Network Policy Server (NPS) & Routing and Remote Access Service (RRAS)




Network Policy Server (NPS) & Routing and Remote Access Service (RRAS) Implementation Guide (Version 5.7)
Copyright 2013 Deepnet Security Limited. All Rights Reserved.

Trademarks
Deepnet Unified Authentication, MobileID, QuickID, PocketID, SafeID, GridID, FlashID, SmartID, TypeSense, VoiceSense, MobilePass, DevicePass, RemotePass and Site Stamp are trademarks of Deepnet Security Limited. All other brand names and product names are trademarks or registered trademarks of their respective owners.

Copyrights
Under international copyright law, neither the Deepnet Security software nor its documentation may be copied, reproduced, translated or reduced to any electronic medium or machine-readable form, in whole or in part, without the prior written consent of Deepnet Security.

Licence Conditions
Please read your licence agreement with Deepnet carefully and make sure you understand the exact terms of usage, in particular for which projects, on which platforms and at which sites you are allowed to use the product. You are not allowed to make any modifications to the product. If you feel the need for any modifications, please contact Deepnet Security.

Disclaimer
This document is provided as is without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the document. Deepnet Security may make improvements of and/or changes to the product described in this document at any time.

Contact
If you wish to obtain further information on this product or any other Deepnet Security products, you are always welcome to contact us.
Deepnet Security Limited, Building 3, North London Business Park, Oakleigh Road South, London N11 1GN, United Kingdom
Tel: +44(0)20 3668 1580
Fax: +44(0)20 8446 3182
Web: www.deepnetsecurity.com
Email: support@deepnetsecurity.com

Table of Contents
1. Overview
2. Prerequisites
3. DualShield Configuration
   3.1 Create a RADIUS logon procedure
   3.2 Create a RADIUS application
   3.3 Register Network Policy Server as a RADIUS Client
4. NPS Configuration
   4.1 Create a RADIUS Client
   4.2 Create a Remote RADIUS Server Group
   4.3 Create a Connection Request Policy
   4.4 Create a Network Policy
5. RAS Configuration
6. Dial-up Client Configuration
7. Authentication Test

1. Overview

This document describes how to integrate the Microsoft Windows Routing and Remote Access Service, via Network Policy Server, with the DualShield unified authentication platform in order to add two-factor authentication to remote access to the internal corporate network.

The DualShield unified authentication platform includes a fully compliant RADIUS server, the DualShield Radius Server. DualShield provides a wide selection of portable OTP tokens in a variety of form factors, ranging from hardware tokens, software tokens and mobile tokens to USB tokens. These include:
- Deepnet SafeID
- Deepnet MobileID
- Deepnet GridID
- Deepnet CryptoKey
- RSA SecurID
- VASCO DigiPass Go
- OATH-compliant OTP tokens

In addition to one-time passwords, DualShield also supports on-demand passwords for RADIUS authentication. The product that provides on-demand passwords in the DualShield platform is Deepnet T-Pass. Deepnet T-Pass is an on-demand, token-less strong authentication product that delivers logon passwords via SMS text message, phone call, Twitter direct message or email.

The complete solution consists of the following components:
- DualShield Authentication Server
- DualShield Radius Server
- Microsoft Network Policy Server
- VPN Gateway (Routing and Remote Access Service)
- VPN Client

2. Prerequisites

It is assumed that Network Policy Server and the Routing and Remote Access Service have already been set up and are operating. You must have the DualShield Authentication Server and DualShield Radius Server installed and operating. For the installation, configuration and administration of the DualShield Authentication Server and Radius Server, please refer to the following documents:
- DualShield Authentication Platform - Installation Guide
- DualShield Authentication Platform - Quick Start Guide
- DualShield Authentication Platform - Administration Guide
- DualShield Radius Server Installation Guide

3. DualShield Configuration

3.1 Create a RADIUS logon procedure
1. Log in to the DualShield Management Console
2. In the main menu, select "Authentication > Logon Procedure"
3. Click the "Create" button on the toolbar
4. Enter a name and select "RADIUS" as the type
5. Click "Save"
6. Click the context menu icon of the newly created logon procedure and select "Logon Steps"
7. In the popup window, click the "Create" button on the toolbar
8. Select the desired authenticator, e.g. "Static Password + One-Time Password"
9. Click "Save"

3.2 Create a RADIUS application
1. In the main menu, select "Authentication > Applications"
2. Click the "Create" button on the toolbar
3. Enter a name and select a realm
4. Select the newly created logon procedure
5. Click "Save"
6. Click the context menu of the newly created application and select "Agent". Select your DualShield Radius Server, e.g. "win2004x86-radius"
7. Click "Save" and use the "Self-Test" function to verify that the application is correctly set up and ready

3.3 Register Network Policy Server as a RADIUS Client
1. In the main menu, select "RADIUS Client"
2. Click the "Register" button on the toolbar
3. Select the application that was created in the previous steps
4. Enter the Network Policy Server's IP address in the IP address field
5. Enter the shared secret; the same value must later be entered in Network Policy Server for the remote RADIUS server (section 4.2). Use a long, random secret: the RADIUS shared secret is all that protects the forwarded passcode and authenticates the server's replies
6. Click "Save"

4. NPS Configuration

4.1 Create a RADIUS Client
This registers the RRAS server as a RADIUS client of NPS, so that NPS accepts its requests.
1. Right-click "RADIUS Clients" and select "New"
2. Enter the RRAS server's IP address in the Address field, e.g. "192.168.1.104"
3. Enter the shared secret; the same value is entered on the RRAS server in section 5
4. Click "OK"

4.2 Create a Remote RADIUS Server Group
1. Right-click "Remote RADIUS Server Groups" and select "New"
2. Name the group, e.g. "DualShield Radius Server Group", and click "Add"
3. On the "Address" tab, enter the name or IP address of the DualShield Radius Server
4. On the "Authentication/Accounting" tab, enter the shared secret registered in DualShield in section 3.3
5. On the "Load Balancing" tab, set the priority and weight and click "OK"

4.3 Create a Connection Request Policy
1. Create a new connection request policy, e.g. "DualShield Radius Connection Policy"
2. Set the type of network access server to "Remote Access Server (VPN-Dial up)" and click "Next"
3. A policy needs at least one condition. Add the condition "Day and Time Restrictions", select "Permitted" for the hours during which connections are allowed, then click "OK" and "Next"
4. Under Authentication, select "Forward requests to the following remote RADIUS server group for authentication" and select the newly created group "DualShield Radius Server Group"
5. Click "Next" and "Finish"

With this policy in place NPS acts as a RADIUS proxy: the accept or reject decision for each VPN logon is made by the DualShield Radius Server, not by NPS. Check that the new policy is processed before the default "Use Windows authentication for all users" policy; NPS evaluates connection request policies in order, and the default policy matches every request and would authenticate against Windows alone, bypassing DualShield.

4.4 Create a Network Policy
1. Create a new network policy, e.g. "DualShield Radius Network Policy"
2. Set the type of network access server to "Remote Access Server (VPN-Dial up)" and click "Next"
3. Add the condition "Day and Time Restrictions", select "Permitted" for the hours during which connections are allowed, then click "OK" and "Next"
4. Specify the access permission ("Access granted") and click "Next"
5. Select the authentication methods. If the passcode includes the AD password, "Unencrypted authentication (PAP, SPAP)" must be enabled; see the note in section 7
6. Click "Next" and "Finish"

5. RAS Configuration
1. In the Routing and Remote Access console, right-click the server node and select "Properties"
2. On the "Security" tab, set the Authentication provider to "RADIUS Authentication" and click "Configure"
3. Click "Add" and enter the server name, i.e. the host name or IP address of the NPS server, e.g. "192.168.1.108", together with the shared secret that was entered for this RRAS server as a RADIUS client in NPS (section 4.1). Click "OK"
4. Click "Authentication Methods", select the authentication methods and click "OK". Enable "Unencrypted password (PAP)" if the passcode includes the AD password (see the note in section 7)
5. Click "OK" to close the properties dialog

6. Dial-up Client Configuration
1. Launch the Remote Access (VPN or dial-up) client
2. Click "Properties" and select the "Security" tab
3. Select the appropriate "Data encryption" option from the dropdown list
4. Under the allowed protocols, check "Unencrypted password (PAP)"

Note: PAP carries no key material for MPPE, so a PPTP connection authenticated with PAP cannot encrypt its data. If "Require encryption" is selected the connection will fail, and with "Optional encryption" the tunnel will carry traffic in the clear. When PAP is required (see section 7), use a tunnel type whose encryption does not depend on the PPP authentication method, such as L2TP/IPsec, SSTP or IKEv2.

7. Authentication Test
1. Enter the username, e.g. "demo.test"
2. Enter the passcode, e.g. "Password123456" (for "Static Password + One-Time Password" this is the AD password immediately followed by the OTP)

Note: CHAP and MS-CHAPv2 are not supported when the passcode consists of, or includes, the AD password (static password). With CHAP and MS-CHAPv2 the client sends only a hash computed over the password and a challenge, never the password itself, so the DualShield Radius Server cannot recover the passcode, cannot separate the static password from the one-time password, and cannot check the static part against an external AD or LDAP server whose password it does not hold. In other words, if the User Directory or Identity Source of a VPN application is an external AD or LDAP server and the passcode is "Static Password", "One-Time Password + Static Password" or "Static Password + One-Time Password", then CHAP and MS-CHAPv2 cannot be used and PAP is required. If you have to use CHAP or MS-CHAPv2, then either the passcode must not include the AD password, or the User Directory or Identity Source of the VPN application must be created in DualShield's internal SQL Server, where the server holds the static password itself and can compute the expected response.

With PAP the passcode is protected in transit only by the RFC 2865 User-Password hiding, which is keyed by the RADIUS shared secret, so restrict RADIUS clients by IP address, use long random shared secrets, and keep the RRAS-to-NPS and NPS-to-DualShield traffic on a trusted network segment or inside IPsec.
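The following is an added illustration, written for this edit and not code from Deepnet, Microsoft or the original guide. It models the RADIUS exchange that sections 3.3 and 4.1 to 4.3 set up (an Access-Request carrying the "Static Password + One-Time Password" passcode as a PAP User-Password, and the Access-Accept whose Response Authenticator the proxy checks against the shared secret) and the point of the note in section 7: a server that does not hold the static password can verify a PAP passcode by binding to AD with the recovered cleartext, but can do nothing with a CHAP response. The user names, passwords, OTP values, shared secret and NAS address are constructed, the OTP is assumed to be the last six characters of the passcode, and the _ad_bind method stands in for a real LDAP bind.

```python
"""Added illustration (not Deepnet or Microsoft code): a RADIUS PAP exchange of the
kind NPS forwards to the DualShield Radius Server, and the CHAP case that only
works when the server itself holds the static password. Names, secrets and OTPs
are constructed; the OTP is assumed to be the last six characters of the passcode."""
import hashlib
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, NAS_IP_ADDRESS, CHAP_CHALLENGE = 1, 2, 3, 4, 60


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: each 16-byte block is XORed with MD5(secret | previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; anyone holding the shared secret can do this."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def decode(packet: bytes):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        t, ln = packet[pos], packet[pos + 1]
        attrs[t] = packet[pos + 2:pos + ln]
        pos += ln
    return code, ident, packet[4:20], attrs


def response_auth(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    return hashlib.md5(encode(code, ident, request_auth, attrs) + secret).digest()


def pap_request(user: str, passcode: str, secret: bytes, ident: int = 1) -> bytes:
    """NAS/proxy side, PAP: the whole passcode travels hidden but recoverable."""
    auth = secrets.token_bytes(16)  # random Request Authenticator
    attrs = [(USER_NAME, user.encode()),
             (USER_PASSWORD, hide_password(passcode.encode(), secret, auth)),
             (NAS_IP_ADDRESS, bytes([192, 168, 1, 108]))]  # constructed NPS address
    return encode(ACCESS_REQUEST, ident, auth, attrs)


def chap_request(user: str, passcode: str, secret: bytes, ident: int = 2) -> bytes:
    """NAS/proxy side, CHAP: only MD5(id|passcode|challenge) is sent, never the passcode."""
    chap_id, challenge = b"\x07", secrets.token_bytes(16)
    resp = hashlib.md5(chap_id + passcode.encode() + challenge).digest()
    attrs = [(USER_NAME, user.encode()), (CHAP_PASSWORD, chap_id + resp),
             (CHAP_CHALLENGE, challenge)]
    return encode(ACCESS_REQUEST, ident, secrets.token_bytes(16), attrs)


class OtpRadiusServer:
    """Minimal 'static password + one-time password' server. A record with static=None
    models an external AD/LDAP identity source: the server never holds that password
    and can only test it by binding with the cleartext."""

    def __init__(self, secret: bytes, users: dict, otp_len: int = 6):
        self.secret, self.users, self.otp_len = secret, users, otp_len

    def _ad_bind(self, user: str, password: str) -> bool:  # stand-in for an LDAP bind
        return self.users[user]["ad_password"] == password

    def handle(self, packet: bytes) -> bytes:
        code, ident, req_auth, attrs = decode(packet)
        user = attrs.get(USER_NAME, b"").decode("utf-8", "replace")
        rec, ok = self.users.get(user), False
        if rec and USER_PASSWORD in attrs:
            passcode = reveal_password(attrs[USER_PASSWORD], self.secret, req_auth)
            passcode = passcode.decode("utf-8", "replace")  # garbage if secrets differ
            static, otp = passcode[:-self.otp_len], passcode[-self.otp_len:]
            static_ok = (rec["static"] == static if rec["static"] is not None
                         else self._ad_bind(user, static))
            ok = static_ok and secrets.compare_digest(otp.encode(), rec["otp"].encode())
        elif rec and CHAP_PASSWORD in attrs and rec["static"] is not None:
            chap_id, resp = attrs[CHAP_PASSWORD][:1], attrs[CHAP_PASSWORD][1:]
            expected = hashlib.md5(chap_id + (rec["static"] + rec["otp"]).encode()
                                   + attrs[CHAP_CHALLENGE]).digest()
            ok = secrets.compare_digest(resp, expected)
        # CHAP for an external-AD user falls through: no cleartext, nothing to hash.
        code = ACCESS_ACCEPT if ok else ACCESS_REJECT
        return encode(code, ident, response_auth(code, ident, req_auth, [], self.secret), [])


def accepted(request: bytes, response: bytes, secret: bytes) -> bool:
    """NAS side: an Accept only counts if its Response Authenticator matches the shared secret."""
    _, _, req_auth, _ = decode(request)
    code, ident, resp_auth, attrs = decode(response)
    expected = response_auth(code, ident, req_auth, list(attrs.items()), secret)
    return secrets.compare_digest(resp_auth, expected) and code == ACCESS_ACCEPT


# Constructed directory: demo.test lives in an external AD, sql.user in DualShield's own DB.
USERS = {
    "demo.test": {"static": None, "ad_password": "Password123", "otp": "456789"},
    "sql.user": {"static": "Sql!pass", "ad_password": None, "otp": "111222"},
}

if __name__ == "__main__":
    srv = OtpRadiusServer(b"s3cret", USERS)
    req = pap_request("demo.test", "Password123456789", b"s3cret")
    print("PAP, external AD user:", accepted(req, srv.handle(req), b"s3cret"))
    req = chap_request("demo.test", "Password123456789", b"s3cret")
    print("CHAP, external AD user:", accepted(req, srv.handle(req), b"s3cret"))
```

Running it accepts the external-AD user over PAP and rejects the same user over CHAP, while a CHAP request for sql.user, whose static password the server holds, is accepted; a request hidden under a different shared secret decodes to garbage and is rejected, and its reply fails the Response Authenticator check on the proxy side.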