RSA Authentication Manager to IDENTIKEY Authentication Server
Disclaimer
Disclaimer of Warranties and Limitation of Liabilities
All information contained in this document is provided 'as is'; VASCO Data Security assumes no
responsibility for its accuracy and/or completeness.
In no event will VASCO Data Security be liable for damages arising directly or indirectly from any
use of the information contained in this document.
Copyright
Copyright © 2013 VASCO Data Security, Inc, VASCO Data Security International GmbH. All
rights reserved. VASCO®, Vacman®, IDENTIKEY AUTHENTICATION ®, aXsGUARD™ and
DIGIPASS® logo are registered or unregistered trademarks of VASCO Data Security, Inc.
and/or VASCO Data Security International GmbH in the U.S. and other countries. VASCO Data
Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all
title, rights and interest in VASCO Products, updates and upgrades thereof, including
copyrights, patent rights, trade secret rights, mask work rights, database rights and all other
intellectual and industrial property rights in the U.S. and other countries. Microsoft and
Windows are trademarks or registered trademarks of Microsoft Corporation. Other names may
be trademarks of their respective owners.
Table of Contents
1 Introduction
2 RSA Authentication Manager Architecture
3 Migration architecture
3.1 General overview
3.2 RADIUS Authentication with IDENTIKEY Authentication Server and RSA Authentication Manager
4 Final architecture
4.1 General Overview
4.2 RADIUS Authentication with IDENTIKEY Authentication Server
5 RSA Authentication Manager Configuration
5.1 User configuration
5.2 RADIUS client and Authentication Agent
6 IDENTIKEY Authentication Server configuration
6.1 Set time and date
6.2 Policy Configuration
6.3 RADIUS Client configuration
6.4 RADIUS Back-End configuration
6.5 User Configuration
6.6 DIGIPASS configuration
7 Migration scenario details
7.1 Dynamic User Registration (DUR)
7.2 Migration results
8 About VASCO Data Security
1 Introduction
In this White Paper we describe the migration of an existing RSA Authentication Manager
implementation, used in conjunction with a RADIUS-enabled system (e.g. firewall, VPN or
SSL/VPN, NAS), to a VASCO solution based on IDENTIKEY Authentication Server and the
DIGIPASS products.
We have tested this migration with:
RSA ACE Server 6.0
RSA Authentication Manager 7.1 (used in this guide)
We assume that the person performing the migration has the required experience with installing
RSA Authentication Manager and the IDENTIKEY Authentication Server. This document will guide
you through the migration process, showing the different configuration steps.
2 RSA Authentication Manager Architecture
Figure 1 illustrates a typical deployment architecture, with a VPN or SSL/VPN system
using RADIUS authentication in combination with the RSA Authentication Manager.
Figure 1: RSA Authentication Manager Architecture
The RSA Authentication Manager is typically set up with its built-in RADIUS server. Through the
RADIUS protocol, the VPN or SSL/VPN checks whether a given user is granted access to the
network after entering a correct one-time password generated by the SecurID token.
3 Migration architecture
3.1 General overview
The concept is simple: the IDENTIKEY Authentication Server is installed as a front-end to the
RSA Authentication Manager.
This means that the IDENTIKEY Authentication Server intercepts each RADIUS authentication
request destined for the RSA Authentication Manager. Initially the users do not exist on the
IDENTIKEY Authentication Server, so it transparently forwards the RADIUS authentication
request (using back-end RADIUS authentication) to the RSA Authentication Manager, which
verifies the user's credentials, such as the SecurID token.
The Dynamic User Registration (DUR) feature of the IDENTIKEY Authentication Server has to
be enabled, ensuring that users are created automatically in its own user database. As a user's
SecurID token reaches its end of life, authentication for that user is no longer sent to the back-end
RSA Authentication Manager but handled locally, and a DIGIPASS is assigned to the user.
Features such as DUR and back-end authentication make the VM a very easily deployable
authentication server system (see further below).
Figure 2: Migration architecture
3.2 RADIUS Authentication with IDENTIKEY Authentication Server and RSA Authentication Manager
1. A remote user initiates a VPN or SSL/VPN connection.
2. The VPN box submits a RADIUS authentication request to the IDENTIKEY Authentication
Server.
3. The IDENTIKEY Authentication Server will perform a back-end authentication request to the
RSA Authentication Manager.
4. The RSA Authentication Manager performs its verification and returns the results to the
IDENTIKEY Authentication Server.
5. The IDENTIKEY Authentication Server forwards the results to the VPN box.
6. The VPN box takes an appropriate action based on the returned RADIUS results.
4 Final architecture
4.1 General Overview
Authentication is now handled by the IDENTIKEY Authentication Server and no longer goes to
the RSA Authentication Manager. A DIGIPASS is assigned to the user so that he can start using
his DIGIPASS instead of the RSA token. This way the migration can be done very easily and
without much hassle for end users or administrators.
Figure 3: Final architecture
4.2 RADIUS Authentication with IDENTIKEY Authentication Server
1. A remote user initiates a VPN or SSL/VPN connection.
2. The VPN box submits a RADIUS authentication request to the IDENTIKEY Authentication
Server.
3. The IDENTIKEY Authentication Server performs the OTP verification.
4. The VPN box takes an appropriate action based on the returned RADIUS results.
5 RSA Authentication Manager Configuration
5.1 User configuration
On our system we have created a user vasco on the RSA Authentication Manager, with an RSA
SecurID key fob assigned that is configured to be used without a static PIN/password.
Figure 4: vasco user in RSA Authentication Manager
5.2 RADIUS client and Authentication Agent
Adding the RADIUS client and the Authentication Agent can be done in one step.
Go to RADIUS > RADIUS Clients > Add New.
Figure 5: RADIUS client and Authentication Agent (1)
As the Client Name, fill in the FQDN of the IDENTIKEY Authentication Server. Fill in
the IP Address and the Shared Secret. Now click Save and Create Associated RSA
Agent.
Figure 6: RADIUS client and Authentication Agent (2)
You will now automatically enter the new Authentication Agent page. Select the RADIUS profile
that you would like to use.
Figure 7: RADIUS client and Authentication Agent (3)
Click Save to continue.
Figure 8: RADIUS client and Authentication Agent (4)
The IDENTIKEY Authentication Server has now been added automatically to the
authentication agents.
Figure 9: RADIUS client and Authentication Agent (5)
6 IDENTIKEY Authentication Server configuration
6.1 Set time and date
Most DIGIPASS use a time-based algorithm to generate the one-time password. These
DIGIPASS are created with their internal real-time clock set to GMT. It is therefore important to
set the date, time and time zone of the server running the IDENTIKEY Authentication Server
correctly, so that GMT can be derived correctly.
Figure 10: Setting correct date, time and time zone
You can also use the NTP settings to obtain the correct time from the internet.
Figure 11: Using NTP settings
6.2 Policy Configuration
A RADIUS client needs a policy that specifies the settings it works with. For now we create a new
policy from scratch. Select Policy > Create.
Figure 12: Policy Configuration (1)
Fill in the Policy ID and add an optional description. As we create a blank policy, set Inherits
from to None and click Create.
Figure 13: Policy Configuration (2)
You will now receive the message that the policy was created successfully; click the Click
here to manage your policy link.
Figure 14: Policy Configuration (3)
In the general Policy tab, click the Edit button.
Figure 15: Policy Configuration (4)
Set Local Authentication to None,
Back-End Authentication to Always and
Back-End Protocol to RADIUS
Click the Save button.
Figure 16: Policy Configuration (5)
You will now see the changed settings appear in the next screen.
Select the Policy User tab (not the general USERS tab!) and click the Edit button.
Figure 17: Policy Configuration (6)
Set Dynamic User Registration to Yes and click the Save button.
Figure 18: Policy Configuration (7)
That’s it for the policy; let’s use it in the RADIUS client now.
6.3 RADIUS Client configuration
The RADIUS Client is where the calls originate from. The client in our test environment will be a
server running our VASCO RADIUS Simulator. Normally this will be a NAS, VPN or Web client.
Select Clients > Register.
Figure 19: RADIUS Client configuration (1)
Client Type in this case will be RADIUS Client and the Location is the originating IP address
of the RADIUS call. Choose the correct Policy you created in the previous chapter and select
RADIUS as the Protocol ID. Finally fill in a shared secret and click the Create button.
Figure 20: RADIUS Client configuration (2)
6.4 RADIUS Back-End configuration
The RADIUS back-end is the RSA Authentication Manager, so create it with the details of
that server.
Select Back-End > Register Radius Back-End.
Figure 21: RADIUS Back-End configuration (1)
The most important required fields are Back-End Server ID (a name for this server), Domain
Name (which domain to use in IDENTIKEY Authentication Server), Authentication IP Address
(IP address of the RSA Authentication Manager), Authentication Port (RSA port) and Shared
Secret. It is probably best to fill in Timeout and Retries as well. Click the Create button to
save the settings.
Figure 22: RADIUS Back-End configuration (2)
Once the RADIUS settings are done, it might be a good time to test the original configuration
before changing any user details or migrating to a DIGIPASS.
This is explained in chapter 7.1 Dynamic User Registration.
6.5 User Configuration
The following steps only work once the user is known through the DUR (Dynamic User
Registration) procedure. This means the user must have authenticated once to the IDENTIKEY
Authentication Server, which creates the user on the IDENTIKEY Authentication Server.
These steps are necessary once a user has to be migrated from an RSA token to a DIGIPASS. The
settings need to be changed per user, as we need to overrule the policy values.
Select Users and click the User you want to migrate.
Figure 23: User Configuration (1)
Under the User Account settings click the Edit button.
Figure 24: User Configuration (2)
Set Local Authentication to Digipass/Password and
Back-End Authentication to None; click Save to continue.
Figure 25: User Configuration (3)
The user is now set up to work with a DIGIPASS, so let's assign one to this user.
6.6 DIGIPASS configuration
In the same user detail settings, go to the Assigned Digipass tab and click the Assign button.
Figure 26: DIGIPASS configuration (1)
If you do not have many DIGIPASS imported on your system, the easiest way is to change
the On Clicking Next value to Search now to select Digipass to assign and click Next.
Otherwise you will have to search for part of the serial number, or search for a certain type
of application or a certain type of DIGIPASS.
Figure 27: DIGIPASS configuration (2)
Now select the DIGIPASS you want to assign and click Next.
Figure 28: DIGIPASS configuration (3)
You could now change the grace period if you want and click Assign to complete these steps.
Figure 29: DIGIPASS configuration (4)
The DIGIPASS is now assigned to the user and can be used. Click Finish to return to the first
screen.
Figure 30: DIGIPASS configuration (5)
7 Migration scenario details
7.1 Dynamic User Registration (DUR)
We will test the vasco user with the VACMAN RADIUS Client Simulator from VASCO.
The VACMAN RADIUS Client Simulator is a program that simulates RADIUS authentication and
accounting processing in a similar fashion to RADIUS-enabled NAS and firewall devices. The
simulator can be used to test user (and static-password) authentication and DIGIPASS
password authentication, to estimate RADIUS server performance and behaviour under
overload, and to assist in detecting resource (memory, handle, etc.) leaks.
When we open the simulator we have to change a few settings first. Server IP should be the
IP address of the IDENTIKEY Authentication Server. Auth. Port should be set to 1812 and
Acct. Port to 1813. These are the default values; if you changed them during the installation
of your IDENTIKEY Authentication Server, fill in your own ports. Next, fill in the Shared
secret.
Click one of the yellow ports, which allows you to enter a User ID and password.
Figure 31: RADIUS Client Simulator configuration
In the User ID field, enter vasco (the test user we created).
In the password field, enter the RSA SecurID PASSCODE (one-time password).
Click Login to test the authentication for this user. Also notice the returned RADIUS attributes.
Figure 32: Successful logon with original users
Once the user vasco has logged in successfully, the user is created automatically in the
IDENTIKEY Authentication Server (Dynamic User Registration). From now on you can follow the
steps described in 6.5 User Configuration.
7.2 Migration results
Once the user's properties and settings are changed to work with a DIGIPASS, you will see that
the authentication returns no RADIUS attributes. This proves that the authentication has been
performed by the IDENTIKEY Authentication Server.
Figure 33: Migration results
From now on, users can be migrated to a DIGIPASS one at a time, when their SecurID token
reaches end of life or sooner.
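The decision logic described across sections 3.2, 4.2, 6.2, 6.5 and 7.2, as an added illustration in Python that is not VASCO's code: a policy with Local Authentication None, Back-End Authentication Always and DUR enabled proxies the first login to the RSA back-end and creates the user; after the per-user override to Digipass/Password with Back-End None, the OTP is checked locally and the reply carries no back-end attributes. The RSA back-end and DIGIPASS checks are constructed stubs with fixed passcodes, and the Reply-Message attribute is a constructed stand-in for whatever the real RSA Authentication Manager returns.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

@dataclass
class Policy:                         # values set in section 6.2
    local_auth: str                   # "None" or "Digipass/Password"
    backend_auth: str                 # "Always" or "None"
    backend_protocol: str = "RADIUS"
    dynamic_user_registration: bool = False

@dataclass
class User:                           # per-user overrides from section 6.5
    user_id: str
    local_auth: Optional[str] = None      # None = inherit from policy
    backend_auth: Optional[str] = None    # None = inherit from policy
    digipass_serial: Optional[str] = None # assigned in section 6.6

Result = Tuple[str, Dict[str, str]]   # (RADIUS reply code, returned attributes)
class IdentikeyFrontEnd:
    """Decides per request whether to proxy to RSA or verify the OTP locally."""
    def __init__(self, policy: Policy, backend: Callable[[str, str], Result],
                 local_otp_check: Callable[[str, str], bool]):
        self.policy, self.backend, self.local_otp_check = policy, backend, local_otp_check
        self.users: Dict[str, User] = {}  # IDENTIKEY's own user database

    def authenticate(self, user_id: str, passcode: str) -> Result:
        user = self.users.get(user_id)
        local = (user and user.local_auth) or self.policy.local_auth
        backend = (user and user.backend_auth) or self.policy.backend_auth
        if local == "Digipass/Password" and user and user.digipass_serial:
            # Final architecture (4.2): OTP verified here; no attributes come back (7.2).
            ok = self.local_otp_check(user.digipass_serial, passcode)
            return ("Access-Accept" if ok else "Access-Reject"), {}
        if backend == "Always":
            # Migration architecture (3.2): request proxied to the RSA back-end.
            code, attrs = self.backend(user_id, passcode)
            if code == "Access-Accept" and user is None and self.policy.dynamic_user_registration:
                self.users[user_id] = User(user_id)   # DUR creates the user (7.1)
            return code, attrs
        return "Access-Reject", {}

    def migrate_to_digipass(self, user_id: str, serial: str) -> None:
        """Section 6.5 overrides plus the 6.6 assignment, for one existing user."""
        u = self.users[user_id]  # KeyError if the user never passed DUR
        u.local_auth, u.backend_auth, u.digipass_serial = "Digipass/Password", "None", serial

# Constructed stand-ins (not real RSA or DIGIPASS verification): fixed passcodes.
RSA_PASSCODES = {"vasco": "159753"}
DIGIPASS_OTPS = {"DP-0001": "482913"}
def rsa_backend(user_id: str, passcode: str) -> Result:
    if RSA_PASSCODES.get(user_id) == passcode:
        return "Access-Accept", {"Reply-Message": "RSA"}  # constructed reply attribute
    return "Access-Reject", {}
def digipass_check(serial: str, otp: str) -> bool:
    return DIGIPASS_OTPS.get(serial) == otp

def run_migration():
    policy = Policy("None", "Always", "RADIUS", dynamic_user_registration=True)
    ikey = IdentikeyFrontEnd(policy, rsa_backend, digipass_check)
    first = ikey.authenticate("vasco", "159753")      # proxied to RSA, user created by DUR
    ikey.migrate_to_digipass("vasco", "DP-0001")
    after = ikey.authenticate("vasco", "482913")      # handled locally, no attributes
    old_token = ikey.authenticate("vasco", "159753")  # SecurID passcode no longer accepted
    return first, "vasco" in ikey.users, after, old_token
```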
8 About VASCO Data Security
VASCO designs, develops, markets and supports patented Strong User Authentication products
for e-Business and e-Commerce.
VASCO's User Authentication software is carried by the end user on its DIGIPASS products, which
are small "calculator" hardware devices, or in a software format on mobile phones, other portable
devices, and PCs.
At the server side, VASCO’s IDENTIKEY products guarantee that only the designated DIGIPASS
user gets access to the application.
VASCO’s target markets are the applications and their several hundred million users that utilize
fixed password as security.
VASCO’s time-based system generates a “one-time” password that changes with every use, and
is virtually impossible to hack or break.
VASCO designs, develops, markets and supports patented user authentication products for the
financial world, remote access, e-business and e-commerce. VASCO’s user authentication
software is delivered via its DIGIPASS hardware and software security products. With over 25
million DIGIPASS products sold and delivered, VASCO has established itself as a world-leader for
strong User Authentication with over 500 international financial institutions and almost 3000
blue-chip corporations and governments located in more than 100 countries.