How to-replace-legacy-tfa-infrastructure-with-yubi radius-v3

Transcript

  • 1. Replacing legacy two-factor authentication with YubiRADIUS for corporate remote access. How to Guide. May 15, 2012

  • 2. YubiRADIUS Legacy Replacement. © 2012 Yubico. All rights reserved.

Introduction

Yubico is the leading provider of simple, open online identity protection. The company's flagship product, the YubiKey®, uniquely combines driverless USB hardware with open source software. More than a million users in 100 countries rely on YubiKey strong two-factor authentication for securing access to computers, mobile devices, networks and online services. Customers range from individual Internet users to e-governments and Fortune 500 companies. Founded in 2007, Yubico is privately held with offices in California, Sweden and UK.

Disclaimer

The contents of this document are subject to revision without notice due to continued progress in methodology, design, and manufacturing. Yubico shall have no liability for any error or damages of any kind resulting from the use of this document.

The Yubico Software referenced in this document is licensed to you under the terms and conditions accompanying the software or as otherwise agreed between you or the company that you are representing.

Trademarks

Yubico and YubiKey are trademarks of Yubico Inc.

Contact Information

Yubico Inc, 228 Hamilton Avenue, 3rd Floor, Palo Alto, CA 94301, USA
info@yubico.com

  • 3. Contents

Introduction
Disclaimer
Trademarks
Contact Information
1 Document Information
1.1 Purpose
1.2 Audience
1.3 References
1.4 Version
1.5 Definition
2 Introduction
2.1 Legacy Two-Factor Authentication (TFA) Systems
3 Overview
3.1 Legacy TFA authentication architecture
3.2 Yubico open source TFA authentication architecture
3.3 Yubico Open Source Solution
3.3.1 YubiKey
3.3.2 YubiRADIUS
3.3.3 YubiCloud vs. On-board Validation Server
3.3.4 Supports both single domain as well as multi domain
4 Prerequisites
4.1 Remote Access Product supporting RADIUS
4.2 Virtualization platform to host YubiRADIUS
4.2.1 Image requirements
4.3 One or more YubiKey(s)
4.4 Active Directory or LDAP Directory server
5 Planning and preparations
5.1 Access GW supporting RADIUS
5.2 YubiCloud vs. Built in validation Server
5.3 Virtual Appliance Platform
5.4 Internet connection for downloading
5.4.1 YubiRADIUS image
5.4.2 Personalization (Programming) tool
5.5 Firewall considerations
5.6 Failover – Multi Master planning

  • 4. Contents (continued)

5.7 Master Slave Considerations
5.8 Getting YubiKeys
6 YubiRADIUS Setup and Configuration
6.1 Process overview
7 YubiKey Deployment
7.1 Deployment for YubiCloud vs. On-board Val. Server
7.2 Auto-deployment
7.3 Helpdesk Considerations
7.4 Programming considerations
8 Summary
8.1 Benefits when switching to YubiRADIUS
8.2 Summary of the steps involved in the switch
8.3 Auto-Deployment

  • 5. 1 Document Information

1.1 Purpose

The purpose of this document is to guide readers through the steps of replacing an existing legacy two-factor authentication infrastructure (such as RSA Authentication Manager/ACE Server infrastructure) with the open source based YubiRADIUS infrastructure from Yubico.

1.2 Audience

This document is intended for technical staff of Yubico customers who want to replace existing two-factor authentication such as RSA SecurID with YubiKey based authentication for securing access to corporate resources via such techniques as Remote Access service or VPN.

1.3 References

Part of the Yubico YubiRADIUS solution is based on the Open Source FreeRADIUS and WebMin software.

1.4 Version

This version is released to the Yubico community as a "how to" guide.

