MIGRATION GUIDE. Authentication Server




MIGRATION GUIDE RSA Authentication Manager to IDENTIKEY Authentication Server

Disclaimer

Disclaimer of Warranties and Limitation of Liabilities

All information contained in this document is provided 'as is'; VASCO Data Security assumes no responsibility for its accuracy and/or completeness. In no event will VASCO Data Security be liable for damages arising directly or indirectly from any use of the information contained in this document.

Copyright

Copyright 2013 VASCO Data Security, Inc, VASCO Data Security International GmbH. All rights reserved. VASCO, Vacman, IDENTIKEY AUTHENTICATION, axsguard and DIGIPASS logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. VASCO Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Products, updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, database rights and all other intellectual and industrial property rights in the U.S. and other countries. Microsoft and Windows are trademarks or registered trademarks of Microsoft Corporation. Other names may be trademarks of their respective owners.

1 RSA Authentication Manager to IDENTIKEY Authentication Server

Table of Contents

1 Introduction... 3
2 RSA Authentication Manager Architecture... 4
3 Migration architecture... 5
3.1 General overview... 5
3.2 RADIUS Authentication with IDENTIKEY Authentication Server and RSA Authentication Manager... 6
4 Final architecture... 7
4.1 General Overview... 7
4.2 RADIUS Authentication with IDENTIKEY Authentication Server... 7
5 RSA Authentication Manager Configuration... 8
5.1 User configuration... 8
5.2 RADIUS client and Authentication Agent... 9
6 IDENTIKEY Authentication Server configuration... 12
6.1 Set time and date... 12
6.2 Policy Configuration... 13
6.3 RADIUS Client configuration... 17
6.4 RADIUS Back-End configuration... 18
6.5 User Configuration... 20
6.6 DIGIPASS configuration... 23
7 Migration scenario details... 26
7.1 Dynamic User Registration (DUR)... 26
7.2 Migration results... 28
8 About VASCO Data Security... 29

1 Introduction

In this White Paper we describe the migration of an existing RSA Authentication Manager implementation, used in conjunction with a RADIUS-enabled system (e.g. firewall, VPN or SSL/VPN, NAS), towards a VASCO solution based upon IDENTIKEY Authentication Server and the DIGIPASS products.

We have tested this migration with:
RSA ACE Server 6.0
RSA Authentication Manager 7.1 (used in this guide)

We assume that the person performing the migration has the required experience with installing RSA Authentication Manager and the IDENTIKEY Authentication Server. This document will guide you through the migration process, showing the different configuration steps.

2 RSA Authentication Manager Architecture

Figure 1 illustrates a typical deployment architecture, with a VPN or SSL/VPN system using RADIUS authentication in combination with the RSA Authentication Manager.

Figure 1: RSA Authentication Manager Architecture

The RSA Authentication Manager is typically set up with the built-in RADIUS server. Through the RADIUS protocol, the VPN or SSL/VPN checks whether a certain user will be given access to the network after entering a correct One Time Password generated by the SecurID token.

3 Migration architecture

3.1 General overview

The concept is very simple: the IDENTIKEY Authentication Server is installed as a front end to the RSA Authentication Manager. This means that the IDENTIKEY Authentication Server intercepts each RADIUS authentication request going to the RSA Authentication Manager. Initially the users will not exist on the IDENTIKEY Authentication Server, and it will transparently forward the RADIUS authentication request (using Back-End RADIUS authentication) to the RSA Authentication Manager, which verifies the user's credentials, such as the SecurID token. The Dynamic User Registration (DUR) feature of the IDENTIKEY Authentication Server has to be enabled, ensuring that users are created automatically in its own user database. As a SecurID token reaches its end of life, the authentication is no longer sent to the back-end RSA Authentication Manager but handled locally, and a DIGIPASS is assigned to the user. Special features such as DUR and Back-End authentication make the VM a very easily deployable authentication server system (see below).

Figure 2: Migration architecture

3.2 RADIUS Authentication with IDENTIKEY Authentication Server and RSA Authentication Manager

1. A remote user initiates a VPN or SSL/VPN connection.
2. The VPN box submits a RADIUS authentication request to the IDENTIKEY Authentication Server.
3. The IDENTIKEY Authentication Server performs a back-end authentication request to the RSA Authentication Manager.
4. The RSA Authentication Manager performs its verification and returns the results to the IDENTIKEY Authentication Server.
5. The IDENTIKEY Authentication Server forwards the results to the VPN box.
6. The VPN box takes an appropriate action based on the returned RADIUS results.

4 Final architecture

4.1 General Overview

The authentication is now handled by the IDENTIKEY Authentication Server and no longer goes to the RSA Authentication Manager. A DIGIPASS is assigned to the user, who can then start using the DIGIPASS instead of the RSA token. This way the migration can be done very easily and without much hassle for the end users or the administrators.

Figure 3: Final architecture

4.2 RADIUS Authentication with IDENTIKEY Authentication Server

1. A remote user initiates a VPN or SSL/VPN connection.
2. The VPN box submits a RADIUS authentication request to the IDENTIKEY Authentication Server.
3. The IDENTIKEY Authentication Server performs the OTP verification.
4. The VPN box takes an appropriate action based on the returned RADIUS results.
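The two architectures in sections 3 and 4 differ only in which settings apply to a given user: the policy defaults of section 6.2 (Local Authentication None, Back-End Authentication Always, DUR enabled) send everything to the RSA back end and create the user on first success, while the per-user override of section 6.5 (Local Authentication Digipass/Password, Back-End Authentication None) keeps the request on the IDENTIKEY side. The following model, added here as an illustration and not VASCO's code, walks a user through both states; it also reproduces the observation of section 7.2 that a locally handled authentication returns no RADIUS attributes. The user ID, passcodes, serial number, attribute values and the OTP verifier are all constructed for the example.

```python
"""Model of the migration front end from sections 3 and 4 (added example).

An IDENTIKEY-style front end forwards unknown users to an RSA-style back
end, creates the user on first successful back-end login (DUR) and, after
the per-user override of section 6.5, verifies the OTP locally instead.
All user IDs, passcodes, serials and attribute values are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Policy:
    """Policy values as set in section 6.2 (blank policy, DUR enabled)."""
    local_auth: str = "None"            # "None" or "Digipass/Password"
    backend_auth: str = "Always"        # "Always" or "None"
    backend_protocol: str = "RADIUS"
    dynamic_user_registration: bool = True


@dataclass
class User:
    """User record in the front end's own database; None = inherit from policy."""
    user_id: str
    local_auth: Optional[str] = None
    backend_auth: Optional[str] = None
    digipass_serial: Optional[str] = None


@dataclass
class RadiusResult:
    accepted: bool
    handled_by: str                         # "backend", "local" or "rejected"
    attributes: Dict[str, str] = field(default_factory=dict)


class RsaBackEnd:
    """Constructed stand-in for the RSA Authentication Manager RADIUS server."""

    def __init__(self, passcodes: Dict[str, str]) -> None:
        self.passcodes = passcodes          # user_id -> currently valid SecurID passcode

    def authenticate(self, user_id: str, password: str) -> RadiusResult:
        if self.passcodes.get(user_id) == password:
            # A back-end answer carries reply attributes (cf. Figure 32).
            return RadiusResult(True, "backend", {"Class": "rsa-profile"})
        return RadiusResult(False, "rejected")


class FrontEnd:
    """IDENTIKEY-style front end: policy defaults, per-user overrides, DUR."""

    def __init__(self, policy: Policy, backend: RsaBackEnd,
                 verify_otp: Callable[[str, str], bool]) -> None:
        self.policy = policy
        self.backend = backend
        self.verify_otp = verify_otp        # hypothetical (serial, otp) -> bool verifier
        self.users: Dict[str, User] = {}    # the front end's own user database

    def _effective(self, user: Optional[User], attr: str) -> str:
        override = getattr(user, attr) if user else None
        return override if override is not None else getattr(self.policy, attr)

    def authenticate(self, user_id: str, password: str) -> RadiusResult:
        user = self.users.get(user_id)
        local = self._effective(user, "local_auth")
        backend = self._effective(user, "backend_auth")
        if local == "Digipass/Password" and user and user.digipass_serial:
            # Final architecture: handled locally, no reply attributes (section 7.2).
            ok = self.verify_otp(user.digipass_serial, password)
            return RadiusResult(ok, "local" if ok else "rejected")
        if backend == "Always":
            result = self.backend.authenticate(user_id, password)
            if result.accepted and user is None and self.policy.dynamic_user_registration:
                self.users[user_id] = User(user_id)   # DUR: create on first success
            return result
        return RadiusResult(False, "rejected")

    def migrate(self, user_id: str, serial: str) -> None:
        """Sections 6.5 and 6.6: per-user override plus DIGIPASS assignment.
        Raises KeyError if the user was never created through DUR."""
        user = self.users[user_id]
        user.local_auth = "Digipass/Password"
        user.backend_auth = "None"
        user.digipass_serial = serial


def build_demo() -> FrontEnd:
    """Constructed environment: user 'vasco' on the RSA side, one DIGIPASS."""
    backend = RsaBackEnd({"vasco": "123456"})
    # Constructed OTP verifier: accepts one fixed OTP per serial number.
    valid_otps = {"VDP-CONSTRUCTED-0001": "654321"}
    return FrontEnd(Policy(), backend, lambda serial, otp: valid_otps.get(serial) == otp)


if __name__ == "__main__":
    fe = build_demo()
    print(fe.authenticate("vasco", "123456"))   # back-end accept, user created by DUR
    fe.migrate("vasco", "VDP-CONSTRUCTED-0001")
    print(fe.authenticate("vasco", "654321"))   # local accept, no attributes
    print(fe.authenticate("vasco", "123456"))   # SecurID passcode no longer forwarded
```

The ordering in `authenticate` matters: once a user's override says Digipass/Password and a DIGIPASS is assigned, the old SecurID passcode is never forwarded again, which is the property the guide relies on when it says the authentication "will no longer go to the RSA Authentication Manager". A user that fails at the back end is not created, so DUR only admits identities the RSA side has already vouched for.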

5 RSA Authentication Manager Configuration

5.1 User configuration

On our system we have created a user vasco on the RSA Authentication Manager, with an RSA SecurID key fob assigned, which is configured to be used without a static PIN/password.

Figure 4: vasco user in RSA Authentication Manager

5.2 RADIUS client and Authentication Agent

Adding the RADIUS client and the Authentication Agent can be done in one step. Go to RADIUS > RADIUS Clients > Add New.

Figure 5: RADIUS client and Authentication Agent (1)

As the Client Name, fill in the FQDN of the IDENTIKEY Authentication Server host. Fill in the IP Address and the Shared Secret. Now click Save and Create Associated RSA Agent.

Figure 6: RADIUS client and Authentication Agent (2)

You will now automatically enter the new Authentication Agent page. Select the RADIUS profile that you would like to use.

Figure 7: RADIUS client and Authentication Agent (3)

Click Save to continue.

Figure 8: RADIUS client and Authentication Agent (4)

The IDENTIKEY Authentication Server has now been added automatically to the authentication agents.

Figure 9: RADIUS client and Authentication Agent (5)

6 IDENTIKEY Authentication Server configuration

6.1 Set time and date

Most DIGIPASS use a time-based algorithm for generating the One Time Password. Those DIGIPASS are created with the internal real-time clock set to GMT. As such, it is important to set the date, time and time zone of the server running the IDENTIKEY Authentication Server correctly, so that GMT can be derived correctly.

Figure 10: Setting correct date, time and time zone

You can also use the NTP settings to obtain the correct time over the internet.

Figure 11: Using NTP settings

6.2 Policy Configuration

A RADIUS client needs a policy that specifies the settings it works with. For now we create a new policy starting from blank. Select Policy > Create.

Figure 12: Policy Configuration (1)

Fill in the Policy ID and add an optional description. As we create a blank policy, set Inherits from to None and click Create.

Figure 13: Policy Configuration (2)

You will now receive the message that the policy was created successfully; click the Click here to manage your policy link.

Figure 14: Policy Configuration (3)

In the general Policy tab, click the Edit button.

Figure 15: Policy Configuration (4)

Set Local Authentication to None, Back-End Authentication to Always and Back-End Protocol to RADIUS. Click the Save button.

Figure 16: Policy Configuration (5)

You will now see the changed settings appear in the next screen. Select the Policy User tab (not the general USERS tab!) and click the Edit button.

Figure 17: Policy Configuration (6)

Set Dynamic User Registration to Yes and click the Save button.

Figure 18: Policy Configuration (7)

That's it for the policy; let's use it in the RADIUS client now.

6.3 RADIUS Client configuration

The RADIUS Client is where the calls originate from. The client in our test environment will be a server running our VASCO RADIUS Simulator. Normally this will be a NAS, VPN or web client. Select Clients > Register.

Figure 19: RADIUS Client configuration (1)

Client Type in this case will be RADIUS Client, and the Location is the originating IP address of the RADIUS call. Choose the Policy you created in the previous chapter and select RADIUS as the Protocol ID. Finally, fill in a shared secret and click the Create button.

Figure 20: RADIUS Client configuration (2)

6.4 RADIUS Back-End configuration

The RADIUS back-end will be the RSA Authentication Manager, so create it with the details of that server. Select Back-End > Register RADIUS Back-End.

Figure 21: RADIUS Back-End configuration (1)

The most important required fields are Back-End Server ID (a name for this server), Domain Name (which domain to use in IDENTIKEY Authentication Server), Authentication IP Address (IP address of the RSA Authentication Manager), Authentication Port (RSA port) and Shared Secret. It's probably best to fill in Timeout and Retries as well. Click the Create button to save the settings.

Figure 22: RADIUS Back-End configuration (2)

Once the RADIUS settings are done, it is a good time to test the original configuration before changing any user details or migrating to a DIGIPASS. This is explained in chapter 7.1 Dynamic User Registration.

6.5 User Configuration

The following steps will only work once the user is known through the DUR (Dynamic User Registration) procedure. This means the user needs to have authenticated once to IDENTIKEY Authentication Server, which creates the user on IDENTIKEY Authentication Server. The steps are necessary once a user has to be migrated from an RSA token to a DIGIPASS. These settings need to be changed per user, as we need to overrule the policy values. Select Users and click the user you want to migrate.

Figure 23: User Configuration (1)

Under the User Account settings click the Edit button.

Figure 24: User Configuration (2)

Select Local Authentication as Digipass/Password and set Back-End Authentication to None; click Save to continue.

Figure 25: User Configuration (3)

The user is now set up to work with a DIGIPASS, so let's assign one to this user.

6.6 DIGIPASS configuration

In the same user detail settings, go to the Assigned Digipass tab and click the Assign button.

Figure 26: DIGIPASS configuration (1)

If you do not have that many DIGIPASS imported on your system, the easiest way is to change the On Clicking Next value to Search now to select Digipass to assign and click Next. Otherwise you will have to search for part of the serial number, or search for a certain type of application or a certain type of DIGIPASS.

Figure 27: DIGIPASS configuration (2)

Now select the DIGIPASS you want to assign and click Next.

Figure 28: DIGIPASS configuration (3)

You can now change the grace period if you want; click Assign to complete these steps.

Figure 29: DIGIPASS configuration (4)

The DIGIPASS is now assigned to the user and can be used. Click Finish to return to the first screen.

Figure 30: DIGIPASS configuration (5)

7 Migration scenario details

7.1 Dynamic User Registration (DUR)

We will test the vasco user with the VACMAN RADIUS Client Simulator from VASCO. The VACMAN RADIUS Client Simulator is a program that simulates RADIUS authentication and accounting processing in a similar fashion to RADIUS-enabled NAS and firewall devices. The simulator can be used to test user (static-password) authentication and DIGIPASS password authentication, estimate RADIUS server performance and system overload, and assist in detecting resource (memory, handle, etc.) leakage.

When we open the simulator we have to change some things first. Server IP should be the IP address of the IDENTIKEY Authentication Server. The Auth. Port should be set to 1812 and the Acct. Port to 1813. These are the default values; if you changed them during the installation of your IDENTIKEY Authentication Server, fill in your own ports. Next fill in the Shared Secret. Click one of the yellow ports, allowing you to enter User ID and password.

Figure 31: RADIUS Client Simulator configuration

In the User ID field enter vasco (the test user we created). In the password field enter the RSA SecurID PASSCODE (One Time Password). Click Login to test the authentication for this user. Also notice the returned RADIUS attributes.

Figure 32: Successful logon with original users

When the user vasco has logged in successfully, he is created automatically in the IDENTIKEY Authentication Server (Dynamic User Registration). From now on you can follow the steps written in 6.5 User Configuration.

7.2 Migration results

Once the user's properties and settings are changed to work with a DIGIPASS, you will see that the authentication returns no RADIUS attributes. This proves that the authentication has been performed by IDENTIKEY Authentication Server.

Figure 33: Migration results

From now on, users can be migrated to a DIGIPASS one at a time, when their SecurID token reaches end of life or sooner.
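What the RADIUS Client Simulator of section 7.1 does on the wire is an RFC 2865 Access-Request to UDP port 1812 with the User-Password hidden under the shared secret, followed by an Access-Accept or Access-Reject whose Response Authenticator is an MD5 over the reply and the same secret; the reply attributes it displays (present in Figure 32, absent in Figure 33) are the attribute list of that reply. The example below, added here and not VASCO's simulator, builds the request, plays the server side with a constructed stub, verifies the Response Authenticator before trusting the reply, and decodes the attributes. The user IDs, passcodes, shared secret, NAS address and attribute values are constructed; the packet layout and the password-hiding algorithm follow RFC 2865.

```python
"""RFC 2865 Access-Request/Access-Accept round trip (added example).

Builds a request the way a RADIUS client simulator does, answers it with a
constructed server stub, verifies the Response Authenticator with the shared
secret, and decodes the reply attributes. All users, passcodes, the shared
secret and the NAS address are constructed for the example.
"""
import hashlib
import hmac
import secrets
import socket
import struct
from typing import List, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE, CLASS = 1, 2, 4, 18, 25
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              18: "Reply-Message", 25: "Class"}
DEMO_USERS = {"vasco": "123456"}          # constructed: user_id -> valid passcode


def _md5_chain(data: bytes, secret: bytes, seed: bytes, decrypt: bool) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous
    ciphertext block), the first block being keyed by the Request Authenticator."""
    out, prev = b"", seed
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, mask))
        out += res
        prev = block if decrypt else res      # chain on the ciphertext block
    return out


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)
    return _md5_chain(padded, secret, request_auth, decrypt=False)


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    return _md5_chain(hidden, secret, request_auth, decrypt=True).rstrip(b"\x00")


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute length")
        out.append((t, data[pos + 2:pos + length]))
        pos += length
    return out


def build_access_request(identifier: int, user_id: str, passcode: str,
                         secret: bytes, nas_ip: str = "10.0.0.5") -> Tuple[bytes, bytes]:
    request_auth = secrets.token_bytes(16)     # fresh random Request Authenticator
    body = encode_attrs([
        (USER_NAME, user_id.encode()),
        (USER_PASSWORD, hide_password(passcode.encode(), secret, request_auth)),
        (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),   # constructed NAS address
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + request_auth + body, request_auth


def build_response(code: int, identifier: int, request_auth: bytes,
                   attrs: List[Tuple[int, bytes]], secret: bytes) -> bytes:
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet: bytes, request_auth: bytes, secret: bytes):
    """Check length and Response Authenticator: a reply from a host that does not
    hold the shared secret, or one altered in transit, fails here and is ignored."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad packet length")
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    return packet[0], packet[1], decode_attrs(packet[20:])


def demo_server(packet: bytes, secret: bytes) -> bytes:
    """Constructed stand-in for the RADIUS server side of the exchange."""
    identifier, request_auth = packet[1], packet[4:20]
    attrs = dict(decode_attrs(packet[20:]))
    user = attrs[USER_NAME].decode()
    passcode = unhide_password(attrs[USER_PASSWORD], secret, request_auth).decode()
    if DEMO_USERS.get(user) == passcode:
        return build_response(ACCESS_ACCEPT, identifier, request_auth,
                              [(CLASS, b"rsa-profile")], secret)
    return build_response(ACCESS_REJECT, identifier, request_auth,
                          [(REPLY_MESSAGE, b"Access denied")], secret)


def simulate_login(user_id: str, passcode: str, secret: bytes) -> Tuple[bool, List[Tuple[str, bytes]]]:
    """One round trip: returns (accepted, named reply attributes)."""
    request, request_auth = build_access_request(7, user_id, passcode, secret)
    code, _, attrs = verify_response(demo_server(request, secret), request_auth, secret)
    return code == ACCESS_ACCEPT, [(ATTR_NAMES.get(t, f"Attr-{t}"), v) for t, v in attrs]
```

The check in `verify_response` is the one a real client must never skip: the Request Authenticator is random and the Response Authenticator binds the reply to it and to the shared secret, so only a host holding the secret can produce an acceptable Access-Accept for that specific request. The decoded attribute list is what the simulator shows after Login; an empty list with an Access-Accept is exactly the post-migration result of section 7.2.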

8 About VASCO Data Security

VASCO designs, develops, markets and supports patented Strong User Authentication products for e-business and e-commerce. VASCO's User Authentication software is carried by the end user on its DIGIPASS products, which are small calculator hardware devices, or in a software format on mobile phones, other portable devices, and PCs. At the server side, VASCO's IDENTIKEY products guarantee that only the designated DIGIPASS user gets access to the application. VASCO's target markets are the applications and their several hundred million users that utilize fixed passwords as security. VASCO's time-based system generates a one-time password that changes with every use, and is virtually impossible to hack or break. VASCO designs, develops, markets and supports patented user authentication products for the financial world, remote access, e-business and e-commerce. VASCO's user authentication software is delivered via its DIGIPASS hardware and software security products. With over 25 million DIGIPASS products sold and delivered, VASCO has established itself as a world leader for strong User Authentication with over 500 international financial institutions and almost 3000 blue-chip corporations and governments located in more than 100 countries.