INTEGRATION GUIDE. DIGIPASS Authentication for F5 FirePass


Disclaimer

Disclaimer of Warranties and Limitation of Liabilities

All information contained in this document is provided 'as is'; VASCO Data Security assumes no responsibility for its accuracy and/or completeness. In no event will VASCO Data Security be liable for damages arising directly or indirectly from any use of the information contained in this document.

Copyright

Copyright 2010 VASCO Data Security, Inc, VASCO Data Security International GmbH. All rights reserved. VASCO, Vacman, IDENTIKEY, axsguard, DIGIPASS and logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. VASCO Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Products, updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, database rights and all other intellectual and industrial property rights in the U.S. and other countries. Microsoft and Windows are trademarks or registered trademarks of Microsoft Corporation. Other names may be trademarks of their respective owners.

Table of Contents

DIGIPASS Authentication for F5 FirePass
Disclaimer
Table of Contents
1 Overview
2 Problem Description
3 Solution
4 Technical Concept
4.1 General overview
4.2 F5 FirePass prerequisites
4.3 IDENTIKEY Server Prerequisites
5 F5 FirePass Configuration
6 IDENTIKEY Server
6.1 Policy configuration
6.2 Client configuration
7 F5 FirePass SSL/VPN test
7.1 Response Only
7.2 Challenge / Response
8 About VASCO Data Security

1 Overview

The purpose of this document is to demonstrate how to configure IDENTIKEY Server to work with an F5 FirePass device. Authentication is handled in one central place, where it can be used for a regular VPN or SSL/VPN connection.

2 Problem Description

The F5 FirePass authenticates users against an existing back-end (LDAP, RADIUS, local authentication, ...). To use the IDENTIKEY Server with F5 FirePass, the external authentication settings need to be changed or added manually.

3 Solution

After configuring IDENTIKEY Server and the F5 FirePass correctly, you eliminate the weakest link in any security infrastructure: the use of static passwords that are easily stolen, guessed, reused or shared.

The F5 FirePass is a combined SSL/VPN platform: you can access your network from a web portal page and/or create an SSL tunnel.

Figure 1: Web portal

Figure 2: SSL Tunnel

4 Technical Concept

4.1 General overview

The main goal of the F5 FirePass is to perform authentication to secure all kinds of VPN connections. As the F5 FirePass can perform authentication to an external service using the RADIUS protocol, we will place the IDENTIKEY Server as back-end service for the F5 FirePass appliance, to secure the authentication with our proven IDENTIKEY Server software.

The users will now be checked first by IDENTIKEY Server, which can be linked to Active Directory in the back-end. So we simply place IDENTIKEY Server in between the F5 FirePass and the Active Directory.

Figure 3: General overview

4.2 F5 FirePass prerequisites

Please make sure you have a working setup of the F5 FirePass. It is very important that this is working correctly before you start implementing the authentication to the IDENTIKEY Server.

Currently all F5 FirePass devices use the same web config and CLI interface. This means our integration guide is suited for the complete product range of F5 FirePass devices.

4.3 IDENTIKEY Server Prerequisites

In this guide we assume you already have IDENTIKEY Server installed and working. If this is not the case, make sure you get it working before installing any other features.

5 F5 FirePass Configuration

By default the web config is reachable at https://<ip_or_name_f5_firepass>/admin/

In our case this becomes: https://10.10.1.110/admin/

Figure 4: F5 FirePass Configuration (1)

On the lower left menu, select Users.

Figure 5: F5 FirePass Configuration (2)

On the top left menu, now select Groups.

Figure 6: F5 FirePass Configuration (3)

In this case we are assuming that you already have some external authentication (Active Directory, LDAP, RADIUS, ...). Click on the group name that you want to change. As we were currently using the ADusers group to authenticate the users to Active Directory, we change this group.

Figure 7: F5 FirePass Configuration (4)

In case the authentication method is already RADIUS, skip to Figure 10. Otherwise, click Convert authentication method.

Figure 8: F5 FirePass Configuration (5)

Choose the RADIUS Authentication option.

Figure 9: F5 FirePass Configuration (6)

Now fill in the details of the server where IDENTIKEY Server is installed.

Figure 10: F5 FirePass Configuration (7)

Click the Save Settings button to save the changes.

Authentication is now configured to go to the IDENTIKEY Server. You still need to configure the IDENTIKEY Server so that it uses the same back-end as your application was using before. If the users were checked on Active Directory, RADIUS or any other back-end authentication service, you will need to set up IDENTIKEY Server with the same back-end authentication.

6 IDENTIKEY Server

Go to the IDENTIKEY Server web administration page, and authenticate with an administrative account.

6.1 Policy configuration

To add a new policy, select Policies > Create.

Figure 11: Policy configuration (1)

There are some policies available by default. You can also create new policies to suit your needs. Those can be independent policies or inherit their settings from default or other policies.

Fill in a policy ID and description. Choose the option most suitable in your situation. If you want the policy to inherit settings from another policy, choose the right policy in the Inherits From list. Otherwise leave this field set to None.

Figure 12: Policy configuration (2)

In the policy options, configure the policy to use the right back-end server. This could be the local database, but also Active Directory or another RADIUS server. It is probably the same back-end that was in your default client authentication options before you changed it; alternatively you can use the local database, Windows, or pass authentication on to another RADIUS server.

In our example we select our newly made Demo Policy and change it like this:

Local auth.: Digipass/Password
Back-End Auth.: Default (None)
Back-End Protocol: Default (None)
Dynamic User Registration: Default (No)
Password Autolearn: Default (No)
Stored Password Proxy: Default (No)
Windows Group Check: Default (No Check)

After configuring this policy, the authentication will happen locally in the IDENTIKEY Server. User credentials are passed through to the IDENTIKEY Server, which checks them against its local user database and answers the client with an Access-Accept or Access-Reject message.

In the Policy tab, click the Edit button, and change the Local Authentication to Digipass/Password.

Figure 13: Policy configuration (3)

The user details can keep their default settings.

Figure 14: Policy configuration (4)

6.2 Client configuration

Now create a new component: right-click Components and choose New Component.

Figure 15: Client configuration (1)

As component type choose RADIUS Client. The location is the IP address of the client. In the policy field you should find your newly created policy. Fill in the same shared secret that you entered in the RADIUS options on the client. In our example this was vasco. Click Create.

Figure 16: Client configuration (2)

Now the client and the IDENTIKEY Server are set up. We will now see if the configuration is working.

7 F5 FirePass SSL/VPN test

7.1 Response Only

To start the test, browse to the public IP address or hostname of the F5 FirePass device. In our example this is https://10.10.1.110. Enter your Username and Password (One Time Password) and click the Logon button.

Figure 17: Response Only (1)

If all goes well, you will be authenticated and see the SSL/VPN portal page.

Figure 18: Response Only (2)

7.2 Challenge / Response

For the challenge/response test, enter your Username and Password (challenge/response trigger). Click the Logon button. In our case the challenge/response trigger is the user's static password.

Figure 19: Challenge / Response (1)

You will be presented with a DP300 Challenge code. Use this challenge on your DIGIPASS 300 (keypad) to generate a response. Enter the response in the empty field and click Logon.

Figure 20: Challenge / Response (2)

If everything goes well, you will be shown the SSL/VPN portal page.

Figure 21: Challenge / Response (3)
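The RADIUS exchange behind sections 6.2 and 7, as an added example that is not part of the VASCO guide or of either product's code: it builds the Access-Request a RADIUS client such as the FirePass sends, hides the password with the shared secret as RFC 2865 specifies, and rejects any reply whose Response Authenticator does not verify. The function names are assumptions of this example; because the shared secret protects both steps, a production deployment should use a long random secret rather than the demo value vasco.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    size = max(16, (len(password) + 15) // 16 * 16)
    padded, out, prev = password.ljust(size, b"\x00"), b"", req_auth
    for i in range(0, size, 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev
    return out


def attr(kind: int, value: bytes) -> bytes:
    """Encode one attribute as type, length, value."""
    return bytes([kind, len(value) + 2]) + value


def build_access_request(ident, user, password, secret, state=None):
    """Return (packet, request_authenticator) for one logon attempt."""
    req_auth = os.urandom(16)  # must be unpredictable and never reused
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
    if state is not None:  # echo State when answering an Access-Challenge (section 7.2)
        attrs += attr(STATE, state)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth


def parse_response(packet, secret, ident, req_auth):
    """Check the Response Authenticator, then return (code, {attribute type: value})."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or rid != ident:
        raise ValueError("length or identifier mismatch")
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator (wrong secret or forged reply)")
    attrs, pos = {}, 20
    while pos < length:
        alen = packet[pos + 1] if pos + 1 < length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + alen]
        pos += alen
    return code, attrs
```

A reply with code 2 or 3 ends the logon as in 7.1; code 11 carries the challenge in Reply-Message and a State value that the follow-up request, holding the DIGIPASS response as its password, must echo.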

8 About VASCO Data Security

VASCO designs, develops, markets and supports patented Strong User Authentication products for e-business and e-commerce. VASCO's User Authentication software is carried by the end user on its DIGIPASS products, which are small calculator hardware devices, or in a software format on mobile phones, other portable devices, and PCs. At the server side, VASCO's VACMAN products guarantee that only the designated DIGIPASS user gets access to the application. VASCO's target markets are the applications and their several hundred million users that utilize fixed passwords as security. VASCO's time-based system generates a one-time password that changes with every use, and is virtually impossible to hack or break.

VASCO designs, develops, markets and supports patented user authentication products for the financial world, remote access, e-business and e-commerce. VASCO's user authentication software is delivered via its DIGIPASS hardware and software security products. With over 25 million DIGIPASS products sold and delivered, VASCO has established itself as a world leader for strong User Authentication with over 500 international financial institutions and almost 3000 blue-chip corporations and governments located in more than 100 countries.