1.5 Definition

Term: Definition
YRVA: Yubico's YubiRADIUS Virtual Appliance
VPN: Virtual Private Network
SSL: Secure Sockets Layer
RADIUS: Remote Authentication Dial In User Service. The RADIUS protocol is used to communicate between access equipment (such as a VPN GW) and the RADIUS server.
PIN: Personal Identification Number
OTP: One Time Password
OVF: Open Virtualization Format – standard format supported by the major virtualization platform vendors
YubiKey ID: The 12 character (48 bit) public identifier of a YubiKey
AD: Active Directory
LDAP: Lightweight Directory Access Protocol – refers both to the communication protocol and to a lightweight directory service for finding information about users and other resources in a network.
TFA: Two-Factor Authentication

  • 6. 2 Introduction

Yubico's mission is to "make Internet identification secure, easy, and affordable for everyone". The Company offers a physical authentication device/token, the YubiKey, which is used to provide secure authentication to web services and various other applications.

The YubiKey device is a tiny key-sized one-button authentication device, emulating a USB keyboard and designed to generate a unique user identity and a one-time password (OTP) without requiring any software installed on end users' computers.

2.1 Legacy Two-Factor Authentication (TFA) Systems

Organizations frequently utilize the powerful and flexible authentication mechanism provided by the RADIUS protocol. A RADIUS server combined with an industry standard VPN or SSL based VPN solution provides a robust and flexible remote access solution. In any remote access scenario two-factor authentication is highly recommended and in many cases required for compliance with industry regulation, such as for achieving PCI compliance.

However, many organizations have legacy Two-Factor Authentication (TFA) solutions which, for different reasons, they would like to replace with an open source solution from Yubico.

In the sections below we will look at the planning considerations and the steps involved in replacing a legacy TFA solution with YubiKey tokens and YubiRADIUS TFA infrastructure.

  • 7. 3 Overview

When looking at replacing legacy TFA authentication solutions with a solution from Yubico, you will frequently find that there are many similarities and that the task is therefore easier than perhaps first anticipated.

Depending on the size of the organization, the logistics leading up to the actual switchover will be the biggest part of the planning. However, Yubico has implemented three important features in YubiRADIUS to ease the logistics and coordination otherwise required for the switchover.

The following features help in the switchover from legacy solutions:

1. Users may use their regular Active Directory (or LDAP) Username and Password – no need for a different or temporary password
2. Import of users based on Active Directory Group belonging or OUs – making it possible to gradually switch users to the new solution.
3. Import YubiKeys without initial binding to users (see Auto Deployment)
4. Auto-deployment – YubiKey is assigned at first login (binding at first use)

We will go through the list above in more detail in the sections below.

3.1 Legacy TFA authentication architecture

The diagram below describes at a high level the infrastructure of the legacy solution to be replaced.

[Diagram: End user device with Legacy Token, Internet, Access/VPN GW and Legacy Authentication Server inside the Organization]

In the legacy solution, an Access GW (e.g. Cisco ASA) or VPN (e.g. OpenVPN) is usually connected via the RADIUS protocol to a Legacy Authentication Server. The Legacy Token is either based on hardware (as in the picture) or a software client (or a combination) on the end users' computers or access equipment.

  • 8. 3.2 Yubico open source TFA authentication architecture

The diagram below describes the new Yubico open source based infrastructure replacing the legacy.

As in the legacy solution, an Access GW (e.g. Cisco ASA) or VPN (e.g. OpenVPN) is usually connected via the RADIUS protocol to YubiRADIUS. The Legacy Token is either based on hardware (as in the picture) or a software client (or a combination) on the end users' computers or access equipment.

3.3 Yubico Open Source Solution

The YubiKey is a small USB connected OTP device that, combined with the organization's Active Directory (or LDAP) and the Yubico open source based YubiRADIUS server, provides simple and secure TFA access to applications.

3.3.1 YubiKey

The YubiKey USB connected OTP device is recognized as a USB keyboard, so it works on all computer platforms without any client software needed (Windows, Linux, Mac, iPad and newer Android etc.).

With a simple touch on the YubiKey it automatically generates and enters a unique identity and One-Time Password (OTP).

