Meeting CJIS Advanced Authentication using User Certificate and Strong Key Protection
Presented by: Carlos Leon, Network Manager, City of Palm Beach Gardens
Meeting CJIS Requirements
CJIS security policy calls for the use of advanced authentication methods: authentication based on additional factors beyond simple user name/password authentication.
NetMotion Mobility XE supports industry-standard infrastructure: RADIUS servers as the front end for Microsoft Active Directory authentication, and PKI (public key infrastructure) for provisioning and exchange of digital certificates. Other RADIUS/PKI solutions are supported if they are compatible with X.509v3 user certificates, standard Microsoft CAPI-enabled access to those certificates, and RADIUS EAP-TLS (or EAP-TLS inside PEAP).
In addition to strong authentication, CJIS security policy mandates the use of FIPS 140-2 validated encryption. NetMotion Mobility XE's use of validated/certified cryptographic libraries (NIST certificate numbers 237, 441 and 493) meets this requirement.
Strong Key Protection: Overview
This process uses user-based PKI certificates (X.509v3), secured by Microsoft Strong Key Protection and stored on the user's hard drive. The certificate is then used by the NetMotion VPN client, inside a PEAP wrapper, for EAP-TLS user authentication.
The VPN will request the certificate password:
- Each time the employee reboots the computer
- After a time interval (13 hours is recommended)
- If the employee bypasses NetMotion and then connects
If the air card disconnects (drops) and then reconnects, the password for the certificate will not be requested again.
Employee Logon Process
Steps in the process for authentication and access to the network:
- Officer logs on with the Windows network username and password, following CJIS policy 5.6.2.1
- The officer's VPN client (NetMotion) calls the PKI, which forces the user to type an individual password to access the individual certificate, following CJIS policy 5.6.2.2
- The VPN awaits verification from the RADIUS server before allowing the connection to the network
- The officer will be prompted for the certificate password every 13 hours
Software Requirements for Solution
Microsoft Windows Server 2008 R2 Enterprise or Datacenter, with:
- Microsoft Active Directory Certificate Services (AD CS)
- Microsoft Network Policy and Access Services (NPAS)
- Microsoft Active Directory infrastructure
- NetMotion Mobility XE 9.21 Server
- NetMotion Mobility XE 9.x Client(s)
Today's Installation & Configuration Objectives
- Install and configure a simple deployment of Microsoft Certificate Services
- Install and configure Network Policy and Access Services (RADIUS)
- NetMotion Mobility XE Server configuration
- NetMotion XE Client configuration
- Validating the client connection
Installation & Configuration
Install Certificate Services
- Open Server Manager on the Windows 2008 R2 server where you plan to install Certificate Services
- Click on Roles
- Click on Add Roles
Install Certificate Services
- Click Next
- Select Active Directory Certificate Services
- Click Next
Install Certificate Services
- Click Next until you complete the wizard, accepting all defaults as displayed
NOTE: The values displayed for "Common name for this CA" and "Distinguished name suffix" will be specific to your environment.
Configuring Certificate Services
- Open Server Manager on the Certificate Services server
- Expand Roles -> Active Directory Certificate Services -> <Servername>
- Right click Certificate Templates and select Manage
Configuring Certificate Services
- Right click the User certificate template and select Duplicate Template
- A Duplicate Template dialog box may appear asking whether this certificate is for Windows Server 2003 Enterprise or Windows Server 2008 Enterprise; select Windows Server 2008 Enterprise and click OK
Configuring Certificate Services
- Change the Template display name (in the screen shot we specified CJIS-NetMotion)
- Click the Security tab and select the Active Directory group you wish to use
Configuring Certificate Services
- Set Extensions -> Application Policies: remove all but Client Authentication (the certificate is only used for user authentication)
- Set Request Handling: prompt every time the certificate is used
Configuring Certificate Services
Now you need to issue the template:
- Return to Server Manager
- Right click Certificate Templates
- Select New -> Certificate Template to Issue
Configuring Certificate Services
The template you just duplicated should now be listed under Certificate Templates.
Configuring Active Directory
Configuring Active Directory
Use Group Policies to enforce Strong Key Protection: the user must enter a password each time they use a key.
Configuring Active Directory to Deploy Certificates
- Open the Group Policy Management snap-in (Note: this snap-in exists on the Domain Controller)
- Right click the Default Domain Policy
- Select Edit to open the Group Policy Management Editor
Configuring Active Directory
- Apply to the officer laptops' Organizational Unit or at the Domain level
- Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
Configuring Network Policy and Access Services (NPAS)
Configuring Network Policy and Access Services
There are 3 things that should be defined in Network Policy and Access Services:
1. Create the RADIUS Client
2. Create a Connection Request Policy
3. Create a Network Policy
If you have more than one Mobility XE server in your pool, you will need to create a RADIUS Client for each NetMotion Mobility XE server.
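One RADIUS client per Mobility XE server, as an added example that is not part of the presentation. It assumes the NPS PowerShell module (Windows Server 2012 or later; the slides use the Server 2008 R2 GUI for this step), and the server names and addresses are placeholders to be replaced with the pool's real ones.

```powershell
# Added example, not from the presentation. Assumes the NPS PowerShell module
# (Get-NpsRadiusClient / New-NpsRadiusClient, Windows Server 2012 or later).
# The names and 192.0.2.x addresses are placeholders for the real Mobility XE pool.
$MobilityServers = @(
    @{ Name = 'MobilityXE-1'; Address = '192.0.2.10' },
    @{ Name = 'MobilityXE-2'; Address = '192.0.2.11' }
)

function New-RadiusSharedSecret {
    # 32 random bytes from a cryptographic RNG, base64-encoded (44 characters)
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    [System.Convert]::ToBase64String($bytes)
}

function New-MobilityRadiusClients {
    param([hashtable[]]$Servers)
    # Idempotent: skip clients that already exist so re-running never rotates a secret
    $existing = @(Get-NpsRadiusClient | Select-Object -ExpandProperty Name)
    foreach ($server in $Servers) {
        if ($existing -contains $server.Name) {
            Write-Host "RADIUS client '$($server.Name)' already exists, skipping"
            continue
        }
        # A distinct secret per Mobility XE server, never shared across the pool
        $secret = New-RadiusSharedSecret
        New-NpsRadiusClient -Name $server.Name -Address $server.Address -SharedSecret $secret | Out-Null
        # The same secret must be entered in that server's Mobility XE RADIUS Server List
        [pscustomobject]@{ Name = $server.Name; Address = $server.Address; SharedSecret = $secret }
    }
}

New-MobilityRadiusClients -Servers $MobilityServers | Format-Table -AutoSize
```

The secrets are printed once so they can be entered on the matching Mobility XE server; record them in a password vault rather than leaving the console output behind.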
Install and Configure Network Policy and Access Services
Install Network Policy & Access Services (NPS)
- Open Server Manager on the Windows 2008 R2 server where you plan to install NPS
- Click on Roles
- Click on Add Roles
Install Network Policy & Access Services
- Select Network Policy and Access Services
- Click Next
- Select Network Policy Server
- Click Install to begin installation
- Click Close to complete the install
NPAS - Create the RADIUS Client
- Open Server Manager where NPAS was installed
- Expand Roles -> Network Policy and Access Services -> NPS -> RADIUS Clients and Servers -> RADIUS Clients
- Right click RADIUS Clients and select New
NPAS - Create a Connection Request Policy
- Open Server Manager where NPAS was installed
- Expand Roles -> Network Policy and Access Services -> NPS -> Policies -> Connection Request Policies
- Right click Connection Request Policies and select New
NPAS - Connection Request Policy
- Set the specified condition: NAS Identifier = NetMotion
NPAS - Create a Network Policy
- Open Server Manager where NPAS was installed
- Expand Roles -> Network Policy and Access Services -> NPS -> Policies -> Network Policies
- Right click Network Policies and select New
NPAS - Create a Network Policy
- Conditions » Windows Group from Active Directory » NAS Identifier (the same value to be used in the NetMotion settings)
NPAS - Create a Network Policy
- Constraints: select "Microsoft: Smart Card or other certificate" and click OK
NOTE: Selecting this option does NOT mean you must have Smart Cards.
Installing NetMotion XE Server
Mobility XE Server Install
Note: Retain the password
NetMotion XE Server Configuration
Mobility XE Server Configuration
- Configure Mobility XE for RADIUS EAP and EAP-TLS (Global Server Setting)
Mobility XE Server Configuration
- Configure the RADIUS Server List (Global Server Setting)
NOTE: NAS ID must be the same as the NAS Identifier in NPAS
Mobility XE Server Configuration
- Configure the User Logon Re-authentication Interval (Global Client Setting)
Installing User Certificate
Client Configuration
Requirements:
- Laptop joined to the domain
- NetMotion client in bypass
- User must have local network access (WiFi or Ethernet)
Installing User Certificate
- User opens the Certificate console (Windows 7): certmgr.msc
Installing User Certificate
Start the process:
- Expand Personal
- Right click Certificates
- Click Request New Certificate
Installing User Certificate
- Pick the correct certificate, named CJIS-NetMotion during the certificate template setup
- Type the password that will be used to access the certificate; this is enforced by strong key protection and by the requirement on the certificate template, and the password follows the domain password policy
- Finish
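A check to run on an officer laptop after enrollment, covering both the template settings above (Client Authentication only, prompt on every use) and the strong key protection Group Policy. This is an added example, not part of the presentation. It assumes the template display name CJIS-NetMotion from the slides, that the laptop is domain-joined so Windows can resolve the template OID to its name, and that the "Force strong key protection" policy writes the ForceKeyProtection value under HKLM\SOFTWARE\Policies\Microsoft\Cryptography (2 = prompt every time the key is used).

```powershell
# Added example, not from the presentation. Assumptions: template display name
# 'CJIS-NetMotion'; domain-joined laptop (template OID resolves to its name);
# the GPO stores ForceKeyProtection under the Cryptography policy key (2 = always prompt).
$TemplateName    = 'CJIS-NetMotion'
$ClientAuthOid   = '1.3.6.1.5.5.7.3.2'     # Client Authentication EKU
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'  # Certificate Template Information extension
$PolicyKey       = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography'

function Test-StrongKeyProtectionPolicy {
    # The slides require "User must enter a password each time they use a key"
    $value = (Get-ItemProperty -Path $PolicyKey -Name ForceKeyProtection -ErrorAction SilentlyContinue).ForceKeyProtection
    [pscustomobject]@{ Check = 'ForceKeyProtection'; Value = $value; Pass = ($value -eq 2) }
}

function Get-CjisUserCertificate {
    # Certificates in the user's Personal store that were issued from the CJIS template
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq $TemplateInfoOid }
        $ext -and ($ext.Format($false) -match [regex]::Escape($TemplateName))
    }
}

function Test-CjisUserCertificate {
    foreach ($cert in Get-CjisUserCertificate) {
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        # Template must have been trimmed to Client Authentication only
        $onlyClientAuth = ($ekus.Count -eq 1 -and $ekus[0] -eq $ClientAuthOid)
        $notExpired     = $cert.NotAfter -gt (Get-Date)
        [pscustomobject]@{
            Subject        = $cert.Subject
            NotAfter       = $cert.NotAfter
            HasPrivateKey  = $cert.HasPrivateKey   # does not touch the key, so no password prompt
            OnlyClientAuth = $onlyClientAuth
            Pass           = ($cert.HasPrivateKey -and $onlyClientAuth -and $notExpired)
        }
    }
}

Test-StrongKeyProtectionPolicy
Test-CjisUserCertificate | Format-Table -AutoSize
```

If no certificate is listed, the template name did not resolve or enrollment did not complete; if ForceKeyProtection is not 2, the Group Policy has not applied to this laptop yet (run gpupdate and re-check).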
NetMotion XE Client configuration
NetMotion Client Configuration
- The client must be configured to use the local personal user certificate
- Right click -> Properties -> Status -> Configuration -> Client Certificate
Netmotion XE Client Connection
Client Connection
- The first time, the XE client will ask which certificate from the store to use
Client Connection
- The user is asked to type the password to access the certificate, which allows the connection
Renewing user Certificate
Renewing User Certificate
Requirements:
- Laptop joined to the domain
- User must have network access (WiFi or Ethernet)
- NetMotion connected or bypassed
Renewing User Certificate
- Open the certificate store
Renewing User Certificate
NOTE: The user will need to know the old password
Lost Password
Recover Certificate (Lost Password)
Process to create a new certificate if the user does NOT know the password for the certificate.
Requirements:
- Laptop joined to the domain
- NetMotion client in bypass
- User must have network access (WiFi or Ethernet)
Recover Certificate (Lost Password)
- The user must delete the old certificate and request a new one
QUESTIONS
Meeting CJIS Advanced Authentication using User Certificate and Strong Key Protection
Presented by: Carlos Leon, Network Manager, City of Palm Beach Gardens
cleon@pbgfl.com
561-248-7373