Configuring Steel-Belted RADIUS Proxy to Send Group Attributes



Similar documents
Configuring the Palo Alto Firewall for use with Juniper Steel-Belted RADIUS.

Integration with IP Phones

IIS, FTP Server and Windows

Compiled By: Chris Presland v th September. Revision History Phil Underwood v1.1

Configuring Infoblox DHCP

Sophos Anti-Virus standalone startup guide. For Windows and Mac OS X

Configuring User Identification via Active Directory

Creating IBM Cognos Controller Databases using Microsoft SQL Server

Sophos Endpoint Security and Control standalone startup guide

Secure Agent Quick Start for Windows

Sophos Anti-Virus for NetApp Storage Systems startup guide

DIGIPASS Authentication for Check Point Connectra

ESET SECURE AUTHENTICATION. Check Point Software SSL VPN Integration Guide

Customer Tips. Configuring Color Access on the WorkCentre 7328/7335/7345 using Windows Active Directory. for the user. Overview

Sophos Enterprise Console server to server migration guide. Product version: 5.1 Document date: June 2012

ZyWALL OTP Co works with Active Directory Not Only Enhances Password Security but Also Simplifies Account Management

Multi-factor Authentication using Radius

Product Guide Addendum. SafeWord Check Point User Management Console Version 2.1

Sophos Anti-Virus for NetApp Storage Systems startup guide. Runs on Windows 2000 and later

Using Microsoft Windows Authentication for Microsoft SQL Server Connections in Data Archive

DIGIPASS Authentication for Cisco ASA 5500 Series

DIGIPASS Authentication for Check Point Security Gateways

PRODUCT WHITE PAPER LABEL ARCHIVE. Adding and Configuring Active Directory Users in LABEL ARCHIVE

Moving SQL Servers. Document version 3.2 Published December 2010

Video Administration Backup and Restore Procedures

Application Note VAST Network settings

Your Question. Net Report Answer

DIGIPASS Authentication for GajShield GS Series

Interact for Microsoft Office

Active Directory Authentication Integration

DIGIPASS Authentication for Citrix Access Gateway VPN Connections

Configuring IBM Cognos Controller 8 to use Single Sign- On

Managing Qualys Scanners

Avigilon Control Center System Integration Guide

Installation Troubleshooting Guide

Active Directory Provider User s Guide

Enabling Remote Management of SQL Server Integration Services

MadCap Software. Upgrading Guide. Pulse

Sophos Mobile Control Installation guide

External Authentication with Checkpoint R75.40 Authenticating Users Using SecurAccess Server by SecurEnvoy

Sophos Enterprise Console server to server migration guide. Product version: 5.2

BusinessObjects Enterprise XI Release 2

NetBeat NAC Version 9.2 Build 4 Release Notes

QUANTIFY INSTALLATION GUIDE

SafeNet Authentication Manager Express. Upgrade Instructions All versions

Configuring Color Access on the WorkCentre 7120 Using Microsoft Active Directory Customer Tip

StarWind iscsi SAN & NAS: Configuring HA Storage for Hyper-V October 2012

Configuring a Windows 2003 Server for IAS

StarWind iscsi SAN & NAS: Configuring HA File Server on Windows Server 2012 for SMB NAS January 2013

netld External Authentication Setup Guide

Specops Command. Installation Guide

How To Set Up Chime For A Coworker On Windows (Windows) With A Windows 7 (Windows 7) On A Windows 8.1 (Windows 8) With An Ipad (Windows).Net (Windows Xp

Quick Start Guide For Ipswitch Failover v9.0

Basic Exchange Setup Guide

Sophos Computer Security Scan startup guide

Digipass Plug-In for IAS. IAS Plug-In IAS. Microsoft's Internet Authentication Service. Getting Started

V Series Rapid Deployment Version 7.5

For Active Directory Installation Guide

Security Assertion Markup Language (SAML) Site Manager Setup

StarWind iscsi SAN & NAS: Configuring HA Shared Storage for Scale- Out File Servers in Windows Server 2012 January 2013

To enable an application to use external usernames and passwords, you need to first configure CA EEM to use external directories.