Combined with a PIN or password (from your LDAP or Active Directory database), the YubiKey provides strong two-factor authentication. The YubiKey is manufactured in Sweden with an auditable process for secrets.

3.3.2 YubiRADIUS

The Yubico YubiRADIUS Virtual Appliance is a FreeRADIUS based solution built on open source components which provides an organization with YubiKey based two-factor authentication for remote access. The password part can be checked against the organization's own (existing) AD (Active Directory) or LDAP, so that users only have to remember their normal network password. The YubiKey part can be validated either using YubiCloud (the Yubico Online Validation Service) or an onsite Yubico Validation and Key Management Server combination.

  • 9. [Diagram: YubiRADIUS Virtual Appliance components: Cisco ASA or other RADIUS equipment (RADIUS protocol), FreeRADIUS, PAM (Pluggable Auth Mod), Request Proxy Server, OTP/PW Separator, PW via LDAP (internal or external: optional internal OpenLDAP*, organization's Active Directory), OTP via YubiCloud or internal YK-VAL Validation Server, YK-KSM Key Server, UID - YubiKey Mapping & Database, Management (Webmin), optional YubiHSM (Hardware Security Module) for additional key protection]

Deployment of YubiKeys can be as easy as sending out YubiKeys to users without prior registration. The YubiKey to user binding is then handled automatically upon first use by the YubiRADIUS Virtual Appliance, which also supports several other more traditional deployment methods.

Deployment of the Yubico YubiRADIUS Virtual Appliance solution itself requires no changes to the organization's AD/LDAP schema, which is an important factor for most organizations.

Further, the standard authentication interface with username and password is also used for the Yubico two-factor authentication, so there is no client side software to be installed.

Additionally, the YubiRADIUS Virtual Appliance solution supports multiple domains in order to also support more involved deployments, such as those used by a large organization or a Security Service Provider. Each domain configuration works separately and has its own configuration settings.

Finally, in order to make it easy for customers to quickly deploy a solution, Yubico provides a ready to deploy "YubiRADIUS Virtual Appliance" OVF and VMware based image with all needed components.

  • 10. 3.3.3 YubiCloud vs. On-board Validation Server

YubiRADIUS can be configured to validate YubiKeys either by using the YubiCloud (easiest deployment) or using the built in internal Validation Server.

[Diagram: OTP via YubiCloud or internal YK-VAL Validation Server with YK-KSM Key Server. Caption: OTP validation through YubiCloud or On-board Validation Server]

  • 11. 3.3.4 Supports both single domain as well as multi domain

YubiRADIUS can be used in an ISP setting for multiple organizations or in an organization that has multiple domains with separate ADs or LDAPs per domain. The only difference between single and multiple domains/organizations is that in a multiple domain/organization deployment the user name must be followed by a fully qualified domain name.

[Diagram: Domain1 and Domain2, each with its own LDAP/AD server and RADIUS client, connected over RADIUS and LDAP to the Yubico YubiRADIUS Virtual Appliance (VM image, admin UI based on Webmin), which validates OTPs via the YubiCloud Online Validation Service over the Internet (Yubico Web Service API) or a Yubico Local Validation Server. Caption: YubiRADIUS supports multi domain deployment with separate AD/LDAPs per domain]

Single domain: ID: Username, PW: Password + OTP
Multi domain or multi organization: ID: Username@domain.organization.com, PW: Password + OTP

  • 12. 4 Prerequisites

The following are the prerequisites to deploy YubiRADIUS in order to replace a legacy two-factor authentication solution.

4.1 Remote Access Product supporting RADIUS

The Access Product must support the RADIUS protocol.

