Implementation Guide for protecting a WatchGuard Firebox with BlackShield ID


Implementation Guide for protecting a WatchGuard Firebox with BlackShield ID

Copyright 2009 CRYPTOCard Inc. http://www.cryptocard.com

Copyright

Copyright 2009, CRYPTOCard. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of CRYPTOCard.

Trademarks

BlackShield ID, BlackShield ID SBE and BlackShield ID Pro are either registered trademarks or trademarks of CRYPTOCard Inc. All other trademarks and registered trademarks are the property of their owners.

Additional Information, Assistance, or Comments

CRYPTOCard's technical support specialists can provide assistance when planning and implementing CRYPTOCard in your network. In addition to aiding in the selection of the appropriate authentication products, CRYPTOCard can suggest deployment procedures that provide a smooth, simple transition from existing access control systems and a satisfying experience for network users. We can also help you leverage your existing network equipment and systems to maximize your return on investment.

CRYPTOCard works closely with channel partners to offer worldwide Technical Support services. If you purchased this product through a CRYPTOCard channel partner, please contact your partner directly for support needs.

To contact CRYPTOCard directly:
International Voice: +1-613-599-2441
North America Toll Free: 1-800-307-7042
support@cryptocard.com

For information about obtaining a support contract, see our Support Web page at http://www.cryptocard.com.

Related Documentation

Refer to the Support & Downloads section of the CRYPTOCard website for additional documentation and interoperability guides: http://www.cryptocard.com.

Publication History

Date              Changes                  Version
January 26, 2009  Document created         1.0
July 9, 2009      Copyright year updated   1.1

BlackShield ID implementation guide for WatchGuard Firebox i

Table of Contents

Overview ... 1
  Applicability ... 1
  Assumptions ... 1
Operation ... 2
  Preparation and Prerequisites ... 2
Configuring the WatchGuard Firebox ... 2
  Step 1: Enable RADIUS Authentication ... 2
  Step 2: Add a Firebox group for Mobile VPN Users (IPSec or SSL) ... 3
  Step 3: Add a RADIUS Filter-Id to the RADIUS Server ... 4
    Internet Authentication Service (IAS) with BlackShield Agent enabled ... 4
    Network Policy Server (NPS) with BlackShield Agent enabled ... 4
Troubleshooting ... 6
  Failed Logons ... 6

Overview

By default the WatchGuard Firebox requires that a user provide a correct user name and password to successfully log on. This document describes the steps necessary to augment this logon mechanism with strong authentication by adding a requirement to provide a one-time password generated by a CRYPTOCard token, using the instructions below.

BlackShield ID Pro works in conjunction with the WatchGuard Firebox to replace static passwords with strong two-factor authentication that prevents the use of lost, stolen, shared, or easily guessed passwords when establishing a tunnel to gain access to protected resources:

1. Using the Firebox MUVPN Client, the user establishes a connection using his/her logon name and CRYPTOCard token-generated one-time password.
2. The WatchGuard Firebox passes the authentication information via RADIUS to the BlackShield ID Pro Internet Authentication Service (IAS) or Network Policy Server (NPS) agent, which is configured to communicate with the BlackShield ID Pro Server.
3. The BlackShield ID Pro Server verifies the username and password, and an Access-Accept message is returned to the WatchGuard Firebox, allowing the user to access the network.

Applicability

This integration guide is applicable to:

Security Partner Information
Security Partner   Product Name and Version   Protection Category
WatchGuard         WatchGuard Firebox         Remote Access

CRYPTOCard Server
Authentication Server   Version
BlackShield ID          Small Business Edition 1.2+
                        Professional Edition 2.3+

Assumptions

BlackShield ID has been installed and configured, and a test user account can be selected in the Assignment tab.

Operation

BlackShield ID Pro works in conjunction with the WatchGuard Firebox to replace static passwords with strong two-factor authentication that prevents the use of lost, stolen, shared, or easily guessed passwords when establishing a tunnel to gain access to protected resources:

1. Using the Firebox MUVPN Client, the user establishes a connection using his/her logon name and CRYPTOCard token-generated one-time password.
2. The WatchGuard Firebox passes the authentication information via RADIUS to the BlackShield ID Pro Internet Authentication Service (IAS) or Network Policy Server (NPS) agent, which is configured to communicate with the BlackShield ID Pro Server.
3. The BlackShield ID Pro Server verifies the username and password, and an Access-Accept message is returned to the WatchGuard Firebox, allowing the user to access the network.

Preparation and Prerequisites

The following must be installed and operational prior to configuring the WatchGuard Firebox to use CRYPTOCard authentication:

1. Ensure end users can authenticate through the WatchGuard Firebox with a static password before configuring the WatchGuard Firebox to use RADIUS authentication.
2. BlackShield Pro server installed and a user account assigned with a CRYPTOCard token.
3. BlackShield Agent for Internet Authentication Service (IAS) or Network Policy Server (NPS).

Configuring the WatchGuard Firebox

Configuring the WatchGuard Firebox consists of 3 steps:

Step 1: Enable RADIUS authentication
Step 2: Add a Firebox group
Step 3: Add a RADIUS Filter-Id to the RADIUS Server

Step 1: Enable RADIUS Authentication

1. Connect to the Firebox System Status page: type https:// in a web browser followed by the IP address of the Firebox trusted interface.
2. Select Firebox Users, Settings.

3. Select the RADIUS tab, then place a checkmark in Enable RADIUS Authentication.
4. In the RADIUS server IP address field, type the IP address of the RADIUS server. In the RADIUS server port field, enter 1812. In the RADIUS server secret field, enter the shared secret between the Firebox and the RADIUS server. In RADIUS timeout, enter 10 seconds. The shared secret between the Firebox and the RADIUS server is case-sensitive.

Step 2: Add a Firebox group for Mobile VPN Users (IPSec or SSL)

Once RADIUS authentication has been enabled, a Firebox group must be added to the WatchGuard Firebox setup so users can properly authenticate using a CRYPTOCard token.

1. Connect to the Firebox System Status page: type https:// in a web browser followed by the IP address of the Firebox trusted interface.
2. Select Firebox Users, New Group.
3. In the Settings tab, type the Account Name for the group.
4. Select the MUVPN tab, then click Enable Mobile VPN with IPSec or Enable Mobile VPN with SSL.
5. Type a shared key in the Shared key field. The Shared key is used to encrypt the .wgx file for the MUVPN clients. It is not the Shared Secret used between the Firebox and the RADIUS server.
6. If necessary, select All traffic uses tunnel if the remote client sends all traffic through the VPN tunnel.
7. Enter a starting and ending IP address in the Virtual IP address range.
8. Click Submit.

Step 3: Add a RADIUS Filter-Id to the RADIUS Server

A Filter-Id must be added to the RADIUS server configuration so users can properly authenticate using a CRYPTOCard token.

Internet Authentication Service (IAS) with BlackShield Agent enabled

1. Under Administrative Tools, launch Internet Authentication Service.
2. Expand Connection Request Processing, then highlight Connection Request Policies.
3. Right-click the BlackShield entry (by default "Allow all users to authenticate with BlackShield") and select Properties.
4. Click Edit Profile, then select the Advanced tab.
5. Click Add. In the Add Attribute dialog, highlight Filter-Id, then select Add.
6. In the Attribute Values section, select Add.
7. Select String beside "Enter the attribute value in:".
8. In the text box, enter the WatchGuard Firebox MUVPN group name.
9. Click OK to apply the setting.

Network Policy Server (NPS) with BlackShield Agent enabled

1. Under Administrative Tools, launch Network Policy Server.
2. Expand Policies, then highlight Connection Request Policies.
3. Right-click the BlackShield entry (by default "Allow all users to authenticate with BlackShield") and select Properties.
4. Select the Settings tab, highlight RADIUS Attributes Standard, then select Add.
5. Under Access type, select All. In the Attributes section, highlight Filter-Id, then click Add.
6. In the Attribute Information dialog, select Add.

7. Select String below "Enter the attribute value in:".
8. In the text box, enter the WatchGuard Firebox MUVPN group name.
9. Click OK to apply the setting.
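The three configuration steps above hang together at the RADIUS protocol level: the Firebox builds an Access-Request carrying the user name and the token OTP (hidden with the shared secret from Step 1), the IAS/NPS agent answers with an Access-Accept whose Filter-Id attribute carries the MUVPN group name from Step 3, and the Firebox only trusts that answer if the Response Authenticator checks out under the same case-sensitive secret. The following is an added example, not code from CRYPTOCard or WatchGuard: a pure-Python model of that exchange following RFC 2865, with both sides in one process so it runs offline. The user name, OTP value, secrets and group name are constructed for illustration; the attribute numbers are the RFC's.

```python
# Added example, not CRYPTOCard's or WatchGuard's code: a pure-Python model of the
# RFC 2865 RADIUS exchange between the Firebox (the RADIUS client) and the IAS/NPS
# agent. User names, OTP values, shared secrets and the group name are constructed.
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types as numbered in RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID = 1, 2, 4, 11


def encode_attrs(pairs):
    """Serialise (type, value) pairs as RADIUS TLVs: type, total length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)

def decode_attrs(data):
    """Parse RADIUS TLVs; a length under 2 would never advance, so reject it."""
    pairs, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        pairs.append((t, data[i + 2:i + length]))
        i += length
    return pairs

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    raw = password.encode()
    raw += b"\0" * (-len(raw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(raw), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(raw[i:i + 16], block))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; a wrong secret yields garbage rather than an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0").decode("utf-8", "replace")

def build_access_request(ident, username, otp, secret, nas_ip=b"\x0a\x00\x00\x01"):
    """What the Firebox sends to UDP/1812: header, random Request Authenticator, attributes."""
    request_auth = os.urandom(16)
    attrs = encode_attrs([(USER_NAME, username.encode()),
                          (USER_PASSWORD, hide_password(otp, secret, request_auth)),
                          (NAS_IP_ADDRESS, nas_ip)])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def response_is_authentic(resp, request_auth, secret):
    """The Firebox recomputes the Response Authenticator; a secret mismatch fails here."""
    want = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(want, resp[4:20])

def radius_server(packet, secret, users, group_name):
    """Stand-in for the IAS/NPS agent: verify the OTP, return Filter-Id on success."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    username = attrs.get(USER_NAME, b"").decode("utf-8", "replace")
    otp = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    if code == ACCESS_REQUEST and users.get(username) == otp:
        reply = encode_attrs([(FILTER_ID, group_name.encode())])  # the Step 3 attribute
        return build_response(ACCESS_ACCEPT, ident, request_auth, reply, secret)
    return build_response(ACCESS_REJECT, ident, request_auth, b"", secret)

def firebox_login(username, otp, firebox_secret, server_secret, users, group_name):
    """Run one exchange; returns (outcome, filter_id) as the Firebox would see it."""
    ident = 7  # constructed; a real client varies this per outstanding request
    request = build_access_request(ident, username, otp, firebox_secret)
    request_auth = request[4:20]
    response = radius_server(request, server_secret, users, group_name)
    if response[1] != ident or not response_is_authentic(response, request_auth, firebox_secret):
        return "unverifiable", None  # RFC 2865 says to silently discard such a reply
    filter_id = dict(decode_attrs(response[20:])).get(FILTER_ID)
    outcome = "accept" if response[0] == ACCESS_ACCEPT else "reject"
    return outcome, filter_id.decode() if filter_id else None

if __name__ == "__main__":
    users, secret = {"alice": "38271465"}, b"S3cret-Example"  # constructed test data
    print(firebox_login("alice", "38271465", secret, secret, users, "MUVPN-Users"))
    print(firebox_login("alice", "38271465", b"s3cret-example", secret, users, "MUVPN-Users"))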


Troubleshooting When troubleshooting issues setting up RADIUS authentication on a WatchGuard Firebox, it may be helpful to refer to the Firebox logs or the WatchGuard Log Server. Refer to the Firebox documentation for details. All logging information for Internet Authentication Service (IAS) or Network Policy Server (NPS) can be found in the Event Viewer. All logging information for the BlackShield IAS\NPS agent can be found in the \Program Files\CRYPTOCard\BlackShield ID\IAS Agent\log directory. Failed Logons The following is an explanation of the logging messages that may appear in the event viewer for the Internet Authentication Service (IAS) or Network Policy Server (NPS) RADIUS Server. Error Message: Solution: Packet DROPPED: A RADIUS message was received from an invalid RADIUS client. Verify a RADIUS client entry exists on the RADIUS server. Error Message: Solution: Authentication Rejected: Unspecified This will occur when one or more of the following conditions occur: The username does not correspond to a user on the BlackShield Server. The CRYPTOCard password does not match any tokens for that user. The shared secret entered in Cisco Secure ACS does not match the shared secret on the RADIUS server Error Message: Solution: Authentication Rejected: The request was rejected by a third-party extension DLL file. This will occur when one or more of the following conditions occur: The BlackShield Agent for IAS\NPS cannot contact the BlackShield Server. The Pre-Authentication Rules on the BlackShield server do not allow incoming requests from the BlackShield Agent for IAS\NPS. The BlackShield Agent for IAS\NPS Keyfile does not match the Keyfile stored on the BlackShield Server. The username does not correspond to a user on the BlackShield Server The CRYPTOCard password does not match any tokens for that user. BlackShield ID implementation guide for WatchGuard Firebox 6