DIGIPASS Authentication for Fortigate SSL-VPN


DIGIPASS Authentication for Fortigate SSL-VPN
With IDENTIKEY Server / Axsguard IDENTIFIER
Integration Guidelines
2010 VASCO Data Security. All rights reserved. Page 1 of 20

Disclaimer
Disclaimer of Warranties and Limitations of Liabilities
This Report is provided on an 'as is' basis, without any other warranties, or conditions. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security.
Trademarks
DIGIPASS, IDENTIKEY, IDENTIFIER & AXSGUARD are registered trademarks of VASCO Data Security. All trademarks or trade names are the property of their respective owners. VASCO reserves the right to make changes to specifications at any time and without notice. The information furnished by VASCO in this document is believed to be accurate and reliable. However, VASCO may not be held liable for its use, nor for infringement of patents or other rights of third parties resulting from its use.
Copyright 2010 VASCO Data Security. All rights reserved.

Table of Contents
DIGIPASS Authentication for Fortigate SSL-VPN ... 1
Disclaimer ... 2
Table of Contents ... 3
1 Reader ... 4
2 Overview ... 4
3 Problem Description ... 4
4 Solution ... 4
5 Technical Concept ... 5
5.1 General overview ... 5
5.2 Fortigate prerequisites ... 5
5.3 IDENTIKEY SERVER Prerequisites ... 5
6 Fortigate Configuration ... 6
6.1 SSL/VPN configuration ... 6
6.2 RADIUS configuration ... 8
6.3 Group configuration ... 9
6.4 Firewall configuration ... 10
8 IDENTIKEY Server ... 12
8.1 Policy configuration ... 12
8.2 Client configuration ... 15
9 Fortigate SSL/VPN test ... 17
9.1 Response Only ... 17
9.2 Challenge / Response ... 18
10 About VASCO Data Security ... 20

1 Reader
This document is a guideline for configuring the partner product with IDENTIKEY SERVER or Axsguard IDENTIFIER. For details about the setup and configuration of IDENTIKEY SERVER and Axsguard IDENTIFIER, we refer to the installation and administration manuals of these products. Axsguard IDENTIFIER is the appliance-based solution, running IDENTIKEY SERVER by default.
Within this document, VASCO Data Security provides the reader with guidelines for configuring the partner product in this specific configuration, in combination with the VASCO Server and DIGIPASS. Any change in the concept might require a change in the configuration of the VASCO Server products.
The product name IDENTIKEY SERVER will be used throughout the document, keeping in mind that this document applies to the Axsguard IDENTIFIER as well.

2 Overview
The purpose of this document is to demonstrate how to configure IDENTIKEY SERVER to work with a Fortigate device. Authentication is arranged in one central place, where it can be used for a regular VPN or an SSL/VPN connection.

3 Problem Description
The basic working of the Fortigate is based on authentication against an existing medium (LDAP, RADIUS, local authentication). To use the IDENTIKEY SERVER with the Fortigate, the external authentication settings need to be changed or added manually.

4 Solution
After configuring IDENTIKEY SERVER and the Fortigate in the right way, you eliminate the weakest link in any security infrastructure: the use of static passwords that are easily stolen, guessed, reused or shared.
In this integration guide we make use of a Fortigate 50A. This combines a firewall, an IPSec, PPTP or SSL/VPN and a UTM suite in one device. For authentication, we focus on the SSL/VPN part.
Figure 1: Solution

5 Technical Concept

5.1 General overview
The main goal of the Fortigate is to perform authentication to secure all kinds of VPN connections. As the Fortigate can authenticate against an external service using the RADIUS protocol, we place the IDENTIKEY SERVER as the back-end service, to secure the authentication with our proven IDENTIKEY SERVER software.

5.2 Fortigate prerequisites
Please make sure you have a working setup of the Fortigate. It is very important that this works correctly before you start implementing the authentication against the IDENTIKEY SERVER. Currently all Fortigate devices use the same web config and CLI interface, so this integration guide is suited for the complete product range of Fortigate devices.

5.3 IDENTIKEY SERVER Prerequisites
In this guide we assume you already have IDENTIKEY SERVER installed and working. If this is not the case, make sure you get IDENTIKEY SERVER working before installing any other features.

6 Fortigate Configuration
The Fortigate device is configured through the web config or the CLI; there is even a CLI window available in the web config screen. By default the web config is reachable at https://<ip_or_name_fortigate>. In our case this becomes: https://fortigate

6.1 SSL/VPN configuration
In the web config menu, select the VPN main category.
Figure 2: SSL/VPN configuration (1)

Select the SSL sub category. Select the Enable SSL-VPN box. If necessary you can select another Server Certificate or a Tunnel IP Range, if you want to allow clients to create a VPN tunnel. Click Apply to continue.
Figure 3: SSL/VPN configuration (3)

6.2 RADIUS configuration
Go to the User main category and select RADIUS as sub category. Click the Create New button to add a new RADIUS connection.
Figure 4: RADIUS configuration (1)
Fill in the Name, the Primary Server Name/IP and the Primary Server Secret. If necessary you can add a secondary server as well, but this is not required to continue. Click OK to create the RADIUS server.
Figure 5: RADIUS configuration (2)

6.3 Group configuration
We will now create a group to use in the firewall rules. Click on the User main category, select User Group as sub category and click the Create New button.
Figure 6: Group configuration (1)
Enter a Name and select SSL VPN as type. In the left column, select the RADIUS server you created earlier and click the button to move it to the right column. If necessary, click on the SSL-VPN User Group Options for more options; here you can enable tunneling options and enable web applications. Click OK to create this group.
Figure 7: Group configuration (2)

6.4 Firewall configuration
To enable SSL-VPN we also have to create a firewall policy allowing connections from the VPN side to the internal network. To do so, click the Firewall main category and select Policy as sub category. Click the Create New button.
Figure 8: Firewall configuration (1)

The following settings are used for an SSL-VPN connection:
Source Interface/Zone: external
Source Address: all
Destination Interface/Zone: internal
Destination Address: LocalNetwork
Schedule: always
Service: ANY
Action: SSL-VPN
From the Available Groups window, select the RADIUS group and click the button to transfer the group to the Allowed window. To finish, click the OK button at the bottom of the screen.
Figure 9: Firewall configuration (2)
This concludes the configuration of the Fortigate device. Incoming authentication requests from the SSL-VPN service will now be handled by the IDENTIKEY SERVER. In the next chapters we show how to configure IDENTIKEY SERVER and how to assign a DIGIPASS to a user. In the chapter after those we test the Fortigate setup with a response-only and a challenge/response DIGIPASS.

8 IDENTIKEY Server
Go to the IDENTIKEY Server web administration page and authenticate with an administrative account.

8.1 Policy configuration
To add a new policy, select Policies, then Create.
Figure 10: Policy configuration (1)
Some policies are available by default. You can also create new policies to suit your needs. These can be independent policies or inherit their settings from the default or other policies.

Fill in a policy ID and a description. Choose the option most suitable for your situation. If you want the policy to inherit settings from another policy, choose the right policy in the Inherits From list; otherwise leave this field at None.
Figure 11: Policy configuration (2)
In the policy options, configure the policy to use the right back-end server. This could be the local database, but also Active Directory or another RADIUS server. This is probably the same back-end that was in your default client authentication options before you changed it: the local database, Windows, or a further RADIUS server. In our example we select our newly made Demo Policy and change it like this:
Local auth.: Digipass/Password
Back-End Auth.: Default (None)
Back-End Protocol: Default (None)
Dynamic User Registration: Default (No)
Password Autolearn: Default (No)
Stored Password Proxy: Default (No)
Windows Group Check: Default (No Check)
After configuring this policy, authentication happens locally in the IDENTIKEY Server: the user credentials are passed through to the IDENTIKEY Server, which checks them against its local user database and answers the client with an Access-Accept or Access-Reject message.

In the Policy tab, click the Edit button and change the Local Authentication to Digipass/Password.
Figure 12: Policy configuration (3)
The user details can keep their default settings.
Figure 13: Policy configuration (4)

8.2 Client configuration
Now create a new component by right-clicking Components and choosing New Component.
Figure 14: Client configuration (1)

As component type, choose RADIUS Client. The location is the IP address of the client (the Fortigate). In the policy field you should find your newly created policy. Fill in the same shared secret you entered on the client in the RADIUS options; in our example this was vasco. Click Create.
Figure 15: Client configuration (2)
Now the client and the IDENTIKEY Server are set up. We will now see if the configuration is working.

9 Fortigate SSL/VPN test
By default the Fortigate configures the SSL/VPN service on port 10443.

9.1 Response Only
To start the test, browse to the public IP address or hostname of the Fortigate device. In our example this is https://fortigate.labs.vasco.com:10443. Enter your Name and Password (the one-time password) and click the Login button.
Figure 16: Response Only (1)
If all goes well, you will be authenticated and see the SSL/VPN portal page.
Figure 17: Response Only (2)

9.2 Challenge / Response
For the challenge/response test, enter your Name and Password (the challenge/response trigger) and click the Login button. In our case the challenge/response trigger is the user's static password.
Figure 18: Challenge / Response (1)
You will be presented with a DP300 challenge code. Enter the response in the Answer field and click OK.
Figure 19: Challenge / Response (2)

If everything goes well, you will be shown the SSL/VPN portal page.
Figure 20: Challenge / Response (3)
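The RADIUS conversation behind sections 8.1 (the IDENTIKEY Server answering with Access-Accept or Access-Reject from its local user database), 9.1 (response-only) and 9.2 (challenge/response), as an added example that is not part of the original guide and is neither VASCO's nor Fortinet's code. It simulates both sides in Python: a NAS in the Fortigate role and an OTP server in the IDENTIKEY Server role, exchanging RFC 2865 packets. The User-Password hiding, the Response Authenticator and the State attribute follow RFC 2865; the shared secret vasco is the one used in the guide; the user alice, her static password, the token seed and the token_response() function are constructed stand-ins and are not the DIGIPASS algorithm.

```python
# Simulated RADIUS exchange: NAS (Fortigate role) <-> OTP server (IDENTIKEY Server role).
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24  # RFC 2865 attribute types
SECRET = b"vasco"           # the shared secret used in the guide; NAS and server must agree
SEED = b"token-seed-alice"  # constructed token seed, shared by the user's token and the server

def token_response(seed, challenge=b"otp"):
    """Stand-in for a DIGIPASS (not the real algorithm): OTP without a challenge, else the answer."""
    return hashlib.sha256(seed + b"|" + challenge).hexdigest()[:6].encode()

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: XOR 16-byte blocks with a chained MD5(secret + previous block) stream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        attrs[t], i = data[i + 2:i + length], i + length
    return attrs

def build_request(ident, req_auth, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def build_response(code, ident, req_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + req_auth + body + secret).digest() + body

def verify_response(packet, req_auth, secret):
    # NAS-side check: trust a reply only if it was built with the shared secret for this request
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)

class OtpServer:
    """Stand-in for the IDENTIKEY policy 'Local auth.: Digipass/Password' on its local user DB."""
    def __init__(self, secret):
        self.secret = secret
        self.users = {b"alice": {"static": b"Secret1", "seed": SEED}}  # constructed record
        self.pending = {}  # State value -> (user, challenge) waiting for an answer

    def handle(self, packet):
        ident, req_auth, attrs = packet[1], packet[4:20], decode_attrs(packet[20:])
        user, rec = attrs.get(USER_NAME), self.users.get(attrs.get(USER_NAME))
        def reply(code, extra=()):
            return build_response(code, ident, req_auth, list(extra), self.secret)
        if rec is None or USER_PASSWORD not in attrs:
            return reply(ACCESS_REJECT)
        pw = reveal_password(attrs[USER_PASSWORD], self.secret, req_auth)
        if STATE in attrs:  # second leg: State binds this answer to the challenge we issued
            puser, challenge = self.pending.pop(attrs[STATE], (None, b""))
            ok = puser == user and hmac.compare_digest(pw, token_response(rec["seed"], challenge))
            return reply(ACCESS_ACCEPT if ok else ACCESS_REJECT)
        if hmac.compare_digest(pw, token_response(rec["seed"])):  # response-only OTP (section 9.1)
            return reply(ACCESS_ACCEPT)
        if hmac.compare_digest(pw, rec["static"]):  # static password is the C/R trigger (section 9.2)
            challenge, state = os.urandom(4).hex().encode(), os.urandom(8)
            self.pending[state] = (user, challenge)
            return reply(ACCESS_CHALLENGE, [(REPLY_MESSAGE, b"Challenge: " + challenge), (STATE, state)])
        return reply(ACCESS_REJECT)

def nas_login(server, user, password, answer_fn=None, secret=SECRET):
    """One login as the Fortigate performs it; returns the final RADIUS code."""
    def send(ident, pw, extra):
        req_auth = os.urandom(16)
        attrs = [(USER_NAME, user), (USER_PASSWORD, hide_password(pw, secret, req_auth))] + extra
        reply = server.handle(build_request(ident, req_auth, attrs))
        if not verify_response(reply, req_auth, secret):  # drop forged or tampered replies
            raise ValueError("Response Authenticator mismatch")
        return reply
    reply = send(1, password, [])
    if reply[0] != ACCESS_CHALLENGE or answer_fn is None:
        return reply[0]
    rattrs = decode_attrs(reply[20:])
    challenge = rattrs[REPLY_MESSAGE].split(b": ", 1)[1]  # the code the portal shows the user
    return send(2, answer_fn(challenge), [(STATE, rattrs[STATE])])[0]
```

nas_login(OtpServer(SECRET), b"alice", token_response(SEED)) reproduces the response-only test and returns ACCESS_ACCEPT; nas_login(..., b"Secret1", lambda c: token_response(SEED, c)) reproduces the challenge/response test: the static password earns an Access-Challenge whose Reply-Message carries the code the portal displays and whose State the NAS must echo back with the answer. Two details matter operationally. The NAS verifies the Response Authenticator on every reply, so a reply not built with the shared secret is discarded rather than acted on. And if the secret entered in section 8.2 differs from the one on the Fortigate (section 6.2), the User-Password decodes to garbage on the server and its replies fail verification on the NAS, which is why a mismatched secret shows up as every login being rejected or timing out rather than as a clear error.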

10 About VASCO Data Security
VASCO designs, develops, markets and supports patented Strong User Authentication products for e-business and e-commerce. VASCO's User Authentication software is carried by the end user on its DIGIPASS products, which are small calculator hardware devices, or in a software format on mobile phones, other portable devices and PCs. At the server side, VASCO's VACMAN products guarantee that only the designated DIGIPASS user gets access to the application. VASCO's target markets are the applications and their several hundred million users that utilize fixed passwords as security. VASCO's time-based system generates a one-time password that changes with every use, and is virtually impossible to hack or break.
VASCO designs, develops, markets and supports patented user authentication products for the financial world, remote access, e-business and e-commerce. VASCO's user authentication software is delivered via its DIGIPASS hardware and software security products. With over 25 million DIGIPASS products sold and delivered, VASCO has established itself as a world leader in strong User Authentication, with over 500 international financial institutions and almost 3000 blue-chip corporations and governments located in more than 100 countries.