.

- In the General tab, select the Authentication sub-tab
Note: This sub-tab is named AAA with software version 7.1!
- In Authentication Server Group: select the previously created RADIUS Group. In our laboratory, we used RADIUS_IAS, RADIUS_SBR and RADIUS_FreeR.
Click on [OK]

Configure the SSL VPN Client
We have to validate the SSL VPN Client version that is uploaded to the client machines.
Using the ASDM tool:
- Select the Configuration option in the main tool bar
- Select the VPN option in the second level tool bar
- Select the WebVPN element in the tree
- Select the SSL VPN Client element in the sub-tree
- Check the Enable SSL VPN Client box
- Verify that an image is available in SSL VPN Client images. In our laboratory, the default image stored in the flash memory with software version 7.2 was named sssclient-win-1.1.0.154.pkg
- If no image is available, click on [Add]

The Add SSL VPN Client Image popup is displayed.
- Click on [Browse Flash ]
- Select the chosen image
- Click on [OK]

Configure the interface with client machine
We finally have to select the interface that will be used by client machines.
Using the ASDM tool:
- Select the Configuration option in the main tool bar
- Select the VPN option in the second level tool bar
- Select the WebVPN element in the tree
- Select the WebVPN Access element in the sub-tree
- In the WebVPN Access section, select the outside interface
- Click on [Enable]
Note: all other parameters are options left at their default values.
Click on the Save option in the main tool bar to activate the SSL VPN.

Open the connection to the Intranet using SA Server
Here is how a Mobile User accesses the Internal Network using the Cisco ASA 5510 and Gemalto SA Server. We previously described two configurations: IPSec VPN and SSL VPN. On the client side, there are also two different configurations.
IPSec VPN Client
To connect to the IPSec VPN, you have to use the Cisco Systems VPN Client version 4.6.02.0011.
Note: You can also use Cisco Systems VPN Client version 4.8 or 5.0. Their configuration is similar to the one described hereafter.
Note: Client installation is not described in this document. Please refer to the Cisco documentation.
To create a new VPN Client configuration, launch the product:
- In Start, select Programs, then Cisco Systems VPN Client
- Click on VPN Client
- Click on the corresponding icon in the main tool bar to create a new entry

The VPN Client window is displayed. Configure the client by filling in the following fields:
  o In Connection Entry: enter a name. In our laboratory, we used 192.168.1.1.
  o In Host: enter the <IP Cisco ASA 5510 External Address>. This is the only address that is visible on the External Network.
  o In the Authentication tab, select Group Authentication
    - In Name: enter the Tunnel Group name you previously created (see Page 11)
    - In Password: and in Confirm Password: enter the value you gave previously for the Pre-shared Key (see Page 11)
  o Click on [Save]
The new configuration is now available in the VPN Client.

To connect to the Internal Network:
- Double-click on this configuration or click on the Connect option in the main tool bar to start the connection.
A pop-up is displayed:
  o In Username: enter the name associated with a Mobile User as it is defined in the LDAP (Active Directory).
  o In Password: enter a value made by the concatenation of the 6 OTP digits with the LDAP password.
Click on [OK]
If your authentication is successful, you are connected to the Internal Network and the VPN Client connection icon is visible in the Windows task bar.

SSL VPN Client
To connect to the SSL VPN, you just need a WEB browser.
Note: We used a standard computer running XP SP2. The account used was a standard user account without administrator privileges.
To connect to the Internal Network:
- Launch your preferred WEB browser (IE, Firefox, etc.)
- In the address field, enter https://<IP Cisco ASA 5510 External Address>
- In Username: enter the name associated with a Mobile User as it is defined in the LDAP (Active Directory).
- In Password: enter a value made by the concatenation of the 6 OTP digits with the LDAP password.
Click on [Login]

If your authentication is successful, you are connected and have access to the SSL VPN home page. This page can be customized through the ASA 5510 configuration tool.

Note: The following icons are always visible in the browser and provide shortcuts to usual operations.

Appendix 1: Configure an IAS RADIUS Server with SA Server

We used the IAS server version embedded in Windows Server 2003 SP1.

IAS RADIUS prerequisites

The IAS RADIUS installation is not described in this document. It is presumed to be already done.

Check IAS RADIUS Server domain

The IAS RADIUS server must be part of the AD Domain, as IAS RADIUS has to check that each Mobile User has an account in the directory. You can check that the IAS RADIUS server and the AD Domain are part of the same domain using the following process:
- Right-click on My Computer and select Properties
- Check in the Computer Name tab that the computer is in a domain. You can modify those parameters if needed.

Access to IAS administration

You have to:
- Click on Start and select Administrative Tools
- Select Internet Authentication Service

Add a RADIUS Client

You now have to add the Cisco ASA 5510 as a RADIUS client:
- Right-click on RADIUS Clients and select New RADIUS Client
- In Friendly name: enter a name for the Cisco ASA 5510
- In Client address (IP or DNS): enter <IP Cisco ASA 5510 Internal Address>
- Click on [Next >]
- Select RADIUS Standard for Client-Vendor:
- Enter the chosen shared secret in Shared secret: and in Confirm shared secret:. This must be the same value as the one you entered when you configured the Cisco ASA 5510 (Server Secret Key, pages 13 and 25).
- Click on [Finish] to validate those parameters.

Configure Access Policies

You have to add a new remote access policy:
- Right-click on Remote Access Policies and select New Remote Access Policy
- Click on [Next >] in the wizard window
- Select Set up a custom policy in How do you want to set up this policy? and enter a friendly name in Policy name.
- Click on [Next >]
- Click on [Add...] in the Policy Conditions window

- Select Client-IP-Address in Attribute types: and click on [Add...]
- Enter <IP Cisco ASA 5510 Internal Address> in Type a word or a wild card (for example, abc.*): and click on [OK]
- Click on [Next >]

- Select Grant remote access permission in If a connection request matches the specified conditions: and click on [Next >]
- Click on [Edit Profile...] in the profile window
- Select the Authentication tab and uncheck all boxes except Unencrypted authentication (PAP, SPAP)
Note: PAP is needed because the SA Server agent must receive the clear-text value of the Password field (the OTP digits followed by the LDAP password); with a challenge-based method the RADIUS server could not recover it. With PAP, the User-Password attribute sent from the ASA 5510 to IAS is only obfuscated with the RADIUS shared secret, so choose a strong shared secret and keep the ASA-to-IAS path on a trusted network.
- Select the Encryption tab

- Check only the No encryption box, then click on [OK]
- In the Profile window, click on [Next >]
- In the New Remote Access Policy Wizard window, click on [Finish]
The new policy is now available.

Configure Connection Request Policies

You have to add a new connection request policy:
- In Connection Request Processing, right-click on Connection Request Policies and select New Connection Request Policy
- Click on [Next >] in the wizard window
- Select A custom policy, enter a name in Policy name and click on [Next >]
- In the Policy conditions window, click on [Add...], select Client-IP-Address, click on [Add...], enter <IP Cisco ASA 5510 Internal Address>, click on [OK] and click on [Next >]
- In the Request Processing Method window, click on [Edit Profile...]
- In the Authentication tab, select Authenticate requests on this server and click on [OK]
- In the Request Processing Method window, click on [Next >]
- In the New Connection Request Policy Wizard window, click on [Finish]

The new policy is now available.

Install and configure SA Server agent for IAS

You now have to install the SA Server IAS agent on the IAS RADIUS server. This component forwards all authentication requests received by IAS to SA Server.
- Double-click on IAS_AgentSetup.exe on the IAS RADIUS server
- Click on [Next >]

- Select I accept the terms in the license agreement and click on [Next >]
- Enter <Base URL SA Server>/saserver/servlet/UserRequestServlet in Protiva Authentication Servlet URL:
Caution: During the installation, you have to replace localhost by the real IP address of SA Server. You also have to set the port if it is not the standard port 80. Don't forget to replace the proposed protiva path by saserver, as it is now the default choice used during SA Server installation.
- Click on [Next >]

- Click on [Install]
- Click on [Finish]

Restart IAS

To launch the installed agent, you now have to restart IAS. In the Internet Authentication Service window, click on the stop icon in the toolbar to stop IAS. Then click on the green arrow in the same toolbar to restart the server and take the changes into account.

Appendix 2: Configure Juniper Steel-Belted RADIUS Server

We used Juniper Steel-Belted RADIUS V6.01 on a Windows Server 2003 SP1.

SBR pre-requisites

Juniper Steel-Belted RADIUS installation is not described in this document.

Launch SBR admin portal

To open the Juniper Steel-Belted RADIUS admin portal:
- Start a browser on the following URL: https://<IP SBR address>:1812
- Click on the Launch link. A login window is displayed.
- Fill in User Name and Password using an account with administrator privileges on the Juniper Steel-Belted RADIUS server. Port is automatically filled with the default 1813 value.
- Click on [Login]

Add RADIUS Client

You now have to add the Cisco ASA 5510 as a RADIUS client:
- Right-click on RADIUS Clients and select Add
- Complete the following fields:
  o In Name: enter a friendly name for the Cisco ASA 5510
  o In IP Address: enter <IP Cisco ASA 5510 Internal Address>
  o In Shared secret: enter the same value you entered when you configured the Cisco ASA 5510 (Server Secret Key, pages 13 and 25)
  o Make sure you select - Standard Radius in Make or model:
- Click on [OK]

Install and configure SA Server agent for SBR

You now have to install the SA Server SBR agent on the Juniper Steel-Belted RADIUS server. This component forwards all authentication requests received by SBR to SA Server.

- Double-click on SBR_AgentSetup.exe on the Juniper Steel-Belted RADIUS server
- Click on [Next >]
- Select I accept the terms in the license agreement and click on [Next >]

- Select the Service folder in the SBR installation directory so that it appears in Folder name:. Usually, this is under \Program Files\Juniper Networks\Steel-Belted Radius
- Click on [Next >]
- Enter <Base URL SA Server>/saserver/servlet/UserRequestServlet in Protiva Authentication Servlet URL:
Caution: During the installation, you have to replace localhost by the real IP address of SA Server. You also have to set the port if it is not the standard port 80. Don't forget to replace the proposed protiva path by saserver, as it is now the default choice used during SA Server installation.

- Click on [Next >]
- Click on [Install]
- Click on [Finish]

Restart SBR

To launch the installed agent, you now have to restart the SBR service:
- Select Start, select Control Panel, select Administrative Tools
- Select Services

- Then right-click on Steel-Belted Radius and choose Restart

Check agent integration

To check that the installed agent is running:
- Start the Steel-Belted Radius Administrator (as presented in the Launch SBR admin portal section)
- Select Authentication Policies, then Order of Methods
- Check that Protiva SBR Agent is in Active Authentication Methods:
Note: Other authentication methods can be present in both columns according to the SBR configuration.

Appendix 3: Configure Free RADIUS Server on Linux

We used Free RADIUS V1.1.0-19.2 on a SUSE Linux Enterprise 10.

Free RADIUS pre-requisites

Free RADIUS installation is not described in this document. It is already pre-installed on this distribution and configured for some pre-defined RADIUS clients.

Add RADIUS Client

You now have to add the Cisco ASA 5510 as a RADIUS client:
- Log on to the Linux server as root
- Open clients.conf, usually located in the /etc/raddb/ directory, with a text editor
- Add a new section:

    client <IP CISCO ASA 5510 Internal Address> {
        secret = xxxxxxxxx
        shortname = CiscoASA5510
    }

  Give secret the same value as the one you entered when you configured the Cisco ASA 5510 (Server Secret Key, pages 13 and 25) and give shortname a label; this is an optional field.

Install and configure SA Server agent for Free RADIUS

You now have to install the SA Server Free RADIUS agent on the Free RADIUS server. This component forwards all authentication requests received by Free RADIUS to SA Server.
- Log on to the Linux server as root
- Open a Terminal console
- Move to the directory where the SA Server agent .rpm is located
- Stop Free RADIUS using the command: radiusd stop
  (screen shot from our laboratory machine)
- If needed, install the openssl library to use an HTTPS link with SA Server.
  (screen shot from our laboratory machine)
- Start the agent installation using the command: rpm -ivh rlm_protiva-1.2.0-1.586.rpm
  (screen shot from our laboratory machine)
Note: On a 64-bit system, you have to use rlm_protiva-1.2.0-1.x86_64.rpm.

- Open radiusd.conf, usually located in the /etc/raddb/ directory, with a text editor
- Look for the modules section and add the following elements:

    # SA Server authentication module
    protiva {
        # host: the host and port to connect to
        host = <Base URL SA Server>
        # url: path to the servlet on the host machine
        url = /saserver/servlet/userrequestservlet
        # securitylevel: security level to be used
        #   1 = no SSL
        #   2 = with SSL
        securitylevel = 1
        # certfile: certificate file to be used
        # you must specify a certfile if using SSL
        certfile = /usr/local/etc/raddb/tomcat.pem
        # openssl time out in seconds
        openssltimeout = 5
    }

  (screen shot from our laboratory machine)
- Look for the authenticate section and add the following element:

    Auth-Type protiva {
        protiva
    }

- Save radiusd.conf
- Open users, usually located in the /etc/raddb/ directory, with a text editor
- Look for the following section:

    DEFAULT Auth-Type = System
            Fall-Through = 1

  Add an additional Auth-Type before those lines to obtain:

    DEFAULT Auth-Type = protiva
            Fall-Through = Yes
    DEFAULT Auth-Type = System
            Fall-Through = 1

Restart Free RADIUS

Then restart Free RADIUS using the command: radiusd start
(screen shot from our laboratory machine)
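As an added check that is not part of this application note or of the SA Server agent, the following Python snippet parses clients.conf and radiusd.conf blocks of the shape shown above and flags a placeholder shared secret or a protiva module that still points at localhost or forwards the OTP and password to SA Server without SSL. The sample fragments, the host name and the 16-character minimum for the secret are constructed assumptions.

```python
import re
# Constructed sample fragments in the shape of the appendix's additions (placeholder values).
CLIENTS_CONF = """
client 10.0.0.2 {
    secret = xxxxxxxxx
    shortname = CiscoASA5510
}
"""
PROTIVA_MODULE = """
protiva {
    host = saserver.example.internal
    url = /saserver/servlet/userrequestservlet
    securitylevel = 2
    # certfile is required when securitylevel = 2
}
"""
# name [label] { body }; body is non-greedy so one block stops at its own '}'
BLOCK_RE = re.compile(r"(\w+)\s+([^\s{]+)?\s*\{(.*?)\}", re.S)

def parse_blocks(text):
    """Return [(name, label, {key: value})] per block, ignoring '#' comments."""
    blocks = []
    for name, label, body in BLOCK_RE.findall(text):
        entries = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()
            if "=" in line:
                key, value = (part.strip() for part in line.split("=", 1))
                entries[key] = value
        blocks.append((name, label, entries))
    return blocks

def check_client(entries):
    """Flag a RADIUS client whose shared secret is absent, a placeholder or short."""
    secret = entries.get("secret", "")
    if not secret or secret.strip("x") == "":
        return ["secret is missing or still the xxxxxxxxx placeholder"]
    return ["secret is shorter than 16 characters"] if len(secret) < 16 else []

def check_protiva(entries):
    """Flag settings that weaken the RADIUS-to-SA Server leg."""
    issues = []
    if entries.get("host", "").startswith("localhost"):
        issues.append("host still points at localhost")
    level = entries.get("securitylevel")
    if level == "1":
        issues.append("securitylevel = 1: OTP+password forwarded to SA Server without SSL")
    elif level == "2" and "certfile" not in entries:
        issues.append("securitylevel = 2 but no certfile is configured")
    return issues
```

Run it against the real /etc/raddb/clients.conf and the protiva block of radiusd.conf after editing them; a non-empty list from either check is a setting to fix before restarting Free RADIUS.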

Appendix 4: Active Directory configuration

Mobile Users must be part of the AD Domain. You can check this using the following process:
- Click on Start, select Control Panel and select Administrative Tools
- Select Active Directory Users and Computers

Mobile Users must also have the Remote Access Permission. You can check this using the following process:
- Click on Users, right-click on the target user and select Properties
- Select the Dial-in tab and check the Allow access box in the Remote Access Permission section.