DIGIPASS Authentication for Pulse Connect Secure INTEGRATION GUIDE

Whitepaper: Digipass Authentication for Pulse Connect Secure



Disclaimer

Disclaimer of Warranties and Limitation of Liabilities

All information contained in this document is provided 'as is'; VASCO Data Security assumes no responsibility for its accuracy and/or completeness.

In no event will VASCO Data Security be liable for damages arising directly or indirectly from any use of the information contained in this document.

Copyright

Copyright © 2010 VASCO Data Security, Inc, VASCO Data Security International GmbH. All rights reserved. VASCO®, Vacman®, IDENTIKEY®, aXsGUARD™, DIGIPASS® and ® logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. VASCO Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Products, updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, database rights and all other intellectual and industrial property rights in the U.S. and other countries. Microsoft and Windows are trademarks or registered trademarks of Microsoft Corporation. Other names may be trademarks of their respective owners.


Table of Contents

Disclaimer
Table of Contents
1 Overview
2 Technical Concepts
2.1 Pulse Secure
2.1.1 Pulse Connect Secure
2.2 VASCO
2.2.1 IDENTIKEY Authentication Server or IDENTIKEY Appliance
3 Installation
3.1 Pulse Connect Secure
3.2 IDENTIKEY Appliance
4 Setup without IDENTIKEY
4.1 Architecture
4.2 Pulse Connect Secure Settings
4.2.1 Authentication Servers
4.2.2 User Realms
4.2.3 User Roles
4.2.4 Sign-in
4.3 Testing the Solution
5 Solution
5.1 Architecture
5.2 Pulse Connect Secure Settings
5.2.1 Authentication Servers
5.2.2 User Realms
5.2.3 Sign-in


5.3 IDENTIKEY Authentication Server Settings
5.3.1 Policies
5.3.2 Client
5.3.3 User
5.3.4 DIGIPASS
5.4 Testing the Solution
6 Solution with Virtual DIGIPASS
6.1 Architecture
6.2 Pulse Connect Secure Settings
6.2.1 Authentication Servers
6.3 IDENTIKEY Authentication Server Settings
6.3.1 MDC Configuration
6.3.2 Policies
6.3.3 DIGIPASS
6.3.4 User
6.4 Testing the Solution



1 Overview

This whitepaper describes how to configure Pulse Connect Secure together with VASCO IDENTIKEY Authentication Server. This setup will enable securing the sign-in to the SSL VPN with two-factor authentication.


2 Technical Concepts

2.1 Pulse Secure

2.1.1 Pulse Connect Secure

Pulse Connect Secure provides remote access to the company’s intranet through an SSL VPN solution that is easy to use yet still flexible. The solution is available as a hardware appliance or a virtual appliance.

2.2 VASCO

2.2.1 IDENTIKEY Authentication Server or IDENTIKEY Appliance

IDENTIKEY Authentication Server is an off-the-shelf centralized server that provides two-factor authentication with DIGIPASS devices. It offers complete functionality and management features without the need for significant budgetary or personnel investments.

IDENTIKEY Appliance is a standalone authentication appliance that offers the features of IDENTIKEY Authentication Server and is ready to be deployed right away.

The use and configuration of an IDENTIKEY Authentication Server and an IDENTIKEY Appliance are similar.


3 Installation

3.1 Pulse Connect Secure

Follow the installation steps on the console of the Pulse Connect Secure appliance.

Start the installation.

Configure the network settings.

Create an admin user.


Finalize the configuration with certificate information and a random string.

3.2 IDENTIKEY Appliance

Open the console of the IDENTIKEY appliance. Log on with ‘rescue’ for the basic configuration.

Choose n for network configuration.


Configure the IP address of the appliance by typing i.

Configure the gateway of the appliance by typing g.

Navigate to the appliance’s IP address over https, and open the configuration wizard by logging on with the default credentials ‘sysadmin’ – ‘sysadmin’.


Follow the configuration wizard, and configure the sysadmin password, network settings and certificate information.


Configure the license for the appliance. You can request a temporary license from the Vasco Customer Portal http://cp.vasco.com.


Finish the wizard with the IDENTIKEY configuration and an administrator user.


4 Setup without IDENTIKEY

Before adding two-factor authentication to the sign-in, it is important to validate a standard configuration without a connection to IDENTIKEY Authentication Server. A standard authentication setup in Pulse Connect Secure will be configured, based on users that are added locally.

4.1 Architecture

4.2 Pulse Connect Secure Settings

Navigate to the administration interface of Pulse Connect Secure. This is hosted on https://[server IP address]/admin.

4.2.1 Authentication Servers

An authentication server in Pulse Connect Secure configures a system that can handle the authentication for the SSL VPN sign-in.

In order to authenticate using local users on Pulse Connect Secure, we will use the authentication server called ‘System Local’ that is configured by default.

Navigate to Authentication > Auth Servers > System Local


Create a local user in the System Local authentication server to test the authentication. Open the Users tab and click New.


Username: userlocal
Full Name: Local Test User
Password: Test1234

Click on Save Changes.

4.2.2 User Realms

A User Realm is the central configuration for the SSL VPN sign-in, specifying how it will be handled exactly. The authentication server to be used will be selected in the user realm.

Navigate to the default user realm ‘Users’, which specifies the authentication based on System Local.

Users > User Realms > Users


4.2.3 User Roles

User roles are managed in Pulse Connect Secure to specify what a user is allowed to do in the SSL VPN.

A default role ‘Users’ already exists with the most common configuration of what regular users are allowed to do. Any role can be configured specifically to the needs of the environment, regardless of the authentication configuration.

Roles will be assigned to users based on the configured Role Mapping inside the user realm.

For the user realm Users, a default role mapping has been defined that assigns the Users role to all users for the realm.

Navigate to the tab ‘Role Mapping’ of the user realm.


4.2.4 Sign-in

A sign-in policy will link the sign-in URL to the user realm that will be used to authenticate users.

The default sign-in policy links the root URL to the Users user realm.

Navigate to Authentication > Sign-in Policies > */


4.3 Testing the Solution

Browse to the SSL VPN Web portal, hosted on the root URL of the Pulse Connect Secure’s IP address over https.

Authenticate with the test user userlocal and password Test1234. Check that you are redirected to the Pulse Connect Secure main user interface.


5 Solution

When the basic setup is completed successfully, the solution is ready to be integrated with IDENTIKEY. This will secure the SSL VPN with two-factor authentication. The users and DIGIPASS will be managed in IDENTIKEY, and the authentication will use the RADIUS protocol.

5.1 Architecture

5.2 Pulse Connect Secure Settings

Navigate to the administration interface of Pulse Connect Secure. This is hosted on https://[server IP address]/admin.

5.2.1 Authentication Servers

To connect to IDENTIKEY, a new Authentication Server should be defined in Pulse Connect Secure. This will configure the RADIUS connection.

Navigate to Authentication > Auth Servers

Select Radius Server in the dropdown box and click New Server


Name: Identikey
Radius Server: IP of the IDENTIKEY server
Shared Secret: Choose a shared secret to secure the Radius connection
Enable ‘Users authenticate using tokens or one-time passwords’

Click on Save Changes at the bottom of the page.

5.2.2 User Realms

Now we have to specify a new user realm where we will link the new Authentication Server.

Navigate to Users > User Realms > New


Name: Identikey
Authentication: Identikey

Click on Save Changes at the bottom of the page.

Configure the Role Mapping for this user realm. For the setup, we will use a simple configuration to assign the ‘Users’ role to all users.

Navigate to the tab ‘Role Mapping’ of the user realm, and choose New Rule.


Name: All Users
If username is: *
Add role: Users

Click on Save Changes at the bottom of the page.

5.2.3 Sign-in

The new user realm will have to be linked to the existing sign-in page. We will set this up in the Sign-in Policy.

Navigate to Authentication > Sign-in Policies > */


Enable the Identikey realm. Select Users and click Remove. Select Identikey and click Add.

It is possible to select multiple user realms. This will provide a list of the available realms on the sign-in page.

5.3 IDENTIKEY Authentication Server Settings

The incoming RADIUS connection needs to be configured in IDENTIKEY. Along with it, the required authentication process also needs to be set up.

5.3.1 Policies

In the Policy, the behavior of the authentication is defined. Various specific settings are available, which need to be set according to the requirements of the environment. For the test setup, only local authentication on IDENTIKEY will be performed, without any additional settings.

Navigate to the IDENTIKEY Web Administration. It is available on https://[IP of IDENTIKEY]/webadmin. Log on with the administrator account.


Navigate to Policies > Create.

Policy ID: Pulse Secure Integration
Inherits From: Identikey Local Authentication

Click on Create.

If needed, specific settings can be modified in the policy details. However, in this setup the default settings inherited from Identikey Local Authentication will be fine.

5.3.2 Client

A client specifies which applications are allowed to connect to IDENTIKEY through which protocol. For the setup, a client will be registered to allow incoming RADIUS requests from Pulse Connect Secure.


Navigate to Clients > Register.

Client Type: RADIUS Client
Location: The IP address of the Pulse Connect Secure server
Policy ID: Pulse Secure Integration
Protocol ID: RADIUS
Shared Secret: The shared secret that you chose when configuring the Authentication Server in Pulse Connect Secure. This secret has to be the same on both sides of the connection.
Confirm Shared Secret: repeat the shared secret

Click on Create.

5.3.3 User

A user has to be configured to test the authentication.

Navigate to Users > Create.


User ID: user1
Domain: master

Click on Create.

5.3.4 DIGIPASS

The DIGIPASS record will be able to check the one-time password that is submitted by the user during authentication. This DIGIPASS is unique and identified by its serial number. It will be assigned to the user account, so the correct link is established between the user ID and the DIGIPASS.

To be able to use a DIGIPASS, the records should be imported into IDENTIKEY. For testing purposes, demo DIGIPASS licenses can be used. The import happens by following the wizard DIGIPASS > Import.

For assigning the DIGIPASS to user1, navigate to the user account. Select the tab Assigned DIGIPASS.


Click Assign and follow the wizard.

Select ‘Search now to select DIGIPASS to assign’ to select the required DIGIPASS in the next step. Click Next.


Select the correct DIGIPASS and click Next.

Select a grace period of 0 days, and click Assign.

The DIGIPASS is now assigned to the user and ready for use. Click on Finish.

5.4 Testing the Solution

Browse to the SSL VPN Web portal, available on https://[IP of Pulse Connect Secure]/.


Username: user1
Password: OTP generated by the DIGIPASS assigned to user1

Click on Sign In.

In case of success, you will be redirected to the SSL VPN homepage.


6 Solution with Virtual DIGIPASS

The solution is now secured with one-time passwords generated by a DIGIPASS. In another setup, Pulse Connect Secure can also handle authentications by a virtual DIGIPASS. The virtual DIGIPASS generates OTPs on the server, and these are delivered to the user through email, SMS or phone calls.

The SSL VPN sign-in will now consist of two steps. The first step is to request the OTP from the server, and the second step is to submit the OTP for authentication.

An SMS gateway has to be configured to send the virtual OTP over SMS.

6.1 Architecture

6.2 Pulse Connect Secure Settings

6.2.1 Authentication Servers

In order to authenticate using a virtual DIGIPASS, we have to modify the settings of the Authentication Server in Pulse Connect Secure.

An extra RADIUS rule will specify that a second step is added to the authentication when the RADIUS server signals that a virtual OTP has been generated.

Navigate to Authentication > Authentication Servers > Identikey


Click ‘New Radius Rule’ in the edit screen of the authentication server.

Name: Virtual Digipass
Response Packet Type: Access Challenge
Attribute criteria: Reply-Message matches the expression Enter One-Time Password
Show Next Token page

Click Add next to the attribute criteria.

Click on Save Changes at the bottom of the page.

When a virtual OTP is requested from IDENTIKEY through RADIUS, it will send a special value in the RADIUS Reply-Message attribute. This value is exactly equal to ‘Enter One-Time Password’.
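As an added example (not code from the guide, VASCO or Pulse Secure), the RADIUS exchange behind sections 5.2.1/5.3.2 and 6.2.1 with both sides modelled in Python: the client hides the password with the shared secret, the server signs its reply with the same secret, and the client applies the rule above (an Access Challenge whose Reply-Message is ‘Enter One-Time Password’ means show the Next Token page). The IDENTIKEY side is a constructed stand-in, and the State value, user name and secrets are assumptions.

```python
"""Two-step RADIUS exchange behind the virtual DIGIPASS sign-in: Access-Request -> Access-Challenge
(Reply-Message 'Enter One-Time Password') -> Access-Request with State. Constructed example, not
VASCO or Pulse Secure code; packet and password rules follow RFC 2865."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11  # packet codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24  # attribute types
CHALLENGE_PROMPT = b"Enter One-Time Password"  # Reply-Message value named in the guide

def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        out += bytes(x ^ y for x, y in zip(encoded[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")

def pack_attrs(attrs) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        attrs[t], i = data[i + 2:i + length], i + length
    return attrs

def access_request(ident, user, password, secret, state=b"") -> bytes:
    """Client side (the Pulse Connect Secure role): fresh Request Authenticator, hidden password."""
    auth = os.urandom(16)
    attrs = [(USER_NAME, user), (USER_PASSWORD, encode_user_password(password, secret, auth))]
    if state:  # the second step echoes the server's State attribute
        attrs.append((STATE, state))
    body = pack_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + auth + body

def reply(code, request, secret, attrs) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = pack_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

def mock_identikey(request, secret, static_pw, otp) -> bytes:
    """Constructed stand-in for IDENTIKEY with Request Method 'Password'; not real server logic."""
    attrs = parse_attrs(request[20:])
    submitted = decode_user_password(attrs[USER_PASSWORD], secret, request[4:20])
    if STATE not in attrs and submitted == static_pw:  # step 1: static password requests the OTP
        challenge = [(REPLY_MESSAGE, CHALLENGE_PROMPT), (STATE, b"otp-sent")]
        return reply(ACCESS_CHALLENGE, request, secret, challenge)
    ok = attrs.get(STATE) == b"otp-sent" and submitted == otp  # step 2: the OTP sent by SMS
    return reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret, [])

def next_step(request, response, secret) -> str:
    """Pulse-side decision: Access Challenge + the prompt -> Next Token page (the guide's rule)."""
    header, resp_auth, body = response[:4], response[4:20], response[20:]
    if hashlib.md5(header + request[4:20] + body + secret).digest() != resp_auth:
        return "reject"  # wrong shared secret on one side, or a tampered reply
    if response[0] == ACCESS_CHALLENGE and parse_attrs(body).get(REPLY_MESSAGE) == CHALLENGE_PROMPT:
        return "next_token"
    return "accept" if response[0] == ACCESS_ACCEPT else "reject"

def login(secret, static_pw, otp, server_secret=b"") -> list:
    """Run the two-step sign-in; set server_secret to model a shared-secret mismatch."""
    server_secret, steps = server_secret or secret, []
    req = access_request(1, b"user1", static_pw, secret)
    resp = mock_identikey(req, server_secret, static_pw, otp)
    steps.append(next_step(req, resp, secret))
    if steps[-1] == "next_token":
        req = access_request(2, b"user1", otp, secret, state=parse_attrs(resp[20:])[STATE])
        resp = mock_identikey(req, server_secret, static_pw, otp)
        steps.append(next_step(req, resp, secret))
    return steps
```

A shared secret that differs between the two sides (the caveat in 5.3.2) surfaces here as a reply that fails the Response Authenticator check, so the client never reaches the Next Token page.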


6.3 IDENTIKEY Authentication Server Settings

6.3.1 MDC Configuration

Navigate to the IDENTIKEY Appliance configuration, on https://[IP of IDENTIKEY]/application.

For an IDENTIKEY Authentication Server installation, the MDC configuration is in a separate tool. The software is located at VASCO > IDENTIKEY Server > Virtual DIGIPASS MDC Configuration.

Log on with a system administrator account.


Navigate to Authentication Server > Message Delivery Component

Enable the Message Delivery Component. Then configure an SMS gateway with its specific connection details. Enable that gateway and click Save.

6.3.2 Policies

To test the virtual DIGIPASS, the IDENTIKEY setup has to be completed so that this scenario is allowed.

The policy defines how the virtual OTP is requested.

Open the IDENTIKEY web administration.


Navigate to Policies and open the policy Pulse Secure Integration.

Open the tab Virtual DIGIPASS.

All default values inherited from the IDENTIKEY Local Authentication policy are already correct for the setup.

Delivery Method: SMS
MDC Profile: empty
Request Method: Password

This means that the user will request an OTP from the server, by providing his static password. Another option would be to request an OTP by a specific keyword.

6.3.3 DIGIPASS

The user will need a virtual DIGIPASS serial number to be assigned.

The specific DIGIPASS records should be imported by using the wizard DIGIPASS > Import.

Navigate to the user account and open the tab Assigned DIGIPASS.


Click on Assign and follow the wizard.

Choose a DIGIPASS type that is a virtual DIGIPASS, in this case DPVTL. Let IDENTIKEY automatically select an available virtual DIGIPASS.


Click on Assign, and on Finish on the next page. A virtual DIGIPASS is now assigned to the user, and ready to be used.

6.3.4 User

A password has to be set for the user, to request a virtual OTP. The mobile phone number also has to be added, so the virtual OTP will be sent to that number.

Navigate to Users and select the user1 account.


Click on Set Password and choose a static password for the user.

Type the password and repeat it for confirmation. Click on Save.

In the user account, click on Edit to enter the mobile phone number.

Enter the number in the field ‘Mobile’ and click on Save.

6.4 Testing the Solution

Browse to the SSL VPN Web portal, available on https://[IP of Pulse Connect Secure]/.


Username: user1
Password: the static password defined for user1

Click Sign In.

An additional page is shown where the received virtual OTP can be entered.

Normally, an SMS message should be delivered to the mobile phone number configured for user1. The message contains the generated virtual OTP.

Enter the OTP on the page and click on Enter.


In case of success, you will be redirected to the SSL VPN homepage.