Version 1.

HOW-TO GUIDELINES

Setting Up a RADIUS Server

HWTO3SG1.6 - 5/3/02

Stonesoft Corp. Itälahdenkatu 22A, FIN-00210 Helsinki Finland


Tel. +358 (9) 4767 11 Fax. +358 (9) 4767 1234 email: info@stonesoft.com
Copyright © 2002 Stonesoft Corp. All rights reserved.
All trademarks or registered trademarks are property of their respective owners.
Setting Up a RADIUS Server

Introduction
This document outlines the steps necessary to configure StoneGate to authenticate users
externally against an RSA ACE/Server version 5.0 for Windows NT. It covers authentication
with either static passwords or SecurID tokens. Authentication is accomplished through the
RADIUS server bundled with the RSA ACE/Server, which acts as an intermediate agent that
processes external authentication requests from a StoneGate cluster.

The document assumes the reader possesses basic knowledge of the RSA ACE/Server
administration software. Screenshots of the RSA ACE/Server are provided in three
appendices, but only a minimum configuration of the RSA ACE/Server is addressed.

Network Configuration Example


The following figure depicts the structure of the final configuration.
ILLUSTRATION 1.1 Final configuration (diagram elements: SG VPN Client; Management network
with Management Server and Log Server; FW; RSA ACE/Server (as RADIUS server); NT Agent (ACE
client); Intranet)

Setup Requirements
This setup was established with the following components:
• StoneGate Management v. 1.6
• Netscape v. 6
• Microsoft Windows NT platform
• RSA ACE/Server v. 5.0
• RSA ACE/Agent 4.4

Configuration Steps
The RADIUS server setup consists of the following main steps:
1. Before you start
2. RSA ACE/Server installation
3. RADIUS server configuration
4. Authentication service configuration in StoneGate User Manager
5. Using authentication service in a rule base with StoneGate Security Policy Manager

Before You Start

Updating the ‘hosts’ File


The RSA ACE/Server must be able to resolve the names of its RADIUS clients to their IP
addresses and, just as importantly, the IP addresses back to names (reverse lookup). If you
do not have a DNS server, edit the file \winnt\system32\drivers\etc\hosts and add an entry
for each node in your cluster, as highlighted in Illustration 1.2. Register the node
dedicated IP addresses (NDIs): these are the source addresses the RSA ACE/Server sees
whenever the cluster generates an authentication request. Make sure that the current IP
address of the RSA ACE/Server and of any RSA ACE/Agent is also registered in DNS or present
in the ‘hosts’ file. Illustration 1.2 depicts the ‘hosts’ file.
ILLUSTRATION 1.2 Hosts file update

Note: You need to use the dedicated IP addresses, not the virtual IP addresses of the cluster.
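As an added example (not part of the original guide or of any Stonesoft or RSA tool), the following Python code parses the contents of a hosts file and checks that every NDI that will appear as a RADIUS source address has a name and that the name maps back to that address alone, which is what the reverse lookup described above depends on. The sample hosts content and its addresses are constructed; only the host names Sophia21, Sophia22 and jowcol come from this guide. Run it with the real file from the RSA ACE/Server in place of SAMPLE_HOSTS.

```python
"""Check a hosts file for the forward/reverse entries the RSA ACE/Server needs (added example)."""
import ipaddress

# Constructed sample: the addresses are made up; Sophia21/Sophia22/jowcol are the names used in
# this guide. It deliberately contains one stale duplicate line for sophia22.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
# StoneGate node dedicated IP addresses (NDIs), not the cluster virtual addresses (CVIs)
192.168.10.21   sophia21
192.168.10.22   sophia22
192.168.10.23   sophia22    # stale entry left over from an earlier address plan
192.168.10.1    jowcol      # RSA ACE/Server itself (also defined as an agent host)
"""


def parse_hosts(text):
    """Return (ip -> names, name -> ips) from hosts-file text; comments and blank lines ignored."""
    ip_to_names, name_to_ips = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))  # normalises and rejects garbage
        except ValueError:
            continue
        for name in fields[1:]:
            ip_to_names.setdefault(ip, set()).add(name.lower())
            name_to_ips.setdefault(name.lower(), set()).add(ip)
    return ip_to_names, name_to_ips


def check_radius_clients(hosts_text, ndis, cvis=()):
    """List the reasons the ACE server could fail to resolve a node's NDI, or resolve it ambiguously.

    ndis: the node dedicated addresses that appear as source of the RADIUS requests.
    cvis: the cluster virtual addresses; the agent host definitions must not be built on those.
    """
    ip_to_names, name_to_ips = parse_hosts(hosts_text)
    problems = []
    for ip in ndis:
        names = ip_to_names.get(ip)
        if not names:
            problems.append(f"{ip}: no hosts entry, reverse lookup of this NDI will fail")
            continue
        for name in sorted(names):
            ips = name_to_ips[name]
            if len(ips) > 1:
                problems.append(f"{name}: maps to {sorted(ips)}; forward lookup may not return {ip}")
    for ip in cvis:
        if ip in ip_to_names:
            problems.append(f"{ip}: is a CVI; requests come from the NDIs, so define those as agent hosts")
    return problems


if __name__ == "__main__":
    # Typical use: open(r"C:\winnt\system32\drivers\etc\hosts").read() instead of SAMPLE_HOSTS.
    for problem in check_radius_clients(SAMPLE_HOSTS,
                                        ndis=["192.168.10.21", "192.168.10.22", "192.168.10.24"],
                                        cvis=["192.168.10.100"]):
        print("PROBLEM:", problem)
```

A name that maps to several addresses is the case that is easy to miss: the forward lookup the agent host definition performs (step 4 under “Defining Agent Hosts”) may then fill in an address that is not the one the requests actually come from.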

RSA ACE/Server Installation


Before you can start the RADIUS server configuration, you have to install the RSA ACE/Server.
For instructions, please see Appendix A “RSA ACE/Server Installation” on page 40.

RADIUS Server Configuration


Before StoneGate can use it, you must enable the RADIUS server bundled with your RSA
ACE/Server software and verify that it is running.

To configure the RADIUS server:


1. Go to Start>Programs>ACE Configuration Management. The RSA ACE/Server
Configuration Management window opens.

ILLUSTRATION 1.3 RSA ACE/Server Configuration Management

2. In the RSA ACE/Server Configuration Management window, first click on the Edit
button on the bottom left of the box.
3. In the Enable Features section of this window, make sure that:
• The DES radio button of the Encryption Type is selected.
• The RADIUS Server Enabled check box is checked.

4. Click OK to continue.
5. In the following dialog box, click Yes to save the configuration changes to the RSA
ACE/Server configuration file.
ILLUSTRATION 1.4 RSA ACE/Server Configuration Management

RSA ACE/Server Startup


Before you can use your ACE and RADIUS servers, you must first start them by doing
the following:

To start the RSA ACE/Server:


1. Go to Start > Settings > Control Panel.
2. Click the RSA ACE/Server icon to open the RSA ACE/Server start dialog box.
ILLUSTRATION 1.5 RSA ACE/Server Start dialog box

3. Check the Automatic ACE/Server Startup box and click Start to start the server.
4. When the “RSA ACE/Server is started” pop-up appears, click OK to continue.
5. In the Reminder window, click OK to exit.
ILLUSTRATION 1.6 RSA ACE/Server Configuration Management

6. Go back to the RSA ACE/Server dialog box and click the Stop button to stop the
RSA ACE/Server.

RADIUS Server Verification


Next, you need to ensure that the RADIUS service is started and listening on the
appropriate port.
1. At the command prompt, enter:
netstat -an | find "XXXX"
where XXXX is the port number configured in “RADIUS Server Configuration” on page 6 (1645
by default). RADIUS runs over UDP, so the matching line is a UDP socket, not a TCP one.
2. Check in the Windows NT Services panel that the service “RSA ACE/Server RADIUS daemon”
is started.

ILLUSTRATION 1.7 Netstat

RSA ACE/Server Administration


The authentication methods to be used in this example are static password and keyfob
(token). All administration functions are conducted from the main administration
window.

Main administration window


1. Select Start>Programs>RSA ACE/Server>Database Administration Host Mode.

2. The RSA ACE/Server v. 5.0 Administration window opens. This is the main administration
window.

ILLUSTRATION 1.8 Main administration window

Importing tokens
You must import tokens from an .asc file before the tokens can be assigned to a user.

To import tokens:
1. Select Token>Import Token from the main menu.
2. Insert the token diskette into drive a:\.
3. Select the path to the .asc file from the diskette, and click Open.
4. The Import Status dialog box opens allowing verification that the two demo tokens
were imported.

ILLUSTRATION 1.9 Import Status dialog box

Adding a group
You should next define a group to which users can be added.

To add a group:
1. From the RSA ACE/Server Administration main menu, select Group>Add Group.
2. The Edit Group dialog box opens. Enter a group name and click OK to continue.
ILLUSTRATION 1.10 Edit Group dialog box

Adding a user
Now you can add users to the group created. The way to do this depends on the
authentication method, i.e. keyfob (token) or static password, defined for the user.

Adding a user with a keyfob (token) authentication method


Follow the instructions below to add a user with a keyfob (token) authentication
method. For instructions on how to add a user with a static password authentication
method, please see “Adding a user with a static password authentication method” on page 14.

To add a user with a keyfob (token) authentication method:


1. Enter a user by selecting User>Add User in the main RSA ACE/Server Administration
window. The Add User dialog box opens.
2. Enter at least the last name and default login (User ID) in the appropriate fields.
3. Click the Assign Token button.
ILLUSTRATION 1.11 Add User dialog box

4. In the main Administration window, select Tokens.


5. Select the token you want to assign to this user from the list of tokens on the Select
Token dialog box and click OK to continue.

ILLUSTRATION 1.12 Select Token

6. You should now return to the Edit User window, which now contains the information
that you have defined.
ILLUSTRATION 1.13 Edit User

7. Click the Group Memberships button. The Memberships dialog box opens.
ILLUSTRATION 1.14 Memberships

8. Select the group you created from the Available Groups column.
9. Click Join Group.

10. Click Exit to continue.

Adding a user with a static password authentication method


Follow the instructions below to add a user with a static password authentication
method. For instructions on how to add a user with keyfob (token) authentication,
please see “Adding a user with a keyfob (token) authentication method” on page 12.

To add a user with a static password authentication method:


1. Enter a user by selecting User>Add User in the main RSA ACE/Server Administration
window. The Add User dialog box opens. See illustration “Add User dialog box” on
page 12.
2. Enter at least the name and default login (User ID) in the appropriate fields of the
Add User dialog box.
3. Click on the Set/Change User Password... button.
4. Enter a password of 4-8 digits in the Enter Password and Confirm Password fields.
5. You should now return to the Edit User window, which now contains the information
that you have defined.

ILLUSTRATION 1.15 Edit User

6. Repeat steps 7-10 of the keyfob (token) procedure above to add the user to the group.

Defining Agent Hosts for the Nodes and for the RADIUS Server
The agent hosts must be defined so that users can authenticate from these computers.
The RADIUS server acts as a proxy and must be defined as a virtual client.

The computers to be defined as agent hosts are:


• The nodes of the cluster using the NDI belonging to the NIC in which the CVI
authentication option is defined. In this example there are two nodes - Sophia21 and
Sophia22.
• The computer running the RSA ACE/Server because it also hosts the Radius-to-Ace
proxy, the purpose of which is to forward authentication requests from the nodes to
the RSA ACE/Server.

The definition must be entered for each node plus the RSA ACE/Server itself.

To define the agent hosts:


1. Define a client on the RSA ACE/Server for each of the nodes in the cluster. Select
Agent Host > Add Agent Host.
2. The Edit Agent Host dialog box opens.
ILLUSTRATION 1.16 Edit Agent Host

3. In the Name field, enter the name from the ‘hosts’ file.
4. Click in the Network Address field. The IP address for this name should automatically
populate this field. If not, check the spelling of the name.
5. For Encryption Type, specify DES (Data Encryption Standard).
6. Click on the Group Activations button to activate the group that will be
authenticating from StoneGate. The Group Activations dialog box opens.

ILLUSTRATION 1.17 Group Activations

7. In the Group Activations dialog box, select the group to be activated from the list of
Groups on the left. Click the Activate Group button and the group will appear on the
list of Directly Activated Groups on the right. Click Exit to return to the previous
window.
8. In the Edit Agent Host window, click the Assign/Change Encryption Key button. The
Assign/Change Encryption Key dialog box opens.

ILLUSTRATION 1.18 Assign/Change Encryption Key dialog box

9. Enter the encryption key used to communicate with the RADIUS server on behalf of the
StoneGate cluster. This is the RADIUS shared secret: the key defined here must be
identical to the value entered in the Shared Secret field of the Authentication Server
Properties window in the StoneGate GUI (see Illustration 1.22 on page 21). Choose a long,
random value; it is the only thing that protects the RADIUS exchange between the nodes
and the server.

10. Next, define the agent host for the other node, Sophia22. Use the same parameters
as for Sophia21 and repeat steps 1-9. Illustration 1.19 depicts the agent host
definition used for node Sophia22.
ILLUSTRATION 1.19 Edit Agent Host

11. Finally, define the agent host for the RSA ACE/Server itself (jowcol). Repeat
steps 1-9 described above. Illustration 1.20 depicts the agent host definition of the
RSA ACE/Server itself.

ILLUSTRATION 1.20 Edit Agent Host

The RADIUS server configuration has now been finalized.
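The following Python script is an added example; it is not part of this guide and not a Stonesoft or RSA tool. It builds the RADIUS Access-Request (RFC 2865) that a firewall node sends for a user, hides the User-Password attribute with the shared secret exactly as the protocol requires, and verifies the Response Authenticator of the reply. It lets you exercise the port you checked under “RADIUS Server Verification” and confirm that the shared secret entered in step 9 above is the one the server holds, before StoneGate itself is involved. The server name, port, secret, user, passcode and NDI in the usage call are placeholders, and the values in the built-in check are constructed.

```python
"""Minimal RADIUS Access-Request client (RFC 2865) for testing the ACE/Server RADIUS port. Added example."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; followed by a 16-byte Authenticator


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """What the server does to recover the password; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attributes(data):
    """Return [(type, value), ...]; raises on a truncated or zero-length attribute."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_access_request(ident, username, passcode, secret, nas_ip, authenticator=None):
    """Client side: the packet a firewall node sends; passcode = PIN + tokencode for a SecurID user."""
    if authenticator is None:
        authenticator = os.urandom(16)  # the Request Authenticator must be unpredictable
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(passcode.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = HEADER.pack(code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_authenticator + attrs + secret).digest() + attrs


def verify_response(response, request, secret):
    """True only if the reply answers this request and its authenticator checks out under the secret."""
    if len(response) < 20:
        return False
    code, ident, length = HEADER.unpack(response[:4])
    if ident != request[1] or length < 20 or length > len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def check_response(response, request, secret):
    """Return (code, attributes) of a verified reply; anything that fails verification is treated as forged."""
    if not verify_response(response, request, secret):
        raise ValueError("Response Authenticator does not verify: wrong shared secret or forged reply")
    length = HEADER.unpack(response[:4])[2]
    return response[0], parse_attributes(response[20:length])


def radius_auth(server, port, secret, username, passcode, nas_ip, timeout=5.0):
    """Send one Access-Request over UDP and return the verified reply code (2 accept, 3 reject, 11 challenge)."""
    request = build_access_request(os.urandom(1)[0], username, passcode, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        reply, _ = sock.recvfrom(4096)
    return check_response(reply, request, secret)[0]


if __name__ == "__main__":
    # Placeholders: the ACE server name, its RADIUS port (1645 or 1812), the shared secret from the
    # agent host definition, a test user, the passcode and the NDI the request will leave from.
    print(radius_auth("jowcol", 1645, b"change-me", "jack", "1234567890", "192.168.10.21"))
```

Two things to keep in mind when running it against a live server. A reply whose Response Authenticator does not verify is discarded as forged, so a mismatched shared secret shows up either that way or as an Access-Reject; when the server wants the next tokencode (the “Please enter the next code from your token” prompt seen later in this guide) it answers with Access-Challenge, code 11, which a full client must answer by resending with the State attribute the server supplied. Also note that User-Password hiding is MD5-based obfuscation keyed only by the shared secret, not encryption, which is why the secret should be long and random and the RADIUS traffic confined to the management network.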

RSA ACE Client Setup


The next thing to do is to set up the RSA ACE Client. If you need more information
about the setup, please see Appendix B “RSA ACE Client Setup” on page 46. If you are
already familiar with the RSA ACE Client setup, you can skip Appendix B.

First Contact with Casual ACE Agent


Next, the ACE Agent must make its first contact with the RSA ACE/Server. If you need more
information about this, please see Appendix C “First Contact with Casual ACE Agent” on
page 58. If you are already familiar with this step, you can skip Appendix C.

Creating RADIUS Server and Service in StoneGate
In StoneGate, you must perform the following tasks:
• Create a RADIUS server.
• Create a RADIUS authentication service.
• Create users or a special *external* user.
• Add rules in the Security Policy Manager.
• Check the service number.

At least one CVI in the cluster must be defined for use in authentication, which means it
must use CVI mode A (this determines the interface used for authentication requests).
Enable this by checking the Use as identity for authentication request box.
ILLUSTRATION 1.21 Interface Properties

Creating a RADIUS Server


Next, create a RADIUS server in StoneGate Network Element Manager.

To create a RADIUS server:


1. In the StoneGate Control Panel, open the Network Element Manager. Select the
Repository View and right-click on Servers. From the contextual menu that appears,
select New>Authentication Server.
2. The Authentication Server Properties window opens.

ILLUSTRATION 1.22 Authentication Server Properties window

3. Fill in the fields of the window. Verify that the Port Number field matches the RADIUS
port of the RSA ACE/Server (1645 by default; see “Modifying an Existing Authentication
Service Definition” below for the 1645/1812 mismatch).
4. Enter the shared secret. It must be identical to the encryption key assigned to the
agent host definitions on the RSA ACE/Server. See Illustration 1.18 on page 17.
5. Select the RADIUS radio button in the Type field.
6. Click OK to continue.

Creating a RADIUS Authentication Service


Next, create a RADIUS authentication service in StoneGate User Manager.

To create a RADIUS authentication service:


1. In the StoneGate User Manager, select the Authentication Services tab.
2. Click on the New Authentication service button on the toolbar.

3. The Authentication Service dialog box opens.


ILLUSTRATION 1.23 Authentication Service dialog box

4. Enter a name for the authentication service, select the RADIUS radio button, and
click OK to continue.
5. The new service appears greyed-out on the list of authentication services in the left
panel of the Authentication Services tab. It is greyed-out because it does not yet include
any server.
ILLUSTRATION 1.24 User Manager Authentication Services tab

6. Drag and drop the ‘RadiusServer’ that you created from the right panel to the left
panel under the RADIUS authentication service. The server is now activated.

ILLUSTRATION 1.25 RADIUS server activated

7. Create a group profile for all users authenticating to the RSA ACE/Server. In the
User Manager User Directory tab, expand the ‘InternalDomain’.
8. Right-click on the ‘stonegate’ domain. Select New>Group from the contextual menu
that appears.
9. The Group Properties dialog box opens.
ILLUSTRATION 1.26 GroupProperties dialog box

10. Enter a name for the group profile and click the Authentication tab.
11. Drag and drop the authentication service created to the Bound Authentication Services
panel. Click OK to continue.

ILLUSTRATION 1.27 Group Properties Authentication tab

Modifying an Existing Authentication Service Definition


The RADIUS server in the RSA ACE/Server listens on port 1645 by default, the port RADIUS
originally used. The RADIUS service element defined in StoneGate uses port 1812, the port
IANA later assigned to RADIUS (RFC 2865). The port number of one or the other product must
therefore be changed so that both sides agree.

Note: If you change the port number on the RSA ACE/Server, you must also edit the
‘services’ file on the Windows NT server and change the record for the RADIUS service
port. The protocol in that record must be udp (not tcp), because RADIUS runs over UDP.
The other option is to modify the definition of the StoneGate RADIUS service, as shown
in Illustration 1.29.

Instead of modifying the default “RADIUS” service, you can create a new one (for example
radius-udp1645, with destination port UDP 1645) and use it in the security policy. In that
case, create a rule in the Security Policy Manager that allows the cluster to communicate
with the RSA ACE/Server using the new service.

To modify an existing service:


1. In the Service Properties panel located in the Service Manager Services tab, modify the
destination port of the RADIUS service. Change the port number in the Dst Ports
field from 1812 to 1645. Illustration 1.28 depicts the situation before the change.

ILLUSTRATION 1.28 Service Manager, before

Illustration 1.29 depicts the situation after changing the destination port number.
ILLUSTRATION 1.29 Service Manager, after

There is no need to add a rule in the rule base to allow RADIUS traffic from the nodes
to the RADIUS server because the RADIUS service is already defined in the default
rules.

ILLUSTRATION 1.30 Security Policy Manager

When you click the View Inherited Rules button on the toolbar, all inherited rules are
displayed. The RADIUS service is in rule 7 (the rule labelled ‘RADIUS service’ in
Illustration 1.31).
ILLUSTRATION 1.31 Security Policy Manager

Creating an External User


Next, you need to create an *external* user profile. This is a special user profile that
passes the actual user ID typed at login (not *external*) to the RSA ACE/Server together
with the credentials supplied (static password or token passcode) for authentication. This
is the preferred method for authenticating against the RSA ACE/Server. Otherwise, you
need to create a user profile in StoneGate for every user that will authenticate to the
RSA ACE/Server, and maintain the same list on the RSA ACE/Server.

To create an *external* user:


1. In the User Manager, expand ‘InternalDomain’ and ‘stonegate‘ domain. Right-click
on the group created above and select New>User. The User Properties dialog box
opens.
ILLUSTRATION 1.32 User Properties

2. In the General tab, define *external* as the UserName. Select the Always Active check
box or set the expiration parameters. Click OK to continue.
3. Select the Authentication tab and drag and drop the RADIUS service to the panel on
the right listing bound authentication services. For an *external* user you do not
specify any password here, because the credentials are verified by the RADIUS server.
Click OK to continue.
ILLUSTRATION 1.33 User Properties Authentication tab

The *external* user has now been created and it appears in the user directory of the
User Manager as depicted in Illustration 1.34.
ILLUSTRATION 1.34 User Manager, User Directory tab

4. In the Security Policy Manager, open the Access Rules tab.


ILLUSTRATION 1.35 Security Policy Manager Access Rules tab

5. Double-click in the Authentication field. The Authentication Parameters dialog box
opens.

ILLUSTRATION 1.36 Authentication Parameters, Parameters tab

6. Select the Parameters tab.


7. In the Method area, select the Require Authentication check box. Authentication is
applied to this rule only if it is checked; if unchecked, no authentication takes place
and the other parameters have no effect. If you also select the Firewall-initiated
Authentication check box, the firewall itself initiates the authentication connection,
for use when the client cannot be fully trusted to do so.
8. In the Authorize area, select either:
• Connection to authorize a single connection per authentication until the time-out
expires. Every new connection requires a new authentication. Set the Time-out in
milliseconds.
• Client IP to authorize all connections from the IP address of the authenticated user
until the time-out expires. Set the Time-out in milliseconds.
9. Click the Authentication Services tab to display the embedded Authentication Service
View and select the authentication services accepted by the rule.
10. Expand the Authentication Service View as necessary and select an authentication
service.
11. Click Add to include the service in the Accepted Authentication Services list on the right.
You can remove services from the list by selecting one and clicking the Remove
button.

12. Click OK to validate your settings.


ILLUSTRATION 1.37 Authentication Parameters, Authentication Services tab

Adding Rules in the Security Policy Manager


The nodes communicate with the RSA ACE/Server using the IP address defined as Default
for Outgoing Connections on the NDI interface of the firewall cluster element. The
service used is RADIUS (or radius-udp1645 if you decided to create a new service).
1. In the Security Policy Manager, select first the User View from the selection box.
Then drag and drop the *external* user to the Users field.
2. Drag and drop the “RADIUS” authentication service to the Authentication field.
3. Save and install the security policy.

Illustration 1.38 depicts the situation before.

ILLUSTRATION 1.38 Security Policy Manager, before

Illustration 1.39 depicts the situation after.


ILLUSTRATION 1.39 Security Policy Manager, after

The RADIUS Server setup is now complete.

Authentication
After the RADIUS server setup, you should check that it is operating properly. Try to
authenticate using either Authentication Client or Telnet 2543. The Authentication
Client is part of StoneGate VPN Client.

Using Authentication Client authentication


Follow the steps below to authenticate using the Authentication Client.

To authenticate using the Authentication Client:


1. Select Start>Programs>StoneGate>VPN Client.
2. The main page of StoneGate VPN Client opens on your default browser.
3. Select option Firewall > Authentication.
ILLUSTRATION 1.40 VPN Client Authentication main page

4. The User Authentication page opens. Type in the name or the address of the
StoneGate Security Gateway.

ILLUSTRATION 1.41 User Authentication

5. When you use Authentication Client authentication, an Authentication Required prompt
opens.

ILLUSTRATION 1.42 Authentication Required

6. Enter the username, domain, and password and click the Submit button. For a token user
the password is the SecurID passcode: the PIN (4 digits in this example) followed by the
tokencode currently shown on the keyfob (6 digits). For a user with a static password,
enter that password.
7. The Authentication Finished page opens. It informs you whether the authentication
has been successful.

Using simple Telnet authentication


If you do not have an authentication client (StoneGate VPN Client) installed, open a
Telnet connection to the gateway address on StoneGate authentication port 2543 and answer
the login and password prompts. Telnet carries the credentials in clear text; a one-time
tokencode limits the exposure, but a static password typed this way can be captured on
the path, so use it only on a trusted network.
ILLUSTRATION 1.43 Telnet connection

Troubleshooting
The following screenshot from the Log Browser shows a typical error caused by a DNS
server or ‘hosts’ file that was not correctly configured.

Illustration 1.44 shows that the firewall tried to authenticate a user three times
without success because, in our case, the ‘hosts’ file was not correctly configured and
the IP address could not be resolved into a host name (reverse lookup).
ILLUSTRATION 1.44 Reverse lookup

Authenticating if there are Several Authentication Services


StoneGate can use the following authentication services:
• UserPassword
• IPSec Certificate
• Radius
• TACACS+

The authentication service used for a connection is chosen by the firewall engine unless
the user specifies it as part of the user name. In all versions of StoneGate (up to and
including 1.6.2) the firewall chooses the first authentication service in the user's LDAP
entry. However, the list of a user's authentication services is not ordered (it is
actually a group), so the firewall may not choose the service shown topmost in the GUI.
To guarantee predictable behaviour, the administrator should bind only one authentication
service to each user, or users should always specify the authentication service when
authenticating.

The full syntax of the user name field in the authentication process is the following:

username[@domain][;authentication_service]

If the user does not belong to the default domain of the management server, [@domain]
needs to be specified. If the user has more than one authentication service, it is
necessary to specify [;authentication_service].

The variables pictured in square brackets are optional. The ability to set these
parameters makes most general cases simple to specify while delivering run-time
flexibility for expert users.

Examples
In a typical general (simple) case, an authentication window appears in the VPN Client
in response to a firewall-initiated authentication request. Only one authentication
service is set for John, a user belonging to the default domain* so he must enter the
following data in the authentication window:
User name: john
Domain:
Password: secret

In a more complicated case, a user named Jack normally authenticates with a static
password when he is local to the corporate network. He occasionally travels, and while
on the road authenticates using a SecurID card. On the road (e.g.) with only a personal
digital assistant, he uses Telnet to authenticate to firewall port 2543:
SG login: jack@stonegizmo.com;ace
Enter PASSCODE: 624982
Please enter the next code from your token: 863077
PASSCODE Accepted
Access granted

While he is in the office, he enters:

SG login: jack@stonegizmo.com;LDAP password on stonegizmo.com
Password: secret2
Access granted

* There may be several authentication domains, but only one is marked as the default
domain. If a domain has not been specified for a user, the default domain is used.
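The following Python code is an added example, not part of this guide or of StoneGate. parse_login splits a login field written in the username[@domain][;authentication_service] syntax above and applies the default domain; select_service encodes the recommendation of this section rather than the engine's behaviour: when a user has several bound services and named none, it refuses to guess instead of imitating the unordered pick. The sample logins are the ones from the examples above; the assumption that user names contain neither ‘@’ nor ‘;’ is mine, not the guide's.

```python
"""Parse the StoneGate login syntax username[@domain][;authentication_service]. Added example."""
from typing import NamedTuple, Optional


class Login(NamedTuple):
    username: str
    domain: str
    service: Optional[str]  # None: the user named no service, so the engine has to pick one


def parse_login(field, default_domain):
    """Split a login field; the domain defaults, the service is everything after the first ';'.

    Assumption (mine, not the guide's): user names contain neither '@' nor ';'. Service names
    may contain spaces, as in "LDAP password on stonegizmo.com", so nothing is split on
    whitespace.
    """
    user_part, has_service, service = field.strip().partition(";")
    service = service.strip()
    if has_service and not service:
        raise ValueError("';' given without an authentication service name")
    username, has_domain, domain = user_part.partition("@")
    username, domain = username.strip(), domain.strip()
    if not username or (has_domain and not domain):
        raise ValueError(f"malformed login {field!r}")
    return Login(username, domain if has_domain else default_domain, service or None)


def select_service(login, bound_services):
    """Pick the service to use; refuses to guess where the engine's choice would be unpredictable."""
    if login.service is not None:
        if login.service not in bound_services:
            raise LookupError(f"{login.service!r} is not bound to {login.username}")
        return login.service
    if len(bound_services) != 1:
        raise LookupError(f"{login.username} has {len(bound_services)} bound services and named "
                          "none; bind exactly one or log in as user;service")
    return next(iter(bound_services))


if __name__ == "__main__":
    jack = parse_login("jack@stonegizmo.com;ace", "stonegate")
    print(jack, select_service(jack, {"ace", "LDAP password on stonegizmo.com"}))
```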

APPENDICES
APPENDIX A RSA ACE/Server Installation

Start the RSA ACE/Server setup by installing the software and the patches.

To install the RSA ACE/Server for Windows NT:


1. Insert the RSA ACE/Server CD (assuming the CD-ROM drive is d:\). Run the installation program
d:\aceserver\nt_i386\setup.exe and follow the instructions in the setup wizard.
2. The Welcome window of the RSA ACE/Server for Windows NT setup program opens. Click
Next to continue.

ILLUSTRATION A.45 RSA ACE/Server Windows NT Setup program Welcome window

3. The following window provides version information. Click Next to continue.


ILLUSTRATION A.46 RSA ACE/Server 5.0 Welcome window

4. The License Agreement window opens. Read it through carefully. If you accept the agreement,
click Yes to accept and continue.

ILLUSTRATION A.47 License Agreement

5. The New Input Files window opens. On the Primary server, insert the Primary Server License
diskette into drive A:\. Click Next to continue.
ILLUSTRATION A.48 New Input Files

6. The Available Input Files window lists all the currently available input files. Click Next to
continue.

ILLUSTRATION A.49 Available Input Files

7. In the Installation Directory window, enter the pathname to the destination directory. Use
standard defaults to install the server to c:\ace5\. Click Next to continue.
ILLUSTRATION A.50 Installation Directory

8. In the Installation Options window, select the items you want to install. A successful
configuration requires at least a New Primary RSA ACE/Server. Click Next to continue.

ILLUSTRATION A.51 Installation Options

9. The Start Copying Files window lists the current settings. Click Next to copy the files.
ILLUSTRATION A.52 Start Copying Files

10. You must restart the computer before you can use the RSA ACE/Server you installed. In the
Installation Complete window select the Yes, I want to restart my computer now radio button,
remove all disks from the disk drives, and click the Finish button. If required, install the
appropriate service pack for the RSA ACE/Server 5.0.

ILLUSTRATION A.53 Installation Complete

APPENDIX B RSA ACE Client Setup

Catool is a certificate utility tool provided with the ACE Client in order to create certificates and
keys used by the Client when communicating with the RSA ACE/Server.

Catool Installation
Follow the steps below for Catool installation.

To install Catool:
1. Install the Catool that comes with the agent. Select Start > Programs > ACE Agent > RSA ACE
Agent Certificate Utility. The Welcome window opens. Click Next to continue.

ILLUSTRATION B.54 RSA ACE/Agent Certificate Utility

2. The Software License Agreement window opens. Read it through carefully. If you accept the
license agreement, click Yes to continue.
ILLUSTRATION B.55 Software License Agreement

3. The Choose Destination Location window opens. Choose a folder and click Next to continue.
ILLUSTRATION B.56 Choose Destination Location

4. In the Select Program Folder window, choose a program folder in which to store the program
icons that will be added. Click Next to continue.
ILLUSTRATION B.57 Select Program Folder

5. The Setup Complete window will inform you when the setup is complete. Exit the program by
clicking Finish.
ILLUSTRATION B.58 Setup Complete

6. Next, create a new root certificate and key. In the RSA ACE/Agent Certificate Utility dialog box,
define the current directory (by default in C:\Program Files\SDTI\RSA ACE Agent..).
Click the New Root Certificate and Keys button.
ILLUSTRATION B.59 RSA ACE/Agent Certificate Utility

7. The Create New Certificate and Keys dialog box opens.

ILLUSTRATION B.60 Create new Certificate and Keys

8. You will receive a notification when the root certificate and keys are successfully created.
ILLUSTRATION B.61 RSA Security Inc. Certificate Tool

NT Agent Installation
Next, you need to install the NT agent.

Installing the agent itself


If you receive the warning shown in Illustration B.62, check that the service “RSA
ACE/Server RADIUS daemon” is started.
ILLUSTRATION B.62 Warning

To install the agent:


1. Before you start the agent installation, copy c:\ace5\data\sdconf.rec from the RSA
ACE/Server machine to c:\winnt\system32\ on the Agent machine. If the RSA ACE/Server runs on
UNIX, copy /ace5/data/sdconf.rec from the RSA ACE/Server machine to c:\winnt\system32\ on
the Agent machine instead. This record contains the RSA ACE/Server configuration that the
ACE client uses when establishing contact with the RSA ACE/Server.
2. Insert the SecurSight Agent CD.
3. Run the SecurSight Agent installation program d:\acecInt\nti386\agent.exe.
4. The RSA ACE/Agent for Windows NT setup program Welcome window is displayed. Click
Next to continue.

ILLUSTRATION B.63 Welcome window

5. The Software License Agreement window opens. Read the license through carefully. If you
accept it, click Yes to continue.


ILLUSTRATION B.64 Software License Agreement

6. In the Select Components window, select Network Access Authentication (Client). Click Next to
continue.
ILLUSTRATION B.65 Select Components


7. In the Location of Root Certificate window, enter the path of the “sdroot.crt” file previously
created with Catool. Click Next to continue.
ILLUSTRATION B.66 Location of the Root Certificate “sdroot.crt”

8. In the Select Root Cert dialog box, select the root certificate and click Open.
ILLUSTRATION B.67 Select Root Cert

9. In the Location of Root Certificate “sdroot.crt” window, click Next to continue.


ILLUSTRATION B.68 Location of Root Certificate “sdroot.crt”

10. In the following window, enter the path to your RSA ACE/Server configuration record and
click Next to continue. This file was created earlier as depicted in Illustration 1.4, “RSA ACE/
Server Configuration Management,” on page 7 and it is now copied to this location.
ILLUSTRATION B.69 Location of RSA ACE/Server configuration record “sdconf.rec”


11. Follow the program registration instructions in this window. Click Next to continue.
ILLUSTRATION B.70 RSA ACE/Agent Registration

12. In the Setup Complete window, click Yes, I want to restart my computer now, remove all disks from
disk drives, and click Finish to complete the setup.


ILLUSTRATION B.71 Setup complete

APPENDIX C First Contact with Casual ACE Agent

Next, make the first contact with the ACE Agent. This initial contact is done once and does
not need to be repeated for each user. Later on, the users will connect using the
Authentication Client.

Note: If you have engine version 774 or higher, this operation can be performed
directly from the first authentication, using either Telnet (port 2543) or an Authentication
Client connection from the StoneGate VPN Client.

1. After reboot, start the Log Monitor on the RSA ACE/Server from
Start>Programs>RSA ACE>Log Monitor. The Log Monitor assists you in
configuring and troubleshooting. Complete the definitions and click OK to
continue.


ILLUSTRATION C.72 Log Monitor Selection Criteria

2. An empty window will open. This window will display a note confirming
whether or not the authentication has been accepted.

ILLUSTRATION C.73 RSA ACE/Server Log Monitor

3. From the client, run Start>Programs> RSA ACE>Authentication test.

4. When starting the client on Win2000 Professional, you may see the following
warning. Click OK to continue.
ILLUSTRATION C.74 RSA ACE/Agent Authentication Test

5. The RSA SecurID Authentication Information window opens.


ILLUSTRATION C.75 RSA SecurID Authentication Information

6. Click the RSA ACE/Server Test Directly button. This will connect to the local
RSA ACE/Server (IP address 0.0.0.0) because the client is currently running
on the same machine as the RSA ACE/Server.
7. The RSA SecurID Authentication dialog box opens.
ILLUSTRATION C.76 RSA SecurID Authentication

8. Enter the UserName and the first passcode that were entered when the user was defined.
Click OK to continue.

9. The RSA ACE/Server Log Monitor window opens. This window contains
information about the authentication attempt of the user called ‘userpwd’.
Click Exit to continue.
ILLUSTRATION C.77 RSA ACE/Server Log Monitor

10. A New PIN dialog box opens. Because this was the first successful
authentication, the user is asked to change the PIN code.
11. Enter a new PIN code and its confirmation. Click OK to continue.

ILLUSTRATION C.78 New PIN


12. The RSA ACE/Agent Authentication Test dialog box opens. It confirms whether
the new PIN has been accepted. Click OK to continue.
ILLUSTRATION C.79 RSA ACE/Agent Authentication Test

13. The RSA ACE/Server Log Monitor window opens. It now contains information
about the authentication. Illustration C.80 depicts the situation for user
‘userpwd’. Click OK to continue.
ILLUSTRATION C.80 RSA ACE/Server Log Monitor

14. Next, perform steps 7-13 with user ‘userkeyfob’. First, enter the UserName
and the first passcode entered when defining the user.
15. You are asked to change the PIN code. Enter a new PIN code.

ILLUSTRATION C.81 New PIN

16. A dialog box confirms whether or not the authentication has been successful.
ILLUSTRATION C.82 RSA ACE/Agent Authentication Test

17. Using the RSA ACE/Server Log Monitor, check that the actions you have
taken have been accepted. See Illustration C.83 on page 65.


ILLUSTRATION C.83 RSA ACE/Server Log Monitor