Configuring the Watchguard Edge for RADIUS authentication

SSL VPN Setup for Windows

Active Directory integration with CloudByte ElastiStor

External authentication with Fortinet Fortigate UTM appliances Authenticating Users Using SecurAccess Server by SecurEnvoy

External Authentication with Windows 2003 Server with Routing and Remote Access service Authenticating Users Using SecurAccess Server by SecurEnvoy

Cox Managed CPE Services. RADIUS Authentication for AnyConnect VPN Version 1.3 [Draft]

How to Configure Web Authentication on a ProCurve Switch

Installation Guide. . All right reserved. For more information about Specops Inventory and other Specops products, visit

Basic Exchange Setup Guide

Aradial Installation Guide

Tool Tip. SyAM Management Utilities and Non-Admin Domain Users

Folder Proxy + OWA + ECP/EAC Guide. Version 2.0 April 2016

Checkpoint firewall Quick Integration Guide. for PacketFence version 4.6.0

NetMotion + YubiRADIUS Quick Start Guide

Rohos Logon Key for Windows Remote Desktop logon with YubiKey token

Sophos Anti-Virus for NetApp Storage Systems user guide. Product version: 3.0

Virtual Web Appliance Setup Guide

ImageNow Cluster Resource Monitor

Hyper-V Server 2008 Setup and Configuration Tool Guide

Configuring Internet Authentication Service on Microsoft Windows 2003 Server

Creating Home Directories for Windows and Macintosh Computers

Feith Dashboard iq Server Version 8.1 Install Guide

Technical Note. Configuring Outlook Web Access with Secure WebMail Proxy for eprism

How To Configure Windows Server 2008 as a RADIUS Server with MS-CHAP v2 Authentication

Integration Guide. SafeNet Authentication Service. Using SAS with Web Application Proxy. Technical Manual Template

SELF SERVICE RESET PASSWORD MANAGEMENT DATABASE REPLICATION GUIDE

Management, Logging and Troubleshooting

External Authentication with Citrix Secure Gateway - Presentation server Authenticating Users Using SecurAccess Server by SecurEnvoy

Configure your firewall for administrative access via RADIUS authentication

753 Broad Street Phone: Suite 200 Fax: Augusta, GA Copyrights

Microsoft IAS Configuration for RADIUS Authorization

Immotec Systems, Inc. SQL Server 2005 Installation Document

Using Apple Remote Desktop to Deploy Centrify DirectControl

DIGIPASS KEY series and smart card series for Juniper SSL VPN Authentication

DESlock+ Basic Setup Guide ENTERPRISE SERVER ESSENTIAL/STANDARD/PRO

Installing Lumension Endpoint Management and Security Suite (L.E.M.S.S.) Using a Remote SQL Server

Configuring Global Protect SSL VPN with a user-defined port

Configuring the Cisco ISA500 for Active Directory/LDAP and RADIUS Authentication

Transcription:

Configuring Steel-Belted RADIUS Proxy to Send Group Attributes

Copyright 2007 Sophos Group. All rights reserved. No part of this publication may be reproduced, stored in retrieval system, or transmitted, in any form or by any means electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner. All other product and company names are trademarks or registered trademarks of their respective owners. Document version 3.0 Published July 2007 2

Table of Contents About this Document...4 Configuring the Steel-Belted RADIUS Proxy...4 Using the Sophos NAC Agent...15 3

