ZyWALL OTP One-Time Password Authentication Support Notes
Revision 1.00
September, 2007
INDEX
1. Introduction ... 4
2. Authentication Server (ASAS) Management ... 6
2.1. ASAS Installation ... 6
2.2. Upgrading ASAS Database File ... 16
2.3. Authentication Server (ASAS) Un-Installation ... 19
3. OTP Authentication to an OTP-protected Network via SSL VPN over ZyWALL 1050/USG 300 ... 24
3.1. ZyWALL 1050/USG 300 Configuration ... 24
3.2. ASAS Server Configuration ... 28
3.3. Verify OTP via Login from the Remote PC ... 33
4. OTP Authentication to an OTP-protected Network via SSL VPN over ZyWALL SSL10 ... 35
4.1. ZyWALL SSL 10 Configuration ... 35
4.2. ASAS Server Configuration ... 38
4.3. Verify OTP via Login from Remote PC ... 45
5. OTP Authentication to an OTP-protected Network via IPSec VPN Client over the ZyWALL with ZLD Platform ... 47
5.1. ZyWALL 1050/USG 300 Configuration ... 47
5.2. ASAS Server Configuration ... 51
5.3. ZyWALL IPSec VPN Client Configuration ... 57
5.4. Verify OTP via Login from the VPN Client ... 60
6. OTP Authentication to an OTP-protected Network via IPSec VPN Client (SafeNet) over the ZyWALL with ZLD Platform ... 63
6.1. ZyWALL 1050/USG 300 Configuration ... 64
6.2. ASAS Server Configuration ... 67
6.3. ZyWALL IPSec VPN Client Configuration ... 73
6.4. Verify OTP via Login from the VPN Client ... 76
7. OTP Authentication to an OTP-protected Network via IPSec VPN Client over the ZyWALL with ZyNOS Platform ... 78
7.1. ZyWALL 35 Configuration ... 78
7.2. ASAS Server Configuration ... 81
7.3. ZyWALL IPSec VPN Client Configuration ... 87
7.4. Verify OTP via Login from the VPN Client ... 90
8. OTP Authentication to an OTP-protected Network via IPSec VPN Client (SafeNet) over the ZyWALL with ZyNOS Platform ... 93
8.1. ZyWALL 35 Configuration ... 93
8.2. ASAS Server Configuration ... 96
8.3. ZyWALL IPSec VPN Client Configuration ... 102
8.4. Verify OTP via Login from the VPN Client ... 105
1. Introduction

Using Two-factor Authentication to Provide Stronger Password Security

Two-Factor Authentication
Two-factor authentication is an optimum security methodology, because it requires something you have (your ZyWALL OTP Token) and something you know (your secure password or PIN). A two-factor system is far more secure than using just a password, since many skilled hackers can quite easily access password-only protected computers and networks. ZyXEL OTP, which includes ASAS (Authenex Strong Authentication System) and the ZyWALL OTP Token, provides secure verification of identity to remote Virtual Private Network (VPN) and Local Area Network (LAN) users.

One-Time Password (OTP) Authentication
One-Time Password (OTP) is another optimum security technology that enables a server to authenticate you based on a password that is unique every time you try to access a protected network.

ASAS
Authenex Strong Authentication System (ASAS) is a network security application that acts as a RADIUS authentication server and provides two-factor authentication for remote, VPN and web access. The ASAS Server resides on the network and is managed by your network administrator.

ZyWALL OTP Token (Hybrid A-Keys)
ASAS utilizes a chip-based token called an A-Key and an authentication server as the basis for an extremely secure solution for two-factor authentication. The A-Key is used both on the client (end user) computer and on ASAS (system administration). The ZyWALL OTP Token also contains a chip, which stores passwords for Challenge/Response Authentication. It is also capable of generating unique six-digit numbers, which enables the ASAS server to verify your identity safely and securely via One-Time Password authentication.

Assumptions:
1. In this document, we will refer to all ZyXEL One-Time Password tokens as the ZyWALL OTP Token.
2. In the authentication server (ASAS server) web GUI, the ZyWALL OTP Token will be referred to as the A-Key.

Unique Six-Digit Numbers
The Authenex Hybrid A-Key generates unique six-digit numbers on demand. As they are generated, you send these numbers along with your PIN to the ASAS Server when you try to log on to your network via OTP authentication.

OTP PIN
A PIN is a fixed set of 4 to 24 alphanumeric characters that you use to help identify yourself during One-Time Password (OTP) authentication. Either you or your administrator decides what your PIN is, and your administrator saves it on the ASAS Server. Your PIN is not stored on your A-Key: you must remember it, just as you remember the PIN for your ATM card. Depending on your company's policy, you can easily change a PIN at any time. However, PINs and A-Keys are not interchangeable: you cannot borrow someone's A-Key and use it (along with your PIN) to access a protected network.

One-Time Password
Your PIN plus your unique six-digit value is your one-time password; it is valid only once, because of its unique six-digit value.

ZyXEL OTP Package
The OTP package contains not only the authentication server installation CD but also a specific number of ZyWALL OTP tokens.
2. Authentication Server (ASAS) Management

2.1. ASAS Installation
The following example shows how to install the Authenex Server on Microsoft Windows 2003 Server.

STEP 1: Insert the CD into your CD-ROM drive and click Install ASAS Server once the AutoPlay page comes up in order to start the installation.

STEP 2: On the Welcome page, click Next.

STEP 3: On the License Agreement page, check the I accept the terms of the license agreement radio button and click the Next button.

STEP 4: On the Setup Type page, leave the default and click the Next button.

STEP 5: On the Installation Summary page, click the Next button. Now the wizard will start installing ASAS.

STEP 6: Database Import
In this example, we are going to install a new database. Check the New Database radio button, click the Browse button to specify the data01.sql file, and then click the CONTINUE button.
Note: By default, this file is located under the path C:\Program Files\Authenex\ASAS\Database\import\data01.sql

STEP 7: Click the Yes button when the warning message appears.

STEP 8: Token for Administration Assignment
On the Designate Administrator A-Keys dialog, select two or more ESNs to be assigned as the administrator's ZyWALL OTP Tokens; in this example we will select 73010234 and 73010235, then click the Assign button.

STEP 9: Once the Important Message window appears, click the Next button.

STEP 10: In the Assign PSS to License A-Keys window, enter a random string of 32 characters and click the ASSIGN PSS button.

STEP 11: When the Congratulations window appears, click the EXIT button.
STEP 12: Click the Finish button to restart the server and complete the installation.

STEP 13: Testing Your ASAS Installation
Launch a browser and connect to the ASAS server. The port number is 8080 and the folder name is asas. In this example, the User ID will be admin73010234 and the second field will be the PIN (0234) plus the One-Time Password (read the OTP from your token). You will see a notification of successful login on the ASAS web management GUI.

2.2. Upgrading ASAS Database File
The following example shows how to upgrade your ASAS database once you purchase a new ZyWALL OTP package with extra ZyWALL OTP tokens.

STEP 1: Launching ASAS Initialization
Launch the ASAS Initialization from Start > Programs > Authenex > ASAS_3.0 > DBImport. On the ASAS Initialization window, check the Upgrade Database radio button, and specify the database file by clicking the Browse button.

STEP 2: Data File Import Confirmation
Click the Yes button on the DBImport window.

STEP 3: Completing Data File Import
Click the OK button on the DB Import dialog box in order to complete the license update. Once the Congratulations window pops up, click the Exit button in order to complete the wizard. Now you can launch the browser and navigate to the administration page at URL http://127.0.0.1:8080/asas in order to verify that the database file has been imported successfully.
2.3. Authentication Server (ASAS) Un-Installation
The following example shows how to uninstall the Authenex Server on Microsoft Windows 2003 Server. ASAS is built from ASAS, Apache and MS SQL. In order to uninstall ASAS, you have to uninstall those three packages one by one manually.

STEP 1: Uninstall ASAS from your Windows 2003
Open the Control Panel from your Windows and double click Add or Remove Programs. Select ASAS and then click Remove in order to start the program un-installation. Click Yes to confirm the ASAS un-installation. Check the No, I will restart my computer later radio button, and then click Finish.

STEP 2: Uninstall the Web Server Apache Tomcat 5.5
Select Apache Tomcat 5.5 and follow the prompts to uninstall Apache Tomcat 5.5 by clicking Change/Remove.

STEP 3: Uninstall the Database Server Microsoft SQL Server Desktop Engine
Select Microsoft SQL Server Desktop Engine and start to uninstall it by clicking Remove. Go through the set of prompts in order to remove the MS SQL database server. Reboot the Windows Server 2003 after MSDE is removed.

STEP 4: Remove the Unused Folders Manually
After you restart Windows 2003, delete the following three folders manually under the Windows Program Files folder in order to complete the ASAS un-installation:
Apache Software Foundation
Authenex
MSDE
3. OTP Authentication to an OTP-protected Network via SSL VPN over ZyWALL 1050/USG 300
In the following example, we will employ 2 Factor Authentication (ZyXEL OTP pack) to enhance password security by using the SSL VPN application provided by the ZW1050/USG 300. In order to use this application, you are required to configure your ZyWALL and ASAS according to the following steps:
1. Install the ASAS server software on a computer. (Note: Please refer to the ASAS installation guide in Chapter 2. For more details, please check the installation documentation included on the installation CD that comes with the ZyXEL OTP Pack.)
2. Create the user accounts on the ZyWALL and in the ASAS server.
3. Import each token's database file (located on the included CD) into the server.
4. Assign the users to the OTP tokens (on the ASAS server).
5. Configure the ASAS as a RADIUS server in the ZyWALL Object > AAA Server screens.
6. Give the OTP tokens to (local or remote) users.
Note: ZyWALL OTP is a stand-alone product, which is not included with the ZyWALL 1050/USG 300.

Network Topology
In this example, we will have two tokens; the ESNs are 73010234 and 73010235, and we will create the user Rex, who will log in to the ZyWALL 1050/USG 300 with OTP.

3.1. ZyWALL 1050/USG 300 Configuration
STEP 1: Configure Network Settings on the ZyWALL 1050/USG 300
Open a browser window and connect your computer to the ZyWALL's web configurator via the LAN1 interface (ge1). Log in to the ZyWALL 1050/USG 300 and configure the LAN and WAN interfaces according to the network topology you plan to build.

STEP 2: Create a User Account on the ZyWALL 1050/USG 300
1) Go to Object > User/Group and click the Add button to create a new user account.
2) Enter the user's name and select the user type Ext-User on the User Configuration page.
3) Click the OK button to finish the configuration on this page.

STEP 3: Create the SSL Application(s) According to Your Needs
Navigate to ZyWALL Object > SSL Application > Add and create an SSL VPN Application object; for example, we create a web application named webserver-1.

STEP 4: Create the SSL VPN Access Policy
1) Navigate to ZyWALL > VPN > SSL VPN and click Add to create an SSL VPN Application policy. Select the newly created user according to the desired SSL VPN application.
2) Click the OK button to finish the configuration.

STEP 5: Configure the AAA Server
1) Click ZyWALL > Object > AAA Server in the left panel and then navigate to the RADIUS page.
2) Enter the IP address of the ASAS Server in Host and enter the Shared Secret in Key.

STEP 6: Configure the Authentication Method
1) Navigate to the ZyWALL > Object > Auth. Method page and click Edit to specify the default authentication method.
2) In the Method List dropdown list, change the authentication method to group radius.
3.2. ASAS Server Configuration
Note: We are testing with a ZyXEL OTP Starter Kit, which only contains 2 tokens, and both were assigned to the administrators during ASAS installation. Therefore, we have to unassign one of the tokens manually before we can assign it to a new user.
1. Log in to the ASAS Management Console.
2. Click the Search button from Manage A-Keys > Search A-Keys.
3. Click the Unassign hyperlink for ESN number 73010234.
4. Now 73010234 is unassigned, so we can assign this token to a new user.

STEP 1: Create a User Account on ASAS
1) Log in to the ASAS server as an administrator and create a new user via Manage Users > Add User.
2) Fill in the user name in the Login ID field.
3) Click the Add button in order to complete the configuration in this step.

STEP 2: Assign a ZyWALL OTP Token to the New User
1) Navigate to Manage A-Keys > Assign A-Keys in order to assign the specific ZyWALL OTP Token to the newly created user.
2) Pick a ZyWALL OTP Token that is available from the right panel and click the Assign button to complete the authentication key assignment.

STEP 3: Verify that the ZyWALL OTP Token is Properly Assigned to the User
1) Navigate to the Manage Users > Search Users page, leave the input fields empty and click the Get Results button to retrieve the user & ZyWALL OTP Token binding list.
2) Ensure the ZyWALL OTP Token is correctly assigned to the user account you created.

STEP 4: Update the OTP PIN
1) Navigate to Manage A-Keys > Search A-Keys, leave the ESN field empty and click the Search button to browse the entire ZyWALL OTP Token list.
2) In the search result page, pick the ZyWALL OTP Token whose PIN code you want to update.
3) Select PIN Set Mode from the OTP Mode dropdown list.
4) Enter the password in the OTP PIN text field, 4-24 alphanumeric characters in length.
5) Re-enter the password in the Verify OTP PIN text field.

STEP 5: Configure the NAS Devices
1) Click Server Configuration > NAS Entries > Add NAS Entry in order to specify which device will be given access to the authentication server.
2) Fill in the ZyWALL's name, the IP address of the ZyWALL and the shared secret.
3) Click the Add button to finish the NAS Device configuration.

STEP 6: Restart the ASAS Service
Select Start > Programs > Authenex > ASAS Server > Restart Services to restart the ASAS Server and apply the configuration.

STEP 7: Assign Resources to User
1) Click Manage Users > Search Users, leave all fields empty and click the Get Results button to retrieve the user account list.
2) Click on the user account you created first and the Update User page will appear.
3) Add the ZyWALL device to the Resource(s) Allowed list.
4) Click the Update User button to complete the entire ASAS setting.

3.3. Verify OTP via Login from the Remote PC
1) Open a browser window and connect to the ZyWALL web GUI.
2) In the login page, enter the user name, the password (OTP PIN) and the 6-digit One-Time Password generated by the token.
3) Select the Log into SSL VPN checkbox and click the Login button to submit the login information.
Once the OTP works correctly, you will see the welcome message pop-up as in the following screenshot.
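The login above (and the X-Auth login of the IPSec VPN chapters that follow) works the same way underneath: the ZyWALL takes the user name and the password field, which holds the OTP PIN immediately followed by the six-digit token value, and forwards them to ASAS in a RADIUS Access-Request protected by the shared secret that was entered as Key in the ZyWALL AAA Server object and as the secret of the ASAS NAS entry. The following Python model of that exchange is an added example and is not ZyXEL or Authenex code. It builds the Access-Request as RFC 2865 specifies (User-Password hiding and the Response Authenticator), applies the 4-24 alphanumeric PIN rule from the introduction, and shows what a wrong OTP, a mismatched shared secret and a missing NAS entry each look like from the ZyWALL's side. The IP addresses, the shared secret, Rex's PIN and the token value 482913 are constructed; the function `expected_otp` stands in for the value ASAS derives from the A-Key (the notes do not describe that algorithm), and the server looking up its NAS entry by the NAS-IP-Address attribute rather than by UDP source address is a simplification so that the example runs offline.

```python
import hashlib
import hmac
import os
import re
import struct
from typing import Callable, Dict, Optional, Tuple

# RADIUS codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

PIN_RE = re.compile(r"[A-Za-z0-9]{4,24}")  # PIN rule from the notes: 4-24 alphanumeric characters
OTP_RE = re.compile(r"[0-9]{6}")           # the token generates six-digit values
OTP_LEN = 6

# Constructed ASAS state: NAS entries (ZyWALL IP -> shared secret) and user -> OTP PIN bindings.
# Looking the NAS up by the NAS-IP-Address attribute (not the UDP source) is a simplification.
NAS_ENTRIES: Dict[str, bytes] = {"192.168.1.1": b"constructed-shared-secret"}
USERS: Dict[str, str] = {"Rex": "1234"}


def _crypt(data: bytes, secret: bytes, request_auth: bytes, hiding: bool) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        res = bytes(x ^ y for x, y in zip(block, mask))
        out += res
        prev = res if hiding else block  # the chain always follows the ciphertext
    return out


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)
    return _crypt(padded, secret, request_auth, hiding=True)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    return _crypt(hidden, secret, request_auth, hiding=False).rstrip(b"\x00")


def encode_attrs(attrs: Dict[int, bytes]) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs.items())


def decode_attrs(data: bytes) -> Dict[int, bytes]:
    attrs, pos = {}, 0
    while pos + 2 <= len(data):
        t, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[t] = data[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(user: str, password: str, nas_ip: str, secret: bytes,
                         ident: int = 1) -> Tuple[bytes, bytes]:
    """NAS side: `password` is what the user typed, i.e. the OTP PIN immediately followed by the OTP."""
    request_auth = os.urandom(16)
    attrs = encode_attrs({
        USER_NAME: user.encode(),
        USER_PASSWORD: hide_password(password.encode(), secret, request_auth),
        NAS_IP_ADDRESS: bytes(int(o) for o in nas_ip.split(".")),
    })
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    return packet, request_auth


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (s3)."""
    header = struct.pack("!BBH", code, ident, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()


def asas_handle(packet: bytes, expected_otp: Callable[[str], str]) -> Optional[bytes]:
    """Server side: find the NAS entry, reveal the password, split PIN and OTP, verify both."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth, attrs = packet[4:20], decode_attrs(packet[20:length])
    nas_ip = ".".join(str(b) for b in attrs.get(NAS_IP_ADDRESS, b""))
    secret = NAS_ENTRIES.get(nas_ip)
    if code != ACCESS_REQUEST or secret is None:
        return None  # no NAS entry for this device: the request is silently discarded
    user = attrs.get(USER_NAME, b"").decode("ascii", "replace")
    pwd = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth).decode("ascii", "replace")
    pin, otp = pwd[:-OTP_LEN], pwd[-OTP_LEN:]
    ok = (user in USERS
          and PIN_RE.fullmatch(pin) is not None and OTP_RE.fullmatch(otp) is not None
          and hmac.compare_digest(pin, USERS[user])
          and hmac.compare_digest(otp, expected_otp(user)))
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, secret)


def nas_verify_response(response: Optional[bytes], request_auth: bytes, secret: bytes) -> str:
    """NAS side: check the Response Authenticator before trusting the reply code."""
    if response is None:
        return "timeout"
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return "bad-authenticator"  # Key on the ZyWALL AAA object differs from the NAS entry secret
    return "accept" if response[0] == ACCESS_ACCEPT else "reject"


def login(user: str, password: str, nas_ip: str = "192.168.1.1",
          nas_secret: bytes = NAS_ENTRIES["192.168.1.1"],
          expected_otp: Callable[[str], str] = lambda _user: "482913") -> str:
    """One complete login round trip; `expected_otp` is a constructed stand-in for the token value."""
    packet, request_auth = build_access_request(user, password, nas_ip, nas_secret)
    return nas_verify_response(asas_handle(packet, expected_otp), request_auth, nas_secret)


if __name__ == "__main__":
    print(login("Rex", "1234482913"))                             # accept
    print(login("Rex", "1234000000"))                             # reject (wrong OTP)
    print(login("Rex", "1234482913", nas_secret=b"typo-in-key"))  # bad-authenticator
    print(login("Rex", "1234482913", nas_ip="10.9.9.9"))          # timeout (no NAS entry)
```

The three failure cases map onto the troubleshooting order a practitioner follows with these notes: no NAS entry for the ZyWALL means ASAS never answers, so the login simply times out; a Key that differs from the NAS entry secret makes the revealed password garbage on the server and the Response Authenticator unverifiable on the ZyWALL, which a real NAS also treats as no valid answer; only once both sides share the secret does a wrong PIN or OTP surface as a clean Access-Reject.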
4. OTP Authentication to an OTP-protected Network via SSL VPN over ZyWALL SSL10
In the following example, we will employ 2 Factor Authentication (ZyXEL OTP pack) to enhance password security by using the SSL VPN application provided by the ZyWALL.

Network Topology
In this example, we will have two tokens; the ESNs are 73010234 and 73010235, and we will create a user Rex who will use the OTP to log in to the SSL10.

4.1. ZyWALL SSL 10 Configuration

STEP 1: Configure Network Settings on the ZyWALL SSL10
1. Launch a browser window and connect your computer to the ZyWALL SSL10's web configurator via the LAN1 interface.
2. Log in to the ZyWALL SSL10 and configure the LAN and WAN interfaces according to the network topology you plan to build.

STEP 2: Create a Group on the ZyWALL SSL 10
1. Go to User/Group, click the Group tab and click the Add button to create a new group.
2. Enter the group's name as Authenex and check the Group in the AAA Server radio button.
3. Click the OK button to finish the configuration on this page.

STEP 3: Create the SSL Application(s) According to Your Needs
Navigate to Object > SSL Application > Add and create an SSL VPN Application object; for example, we create a web application named WebServer1.

STEP 4: Create the SSL VPN Access Policy
1. Navigate to SSL > Policy and click Add to create an SSL VPN Application policy.
2. Enter the name in the Policy Name field and select the newly created group according to the desired SSL VPN application.
3. Click the OK button to finish the configuration.

STEP 5: Configure the Access Control
1. Navigate to SSL > Access Control and click Add to create a firewall policy for the group.
2. Check the Accept radio button and click OK to complete the configuration.

STEP 6: Configure the AAA Server
1) Click System > AAA Server in the left panel and select RADIUS from the Server Type drop-down list.
2) Enter the IP address of the ASAS Server in the Server Address field and enter the Shared Secret in the Server Secret and Retype Server Secret fields.

4.2. ASAS Server Configuration
Note: If you have only two tokens and both of them have been assigned to the administrators during the installation, then you will need to unassign one of them before assigning it to a new user. Please do the following:
1. Log in to the ASAS Management Console.
2. Manage A-Keys > Search A-Keys > Click the Search button.
3. Click the Unassign hyperlink for ESN number 73010235.
4. Now 73010234 is not assigned, so we can assign this token to a new user.
STEP 1: Create a User Account on ASAS
1) Log in to the ASAS server as an administrator and add a new user via Manage Users > Add User.
2) Fill in the user name in the Login ID field.
3) Click the Add button to complete the configuration in this step.

STEP 2: Assign a ZyWALL OTP Token to the New User
1) Navigate to Manage A-Keys > Assign A-Keys to assign the specific token to the newly created user.
2) Pick a ZyWALL OTP Token that is available from the right panel and click the Assign button to complete the authentication key assignment.

STEP 3: Verify that the ZyWALL OTP Token is Properly Assigned to the User
1) Navigate to the Manage Users > Search Users page, leave the input fields empty and click the Get Results button to retrieve the user & ZyWALL OTP Token binding list.
2) Ensure the ZyWALL OTP Token is correctly assigned to the user account you created.

STEP 4: Update the OTP PIN
1) Navigate to Manage A-Keys > Search A-Keys, leave the ESN field empty and click the Search button to browse the entire ZyWALL OTP Token list.
2) In the search result page, pick the ZyWALL OTP Token whose PIN code you want to update.
3) Select PIN Set Mode from the OTP Mode dropdown list.
4) Enter the password in the OTP PIN text field, 4-24 alphanumeric characters in length.
5) Re-enter the password in the Verify OTP PIN text field.

STEP 5: Configure the NAS Devices
1) Click Server Configuration > NAS Entries > Add NAS Entry in order to specify which device will be given access to the authentication server. In this example, we named the NAS Device SSL10.
2) Fill in the ZyWALL's name, the IP address of the ZyWALL and the shared secret.
3) Click the Add button to finish the NAS Device configuration.

STEP 6: Create a Group on ASAS
1) Log in to the ASAS server as an administrator and add a group via Manage Users > Add/Edit Groups.
2) Fill in the group name in the Name field and click the Add button. In this example, we create a group named Authenex.
3) Click View/Edit Group for the group we just created.
4) Move SSL10 from Resource(s) Denied to Resource(s) Allowed and click the Update button.

STEP 7: Restart the ASAS Service
Select Start > Programs > Authenex > ASAS Server > Restart Services to restart the ASAS Server and apply the configuration.

STEP 8: Assign Resources to User
1) Click Manage Users > Search Users, leave all fields empty and click the Get Results button to retrieve the user account list.
2) Click on the user account you created first and the Update User page will appear.
3) Add the Authenex group to the Group(s) Selected list and add the ZyWALL device to the Resource(s) Allowed list.
4) Click the Update User button to complete the entire ASAS setting.

4.3. Verify OTP via Login from Remote PC
1) Open a browser window from the remote PC and connect to the ZyWALL SSL10 web GUI.
2) In the login page, enter the user name, the password (OTP PIN) and the 6-digit One-Time Password generated by the token. Click the Login button to submit the login information.
Once the OTP works correctly, you will see the welcome message pop-up as in the following screenshot.
5. OTP Authentication to an OTP-protected Network via IPSec VPN Client over the ZyWALL with ZLD Platform
In the following example, we will employ the ZyXEL 2 Factor Authentication solution (ZyWALL OTP pack) to enhance password security by using the IPSec VPN application provided by the ZW1050/USG 300. In order to use this application, you are required to configure your ZyWALL and ASAS according to the following steps:
1. Install the ASAS authentication server on a computer. (Note: Please refer to the ASAS installation guide in Chapter 2 or the installation documentation in electronic format that comes with the ZyXEL OTP Pack installation CD.)
2. Create a user account on the ASAS server.
3. Import each token's database file from the ZyXEL OTP installation CD into the ASAS authentication server.
4. Assign the OTP tokens to the users over the administration interface of the ASAS server.
5. Configure the ASAS as a RADIUS server in the ZyWALL administration GUI under Object > AAA.
6. Give the OTP tokens to the users who will remotely log in to the ZyWALL.
Note: The ZyWALL OTP pack is a stand-alone product, which is not bundled with the ZyWALL 1050/USG 300.

Network Topology
In this example, we evaluated using the ZyWALL Starter Kit, which only comes with two ZyWALL OTP Tokens. The ESN numbers are 73010234 and 73010235. We will create a new user Rex in order to log in to the ZyWALL with OTP.

5.1. ZyWALL 1050/USG 300 Configuration

STEP 1: Configure Network Settings on the ZyWALL 1050/USG 300
Launch a web browser window and log in to the ZyWALL's web configurator. Configure the LAN and WAN interfaces according to the application scenario and network topology you plan.

STEP 2: Configure the External Authentication Server
1) Click ZyWALL > Object > AAA Server in the left panel and navigate to the RADIUS setting page.
2) Enter the ASAS Server IP address or URL in Host and the Shared Secret in Key.

STEP 3: Configure the Authentication Method
1) Navigate to the ZyWALL > Object > Auth. Method page and click Edit in order to specify the default authentication method.
2) In the Method List dropdown menu, change the authentication method to group radius.

STEP 4: Create an IP Address Object for the VPN Client
Navigate to ZyWALL > Object > Address and click Add in order to create an IP address object 0.0.0.0 for the VPN Client. 0.0.0.0 represents any IP address.

STEP 5: Configuring the IPSec VPN Gateway (Phase 1) on the ZyWALL
1) Navigate to ZyWALL > IPSec VPN > VPN Gateway and click Add in order to add a new IPSec VPN Gateway for the VPN Client.
2) We will assign 0.0.0.0 as the Secure Gateway Address since we don't know the IP address of the remote client. 0.0.0.0 means that any IP address will be accepted.

STEP 6: Configuring the IPSec VPN Connection (Phase 2) on the ZyWALL
1) Navigate to ZyWALL > IPSec VPN > VPN Connection and click Add in order to create a new IPSec VPN Connection for the remote VPN client.
2) We will assign 0.0.0.0 as the Secure Gateway Address since we don't know the IP address of the remote client. 0.0.0.0 means that any IP address will be accepted.
5.2. ASAS Server Configuration
Note: We are testing with a ZyXEL OTP Starter Kit, which only contains 2 tokens, and both were assigned to the administrators during ASAS installation. Therefore, we have to un-assign one of the tokens manually before we can assign it to a new user.
1. Log in to the ASAS Management Console.
2. Click the Search button from Manage A-Keys > Search A-Keys.
3. Click the Unassign hyperlink for ESN number 73010234.
4. Now 73010234 is unassigned and we can re-assign this token to a new user.

STEP 1: Create a User Account on ASAS
1) Log in to the ASAS server as an administrator and create a new user via Manage Users > Add User.
2) Fill in the user name in the Login ID field.
3) Click the Add button in order to complete the configuration in this step.

STEP 2: Assign a ZyWALL OTP Token to the New User
1) Navigate to Manage A-Keys > Assign A-Keys in order to assign the specific ZyWALL OTP Token to the newly created user.
2) Pick a ZyWALL OTP Token that is available from the right panel and click the Assign button to complete the authentication key assignment.

STEP 3: Verify that the A-Key is Properly Assigned to the User
1) Navigate to the Manage Users > Search Users page, leave the input fields empty and click the Get Results button in order to retrieve the user & A-Key binding list.
2) Ensure the ZyWALL OTP Token is correctly assigned to the user account you created.

STEP 4: Update the OTP PIN
1) Navigate to Manage A-Keys > Search A-Keys, leave the ESN field empty and click the Search button in order to browse the entire ZyWALL OTP Token list.
2) In the search result page, pick the ZyWALL OTP Token whose PIN code you want to update.
3) Select PIN Set Mode from the OTP Mode dropdown list.
4) Enter the password in the OTP PIN text field, 4-24 alphanumeric characters in length.
5) Re-enter the password in the Verify OTP PIN text field.

STEP 5: Configure the NAS Devices
1) Click Server Configuration > NAS Entries > Add NAS Entry in order to specify which device will be given access to the authentication server.
2) Give the ZyWALL a name, and specify the IP address of the ZyWALL and the shared secret.
3) Click the Add button in order to finish the NAS Device configuration.

STEP 6: Restart the ASAS Service
Select Start > Programs > Authenex > ASAS Server > Restart Services to restart the ASAS Server and apply the configuration.

STEP 7: Assign Resources to User
1) Click Manage Users > Search Users, leave all fields empty and click the Get Results button to retrieve the user account list.
2) Click on the user account you created first and the Update User page will appear.
3) Add the ZyWALL device to the Resource(s) Allowed list.
4) Click the Update User button to complete the entire ASAS setting.
5.3. ZyWALL IPSec VPN Client Configuration

STEP 1: Configuring the VPN Gateway (Phase 1) on the Client
1) Launch the ZyWALL IPSec VPN Client, right click on Configuration and select New Phase1.
2) Enter the name and the IP address of the Remote Gateway.
3) Enter the Pre-shared Key and ensure the value you just entered matches the one you entered on the ZyWALL in the Phase 1 configuration. In this example, we use the pre-shared key 123456789.
4) Confirm that the encryption, authentication and key group match the settings on the ZyWALL.
5) Click the Advanced Settings button and check the X-Auth checkbox to enable extended authentication on the VPN client. Ensure the Local and Remote ID reflect the settings on the ZyWALL.

STEP 2: Configuring the VPN Tunnel (Phase 2) on the Client
1) Right click on Gateway1 and select Add Phase 2 in order to create a new tunnel.
2) Fill in all the required fields on this page, including the Address type and all ESP fields. Ensure the encryption method, authentication method and mode match the settings on the ZyWALL.
3) Click Save & Apply in order to complete the setting.
5.4. Verify OTP via Login from the VPN Client

STEP 1: Establishing the IPSec VPN Tunnel
1) Launch the ZyWALL IPSec VPN client.
2) Right click the VPN client icon in the system tray and select Connection Panel.
3) Click the Open button to establish the VPN tunnel.

STEP 2: User Authentication via OTP
1) Click the Open button and the Authentication window pops up.
2) Enter the login name and password. The password here is the OTP PIN followed by the OTP; we already set the OTP PIN to 1234 in STEP 4, Update the OTP PIN, of the ASAS Server Configuration section. Once the OTP works correctly, you will see the welcome message pop-up as in the following screenshot.
3) Once the OTP works correctly, the IPSec VPN tunnel will be opened.
6. OTP Authentication to an OTP-protected Network via IPSec VPN Client (SafeNet) over the ZyWALL with ZLD Platform
In the following example, we will employ the ZyXEL 2 Factor Authentication solution (ZyWALL OTP pack) to enhance password security by using the IPSec VPN application provided by the ZW1050/USG 300. In order to use this function, you are required to configure your ZyWALL and ASAS according to the following steps:
1. Install the ASAS authentication server on a computer. (Note: Please refer to the ASAS installation guide in Chapter 2 or the installation documentation in electronic format, which comes with the ZyXEL OTP Pack installation CD.)
2. Create the user accounts on the ASAS server.
3. Import each token's database file from the ZyXEL OTP installation CD into the ASAS authentication server.
4. Assign the users to the OTP tokens through the administration interface of the ASAS server.
5. Configure the ASAS as a RADIUS server in the ZyWALL administration GUI under Object > AAA.
6. Give the OTP tokens to the users who will remotely log in to the ZyWALL.
Note: The ZyWALL OTP pack is a stand-alone product, which is not bundled with the ZyWALL 1050/USG 300.

Network Topology
In this example, we work with the ZyWALL Starter Kit, which only comes with two ZyWALL OTP Tokens. The ESN numbers are 73010234 and 73010235. We will create a new user Rex in order to log in to the ZyWALL 1050/USG 300 with OTP.

6.1. ZyWALL 1050/USG 300 Configuration

STEP 1: Configure Network Settings on the ZyWALL 1050/USG 300
Launch a web browser window and log in to the ZyWALL's web configurator. Configure the LAN and WAN interfaces according to your application scenario and the network topology you plan.

STEP 2: Configure the External Authentication Server
1) Click ZyWALL > Object > AAA Server in the left panel and navigate to the RADIUS setting page.
2) Enter the ASAS Server IP address or URL in Host and the Shared Secret in Key.

STEP 3: Configure the Authentication Method
1) Navigate to the ZyWALL > Object > Auth. Method page and click Edit in order to specify the default authentication method.
2) In the Method List dropdown menu, change the authentication method to group radius.

STEP 4: Create an IP Address Object for the VPN Client
Navigate to ZyWALL > Object > Address and click Add in order to create an IP address object 0.0.0.0 for the VPN Client. 0.0.0.0 represents any IP address.

STEP 5: Configuring the IPSec VPN Gateway (Phase 1) on the ZyWALL
1) Navigate to ZyWALL > IPSec VPN > VPN Gateway and click Add in order to add a new IPSec VPN Gateway for the VPN Client.
2) We will set 0.0.0.0 as the Secure Gateway Address since we don't know the IP address of the remote client. 0.0.0.0 means that any IP address will be accepted.

STEP 6: Configuring the IPSec VPN Connection (Phase 2) on the ZyWALL
1) Navigate to ZyWALL > IPSec VPN > VPN Connection and click Add in order to create a new IPSec VPN Connection for the remote VPN client.
2) We will set 0.0.0.0 as the Secure Gateway Address since we don't know the IP address of the remote client. 0.0.0.0 means that any IP address will be accepted.
6.2. ASAS Server Configuration

Note: Because this test uses a ZyXEL OTP Starter Kit, which contains only two tokens, and both were assigned to the administrators during ASAS installation, one of the tokens has to be un-assigned manually before it can be assigned to a new user.
1. Log in to the ASAS Management Console.
2. Click the Search button in Manage A-Keys > Search A-Keys.
3. Click the Unassign hyperlink for ESN number 73010234.
4. Now ESN 73010234 is unassigned and the token can be re-assigned to a new user.

STEP 1: Create a User Account on ASAS
1) Log in to the ASAS server as an administrator and create a new user via Manage Users > Add User.
2) Fill in the user name in the Login ID field.
3) Click the Add button to complete this step.

STEP 2: Assign a ZyWALL OTP Token to the New User
1) Navigate to Manage A-Keys > Assign A-Keys to assign a specific ZyWALL OTP Token to the newly created user.
2) Select an available ZyWALL OTP Token from the right panel and click the Assign button to complete the authentication key assignment.

STEP 3: Verify that the A-Key is Properly Assigned to the User
1) Navigate to the Manage Users > Search Users page, leave the input fields empty and click the Get Results button to retrieve the user and A-Key binding list.
2) Make sure the ZyWALL OTP Token is correctly assigned to the user account you created.

STEP 4: Update the OTP PIN
1) Navigate to Manage A-Keys > Search A-Keys, leave the ESN field empty and click the Search button to browse the entire ZyWALL OTP Token list.
2) In the search result page, select the ZyWALL OTP Token whose PIN code you want to update.
3) Select PIN Set Mode from the OTP Mode dropdown list.
4) Enter the password in the OTP PIN text field; it must be 4 to 24 alphanumeric characters long.
5) Re-enter the password in the Verify OTP PIN text field.

STEP 5: Configure the NAS Devices
1) Click Server Configuration > NAS Entries > Add NAS Entry to specify which device will be given access to the authentication server.
2) Give the ZyWALL a name, and specify the IP address of the ZyWALL and the shared secret. The shared secret must be identical to the Key entered on the ZyWALL in STEP 2 of the ZyWALL configuration.
3) Click the Add button to finish the NAS device configuration.

STEP 6: Restart the ASAS Service
Select Start > Programs > Authenex > ASAS Server > Restart Services to restart the ASAS server and apply the configuration.

STEP 7: Assign Resources to the User
1) Click Manage Users > Search Users, leave all fields empty and click the Get Results button to retrieve the user account list.
2) Click on the user account you created in STEP 1, and the Update User page will appear.
3) Add the ZyWALL device to the Resource(s) Allowed list.
4) Click the Update User button to complete the ASAS configuration.
6.3. ZyWALL IPSec VPN Client Configuration

STEP 1: Configure a New Connection on the VPN Client
1) Launch the ZyWALL IPSec VPN Client, right click on My Connections and select Add > Connection, then enter a name for this connection.
2) Check the Only Connect Manually and Use checkboxes.
3) Select the IP Type and define the remote network range.
4) Select Secure Gateway Tunnel from the Use drop-down menu and select the correct ID Type and Gateway IP Address. Make sure these settings match those on the ZyWALL.

STEP 2: Configure My Identity on the VPN Client
1) Double click on the new connection to expand it, and select My Identity.
2) Make sure the ID Type matches the ZyWALL's, and that the Internet interface and the IP address are correct.
3) Enter the pre-shared key by clicking the Pre-Shared Key button, and make sure the value you enter matches the one entered on the ZyWALL during the phase 1 configuration. In this example, we use the pre-shared key 123456789.

STEP 3: Configure Authentication (Phase 1) on the VPN Client
1) Double click on Security Policy, double click on Authentication (Phase 1), then select Proposal 1.
2) Select Pre-Shared Key, Extended Authentication from the Authentication Method drop-down list.
3) Confirm that the encryption, authentication and key group settings all match those on the ZyWALL.

STEP 4: Configure Key Exchange (Phase 2) on the VPN Client
Double click on Key Exchange (Phase 2) and select Proposal 1. Check the Encapsulation Protocol (ESP) checkbox to specify the protocol you want to use; in this example we use ESP. Confirm that the encryption algorithm, hash algorithm and encapsulation match the settings on the ZyWALL.

6.4. Verify OTP via Login from the VPN Client

STEP 1: Establish the IPSec VPN Tunnel
1) Launch the ZyWALL IPSec VPN client.
2) Right click the VPN client icon in the system tray, select Connect, then select the new connection to establish the VPN tunnel.

STEP 2: User Authentication via OTP
1) After selecting the new connection, the user authentication dialog for this connection appears. Enter the username and password to log in.
2) Enter the login name and the password. The password here is the combination OTP PIN + OTP. The OTP PIN was set to 1234 in STEP 4 (Update the OTP PIN) of the ASAS Server Configuration section.

Once the OTP is accepted, the IPSec VPN tunnel will be opened.
7. OTP Authentication to an OTP-protected Network via IPSec VPN Client over the ZyWALL with ZyNOS Platform

In the following example, we will employ the ZyXEL 2 Factor Authentication solution (ZyWALL OTP pack) to enhance password security for the IPSec VPN application provided by the ZyWALL 35 (ZW35). In order to use this application, you are required to configure your ZyWALL and ASAS according to the following steps:
1. Install the ASAS authentication server on a computer. (Note: Please refer to the ASAS installation guide in Chapter 2 or the installation documentation in electronic format that comes with the ZyXEL OTP Pack installation CD.)
2. Create a user account on the ASAS server.
3. Import each token's database file from the ZyXEL OTP installation CD into the ASAS authentication server.
4. Assign the users to the OTP tokens via the administration interface of the ASAS server.
5. Configure the ASAS as a RADIUS server in the ZyWALL administration GUI under Security > Auth Server > RADIUS.
6. Hand the OTP tokens out to the users who will log in remotely to the ZyWALL.

Note: The ZyWALL OTP pack is a stand-alone product, which is not bundled with the ZyWALL series.

Network Topology

This example was evaluated using the ZyWALL Starter Kit, which comes with only two ZyWALL OTP tokens; their ESN numbers are 73010234 and 73010235. We will create a new user, Rex, who logs in to the ZyWALL with OTP.

7.1. ZyWALL 35 Configuration

STEP 1: Configure Network Settings on the ZyWALL 35
Launch a web browser and log in to the ZyWALL 35's web configurator. Configure the LAN and WAN interfaces according to your application scenario and planned network topology.

STEP 2: Configure the External Authentication Server
1) Click Security > Auth Server in the left panel and navigate to the RADIUS setting page.
2) Enter the ASAS Server IP address in Server IP Address and the Shared Secret in Key.

STEP 3: Configure the IPSec VPN Gateway (Phase 1) on the ZyWALL 35
1) Navigate to Security > VPN and click Add to add a new IPSec VPN gateway for the VPN client.
2) We will assign 0.0.0.0 as the Secure Gateway Address, since we do not know the IP address of the remote client. 0.0.0.0 means that any IP address will be accepted.
3) Check the Enable Extended Authentication checkbox.

STEP 4: Configure the IPSec VPN Connection (Phase 2) on the ZyWALL
1) Navigate to Security > VPN and click Add to create a new IPSec VPN connection for the remote VPN client.
2) We will assign 0.0.0.0 as the Secure Gateway Address, since we do not know the IP address of the remote client. 0.0.0.0 means that any IP address will be accepted.
7.2. ASAS Server Configuration

Note: Because this test uses a ZyXEL OTP Starter Kit, which contains only two tokens, and both were assigned to the administrators during ASAS installation, one of the tokens has to be un-assigned manually before it can be assigned to a new user.
1. Log in to the ASAS Management Console.
2. Click the Search button in Manage A-Keys > Search A-Keys.
3. Click the Unassign hyperlink for ESN number 73010234.
4. Now ESN 73010234 is unassigned and the token can be re-assigned to a new user.

STEP 1: Create a User Account on ASAS
1) Log in to the ASAS server as an administrator and create a new user via Manage Users > Add User.
2) Fill in the user name in the Login ID field.
3) Click the Add button to complete this step.

STEP 2: Assign a ZyWALL OTP Token to the New User
1) Navigate to Manage A-Keys > Assign A-Keys to assign a specific ZyWALL OTP Token to the newly created user.
2) Select an available ZyWALL OTP token from the right panel and click the Assign button to complete the authentication key assignment.

STEP 3: Verify that the A-Key is Properly Assigned to the User
1) Navigate to the Manage Users > Search Users page; leave the input fields empty and click the Get Results button to retrieve the user and A-Key binding list.
2) Ensure the ZyWALL OTP token is correctly assigned to the user account you created.

STEP 4: Update the OTP PIN
1) Navigate to Manage A-Keys > Search A-Keys; leave the ESN field empty and click the Search button to browse the entire ZyWALL OTP token list.
2) In the search result page, select the ZyWALL OTP token whose PIN code you want to update.
3) Select PIN Set Mode from the OTP Mode dropdown list.
4) Enter the password in the OTP PIN text field; it must be 4 to 24 alphanumeric characters long.
5) Re-enter the password in the Verify OTP PIN text field.

STEP 5: Configure the NAS Devices
1) Click Server Configuration > NAS Entries > Add NAS Entry to specify which device will be given access to the authentication server.
2) Give the ZyWALL a name, and specify the IP address of the ZyWALL and the shared secret. The shared secret must be identical to the Key entered on the ZyWALL in STEP 2 of the ZyWALL 35 configuration.
3) Click the Add button to finish the NAS device configuration.

STEP 6: Restart the ASAS Service
Select Start > Programs > Authenex > ASAS Server > Restart Services to restart the ASAS server and apply the configuration.

STEP 7: Assign Resources to the User
1) Click Manage Users > Search Users; leave all fields empty and click the Get Results button to retrieve the user account list.
2) Click on the user account you created in STEP 1, and the Update User page will appear.
3) Add the ZyWALL device to the Resource(s) Allowed list.
4) Click the Update User button to complete the ASAS configuration.
7.3. ZyWALL IPSec VPN Client Configuration

STEP 1: Configure the VPN Gateway (Phase 1) on the Client
1) Launch the ZyWALL IPSec VPN Client, right click on Configuration and select New Phase1.
2) Enter the name and the IP address of the Remote Gateway.
3) Enter the pre-shared key and ensure the value you enter matches the one you entered on the ZyWALL in the phase 1 configuration. In this example, we use the pre-shared key 123456789.
4) Confirm that the encryption, authentication and key group settings match those on the ZyWALL.
5) Click the Advanced Settings button and check the X-Auth checkbox to enable extended authentication on the VPN client. Ensure the Local and Remote ID reflect the settings on the ZyWALL.

STEP 2: Configure the VPN Tunnel (Phase 2) on the Client
1) Right click on Gateway1 and select Add Phase 2 to create a new tunnel.
2) Fill in all the required fields on this page, including the Address type and all ESP fields. Ensure the encryption method, authentication method and mode match the settings on the ZyWALL.
3) Click Save & Apply to complete the setting.
7.4. Verify OTP via Login from the VPN Client

STEP 1: Establish the IPSec VPN Tunnel
1) Launch the ZyWALL IPSec VPN client.
2) Right click the VPN client icon in the system tray and select Connection Panel.
3) Click the Open button to establish the VPN tunnel.

STEP 2: User Authentication via OTP
1) Click the Open button and the Authentication window pops up.
2) Enter the login name and password. The password here is the combination OTP PIN + OTP; the OTP PIN was set to 1234 in STEP 4 (Update the OTP PIN) of the ASAS Server Configuration section. Once the OTP is accepted, you will see the welcome message pop up as in the following screenshot.

Once the OTP works correctly, the IPSec VPN tunnel will be opened.
8. OTP Authentication to an OTP-protected Network via IPSec VPN Client (SafeNet) over the ZyWALL with ZyNOS Platform

In the following example, we will employ the ZyXEL 2 Factor Authentication solution (ZyWALL OTP pack) to enhance password security for the IPSec VPN application provided by the ZyWALL 35 (ZW35). In order to use this application, you are required to configure your ZyWALL and ASAS according to the following steps:
1. Install the ASAS authentication server on a computer. (Note: Please refer to the ASAS installation guide in Chapter 2 or the installation documentation in electronic format that comes with the ZyXEL OTP Pack installation CD.)
2. Create a user account on the ASAS server.
3. Import each token's database file from the ZyXEL OTP installation CD into the ASAS authentication server.
4. Assign the users to the OTP tokens via the administration interface of the ASAS server.
5. Configure the ASAS as a RADIUS server in the ZyWALL administration GUI under Security > Auth Server > RADIUS.
6. Hand the OTP tokens out to the users who will log in remotely to the ZyWALL.

Note: The ZyWALL OTP pack is a stand-alone product, which is not bundled with the ZyWALL series.

Network Topology

This example was evaluated using the ZyWALL Starter Kit, which comes with only two ZyWALL OTP tokens; their ESN numbers are 73010234 and 73010235. We will create a new user, Rex, who logs in to the ZyWALL with OTP.

8.1. ZyWALL 35 Configuration

STEP 1: Configure Network Settings on the ZyWALL 35
Launch a web browser and log in to the ZyWALL 35's web configurator. Configure the LAN and WAN interfaces according to your application scenario and planned network topology.

STEP 2: Configure the External Authentication Server
1) Click Security > Auth Server in the left panel and navigate to the RADIUS setting page.
2) Enter the ASAS Server IP address in Server IP Address and the Shared Secret in Key.

STEP 3: Configure the IPSec VPN Gateway (Phase 1) on the ZyWALL 35
1) Navigate to Security > VPN and click Add to add a new IPSec VPN gateway for the VPN client.
2) We will assign 0.0.0.0 as the Secure Gateway Address, since we do not know the IP address of the remote client. 0.0.0.0 means that any IP address will be accepted.
3) Check the Enable Extended Authentication checkbox.

STEP 4: Configure the IPSec VPN Connection (Phase 2) on the ZyWALL
1) Navigate to Security > VPN and click Add to create a new IPSec VPN connection for the remote VPN client.
2) We will assign 0.0.0.0 as the Secure Gateway Address, since we do not know the IP address of the remote client. 0.0.0.0 means that any IP address will be accepted.
8.2. ASAS Server Configuration

Note: Because this test uses a ZyXEL OTP Starter Kit, which contains only two tokens, and both were assigned to the administrators during ASAS installation, one of the tokens has to be un-assigned manually before it can be assigned to a new user.
1. Log in to the ASAS Management Console.
2. Click the Search button in Manage A-Keys > Search A-Keys.
3. Click the Unassign hyperlink for ESN number 73010234.
4. Now ESN 73010234 is unassigned and the token can be re-assigned to a new user.

STEP 1: Create a User Account on ASAS
1) Log in to the ASAS server as an administrator and create a new user via Manage Users > Add User.
2) Fill in the user name in the Login ID field.
3) Click the Add button to complete this step.

STEP 2: Assign a ZyWALL OTP Token to the New User
1) Navigate to Manage A-Keys > Assign A-Keys to assign a specific ZyWALL OTP Token to the newly created user.
2) Select an available ZyWALL OTP token from the right panel and click the Assign button to complete the authentication key assignment.

STEP 3: Verify that the A-Key is Properly Assigned to the User
1) Navigate to the Manage Users > Search Users page; leave the input fields empty and click the Get Results button to retrieve the user and A-Key binding list.
2) Ensure the ZyWALL OTP token is correctly assigned to the user account you created.

STEP 4: Update the OTP PIN
1) Navigate to Manage A-Keys > Search A-Keys; leave the ESN field empty and click the Search button to browse the entire ZyWALL OTP token list.
2) In the search result page, select the ZyWALL OTP token whose PIN code you want to update.
3) Select PIN Set Mode from the OTP Mode dropdown list.
4) Enter the password in the OTP PIN text field; it must be 4 to 24 alphanumeric characters long.
5) Re-enter the password in the Verify OTP PIN text field.

STEP 5: Configure the NAS Devices
1) Click Server Configuration > NAS Entries > Add NAS Entry to specify which device will be given access to the authentication server.
2) Give the ZyWALL a name, and specify the IP address of the ZyWALL and the shared secret. The shared secret must be identical to the Key entered on the ZyWALL in STEP 2 of the ZyWALL 35 configuration.
3) Click the Add button to finish the NAS device configuration.

STEP 6: Restart the ASAS Service
Select Start > Programs > Authenex > ASAS Server > Restart Services to restart the ASAS server and apply the configuration.

STEP 7: Assign Resources to the User
1) Click Manage Users > Search Users; leave all fields empty and click the Get Results button to retrieve the user account list.
2) Click on the user account you created in STEP 1, and the Update User page will appear.
3) Add the ZyWALL device to the Resource(s) Allowed list.
4) Click the Update User button to complete the ASAS configuration.
8.3. ZyWALL IPSec VPN Client Configuration

STEP 1: Configure a New Connection on the VPN Client
1) Launch the ZyWALL IPSec VPN Client, right click on My Connections and select Add > Connection; enter a name for this connection.
2) Check the Only Connect Manually and Use checkboxes.
3) Select the IP Type and define the remote network range.
4) Select Secure Gateway Tunnel from the Use drop-down menu and select the correct ID Type and Gateway IP Address; ensure these settings match those on the ZyWALL.

STEP 2: Configure My Identity on the VPN Client
1) Double click on the new connection to expand it, and select My Identity.
2) Ensure the ID Type matches the ZyWALL's, and that the Internet interface and IP address are correct.
3) Enter the pre-shared key by clicking the Pre-Shared Key button, and ensure the value you enter matches the one you entered on the ZyWALL in the phase 1 configuration. In this example, we use the pre-shared key 123456789.

STEP 3: Configure Authentication (Phase 1) on the VPN Client
1) Double click on Security Policy, double click on Authentication (Phase 1), then select Proposal 1.
2) Select Pre-Shared Key, Extended Authentication from the Authentication Method dropdown list.
3) Confirm that the encryption, authentication and key group settings match those on the ZyWALL.

STEP 4: Configure Key Exchange (Phase 2) on the VPN Client
1) Double click on Key Exchange (Phase 2) and select Proposal 1.
2) Check the Encapsulation Protocol (ESP) checkbox to specify the protocol you want to use. In this example we use ESP.
3) Confirm that the encryption algorithm, hash algorithm and encapsulation match the settings on the ZyWALL.

8.4. Verify OTP via Login from the VPN Client

STEP 1: Establish the IPSec VPN Tunnel
1) Launch the ZyWALL IPSec VPN client.
2) Right click the VPN client icon in the system tray, select Connect and then select the new connection to establish the VPN tunnel.

STEP 2: User Authentication via OTP
1) After selecting the new connection, the user authentication dialog for this connection appears; enter the username and password to log in.
2) Enter the login name and password. The password here is the combination OTP PIN + OTP; the OTP PIN was set to 1234 in STEP 4 (Update the OTP PIN) of the ASAS Server Configuration section.

Once the OTP works correctly, the IPSec VPN tunnel will be opened.
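The login in STEP 2 of 6.4, 7.4 and 8.4 works because the ZyWALL, acting as the RADIUS client (NAS), forwards the PIN + OTP string to ASAS as a RADIUS User-Password, protected by the shared secret entered as Key on the ZyWALL and in the NAS entry (STEP 5 of the ASAS configuration). The following Python model is an added example, not ZyXEL or Authenex code: it implements the RFC 2865 User-Password hiding and a simplified server that only accepts a request from a registered NAS whose secret matches. The NAS IP address, shared secret, user record and OTP value are constructed stand-ins, and the PIN + OTP split is a simplified model, not the actual ASAS algorithm.

```python
"""Model of the RADIUS exchange between the ZyWALL (the NAS) and the OTP server. Added
example, not ZyXEL or Authenex code; the NAS table, secret, user and OTP are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed stand-ins for the ASAS NAS-entry list (STEP 5) and the user/A-Key binding.
NAS_ENTRIES = {"192.168.1.1": b"zywall-shared-secret"}
USERS = {"Rex": {"pin": "1234", "otp": "472913"}}  # "otp": stand-in for the token's value


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; the zero padding is stripped (PIN and OTP are alphanumeric)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def tlv(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(user: str, password: str, secret: bytes) -> bytes:
    """What the NAS sends after the XAuth prompt: code, id, length, authenticator, attributes."""
    authenticator = os.urandom(16)
    attrs = tlv(ATTR_USER_NAME, user.encode()) + tlv(
        ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(attrs)) + authenticator + attrs


def authenticate(packet: bytes, src_ip: str) -> str:
    """Simplified server decision: 'accept', 'reject' or 'discard'. Per RFC 2865 a request from
    a NAS without an entry is silently discarded, so a missing NAS entry looks like a timeout."""
    secret = NAS_ENTRIES.get(src_ip)
    if secret is None:
        return "discard"
    authenticator, pos, attrs = packet[4:20], 20, {}
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, authenticator)
    record = USERS.get(user)
    if record is None:
        return "reject"
    # The user types the PIN immediately followed by the OTP; compare in constant time.
    expected = (record["pin"] + record["otp"]).encode()
    return "accept" if hmac.compare_digest(password, expected) else "reject"
```

A mismatched Key between the ZyWALL and the NAS entry produces no explicit error: the recovered password is garbage and the login is simply rejected, and a missing NAS entry shows up as no answer at all, which is what to look for when the OTP login fails after a correct PIN + OTP was typed.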