
Application Note: Integrate Juniper SSL VPN with Gemalto SA Server
SASolutions@gemalto.com
October 2007
www.gemalto.com

Table of contents

- Overview
- Architecture
- Configure Juniper SSL VPN V5.5 on an SA 700
  - Network interfaces configuration
  - Authentication server configuration
  - Role configuration
  - Realm configuration
  - Associate Realm with resource provider
  - Open the connection to the Intranet using SA Server
- Appendix 1: Configure an IAS RADIUS Server with SA Server
  - IAS RADIUS prerequisites
  - Add a RADIUS Client
  - Install and configure SA Server agent for IAS
  - Restart IAS
- Appendix 2: Configure Juniper Steel-Belted RADIUS Server
  - SBR pre-requisites
  - Add RADIUS Client
  - Install and configure SA Server agent for SBR
  - Restart SBR
- Appendix 3: Configure Free RADIUS Server on Linux
  - Free RADIUS pre-requisites
  - Add RADIUS Client
  - Install and configure SA Server agent for Free RADIUS
  - Restart Free RADIUS
- Appendix 4: Active Directory configuration

Overview

This document provides a deployment scenario showing how to configure a Juniper SSL VPN to use Gemalto SA Server to authenticate Mobile Users. The scenario describes an example that has been tested by Gemalto. Other configurations may work equally well, but bear in mind that they have not been tested.

Caution: Consequently, this document should not be considered as an instruction manual on how to configure your system.

To provide SA Server authentication for Juniper SSL VPN, your system requires the following prerequisites:

- A Juniper SSL VPN appliance SA 700. In the following, this appliance is assumed to be usable, so a minimal installation must already have been performed over a serial link. During this installation:
  - Juniper V5.5 and the required license must be installed,
  - an Administrator account must be defined (Username and Password),
  - <IP SA 700 Internal Address>, the IP address of the physical interface visible from the Internal Network, must be defined. The appliance hosts two physical interfaces and is able to act as a gateway from the Internal Network to the External Network.
  - <IP SA 700 Internal Address> gives access to the Internal Network, which is regarded as a trusted network. In our laboratory <IP SA 700 Internal Address> was 10.0.4.198
  - <IP SA 700 External Address> represents the IP address of the physical interface visible from the External Network. This address will be set during the appliance configuration. The External Network is regarded as an unsecured network. In our laboratory <IP SA 700 External Address> was 192.168.1.1
- An AD Domain machine hosting an Active Directory LDAP and acting as domain controller. In our laboratory the domain hosted by AD Domain was gemalto.fr. We use the term Mobile Users to refer to users who have an account in AD Domain and who access the Internal Network from the External Network through the Juniper SSL VPN. Their accounts must be configured to allow remote access (see Appendix 4).
- A Gemalto SA Server. The server must be installed in mixed mode and connected to the AD Domain. It is assumed to be already provisioned with devices and users. <Base URL SA Server> refers to the URL used to access SA Server. In our laboratory <Base URL SA Server> was http://10.0.4.216:8080

- A RADIUS Server. This server is the link between Juniper SSL VPN and Gemalto SA Server. We have validated three configurations:
  - IAS RADIUS, for which <IP IAS address> refers to the IAS RADIUS server IP address. In our laboratory, <IP IAS address> was 10.0.4.60
  - Juniper Steel-Belted RADIUS, for which <IP SBR address> refers to the Juniper Steel-Belted RADIUS server IP address. In our laboratory, <IP SBR address> was 10.0.4.214
  - Free RADIUS, for which <IP FreeR address> refers to the Free RADIUS server IP address. In our laboratory, <IP FreeR address> was 10.0.4.192
  Each RADIUS configuration is described in the appendices of this document.

In order to demonstrate a successful authentication, we also need:

- A resource provider using strong authentication for sensitive data. We used an HTTP Server, located in the Internal Network, to simulate this resource provider. You can replace this server by any other resource provider as long as it is supported by Juniper SSL VPN. In our laboratory, the HTTP Server URL was https://10.0.4.60 (using standard port 80)
- A client. We used a standard Windows XP SP2 machine.

Architecture

The following figure shows the architecture associated with the deployment scenarios described in this document.

Configure Juniper SSL VPN V5.5 on an SA 700

This chapter describes the configuration needed to integrate Juniper SSL VPN with Gemalto SA Server. To configure Juniper SSL VPN through the appliance web interface:

- Start a browser on the following URL: https://<IP SA 700 Internal Address>/admin
- Enter the Administrator account credentials in Username and Password and click on [Sign In]

Note: This Administrator account has been defined during the prerequisite installation phase.

Network interfaces configuration

To configure the appliance network interfaces:

- Select the Network option in the System menu of the Administrator Console
- Check, correct and complete the network tabs according to your own configuration. Different architectures are possible, but we chose one
  - where the Internal Port is configured to be connected to the Internal Network (Intranet), and
  - where the External Port is used (this is why we select Enabled in the Use Port? section) and configured to be connected to the External Network used by Mobile Users.

Authentication server configuration

To configure a new authentication server:

- Select the Auth. Servers option in the Authentication menu of the Administrator Console.
- Select Radius Server, then click on [New Server ]

- Complete the fields with the configuration of the selected RADIUS Server:
  - In Name enter a label to identify the RADIUS Server. We used for example IAS, SBR or FreeR.
  - In Radius Server enter the IP address of the selected RADIUS Server. We used for example <IP IAS address>, <IP SBR address> or <IP FreeR address>.
  - In Shared Secret enter a value that will secure the communication with the RADIUS Server. You will have to enter the same value during the configuration of the selected RADIUS Server (see Add a RADIUS Client in Appendices 1, 2 and 3).
  - Check Users authenticate using tokens or one-time passwords in order to avoid having to enter a password for SSO. In our case, the entered password is made up of OTP + LDAP Password and cannot be used directly with the LDAP!

Note: all other parameters are options left at their default values:
  - Authentication Port is 1812, the default port used by RADIUS servers. You have to check that this value has not been modified on your own RADIUS Server.
  - Accounting Port and NAS-IP-Address are used in the accounting process. As this feature does not take part in the authentication process, we left them at their default values.
  - Timeout is set to 30s; this is how long to wait for a RADIUS Server answer.
  - Retries is 0; this defines the number of attempts to connect to the RADIUS Server.

- Click on [Save Changes].

Role configuration

To configure the available roles used to define accessible resources:

- Select the User Roles option in the Users menu of the Administrator Console. Then click on New Role
- Complete the following fields:
  - In Name enter a label to identify the role. In our laboratory, we called it gemalto
  - Check the Web box in the Access features section. This enables web access for all users associated with this role and authenticated through Juniper SSL VPN.

Note: all other parameters are options left at their default values:
  - Source IP is unchecked; this is used to send the traffic toward specific sites according to the role,
  - Session Options is checked; this allows setting timeout parameters for the session,
  - UI Options is checked; this allows personalizing the home page for this role.

- Click on [Save Changes]. This displays the 0 Bookmarks Options links.
- Click on the 0 Bookmarks link, then click on [New Bookmark]

- Complete the following fields:
  - In Name enter a label to identify the bookmark. This is the bookmark that will be presented to authenticated users (see Open the connection to the Intranet using SA Server). In our laboratory, we called it Intranet.
  - URL receives the entry point for the sensitive data. In our laboratory, this was the home page of the HTTP server.
  - Check Auto-allow Bookmark; this lets the system create a resource access policy automatically.
  - Select Everything under this URL; this allows authenticated users to access all the pages under this URL.
- Click on [Save Changes]

Realm configuration

To configure a Realm used to associate roles with authenticated users:

- Select the User Realms option in the Users menu of the Administrator Console. Then click on New Realm

- Complete the following fields:
  - In Name enter a label to identify the Realm. In our laboratory, we used IAS, SBR and FreeR according to the RADIUS server used.
  - In the Authentication field of the Servers section, select the RADIUS Server name defined in the previous Authentication server configuration section of this document. This directs all authentication requests from Mobile Users to the selected RADIUS Server.

Note: The check box When editing, start on the Role Mapping page automatically selects the Role Mapping tab when editing the user realm. This is simply a shortcut!

- Click on [Save Changes]
- Then select the Role Mapping tab.
- Click on [New Rule ]. This rule will associate a role with a set of users. In our example, we want to associate the previously defined gemalto role with all authenticated Mobile Users in the Realm. Do this as follows:
  - In Rule based on, choose Username
  - In Rule: If username choose is in the list and enter a * in the second field to denote a wildcard.
  - In then assign these roles, select gemalto and click [Add ->] to move the role to the Selected Roles: list. The window should resemble the previous figure.

- Click on [Save Changes]

Associate Realm with resource provider

We now have to associate the created Realm with the HTTP server.

- Select the Signing In option in the Authentication menu of the Administrator Console.
- Select the Sign-in Policies tab

- Click on */ in the User URLs section

Note: The Sign-in URL is the URL that will be used for user authentication. The default value is */ and means users have to enter https://<IP SA 700 Internal Address>/ to access this URL. For example, defining */AuthRequest means users must enter https://<IP SA 700 Internal Address>/AuthRequest

- Select the previously defined Realm in Available realms: and click on [Add ->]. The previously defined Realm should now be listed in Selected realms:
- Click on [Save Changes]

Open the connection to the Intranet using SA Server

Here is how a Mobile User accesses the HTTP Server using the Juniper SSL VPN and Gemalto SA Server.

Note: We will not install any particular software on the client. This means we will not use the Network Connect feature, which installs a virtual driver on the client dedicated to encapsulating packets in an SSL tunnel.

To access the Juniper SSL VPN:

- Start a browser on the following URL from the External Network: https://<IP SA 700 External Address>/
- Complete the following fields:
  - In Username enter the User ID of a Mobile User as it is defined in the LDAP.
  - In Password enter the concatenation of the 6 OTP digits with the LDAP Password.
  - Realm can be set to the right value if the default one is not the right one.
- Click on [Sign In]

When authenticated, the Mobile User has access to his or her personalized web page. In our laboratory, we were able to see the Intranet bookmark we defined in the Role configuration section.
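The credential format used at this sign-in step (6 OTP digits immediately followed by the LDAP password, carried to the RADIUS server as a PAP User-Password because the Authentication server configuration marks users as authenticating with one-time passwords) is easiest to see on the wire. The following Python script is an added example, not Gemalto's or Juniper's code: it builds an RFC 2865 Access-Request the way the SA 700 would, then performs the RADIUS-side recovery and OTP/password split that the SA Server agent has to do. The shared secret, user name, OTP and password are constructed sample values; 10.0.4.198 is the laboratory's <IP SA 700 Internal Address>.

```python
"""RFC 2865 Access-Request carrying '6 OTP digits + LDAP password' as a PAP User-Password.

Added example, not part of the Gemalto application note. It models the
Juniper SSL VPN -> RADIUS leg of the setup: the VPN hides the concatenated
credential with the shared secret (PAP), and the RADIUS side recovers the
cleartext so an agent such as the SA Server agent can split off the OTP.
The secret, user, password and OTP used here are constructed sample values.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1          # RADIUS packet code
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
OTP_LENGTH = 6              # the note: 6 OTP digits followed by the LDAP password


def _blocks16(data: bytes):
    """Zero-pad to a multiple of 16 octets and cut into 16-octet blocks."""
    padded = data + b"\x00" * (-len(data) % 16)
    return [padded[i:i + 16] for i in range(0, len(padded), 16)]


def pap_obfuscate(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR each block with MD5(secret + previous block)."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    out, prev = bytearray(), authenticator
    for block in _blocks16(password):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(block, key))
        out += prev
    return bytes(out)


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_obfuscate; the zero padding is stripped (passwords hold no NUL)."""
    out, prev = bytearray(), authenticator
    for block in _blocks16(hidden):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident, username, password, secret, nas_ip, authenticator=None):
    """What the SA 700 sends to UDP/1812 when 'Users authenticate using tokens or
    one-time passwords' is checked: the whole typed password goes in User-Password."""
    authenticator = authenticator or os.urandom(16)   # Request Authenticator
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, pap_obfuscate(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_access_request(packet: bytes):
    """Return (authenticator, {type: value}) after length sanity checks."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return packet[4:20], attrs


def split_credential(packet: bytes, secret: bytes):
    """RADIUS-side step the agent performs: recover the PAP cleartext and split
    it into (user, otp, ldap_password) for SA Server and the LDAP respectively."""
    authenticator, attrs = parse_access_request(packet)
    cleartext = pap_reveal(attrs[ATTR_USER_PASSWORD], secret, authenticator).decode()
    otp, ldap_password = cleartext[:OTP_LENGTH], cleartext[OTP_LENGTH:]
    if not (len(otp) == OTP_LENGTH and otp.isdigit() and ldap_password):
        raise ValueError("expected 6 OTP digits followed by the LDAP password")
    return attrs[ATTR_USER_NAME].decode(), otp, ldap_password


if __name__ == "__main__":
    secret = b"lab-shared-secret"            # constructed; must match the RADIUS client entry
    pkt = build_access_request(7, "mobileuser", "123456Passw0rd!", secret, "10.0.4.198")
    print(split_credential(pkt, secret))     # ('mobileuser', '123456', 'Passw0rd!')
```

Because the PAP hiding is reversible with the shared secret, the Shared Secret configured identically on both ends is what protects the OTP and LDAP password on the VPN-to-RADIUS hop, so it deserves a long random value. CHAP or MS-CHAP cannot replace PAP here: the RADIUS side would then only see a hash of the whole concatenated string and could not separate the OTP, which is why Appendix 1 leaves only Unencrypted authentication (PAP, SPAP) enabled.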

Appendix 1: Configure an IAS RADIUS Server with SA Server

We used the IAS server version embedded in Windows Server 2003 SP1.

IAS RADIUS prerequisites

The IAS RADIUS installation is not described in this document. It is presumed to be already done.

Check IAS RADIUS Server domain

The IAS RADIUS server must be part of the AD Domain, as IAS RADIUS has to check that each Mobile User has an account in the directory. You can check that IAS RADIUS and AD Domain are part of the same domain using the following process:

- Right click on My Computer and select Properties
- Check in the Computer Name tab that the computer is in a domain. You can modify those parameters if needed.

Access to IAS administration

You have to:

- Click on Start and select Administrative Tools
- Select Internet Authentication Service

Add a RADIUS Client

You now have to add the Juniper SSL VPN as a RADIUS client:

- Right click on RADIUS Clients and select New RADIUS Client
- In Friendly name enter a name for Juniper SSL VPN. In Client address (IP or DNS) enter <IP SA 700 Internal Address>. Click on [Next >]
- Select RADIUS Standard for Client-Vendor:
- Enter the chosen shared secret in Shared secret: and in Confirm shared secret:. This must be the same value as the one you entered when you configured the Juniper SSL VPN (Shared Secret in the Authentication server configuration section).
- Click on [Finish] to validate those parameters.

Configure Access Policies

You have to add a new remote access policy:

- Right click on Remote Access Policies and select New Remote Access Policy
- Click on [Next >] in the wizard window
- Select the Set up a custom policy choice in How do you want to set up this policy and add a friendly name in Policy name. Click on [Next >]
- Click on [Add ] in the Policy Conditions window

- Select Client-IP-Address in Attribute types: and click on [Add ]
- Enter <IP SA 700 Internal Address> in Type a word or a wild card (for example, abc.*): and click on [OK]
- Click on [Next >]

- Select Grant remote access permission in If a connection request matches the specified conditions: and click on [Next >].
- Click on [Edit Profile ] in the profile window
- Select the Authentication tab and uncheck all boxes except Unencrypted authentication (PAP, SPAP)
- Select the Encryption tab

- Check only the No encryption box. Then click on [OK]
- In the Profile window, click on [Next >]
- In the New Remote Access Policy Wizard window, click on [Finish]

The new policy is now available.

Configure Connection Request Policies

You have to add a new connection request policy:

- In Connection Request Processing, right click on Connection Request and select New Connection Request Policy
- Click on [Next >] in the wizard window
- Select A custom policy, enter a name in Policy name and click on [Next >]
- In the Policy conditions window, click on [Add ], select Client-IP-Address, click on [Add ], enter <IP SA 700 Internal Address>, click on [OK] and click on [Next >]
- In Request Processing Method, click on [Edit Profile]
- In the Authentication tab, select Authenticate requests on this server and click on [OK]
- In the Request Processing Method window, click on [Next >]
- In the New Connection Request Policy Wizard window, click on [Finish]

The new policy is now available.

Install and configure SA Server agent for IAS

You now have to install the SA Server IAS agent on the IAS RADIUS server. This component will forward all authentication requests received by IAS to SA Server.

- Double-click on IAS_AgentSetup.exe on the IAS RADIUS server and click on [Next >]

- Select I accept the terms in the license agreement and click on [Next >]
- Enter <Base URL SA Server>/saserver/servlet/UserRequestServlet in Protiva Authentication Servlet URL:

Caution: During the installation, you have to replace localhost by the real IP address of SA Server. You also have to set the port if this is not the standard port 80. Don't forget to replace the proposed protiva path by saserver, as it is now the default choice used during SA Server installation.

- Click on [Next >]

- Click on [Install]
- Click on [Finish]

Restart IAS

To launch the installed agent, you now have to restart IAS.

- In the Internet Authentication Service window, click on the stop icon in the toolbar to stop IAS.
- Then click on the green arrow in the same toolbar to restart the server and take the changes into account.

Appendix 2: Configure Juniper Steel-Belted RADIUS Server

We used Juniper Steel-Belted RADIUS V6.01 on a Windows Server 2003 SP1.

SBR pre-requisites

Juniper Steel-Belted RADIUS installation is not described in this document.

Launch SBR admin portal

To open the Juniper Steel-Belted RADIUS admin portal:

- Start a browser on the following URL: https://<IP SBR address>:1812
- Click on the Launch link. A login window is displayed.
- Fill in User Name and Password using an account with administrator privileges on the Juniper Steel-Belted RADIUS server. Port is automatically filled with the default 1813 value.
- Click on [Login]

Add RADIUS Client

You now have to add the Juniper SSL VPN as a RADIUS client:

- Right click on RADIUS Clients and select Add:
- Complete the following fields:
  - In Name: enter a friendly name for Juniper SSL VPN,
  - In IP Address: enter <IP SA 700 Internal Address>,
  - In Shared secret: enter the same value you entered when you configured the Juniper SSL VPN (Shared Secret in the Authentication server configuration section).
  - Make sure you select - Standard Radius in Make or model:
- Click on [OK]

Install and configure SA Server agent for SBR

You now have to install the SA Server SBR agent on the Juniper Steel-Belted RADIUS server. This component will forward all authentication requests received by SBR to SA Server.

- Double-click on SBR_AgentSetup.exe on the Juniper Steel-Belted RADIUS server and click on [Next >]
- Select I accept the terms in the license agreement and click on [Next >]

- Select the Service folder in the SBR installation directory so that it appears in Folder name:. Usually, this is under \Program Files\Juniper Networks\Steel-Belted Radius. Click on [Next >]
- Enter <Base URL SA Server>/saserver/servlet/UserRequestServlet in Protiva Authentication Servlet URL:

Caution: During the installation, you have to replace localhost by the real IP address of SA Server. You also have to set the port if this is not the standard port 80. Don't forget to replace the proposed protiva path by saserver, as it is now the default choice used during SA Server installation.

- Click on [Next >]
- Click on [Install]
- Click on [Finish]

Restart SBR

To launch the installed agent, you now have to restart the SBR service.

- Select Start, select Control Panel, select Administrative Tools
- Select Services

- Then right click on Steel-Belted Radius and choose Restart

Check agent integration

To check that the installed agent is running:

- Start the Steel-Belted Radius Administrator (as presented in the Launch SBR admin portal section)
- Select Authentication Policies, then Order of Methods
- Check that Protiva SBR Agent is in Active Authentication Methods:

Note: Other authentication methods can be present in both columns according to the SBR configuration.

Appendix 3: Configure Free RADIUS Server on Linux

We used Free RADIUS V1.1.0-19.2 on a SUSE Linux Enterprise 10.

Free RADIUS pre-requisites

Free RADIUS installation is not described in this document. It is already pre-installed on this distribution and configured for some pre-defined RADIUS clients.

Add RADIUS Client

You now have to add the Juniper SSL VPN as a RADIUS client:

- Log on to the Linux server as root
- Open clients.conf, usually located in the /etc/raddb/ directory, with a text editor
- Add a new section:

    client <IP SA 700 Internal Address> {
        secret    = xxxxxxxxx
        shortname = JuniperSslVpn
    }

  and give secret the same value as the one you entered when you configured the Juniper SSL VPN (Shared Secret in the Authentication server configuration section); shortname is an optional label.

Install and configure SA Server agent for Free RADIUS

You now have to install the SA Server Free RADIUS agent on the Free RADIUS Server. This component will forward all authentication requests received by Free RADIUS to SA Server.

- Log on to the Linux server as root
- Open a Terminal console
- Move to the directory where the SA Server agent .rpm is located
- Stop Free RADIUS using the command:

    radiusd stop

  Here is a screen shot from our laboratory machine.
- If needed, install the openssl library to use an HTTPS link with SA Server. Here is a screen shot from our laboratory machine.
- Start the agent installation using the command:

    rpm -ivh rlm_protiva-1.2.0-1.586.rpm

  Here is a screen shot from our laboratory machine.

Note: On a 64-bit system, you have to use rlm_protiva-1.2.0-1.x86_64.rpm.

- Open radiusd.conf, usually located in the /etc/raddb/ directory, with a text editor
- Look for the modules section and add the following elements:

    # SA Server authentication module
    protiva {
        # host: the host and port to connect to
        host = <Base URL SA Server>
        # url: path to the servlet on the host machine
        url = /saserver/servlet/userrequestservlet
        # securitylevel: security level to be used
        #   1 = no SSL
        #   2 = with SSL
        securitylevel = 1
        # certfile: certificate file to be used
        # you must specify a certfile if using SSL
        certfile = /usr/local/etc/raddb/tomcat.pem
        # openssl time out in seconds
        openssltimeout = 5
    }

  Here is a screen shot from our laboratory machine.
- Look for the authenticate section and add the following element:

    Auth-Type protiva {
        protiva
    }

- Save radiusd.conf
- Open users, usually located in the /etc/raddb/ directory, with a text editor
- Look for the following section:

    DEFAULT Auth-Type = System
            Fall-Through = 1

  Add an additional Auth-Type before those lines to obtain:

    DEFAULT Auth-Type = protiva
            Fall-Through = Yes
    DEFAULT Auth-Type = System
            Fall-Through = 1

Restart Free RADIUS

Then restart Free RADIUS using the command:

    radiusd start

Here is a screen shot from our laboratory machine.

Appendix 4: Active Directory configuration

Mobile Users must be part of the AD Domain. You can check this using the following process:

- Click on Start, select Control Panel and select Administrative Tools
- Select Active Directory Users and Computers

Mobile Users must also have the Remote Access Permission. You can check this using the following process:

- Click on Users, right click on the target user and select Properties
- Select the Dial-in tab and check the Allow access box in the Remote Access Permission section.