HOW-TO GUIDELINES
HWTO3SG1.6 - 5/3/02
Introduction
This document outlines the steps necessary to configure StoneGate, in order to
authenticate users externally to an RSA ACE/Server version 5.0 for Windows NT. This
document covers authentication procedures using either password authentication or
SecureID tokens. Authentication is accomplished using the RADIUS server running on
the RSA ACE/Server as an intermediate agent that processes external authentication
requests from a StoneGate cluster.
The document assumes the reader possesses basic knowledge of the RSA ACE/Server
administration software. Screenshots of the RSA ACE/Server are provided in three
appendices, but only a minimum configuration of the RSA ACE/Server is addressed.
[Figure: topology of the setup. SG VPN Client; Management network with Management Server and Log Server; FW; RSA ACE/Server (as RADIUS server) with NT Agent (ACE client); Intranet]
Setup Requirements
This setup was established with the following components:
• StoneGate Management v. 1.6
Setting Up a RADIUS Server
• Netscape v. 6
• Microsoft Windows NT platform
• RSA ACE/Server v. 5.0
• RSA ACE/Agent 4.4
Configuration Steps
The RADIUS server setup consists of the following main steps:
1. Before you start
2. RSA ACE/Server installation
3. RADIUS server configuration
4. Authentication service configuration in StoneGate User Manager
5. Using authentication service in a rule base with StoneGate Security Policy Manager
Before You Start
Note: You need to use the dedicated IP addresses, not the virtual IP addresses of the cluster.
2. In the RSA ACE/Server Configuration Management window, first click on the Edit
button on the bottom left of the box.
3. In the Enable Features section of this window, make sure that:
• The DES radio button of the Encryption Type is selected.
• The RADIUS Server Enabled check box is checked.
4. Click OK to continue.
5. In the following dialog box, click Yes to save the configuration changes to the RSA
ACE/Server configuration file.
ILLUSTRATION 1.4 RSA ACE/Server Configuration Management
3. Check the Automatic ACE/Server Startup box and click Start to start the server.
4. When the “RSA ACE/Server is started” pop-up appears, click OK to continue.
5. In the Reminder window, click OK to exit.
ILLUSTRATION 1.6 RSA ACE/Server Configuration Management
6. Go back to the RSA ACE/Server dialog box and click the Stop button to stop the
RSA/ACE Server.
Importing tokens
You must import tokens from an .asc file before the tokens can be assigned to a user.
To import tokens:
1. Select Token>Import Token from the main menu.
2. Insert the token diskette into drive a:\.
3. Select the path to the .asc file from the diskette, and click Open.
4. The Import Status dialog box opens, allowing you to verify that the two demo tokens
were imported.
Adding a group
You should next define a group to which users can be added.
To add a group:
1. From the RSA ACE/Server Administration main menu, select Group>Add Group.
2. The Edit Group dialog box opens. Enter a group name and click OK to continue.
ILLUSTRATION 1.10 Edit Group dialog box
Adding a user
Now you can add users to the group created. The way to do this depends on the
authentication method, i.e. keyfob (token) or static password, defined for the user.
6. You should now return to the Edit User window, which now contains the information
that you have defined.
ILLUSTRATION 1.13 Edit User
7. Click the Group Memberships button. The Memberships dialog box opens.
ILLUSTRATION 1.14 Memberships
8. Select the group you created from the Available Groups column.
9. Click Join Group.
Defining Agent Hosts for the Nodes and for the RADIUS Server
The agent hosts must be defined so that users can authenticate from these computers.
The RADIUS server acts as a proxy and must be defined as a virtual client.
• The computer running the RSA ACE/Server because it also hosts the Radius-to-Ace
proxy, the purpose of which is to forward authentication requests from the nodes to
the RSA ACE/Server.
The definition must be entered for each node plus the RSA ACE/Server itself.
3. In the Name field, enter the name from the ‘hosts’ file.
4. Click in the Network Address field. The IP address for this name should automatically
populate this field. If not, check the spelling of the name.
5. For Encryption Type, specify DES (Data Encryption Standard).
6. Click on the Group Activations button to activate the group that will be
authenticating from StoneGate. The Group Activations dialog box opens.
7. In the Group Activations dialog box, select the group to be activated from the list of
Groups on the left. Click the Activate Group button and the group will appear on the
list of Directly Activated Groups on the right. Click Exit to return to the previous
window.
8. In the Edit Agent Host window, click the Assign/Change Encryption Key button. The
Assign/Change Encryption Key dialog box opens.
9. Enter an encryption key that will be used to communicate with the RADIUS server
associated with the StoneGate cluster. This key will be the same as the one used for
the RADIUS server on the cluster. The encryption key defined here must be the
same as the one defined in the field Shared Secret in the Authentication Server Properties
window in StoneGate GUI. See Figure 1.22 on page 21.
10. Next, define the agent host for the other node, Sophia22. Use the same parameters
as with Sophia21 and repeat steps 1-8. Illustration 1.19 depicts the agent host
definitions used for node Sophia22.
ILLUSTRATION 1.19 Edit Agent Host
11. Finally, define the agent hosts for the RSA ACE/Server itself (jowcol). Repeat the
steps 1-8 described above. Illustration 1.20 depicts the agent host definitions of the
RSA ACE/Server itself.
Creating RADIUS Server and Service in StoneGate
In StoneGate, you must perform the following tasks:
• Create a RADIUS server.
• Create a RADIUS authentication service.
• Create users or a special *external* user.
• Add rules in the Security Policy Manager.
• Check the service number.
At least one CVI in the cluster must be defined for use in authentication, which means
it must use CVI mode A (this determines the interface used for authentication requests).
This is enabled by checking the Use as identity for authentication request box.
ILLUSTRATION 1.21 Interface Properties
3. Fill in the fields of the window. Verify that the port number in the Port Number field is
the same as the RSA ACE/Server RADIUS port number (1645).
4. Enter the shared secret. It is the same as the key created on the ACE Host Agent
running on this server. See Figure 1.18 on page 17.
5. Check the RADIUS radio button in the Type field.
6. Click OK to continue.
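The shared secret entered in step 4 and the encryption key assigned to the agent host (step 9 of the previous section) must match because RFC 2865 uses that secret to hide the User-Password attribute of every Access-Request. The following Python example, added to this guide and not StoneGate or RSA code, builds the Access-Request a node would send to the ACE/Server's RADIUS port and shows that a server configured with a different secret recovers the wrong password; the secret, addresses and user name are constructed sample values.

```python
import hashlib
import os
import struct

RADIUS_PORT = 1645          # RADIUS port of the RSA ACE/Server in this guide (UDP)
ACCESS_REQUEST = 1          # RFC 2865 packet code
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def _attr(atype, value):
    # RFC 2865 attribute layout: Type(1) Length(1) Value; Length includes the header.
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad the password to 16-byte blocks and XOR each
    block with MD5(secret + previous block), the first block using the
    Request Authenticator. The shared secret is the only secret input."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as run on the RADIUS server with its own secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ m for c, m in zip(block, mask)), block
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, nas_ip, authenticator=None):
    """Access-Request as a node would send it to the ACE/Server's RADIUS port.
    nas_ip is the node's dedicated address (per the guide: not the cluster VIP)."""
    auth = authenticator or os.urandom(16)          # Request Authenticator, random
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, auth))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + auth + attrs


def parse_attributes(packet):
    """Return {type: value} for the attributes following the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def server_side_password(packet, server_secret):
    """What the server recovers; unrelated bytes when its secret differs from the node's."""
    attrs = parse_attributes(packet)
    return reveal_password(attrs[ATTR_USER_PASSWORD], server_secret, packet[4:20])
```

Note that the hiding is an MD5 keystream rather than authenticated encryption, so the secret should be long and random and the RADIUS rule in the policy should be limited to the nodes' dedicated addresses and the ACE/Server.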
4. Enter a name for the authentication service, select the RADIUS radio button, and
click OK to continue.
5. The new service appears greyed-out on the list of authentication services in the left
panel of the Authentication Services tab. It is greyed-out because it does not yet include
any server.
ILLUSTRATION 1.24 User Manager Authentication Services tab
6. Drag and drop the ‘RadiusServer’ that you created from the right panel to the left
panel under the RADIUS authentication service. The server is now activated.
7. Create a group profile for all users authenticating to the RSA ACE/Server. In the
User Manager User Directory tab, expand the ‘InternalDomain’.
8. Right-click on the ‘stonegate’ domain. Select New>Group from the contextual menu
that appears.
9. The Group Properties dialog box opens.
ILLUSTRATION 1.26 GroupProperties dialog box
10. Enter a name for the group profile and click the Authentication tab.
11. Drag and drop the authentication service created to the Bound Authentication Services
panel. Click OK to continue.
Note: If you change the port number on the RSA ACE/Server, you will also need to edit the
‘services’ file on the Windows NT server and change the record for the RADIUS
service port. Another option is to modify the definition of the StoneGate RADIUS
service. The port should be UDP (not TCP) in the ‘services’ file. See Illustration 1.29.
Instead of modifying the default “RADIUS” service, you can create a new one and add
it to the security policy. In the Security Policy Manager, create a rule that allows the
cluster to communicate with the RSA ACE/Server.
Illustration 1.29 depicts the situation after changing the destination port number.
ILLUSTRATION 1.29 Service Manager, after
There is no need to add a rule in the rule base to allow RADIUS traffic from the nodes
to the RADIUS server because the RADIUS service is already defined in the default
rules.
When you select the View Inherited Rules button from the toolbar, all inherited rules will
be displayed. The RADIUS service is in rule 7.
ILLUSTRATION 1.31 Security Policy Manager
2. In the General tab, define *external* as the UserName. Select the Always Active check
box or set the expiration parameters. Click OK to continue.
3. Select the Authentication tab and drag and drop the RADIUS service to the panel on
the right listing bound authentication services. For an *external* user, you do not
need to specify any password here because it is retrieved from the RADIUS server.
Click OK to continue.
ILLUSTRATION 1.33 User Properties Authentication tab
The *external* user has now been created and it appears in the user directory of the
User Manager as depicted in Illustration 1.34.
ILLUSTRATION 1.34 User Manager, User Directory tab
Authentication
After the RADIUS server setup, you should check that it is operating properly. Try to
authenticate using either the Authentication Client or Telnet to port 2543. The
Authentication Client is part of the StoneGate VPN Client.
4. The User Authentication page opens. Type in the name or the address of the
StoneGate Security Gateway.
6. Enter the username, domain, and password and click the Submit button. Here, the
password is the 4-digit PIN code immediately followed by the 6-digit keyfob number.
7. The Authentication Finished page opens. It informs you whether the authentication
has been successful.
Troubleshooting
The following screenshot from the Log Browser shows an example of a typical error
caused by situations in which the DNS server or /etc/hosts file was not correctly
configured.
Illustration 1.44 shows that the firewall tried to authenticate a user three times but did
not succeed because in our case the /etc/hosts file was not correctly configured. The
firewall was not able to resolve the IP address into a host name.
ILLUSTRATION 1.44 Reverse lookup
The authentication service used for a connection is chosen by the firewall engine unless
the user specifies it as part of the user name. In all versions of StoneGate (up to and
including 1.6.2) the firewall chooses the first authentication service in the user's LDAP
database. However, the user's list of authentication services is not ordered (it is
actually a group), so the firewall may not choose the authentication service shown
topmost in the user's GUI. To guarantee predictable service that operates correctly
every time, the administrator should bind only one authentication service to each user, or
users should always specify the authentication service when authenticating.
The full syntax of the user name field in the authentication process is the following:
username[@domain][;authentication_service]
If the user does not belong to the default domain of the management server, [@domain]
needs to be specified. If the user has more than one authentication service, it is
necessary to specify [;authentication_service].
The parts shown in square brackets are optional. The ability to set these
parameters keeps the most common cases simple to specify while delivering run-time
flexibility for expert users.
Examples
In a typical general (simple) case, an authentication window appears in the VPN Client
in response to a firewall-initiated authentication request. Only one authentication
service is set for John, a user belonging to the default domain* so he must enter the
following data in the authentication window:
User name: john
Domain:
Password: secret
In a more complicated case, a user named Jack normally authenticates with a static
password when he is local to the corporate network. He occasionally travels, and while
on the road authenticates using a SecurID card. On the road, for example with only a
personal digital assistant, he uses Telnet to authenticate to firewall port 2543:
SG login: jack@stonegizmo.com;ace
* There may be several authentication domains, but only one is marked as the default
domain. If a domain has not been specified for a user, the default domain is used.
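To make the rule above concrete, the following Python example, added here and not StoneGate code, parses the username[@domain][;authentication_service] syntax and resolves the service a request would use, reporting the case the guide warns about (several bound services and none specified) instead of guessing. The default domain and the user directory it consults are constructed samples.

```python
DEFAULT_DOMAIN = "stonegate"   # constructed sample: the management server's default domain

# Constructed sample directory: (user, domain) -> bound authentication services.
# A set, not a list: the guide notes the bound services are "actually a group"
# with no reliable order, which is why the engine's pick is unpredictable.
USER_DIRECTORY = {
    ("john", "stonegate"): {"ace"},
    ("jack", "stonegizmo.com"): {"internal", "ace"},
}


def parse_login(login, default_domain=DEFAULT_DOMAIN):
    """Split 'username[@domain][;authentication_service]' into its parts.
    A missing or empty domain means the default domain; a missing service is None."""
    service = None
    if ";" in login:                       # service suffix comes last, so split it first
        login, service = login.split(";", 1)
    domain = default_domain
    if "@" in login:
        login, domain = login.split("@", 1)
    user = login.strip()
    if not user:
        raise ValueError("user name must not be empty")
    if service is not None:
        service = service.strip() or None
    return user, domain.strip() or default_domain, service


def select_service(login, directory=USER_DIRECTORY, default_domain=DEFAULT_DOMAIN):
    """Return the service that will handle the request. Raises LookupError when the
    outcome would depend on the engine's choice (several bound, none specified)
    or when the requested service is not bound to the user."""
    user, domain, service = parse_login(login, default_domain)
    bound = directory.get((user, domain))
    if bound is None:
        raise LookupError(f"unknown user {user}@{domain}")
    if service is not None:
        if service not in bound:
            raise LookupError(f"{service} is not bound to {user}@{domain}")
        return service
    if len(bound) == 1:
        return next(iter(bound))
    raise LookupError(f"{user}@{domain} has several services {sorted(bound)}; "
                      "specify one with ';service' or bind only one")


def is_predictable(login, directory=USER_DIRECTORY, default_domain=DEFAULT_DOMAIN):
    """True when the login and directory alone determine the service used."""
    try:
        select_service(login, directory, default_domain)
        return True
    except LookupError:
        return False
```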
APPENDICES
APPENDIX A RSA ACE/Server Installation
Start the RSA ACE/Server setup by installing the software and the patches.
4. The License Agreement window opens. Read it through carefully. If you accept the agreement,
click Yes to accept and continue.
ILLUSTRATION A.47 License Agreement
5. The New Input Files window opens. On the Primary, insert the Primary Server License disk
into drive A:\. Click Next to continue.
ILLUSTRATION A.48 New Input Files
6. The Available Input Files window lists all the currently available input files. Click Next to
continue.
7. In the Installation Directory window, enter the pathname to the destination directory. Use
standard defaults to install the server to c:\ace5\. Click Next to continue.
ILLUSTRATION A.50 Installation Directory
8. In the Installation Options window, select the items you want to install. A successful
configuration requires at least a New Primary RSA ACE/Server. Click Next to continue.
ILLUSTRATION A.51 Installation Options
9. The Start Copying Files window lists the current settings. Click Next to copy the files.
ILLUSTRATION A.52 Start Copying Files
10. You must restart the computer before you can use the RSA ACE/Server you installed. In the
Installation Complete window select the Yes, I want to restart my computer now radio button,
remove all disks from the disk drives, and click the Finish button. If required, install the
appropriate service pack for the RSA ACE/Server 5.0.
APPENDIX B RSA ACE Client Setup
Catool is a certificate utility tool provided with the ACE Client in order to create certificates and
keys used by the Client when communicating with the RSA ACE/Server.
Catool Installation
Follow the steps below for Catool installation.
To install Catool:
1. Install the Catool that comes with the agent. Select Start > Programs > ACE Agent > RSA ACE
Agent Certificate Utility. The Welcome window opens. Click Next to continue.
2. The Software License Agreement window opens. Read it through carefully. If you accept the
license agreement, click Yes to continue.
ILLUSTRATION B.55 Software License Agreement
3. The Choose Destination Location window opens. Choose a folder and click Next to continue.
ILLUSTRATION B.56 Choose Destination Location
4. In the Select Program Folder window, choose a program folder in which to store the program
icons that will be added. Click Next to continue.
ILLUSTRATION B.57 Select Program Folder
5. The Setup Complete window will inform you when the setup is complete. Exit the program by
clicking Finish.
ILLUSTRATION B.58 Setup Complete
6. Next, create a new root certificate and key. In the RSA ACE/Agent Certificate Utility dialog box,
define the current directory (by default in C:\Program Files\SDTI\RSA ACE Agent..).
Click the New Root Certificate and Keys button.
ILLUSTRATION B.59 RSA ACE/Agent Certificate Utility
8. You will receive a notification when the root certificate and keys are successfully created.
ILLUSTRATION B.61 RSA Security Inc. Certificate Tool
NT Agent Installation
Next, you need to install the NT agent.
5. The Software License Agreement window opens. Read the license through carefully. If you
accept it, click Yes to continue.
6. In the Select Components window, select Network Access Authentication (Client). Click Next to
continue.
ILLUSTRATION B.65 Select Components
7. In the Location of Root Certificate window, enter the path of the “sdroot.crt” file previously
created with Catool. Click Next to continue.
ILLUSTRATION B.66 Location of the Root Certificate “sdroot.crt”
8. In the Select Root Cert dialog box, select the root certificate and click Open.
ILLUSTRATION B.67 Select Root Cert
10. In the following window, enter the path to your RSA ACE/Server configuration record and
click Next to continue. This file was created earlier as depicted in Illustration 1.4, “RSA ACE/
Server Configuration Management,” on page 7 and it is now copied to this location.
ILLUSTRATION B.69 Location of RSA ACE/Server configuration record “sdconf.rec”
11. Follow the program registration instructions in this window. Click Next to continue.
ILLUSTRATION B.70 RSA ACE/Agent Registration
12. In the Setup Complete window, click Yes, I want to restart my computer now, remove all disks from
disk drives, and click Finish to complete the setup.
APPENDIX C First Contact with Casual ACE Agent
Next, contact the Ace Agent. This is the initial contact and there is no need to do
this separately for each user. Later on, the users will connect using the
Authentication Client.
Note: If you have engine version 774 or higher, this operation can be performed
directly from the first authentication using the Telnet 2543 or Authentication
Client connection using the StoneGate VPN Client.
1. After reboot, start the Log Monitor on the RSA ACE/Server from
Start>Programs>RSA ACE>Log Monitor. The Log Monitor assists you in
configuring and troubleshooting. Complete the definitions and click OK to
continue.
2. An empty window will open. This window will display a note confirming
whether or not the authentication has been accepted.
ILLUSTRATION C.73 RSA ACE/Server Log Monitor
6. Click the RSA ACE/Server Test Directly button. This will connect to the local
RSA ACE/Server (IP address 0.0.0.0) because the client is currently running
on the same machine as the RSA ACE/Server.
7. The RSA SecurID Authentication dialog box opens.
ILLUSTRATION C.76 RSA SecurID Authentication
8. Enter here the UserName and first passcode entered when defining the user.
Click OK to continue.
9. The RSA ACE/Server Log Monitor window opens. This window contains
information about the authentication attempt of the user called ‘userpwd’.
Click Exit to continue.
ILLUSTRATION C.77 RSA ACE/Server Log Monitor
10. A New PIN dialog box opens. Because this was the first successful
authentication, the user is asked to change the PIN code.
11. Enter a new PIN code and its confirmation. Click OK to continue.
12. The RSA ACE/Agent Authentication Test dialog box opens. It confirms whether
the new PIN has been accepted. Click OK to continue.
ILLUSTRATION C.79 RSA ACE/Agent Authentication Test
13. The RSA ACE/Server Log Monitor window opens. It now contains information
about the authentication. Illustration C.80 depicts the situation for user
‘userpwd’. Click OK to continue.
ILLUSTRATION C.80 RSA ACE/Server Log Monitor
14. Next, perform steps 7-13 with user ‘userkeyfob’. First, enter the UserName
and the first passcode entered when defining the user.
15. You are asked to change the PIN code. Enter a new PIN code.
ILLUSTRATION C.81 New PIN
16. A dialog box confirms whether or not the authentication has been successful.
ILLUSTRATION C.82 RSA ACE/Agent Authentication Test
17. Using the RSA ACE/Server Log Monitor, check that the actions you have
taken have been accepted. See Illustration C.83 on page 65.