Apple VPN Service AuthMan7.1

  • 8/3/2019 Apple VPN Service AuthMan7.1

    Apple Computer, Inc.

    Apple VPN Service

    RSA SecurID Ready Implementation Guide

    Last Modified: September 10, 2008

    Partner Information

    Product Information

    Partner Name: Apple Computer, Inc.

    Web Site: www.apple.com

    Product Name: Apple VPN Service

    Version & Platform: Mac OS X Server 10.5

    Product Description: Mac OS X Server provides a Virtual Private Network (VPN) service allowing users to access their corporate network over the Internet. The VPN service currently supports the L2TP/IPSec and PPTP protocols.

    Product Category: Perimeter Defense


    Solution Summary

    Virtual private network (VPN) access enables your users to take advantage of network services while they're offsite and simultaneously prevents access by unauthorized individuals. Mac OS X Server 10.5 supports standards-based L2TP/IPSec and PPTP tunneling protocols to provide encrypted VPN connections for Mac and Windows systems and even Apple's iPhone. These VPN services use secure authentication methods, including RSA SecurID authentication.

    Partner Integration Overview

    Authentication Methods Supported: Native RSA SecurID Authentication

    List Library Version Used: 5.0.3.2

    RSA Authentication Manager Replica Support: Full Replica Support

    Secondary RADIUS Server Support: N/A

    RSA Authentication Agent Host Type for 6.1: UNIX

    RSA Authentication Agent Host Type for 7.1: Standard Agent

    RSA SecurID User Specification: All Users

    RSA SecurID Protection of Administrative Users: No

    RSA Software Token and RSA SecurID 800 Automation: No

    Product Requirements

    Partner Product Requirements: Apple VPN Service, version 10.5.0 or greater

    Operating System Platform          Required Patches
    Mac OS X 10.5.0 or greater

    Additional Software Requirements

    Application                        Additional Patches
    Apple VPN Client 10.5.0 or greater


    Agent Host Configuration

    Important: Agent Host and Authentication Agent are synonymous.

    Agent Host is a term used with the RSA Authentication Manager 6.x servers and below. RSA Authentication Manager 7.1 uses the term Authentication Agent.

    Important: All Authentication Agent types for 7.1 should be set to Standard Agent.

    To facilitate communication between the Apple VPN Service and the RSA Authentication Manager / RSA SecurID Appliance, an Agent Host record must be added to the RSA Authentication Manager database. The Agent Host record identifies the Apple VPN Service within its database and contains information about communication and encryption.

    To create the Agent Host record, you will need the following information:

    - Hostname

    - IP Addresses for all network interfaces

    When adding the Agent Host Record, you should configure the Apple VPN Service as UNIX. This setting is used by the RSA Authentication Manager to determine how communication with the Apple VPN Server will occur.

    Note: Hostnames within the RSA Authentication Manager / RSA SecurID Appliance must resolve to valid IP addresses on the local network.

    Please refer to the appropriate RSA Security documentation for additional information about creating, modifying and managing Agent Host records.

    RSA SecurID Files

    RSA SecurID Authentication Files

    File            Location
    sdconf.rec      /var/ace/
    Node Secret     /var/ace/
    sdstatus.12     /var/ace/
    sdopts.rec      /var/ace/

    Note: Go to the appendix of this document to get detailed information regarding these files.


    Partner Product Configuration

    Before You Begin

    This section provides instructions for integrating the partner's product with RSA SecurID Authentication. This document is not intended to suggest optimum installations or configurations.

    It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.

    All vendor products/components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.

    Documenting the Solution

    Apple VPN Service is part of a Mac OS X Server 10.5 installation. Server Admin may be used to configure standard VPN services, but Server Admin does not have an interface for choosing the RSA SecurID authentication method. To designate RSA SecurID authentication, the VPN configuration must be done manually via the command line interface.

    Enabling RSA SecurID in the Apple VPN Service

    The Apple VPN Service is ready to use RSA SecurID authentication out of the box. In order to enable RSA SecurID support some files must first be copied to the Mac OS X Server. After the files have been copied, the Apple VPN Service must be configured to use RSA SecurID.

    Here is a brief overview of the configuration steps required to activate RSA SecurID authentication:

    Prepare for RSA SecurID authentication by copying files from the RSA Authentication Manager Server.

    Select a VPN protocol, either L2TP or PPTP or both and configure the Apple VPN Service accordingly.

    Start the Apple VPN Service (or restart if the service had already been running).

    Preparing for RSA SecurID Authentication

    In order to configure RSA SecurID authentication for the Apple VPN Service, first copy the sdconf.rec file from your RSA Authentication Manager Server to a new directory on your Mac OS X Server named /var/ace.

    There are several ways you could do this. These steps illustrate one method:

    1. At your server, open the Terminal (/Applications/Utilities/).
    2. Type: sudo mkdir /var/ace
    3. Press Return.
    4. Enter your administrator password, and press Return.
    5. Click the Finder icon in the Dock.
    6. From the Go menu, choose Go to Folder.
    7. Type: /var/ace
    8. Click Go.
    9. Copy the sdconf.rec file from your RSA Authentication Manager server into the "ace" folder.
    10. You will see a dialog indicating that the "ace" folder cannot be modified. Click the Authenticate button to allow the copy.

    Now configure the VPN service on Mac OS X Server to enable RSA EAP-SecurID authentication for the desired protocols.


    Configuring the Apple VPN Service

    1. Open Server Admin (/Applications/Server/Server Admin).
    2. Expand the server node for the desired host.
    3. Click on Settings > Access and configure the VPN access.

    Note: By default the Apple VPN Service is configured to allow all services access from all users and groups. In order for a user to be authorized to connect to the VPN after authentication they must be granted access. If the RSA user does not already exist on the Mac OS X Server, a user account must be created.

    4. Select the VPN service.

    Configuring Apple VPN Service for L2TP

    1. Open a Terminal (/Applications/Utilities/Terminal) and execute the following commands to configure the VPN service to use RSA SecurID with L2TP:

        sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-RSA"

        sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:0 = "EAP"

    2. Return to Server Admin and click on Settings > L2TP.
    3. Check the box for Enable L2TP over IPsec.


    4. Enter an IP Address range for the VPN Service to assign to clients.
    5. Configure a Shared Secret for IPsec Authentication.
    6. Click the button labeled Start VPN (or Stop VPN and Start VPN to restart).

    Configuring Apple VPN Service for PPTP

    1. Open a Terminal (/Applications/Utilities/Terminal) and execute the following commands to configure the VPN service to use RSA SecurID with PPTP:

        sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-RSA"

        sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_index:0 = "EAP"

    2. Return to Server Admin and click on Settings > PPTP.
    3. Check the box for Enable PPTP.


    4. Enter an IP Address range for the VPN Service to assign to clients.
    5. Click the button labeled Start VPN (or Stop VPN and Start VPN to restart).
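An added post-configuration check (example script, not part of the Apple or RSA guide): after running the serveradmin commands for L2TP and/or PPTP above, confirm from a `serveradmin settings vpn` dump that every protocol enabled in Server Admin really authenticates through EAP with the EAP-RSA plug-in, since a protocol left on its default authenticator would accept logins without SecurID. The `:enabled` key name, the PPTP default value and the dump contents are assumptions constructed so the script runs offline.

```shell
#!/bin/sh
# Example check, not from the guide. On a live Mac OS X Server the dump would
# come from:  sudo serveradmin settings vpn > /tmp/vpn.settings
# The ":enabled" key is assumed; the dump below is a constructed sample in
# which L2TP is configured for RSA SecurID but PPTP is enabled on its default
# (non-EAP) authenticator, the misconfiguration this check is meant to catch.
SAMPLE_SETTINGS='vpn:Servers:com.apple.ppp.l2tp:enabled = yes
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-RSA"
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:0 = "EAP"
vpn:Servers:com.apple.ppp.pptp:enabled = yes
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2"'

# setting_value DUMP KEY: print the value of "KEY = value" (quotes stripped),
# or nothing when the key is absent from the dump.
setting_value() {
    printf '%s\n' "$1" | sed -n "s|^$2 = ||p" | tr -d '"'
}

# check_rsa_eap DUMP PROTO (l2tp|pptp): exit 0 when PROTO is enabled and uses
# AuthenticatorProtocol "EAP" with plug-in "EAP-RSA"; exit 1 when it is enabled
# but not configured for RSA SecurID; exit 2 when it is not enabled at all.
check_rsa_eap() {
    dump=$1
    base="vpn:Servers:com.apple.ppp.$2"
    [ "$(setting_value "$dump" "$base:enabled")" = "yes" ] || return 2
    proto=$(setting_value "$dump" "$base:PPP:AuthenticatorProtocol:_array_index:0")
    plugin=$(setting_value "$dump" "$base:PPP:AuthenticatorEAPPlugins:_array_index:0")
    [ "$proto" = "EAP" ] && [ "$plugin" = "EAP-RSA" ]
}

# Stand-alone run: report both protocols from the constructed sample.
for p in l2tp pptp; do
    if check_rsa_eap "$SAMPLE_SETTINGS" "$p"; then
        echo "$p: authenticating via EAP-RSA"
    else
        echo "$p: NOT configured for RSA SecurID (or not enabled)"
    fi
done
```

Replace SAMPLE_SETTINGS with the real dump (for example `check_rsa_eap "$(cat /tmp/vpn.settings)" l2tp`) to run it against a server.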

    Enabling RSA SecurID in the Apple VPN Client

    The Apple VPN Client is installed by default during a normal installation of Mac OS X Client. Follow the instructions below to enable the Apple VPN Client to connect using RSA SecurID authentication.

    Here is a brief overview of the configuration steps required to activate RSA SecurID authentication:

    Add an interface for the RSA SecurID enabled Apple VPN.

    Select a VPN protocol, either L2TP or PPTP or both and configure the Apple VPN Client accordingly.

    Adding an Interface for RSA SecurID Apple VPN

    1. Open the Network Preferences (System Preferences > Network).
    2. Click on the + symbol to add a new interface.
    3. Select VPN from the drop-down menu on Interface.
    4. Select the type of VPN created at the server (either L2TP or PPTP) from the drop-down menu on VPN Type.
    5. Add a Service Name and click Create.


    Configuring the Client for L2TP

    1. Select the L2TP interface created above and click Authentication Settings.

    2. Under User Authentication select the radio button for RSA SecurID.

    3. Enter the Shared Secret configured at the server.
    4. Click the button labeled OK.


    Configuring the Client for PPTP

    1. Select the PPTP interface created above and click Authentication Settings.

    2. Under User Authentication select the radio button for RSA SecurID.

    3. Click OK.

    Connecting to the Apple VPN Service

    1. Click on the picture of the RSA SecurID token.
    2. Select Connect next to the VPN Interface name created earlier in the Apple VPN Client section of the guide.

    3. Enter the SecurID User Name and PASSCODE.


    4. Click the button labeled OK.
    5. Establish a PIN for the user (when in New PIN mode).

    6. Click the button labeled OK.


    Certification Checklist For RSA Authentication Manager v6.x

    Date Tested: January 11, 2008

    Certification Environment

    Product Name                  Version Information   Operating System
    RSA Authentication Manager    6.1.2                 Microsoft Windows 2003 Server
    Apple VPN Server              10.5.0                Mac OS X Server 10.5.0

    Mandatory Functionality

    Feature                                RSA Native Protocol   RADIUS Protocol
    New PIN Mode
      Force Authentication After New PIN   *                     N/A
      System Generated PIN                 *                     N/A
      User Defined (4-8 Alphanumeric)      *                     N/A
      User Defined (5-7 Numeric)           *                     N/A
      User Selectable                      *                     N/A
      Deny 4 and 8 Digit PIN               *                     N/A
      Deny Alphanumeric PIN                *                     N/A
    Passcode
      16 Digit Passcode                    *                     N/A
      4 Digit Password                     *                     N/A
    Next Tokencode Mode
      Next Tokencode Mode                  *                     N/A
    Load Balancing / Reliability Testing
      Failover (3-10 Replicas)             *                     N/A
      Name Locking Enabled                 *                     *
      No RSA Authentication Manager        *                     N/A

    Additional Functionality

    Feature                                RSA Native Protocol   RADIUS Protocol
    RSA Software Token Automation
      System Generated PIN                 N/A                   N/A
      User Defined (8 Digit Numeric)       N/A                   N/A
      User Selectable                      N/A                   N/A
      Next Tokencode Mode                  N/A                   N/A
    RSA SecurID 800 Token Automation
      System Generated PIN                 N/A                   N/A
      User Defined (8 Digit Numeric)       N/A                   N/A
      User Selectable                      N/A                   N/A
      Next Tokencode Mode                  N/A                   N/A
    Credential Functionality
      Determine Cached Credential State    N/A                   *
      Set Credential                       N/A                   *
      Retrieve Credential                  N/A                   *

    Legend: * = Pass/Fail mark (the original glyphs did not survive extraction); N/A = Non-Available Function


    Certification Checklist For RSA Authentication Manager 7.x

    Date Tested: September 06, 2008

    Certification Environment

    Product Name                  Version Information   Operating System
    RSA Authentication Manager    7.1                   Microsoft Windows 2003 Server
    Apple VPN Service             10.5.4                Mac OS X Server 10.5.4

    Mandatory Functionality

    Feature                                RSA Native Protocol   RADIUS Protocol
    New PIN Mode
      Force Authentication After New PIN   *                     N/A
      System Generated PIN                 *                     N/A
      User Defined (4-8 Alphanumeric)      *                     N/A
      User Defined (5-7 Numeric)           *                     N/A
      Deny 4 and 8 Digit PIN               *                     N/A
      Deny Alphanumeric PIN                *                     N/A
      Deny Numeric PIN                     *                     N/A
      PIN Reuse                            *                     N/A
    Passcode
      16 Digit Passcode                    *                     N/A
      4 Digit Fixed Passcode               *                     N/A
    Next Tokencode Mode
      Next Tokencode Mode                  *                     N/A
    Load Balancing / Reliability Testing
      Failover (3-10 Replicas)             *                     N/A
      No RSA Authentication Manager        *                     N/A

    Additional Functionality

    Feature                                RSA Native Protocol   RADIUS Protocol
    RSA Software Token Automation
      System Generated PIN                 N/A                   N/A
      User Defined (8 Digit Numeric)       N/A                   N/A
      Next Tokencode Mode                  N/A                   N/A
    RSA SecurID 800 Token Automation
      System Generated PIN                 N/A                   N/A
      User Defined (8 Digit Numeric)       N/A                   N/A
      Next Tokencode Mode                  N/A                   N/A

    Legend: * = Pass/Fail mark (the original glyphs did not survive extraction); N/A = Non-Available Function
