RSA Authentication Manager to IDENTIKEY Authentication Server MIGRATION GUIDE


1 RSA Authentication Manager to IDENTIKEY Authentication Server

RSA Authentication Manager to IDENTIKEY Authentication Server

Disclaimer

Disclaimer of Warranties and Limitation of Liabilities

All information contained in this document is provided 'as is'; VASCO Data Security assumes no responsibility for its accuracy and/or completeness.

In no event will VASCO Data Security be liable for damages arising directly or indirectly from any use of the information contained in this document.

Copyright

Copyright © 2013 VASCO Data Security, Inc, VASCO Data Security International GmbH. All rights reserved. VASCO®, Vacman®, IDENTIKEY AUTHENTICATION®, aXsGUARD™ and the DIGIPASS® logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. VASCO Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Products, updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, database rights and all other intellectual and industrial property rights in the U.S. and other countries. Microsoft and Windows are trademarks or registered trademarks of Microsoft Corporation. Other names may be trademarks of their respective owners.


Table of Contents

1 Introduction
2 RSA Authentication Manager Architecture
3 Migration architecture
3.1 General overview
3.2 RADIUS Authentication with IDENTIKEY Authentication Server and RSA Authentication Manager
4 Final architecture
4.1 General Overview
4.2 RADIUS Authentication with IDENTIKEY Authentication Server
5 RSA Authentication Manager Configuration
5.1 User configuration
5.2 RADIUS client and Authentication Agent
6 IDENTIKEY Authentication Server configuration
6.1 Set time and date
6.2 Policy Configuration
6.3 RADIUS Client configuration
6.4 RADIUS Back-End configuration
6.5 User Configuration
6.6 DIGIPASS configuration
7 Migration scenario details
7.1 Dynamic User Registration (DUR)
7.2 Migration results
8 About VASCO Data Security


1 Introduction

This white paper describes the migration of an existing RSA Authentication Manager implementation, used in conjunction with a RADIUS-enabled system (e.g. firewall, VPN, SSL VPN or NAS), to a VASCO solution based on IDENTIKEY Authentication Server and the DIGIPASS products.

We have tested this migration with:

RSA ACE Server 6.0
RSA Authentication Manager 7.1 (used in this guide)

We assume that the person performing the migration has experience installing RSA Authentication Manager and IDENTIKEY Authentication Server. This document guides you through the migration process and shows the individual configuration steps.


2 RSA Authentication Manager Architecture

Figure 1 illustrates a typical deployment architecture: a VPN or SSL VPN system using RADIUS authentication against the RSA Authentication Manager.

Figure 1: RSA Authentication Manager Architecture

The RSA Authentication Manager is typically set up with its built-in RADIUS server. Over the RADIUS protocol, the VPN or SSL VPN checks whether a user is allowed onto the network after entering a correct one-time password (OTP) generated by the user's SecurID token.


3 Migration architecture

3.1 General overview

The concept is simple: the IDENTIKEY Authentication Server is installed as a front-end to the RSA Authentication Manager.

The IDENTIKEY Authentication Server therefore receives every RADIUS authentication request that used to go to the RSA Authentication Manager. Initially the users do not exist on the IDENTIKEY Authentication Server, so it transparently forwards each request (using back-end RADIUS authentication) to the RSA Authentication Manager, which verifies the user's credentials, i.e. the SecurID passcode.

The Dynamic User Registration (DUR) feature of the IDENTIKEY Authentication Server must be enabled, so that users are created automatically in its own user database on their first successful logon. When a user's SecurID token reaches its end of life, that user's authentication is no longer sent to the back-end RSA Authentication Manager but handled locally, and a DIGIPASS is assigned to the user.

DUR and back-end authentication together make the IDENTIKEY Authentication Server easy to deploy in front of an existing system (see the following sections).

Figure 2: Migration architecture


3.2 RADIUS Authentication with IDENTIKEY Authentication Server and RSA Authentication Manager

1. A remote user initiates a VPN or SSL VPN connection.
2. The VPN box submits a RADIUS authentication request to the IDENTIKEY Authentication Server.
3. The IDENTIKEY Authentication Server performs a back-end authentication request to the RSA Authentication Manager.
4. The RSA Authentication Manager performs its verification and returns the result to the IDENTIKEY Authentication Server.
5. The IDENTIKEY Authentication Server forwards the result to the VPN box.
6. The VPN box takes the appropriate action based on the returned RADIUS result.


4 Final architecture

4.1 General Overview

Authentication is now handled by the IDENTIKEY Authentication Server and no longer goes to the RSA Authentication Manager. A DIGIPASS is assigned to each user, who then uses it instead of the RSA token. This way the migration is straightforward and causes little disruption for end users and administrators.

Figure 3: Final architecture

4.2 RADIUS Authentication with IDENTIKEY Authentication Server

1. A remote user initiates a VPN or SSL VPN connection.
2. The VPN box submits a RADIUS authentication request to the IDENTIKEY Authentication Server.
3. The IDENTIKEY Authentication Server performs the OTP verification itself.
4. The VPN box takes the appropriate action based on the returned RADIUS result.


5 RSA Authentication Manager Configuration

5.1 User configuration

On our system we created a user vasco on the RSA Authentication Manager with an RSA SecurID key fob assigned, configured to be used without a static PIN/password. This is a test setup: without a PIN the tokencode alone is a single factor, so a production token should keep its PIN.

Figure 4: vasco user in RSA Authentication Manager


5.2 RADIUS client and Authentication Agent

The RADIUS client and the Authentication Agent can be added in one step.

Go to RADIUS > RADIUS Clients > Add New.

Figure 5: RADIUS client and Authentication Agent (1)

As the Client Name, fill in the FQDN of the IDENTIKEY Authentication Server. Fill in its IP Address and the Shared Secret. Then click Save and Create Associated RSA Agent.

Figure 6: RADIUS client and Authentication Agent (2)


You are now taken automatically to the new Authentication Agent page. Select the RADIUS profile that you want to use.

Figure 7: RADIUS client and Authentication Agent (3)

Click Save to continue.

Figure 8: RADIUS client and Authentication Agent (4)


The IDENTIKEY Authentication Server has now been added automatically to the authentication agents.

Figure 9: RADIUS client and Authentication Agent (5)


6 IDENTIKEY Authentication Server configuration

6.1 Set time and date

Most DIGIPASS use a time-based algorithm to generate the one-time password, and their internal real-time clock is set to GMT (UTC) at production. It is therefore important to set the date, time and time zone of the server running the IDENTIKEY Authentication Server correctly, so that UTC can be derived correctly. A wrong time zone shifts the server's idea of UTC by whole hours, far outside any acceptance window, and every time-based OTP is rejected even though the tokens themselves are fine.

Figure 10: Setting correct date, time and time zone

You can also use the NTP settings to obtain the correct time from an NTP server; prefer a trusted internal time source where one exists.

Figure 11: Using NTP settings
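To see why the server clock matters, the following Python computes a standard time-based OTP (RFC 6238 TOTP with HMAC-SHA1) and verifies it against server clocks that are correct, slightly off, and mis-set by one hour. It is an added example written for this guide, not VASCO's DIGIPASS algorithm; the seed, step length, digit count and acceptance window are assumptions chosen so that the RFC's reference vectors apply.

```python
import hashlib
import hmac
import struct

# Constructed values: the seed is the RFC 6238 reference seed standing in for
# a token secret; DIGIPASS uses its own scheme, so only the time dependency
# shown here carries over. Step and digit count are assumptions.
SEED = b"12345678901234567890"
STEP = 30
DIGITS = 8


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack("!Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack("!I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: counter = floor(UTC seconds / step). The token's clock is
    UTC, so the server must derive UTC as well; a mis-set time zone moves the
    counter by hours' worth of steps."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, otp: str, server_time: int, window: int = 1,
                step: int = STEP, digits: int = DIGITS):
    """Accept an OTP for the server's current step or up to `window` steps
    either side; return (accepted, offset) so clock drift can be logged."""
    base = server_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + delta, digits), otp):
            return True, delta
    return False, None


def skew_demo(token_time: int, server_offsets=(0, 29, 45, 3600)) -> dict:
    """For one OTP produced at token_time, report whether a server whose clock
    is off by each offset (seconds) would accept it."""
    otp = totp(SEED, token_time)
    return {off: verify_totp(SEED, otp, token_time + off)[0] for off in server_offsets}


if __name__ == "__main__":
    print(skew_demo(1111111109))
```

With a one-step window the 29-second error still passes, the 45-second error already fails, and the one-hour error (a wrong time zone) fails by 120 steps. The symptom on the IDENTIKEY side is that every OTP from every token is rejected, which is why this section comes before any user is migrated.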


6.2 Policy Configuration

A RADIUS client needs a policy that specifies the settings it works with. For now we create a new policy starting from blank. Select Policy > Create.

Figure 12: Policy Configuration (1)

Fill in the Policy ID and an optional description. As we are creating a blank policy, set Inherits from to None and click Create.

Figure 13: Policy Configuration (2)


You will now see the message that the policy was created successfully; click Click here to manage your policy.

Figure 14: Policy Configuration (3)

In the general Policy tab, click the Edit button.

Figure 15: Policy Configuration (4)


Set Local Authentication to None,
Back-End Authentication to Always and
Back-End Protocol to RADIUS.

Click the Save button.

Figure 16: Policy Configuration (5)

You will now see the changed settings in the next screen.

Select the Policy User tab (not the general USERS tab) and click the Edit button.

Figure 17: Policy Configuration (6)


Set Dynamic User Registration to Yes and click the Save button. Keep in mind that while DUR is enabled, every user the RSA back-end accepts is created automatically in the IDENTIKEY database, so set it back to No once the last user has been migrated.

Figure 18: Policy Configuration (7)

That is it for the policy; now let us use it in the RADIUS client.


6.3 RADIUS Client configuration

The RADIUS client is the system the RADIUS requests originate from. In our test environment this is a server running the VASCO RADIUS Simulator; normally it is a NAS, VPN or web client.

Select Clients > Register.

Figure 19: RADIUS Client configuration (1)

Client Type in this case is RADIUS Client, and Location is the originating IP address of the RADIUS requests. Choose the Policy you created in the previous section and select RADIUS as the Protocol ID. Finally fill in a shared secret (it must match the one configured on the client) and click the Create button.

Figure 20: RADIUS Client configuration (2)


6.4 RADIUS Back-End configuration

The RADIUS back-end is the RSA Authentication Manager, so create it with that server's details.

Select Back-End > Register Radius Back-End.

Figure 21: RADIUS Back-End configuration (1)

The required fields are Back-End Server ID (a name for this server), Domain Name (which IDENTIKEY Authentication Server domain to use), Authentication IP Address (IP address of the RSA Authentication Manager), Authentication Port (the port its RADIUS server listens on) and Shared Secret (the one entered in section 5.2). It is best to fill in Timeout and Retries as well. Click the Create button to save the settings.

Figure 22: RADIUS Back-End configuration (2)


Once the RADIUS settings are done, it is a good time to test the original configuration before changing any user details or migrating anyone to a DIGIPASS. This is explained in section 7.1 Dynamic User Registration.


6.5 User Configuration

The following steps only work once the user is known through the DUR (Dynamic User Registration) procedure, i.e. the user has authenticated once through the IDENTIKEY Authentication Server, which created the user locally.

They are necessary when a user has to be migrated from an RSA token to a DIGIPASS. These settings are changed per user, because they override the policy values.

Select Users and click the user you want to migrate.

Figure 23: User Configuration (1)

Under the User Account settings click the Edit button.


Figure 24: User Configuration (2)


Set Local Authentication to Digipass/Password and Back-End Authentication to None; click Save to continue.

Figure 25: User Configuration (3)

The user is now set up to work with a DIGIPASS, so let us assign one to this user.


6.6 DIGIPASS configuration

In the same user detail settings, go to the Assigned Digipass tab and click the Assign button.

Figure 26: DIGIPASS configuration (1)

If only a few DIGIPASS are imported on your system, the easiest way is to change the On Clicking Next value to Search now to select Digipass to assign and click Next. Otherwise you will have to search for part of the serial number, or search for a certain type of application or a certain type of DIGIPASS.

Figure 27: DIGIPASS configuration (2)

Now select the DIGIPASS you want to assign and click Next.


Figure 28: DIGIPASS configuration (3)

You can now change the grace period if required and click Assign to complete these steps.

Figure 29: DIGIPASS configuration (4)


The DIGIPASS is now assigned to the user and can be used. Click Finish to return to the first screen.

Figure 30: DIGIPASS configuration (5)


7 Migration scenario details

7.1 Dynamic User Registration (DUR)

We test the vasco user with the VACMAN RADIUS Client Simulator from VASCO.

The VACMAN RADIUS Client Simulator is a program that simulates RADIUS authentication and accounting processing in the same way as RADIUS-enabled NAS and firewall devices. The simulator can be used to test user (static-password) authentication and DIGIPASS password authentication, estimate RADIUS server performance, overload the system, and assist in detecting resource (memory, handle, etc.) leaks.

When we open the simulator we first have to change a few settings. Server IP must be the IP address of the IDENTIKEY Authentication Server. Set Auth. Port to 1812 and Acct. Port to 1813. These are the default values; if you changed them during the installation of your IDENTIKEY Authentication Server, fill in your ports. Next fill in the Shared Secret configured for the RADIUS client in section 6.3.

Click one of the yellow ports to enter a User ID and password.

Figure 31: RADIUS Client Simulator configuration


In the User ID field enter vasco (the test user we created).

In the Password field enter the RSA SecurID PASSCODE (the one-time password).

Click Login to test the authentication for this user. Also note the RADIUS attributes returned by the RSA back-end.

Figure 32: Successful logon with original users

Once the user vasco has logged in successfully, the user is created automatically in the IDENTIKEY Authentication Server (Dynamic User Registration). From now on you can follow the steps in section 6.5 User Configuration.
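The exchange the simulator drives here is the one listed in section 3.2: an Access-Request carrying User-Name and a PAP-obfuscated User-Password, answered by an Access-Accept or Access-Reject whose Response Authenticator is keyed with the shared secret from sections 5.2, 6.3 and 6.4. The following Python is an added example written for this guide, not VASCO's simulator or IDENTIKEY code; the shared secret, Request Authenticator, NAS address and credentials in it are constructed values. It builds and parses both packets and shows the check the VPN box (step 6) must perform on the reply.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# Constructed values for this example, not from the guide. A real client uses
# 16 fresh random bytes as the Request Authenticator for every request; the
# fixed one here only makes the packet bytes reproducible.
SECRET = b"example-shared-secret"
FIXED_AUTHENTICATOR = bytes(range(16))

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes and XOR each block
    with MD5(secret + previous ciphertext block); the first block uses the
    Request Authenticator. This hides the password only from an observer who
    lacks the secret, so the secret must be long and random."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_decrypt(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt; this is what the RADIUS server does."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    # Attribute = Type (1 byte), Length (1 byte, including this header), Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    """Parse the attribute list, refusing lengths that run past the packet."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("malformed RADIUS attribute")
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident: int, username: str, password: str, secret: bytes,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Step 2 of section 3.2: the packet the VPN box (or the simulator) sends."""
    authenticator = authenticator if authenticator is not None else os.urandom(16)
    attrs = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, pap_encrypt(password.encode(), secret, authenticator)),
        (NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),   # documentation address
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Step 5: the reply. Response Authenticator =
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Step 6 has to start here: a client that skips this check accepts a
    forged Access-Accept from anyone able to spoof the server's address."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)
```

Two points matter for the migration. The shared secret is the only thing protecting the password and the accept/reject decision on the wire, so the value typed into the RSA client entry (5.2), the IDENTIKEY client entry (6.3) and the back-end entry (6.4) should be long and random, not a word. And an Access-Accept that fails verify_response must be treated as a reject; a mismatch between the secrets on the two ends shows up as exactly that failure.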


7.2 Migration results

Once the user's properties and settings have been changed to work with a DIGIPASS, you will see that the authentication returns no RADIUS attributes. This shows that the authentication was performed by the IDENTIKEY Authentication Server itself rather than forwarded to the RSA back-end.

Figure 33: Migration results

From now on, users can be migrated to a DIGIPASS one at a time, when their SecurID token reaches end of life or sooner.
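Sections 3.1, 6.2, 6.5 and 7.2 describe one decision procedure: a policy that always forwards to the back-end and registers users on success, then per-user overrides that switch a migrated user to local DIGIPASS verification. The following Python models that procedure end to end so the two observable results of section 7 (attributes from the RSA back-end before migration, none after) can be checked. It is an added example written for this guide, not IDENTIKEY or RSA code; the user name, passcode, DIGIPASS serial and OTP are constructed test data and the back-end is a stand-in.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Policy:
    # Values from section 6.2: no local authentication, always forward to the
    # back-end, and register unknown users on their first successful logon.
    local_auth: str = "none"
    backend_auth: str = "always"
    dynamic_user_registration: bool = True


@dataclass
class User:
    name: str
    # Per-user overrides of the policy (section 6.5); None means "inherit".
    local_auth: Optional[str] = None
    backend_auth: Optional[str] = None
    digipass_serial: Optional[str] = None


class RsaBackend:
    """Stand-in for the RSA Authentication Manager reached over back-end RADIUS.
    It knows the passcode each SecurID user would produce right now and, like
    the real server, returns RADIUS attributes with its Access-Accept."""

    def __init__(self, passcodes: Dict[str, str]):
        self.passcodes = passcodes

    def authenticate(self, name: str, password: str) -> Tuple[bool, dict]:
        expected = self.passcodes.get(name)
        if expected is None or not hmac.compare_digest(expected, password):
            return False, {}
        return True, {"Reply-Message": "authenticated by RSA back-end"}


class IdentikeyFrontend:
    def __init__(self, policy: Policy, backend: RsaBackend, digipass_otps: Dict[str, str]):
        self.policy, self.backend = policy, backend
        self.users: Dict[str, User] = {}
        self.digipass_otps = digipass_otps   # serial -> OTP the token shows now (stand-in)

    def effective_settings(self, user: Optional[User]) -> Tuple[str, str]:
        """A user-level value wins over the policy value when it is set."""
        local = user.local_auth if user and user.local_auth else self.policy.local_auth
        backend = user.backend_auth if user and user.backend_auth else self.policy.backend_auth
        return local, backend

    def authenticate(self, name: str, password: str) -> Tuple[bool, dict]:
        user = self.users.get(name)
        local, backend = self.effective_settings(user)
        if backend == "always":
            ok, attrs = self.backend.authenticate(name, password)
            if ok and user is None and self.policy.dynamic_user_registration:
                self.users[name] = User(name)    # DUR: created on first success only
            return ok, attrs
        if local == "digipass/password":
            if user is None or user.digipass_serial is None:
                return False, {}
            expected = self.digipass_otps.get(user.digipass_serial)
            ok = expected is not None and hmac.compare_digest(expected, password)
            return ok, {}   # verified locally: no back-end attributes (section 7.2)
        return False, {}

    def migrate(self, name: str, serial: str) -> None:
        """Sections 6.5 and 6.6 for one user: set the overrides and assign a DIGIPASS.
        Raises KeyError if DUR has not yet created the user."""
        user = self.users[name]
        user.local_auth, user.backend_auth = "digipass/password", "none"
        user.digipass_serial = serial


def build_lab() -> IdentikeyFrontend:
    # Constructed test data, not from the guide: one SecurID user, one DIGIPASS.
    return IdentikeyFrontend(Policy(), RsaBackend({"vasco": "11223344"}),
                             {"DP-0001": "987654"})
```

Note what DUR does in this model: any name the RSA back-end accepts becomes a local account, and a failed back-end logon creates nothing. After migrate() the old SecurID passcode is no longer accepted for that user, the DIGIPASS OTP is, and the reply carries no attributes, which is the result shown in Figure 33.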


8 About VASCO Data Security

VASCO designs, develops, markets and supports patented strong user authentication products for e-business and e-commerce.

VASCO's user authentication software is carried by the end user on its DIGIPASS products, which are small "calculator" hardware devices, or in software form on mobile phones, other portable devices and PCs.

On the server side, VASCO's IDENTIKEY products ensure that only the designated DIGIPASS user gets access to the application.

VASCO's target markets are the applications, and their several hundred million users, that still rely on fixed passwords for security.

VASCO's time-based system generates a one-time password that changes with every use and cannot be replayed by someone who observes it.

VASCO designs, develops, markets and supports patented user authentication products for the financial world, remote access, e-business and e-commerce. VASCO's user authentication software is delivered via its DIGIPASS hardware and software security products. With over 25 million DIGIPASS products sold and delivered, VASCO has established itself as a world leader in strong user authentication, with over 500 international financial institutions and almost 3000 blue-chip corporations and governments located in more than 100 countries.