About this Document The purpose of this document is to configure Steel-Belted RADIUS to pull group information from a remote directory server and forward that information to Sophos NAC so that the group can be given a Sophos NAC policy without the Sophos NAC application server having a direct connection to Active Directory or LDAP. This document requires you to already configured IAS for Remote Proxy as described in the Post-Installation Requirements in the Sophos NAC Installation Guide. This document also assumes that Steel-Belted RADIUS is already setup and installed on the server and is running on ports 1812, 1813, 1645 and 1646 (default ports for Steel-Belted RADIUS). If it is not setup/running on these ports, you must modify these instructions to accommodate for the changes. If you plan on using Steel-Belted RADIUS to connect to an Active Directory Domain Controller to pull user/group information, make sure the Steel-Belted RADIUS server is on the domain or is in a trusted domain for the account/group information it will be pulling from. Also, make sure to use an account that is a member of the Domain Admins Group so that you will have access to pull user/group information from AD. Configuring the Steel-Belted RADIUS Proxy 1. Go to http://localhost:1812 and click the Launch link to start Steel-Belted RADIUS. 4

2. Login to Steel-Belted RADIUS. 3. Right-click RADIUS Clients and select Add. 5

4. Type the appropriate information in the fields. Name (1) Description (2) IP Address for the remote RADIUS client (3) (IP of the Sophos NAC application server) Shared Secret (4) (This must be the same password that was used in IAS when setting up the RADIUS Proxy.) 5. Select Standard RADIUS from the Make or model (5) list box. 6. Click OK (6) to save your changes. 6

7. Select RADIUS Clients to verify the new entry. 8. Open c:\program files\juniper Networks\Steel-Belted RADIUS\Service. This is the default location for radius.dct file. 9. Open the radius.dct file. 7

10. In the radius.dct file, add the following lines for the following Sophos Dictionary attributes. ################################################################### # SOPHOS.dct SOPHOS Dictionary File @radius.dct MACRO ENDFORCE-VSA(t,s) 26 [vid=5428 type1=%t% len1=+2 data=%s%] ATTRIBUTE EF-GroupResponse ENDFORCE-VSA(20, string) r ################################################################### You can add all of the vendor-specific attributes, as shown below, but the one Sophos requires for configuration is shown in this step. 11. Save the radius.dct file. 12. Restart the Steel-Belted RADIUS Service for the changes to take effect. 8

13. Log into the Steel-Belted RADIUS Admin application. 14. Right-click Profiles and select Add. 15. Type a name (1) and description (2) for the profile in the appropriate fields. a 9

16. Click the Return List tab (3). Note: You complete this step because you want RADIUS to send back the group attribute to the Sophos NAC application server. 17. Click Add (4). 18. Locate and select the EF-Group Response (5). 19. Type in the group name that you want to pull for this profile (6), and click Add to add the Return List Attribute 20. Click Close. Note: That attribute is not a Multi-valued Attribute. Sophos NAC Advanced only supports single-valued attributes. 21. Verify that your new Return List Attribute displays, and click OK. 22. Verify that the new profile displays in the profiles section. 10

23. Map the new profile to the domain group that the users are apart of in Active Directory. To do this, expand the Users section, right-click Domains and click Add. 24. Click Browse to look for the possible users/groups to add (1). 11

25. Select the domain (2). 26. Click the Groups tab (3). 27. Select the appropriate group from the list (4) and click OK (5) to add the new group. 28. Verify that the Domain (1), User (2), and Name (3) are correct. 29. Type a description (4), and select the Use Profile check box (5). 12

30. Select the name of the profile you just created from the list box (6), and click OK (7). Note: You can see the added Group and its corresponding profile. By configuring groups/profiles in this manner, you can apply policies to whole groups of users, and then send the group attribute back to the Sophos NAC application server using IAS so that a NAC policy can be applied to that group. 31. Open the radius.ini file located in c:\program files\juniper Networks\Steel-Belted RADIUS\Service and add authenticate only=0 in the configuration settings. Note: This step forces Steel-Belted RADIUS to pass the attributes you created back to IAS. 13

32. Remove the null termination in the radius.ini file by setting the NoNullTermination = 1. Note: Null termination must be turned off for NAC to map the policy with the group correctly. 33. Restart the Steel-Belted RADIUS service for the changes to take effect. 14

Using the Sophos NAC Agent When you use the Sophos NAC Agent with a valid username and password that exists in the domain users group in Active Directory, an entry for this user appears in the Manage > Endpoints area of the Sophos NAC Web interface. 15

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information