4.2 Virtualization platform to host YubiRADIUS

You need a virtualization platform such as VMware Server/ESX or similar to host the YubiRADIUS image. The image is available in two formats: either VMware format or OVF (Open Virtualization Format), which is supported by many vendors such as Red Hat, IBM, VMware and others. Read more about the platforms below.

http://en.wikipedia.org/wiki/Open_Virtualization_Format

4.2.1 Image requirements

The following are the recommended out of the box image requirements:

      • 1 Processor
      • 256 MB memory
      • 8 GB Disk

4.3 One or more YubiKey(s)

For more information regarding YubiKey, please visit the following link:

http://www.yubico.com/products/yubikey/

4.4 Active Directory or LDAP Directory server

The Yubico YubiRADIUS virtual appliance (YVA) server supports username and password authentication with an external Active Directory/LDAP directory or with internal LDAP using the built-in OpenLDAP server.

In order to deploy and test the YVA solution, either an external (to the image) Active Directory/LDAP or the OpenLDAP server configurable on the image must be used.

  • 13. 5 Planning and preparations

In order to replace a legacy TFA solution, the following prerequisites, planning and preparations must be taken into consideration.

In brief we will cover the following in this section.

1. Access GW supporting RADIUS
2. YubiCloud or Built in Database
3. Virtual Appliance Platform
4. Internet connection for downloading of
5. YubiRADIUS image
6. YubiKey Personalization (Programming) tool
7. Firewall planning and preparation
8. YubiRADIUS Failover – Multi Master YubiRADIUS
9. Master Slave considerations
10. Getting YubiKeys

5.1 Access GW supporting RADIUS

The first requirement is that the Access Gateway or any other access equipment, such as a Firewall with VPN functionality or a VPN Gateway, has support for RADIUS and the related requirements listed below.

Please verify the following:

1. RADIUS protocol must be supported
2. RADIUS Authentication port must be set to UDP port 1812
3. Authentication method PAP (not CHAP nor CHAP2)
4. RADIUS Server IP or DNS name can be configured
5. RADIUS Shared Secret can be configured

5.2 YubiCloud vs. Built in validation Server

The YubiRADIUS virtual appliance can use either the built in Validation Server or the YubiCloud.

In order to use the built in Validation Server you will need an import file for the YubiKeys. There are two ways to get this.

1. If you order at least 500 YubiKeys you can ask that Yubico program the YubiKeys in such a way that you will get an encrypted CD copy of the information (AES keys etc.) needed to import on the Validation Server.
2. You can alternatively reprogram any number of YubiKeys you get from the Yubico store using the Personalization (programming) tool. See below.

5.3 Virtual Appliance Platform

The YubiRADIUS virtual appliance is available in VMware Player/Server format or in Open Virtualization Format (OVF) for infrastructure such as VMware ESX.

  • 14. Select a Virtualization Platform, either:

1. Virtualization Platform supporting OVF image format or
2. VMware Server or VMware Player using native format

Once you have selected a virtualization platform, make sure it is prepared to have an image uploaded to it.

5.4 Internet connection for downloading

An internet connection is needed to download the Yubico open source YubiRADIUS image and the Yubico Personalization Tool. The latter is not needed if YubiRADIUS is used with YubiCloud.

If your server environment does not allow direct downloading, then download to a USB drive and use that for transferring the image and applications.

5.4.1 YubiRADIUS image

Both the latest YubiRADIUS image in the selected format and the latest YubiRADIUS Configuration Guide can be downloaded using the following link.

http://www.yubico.com/yubiradius

Downloading the image will require about 1 GB of disk space.

5.4.2 Personalization (Programming) tool

The Personalization tool for programming YubiKeys for use with the internal database can be found using the following link.

http://www.yubico.com/personalization-tool

Choose between the cross platform tool (Windows, Mac OSX or Linux) or the Multi-configuration tool for Windows. Both can program multiple YubiKeys quickly. Download and install the tool.

5.5 Firewall considerations

If your network is segmented, please make sure that your Firewall(s) allow UDP traffic on port 1812 (RADIUS Authentication) between any Access GW and the YubiRADIUS appliance(s).

Furthermore, if YubiCloud is used for validation of the YubiKeys, then outbound port 443 (SSL) and port 80 need to be open, allowing the YubiRADIUS server to contact YubiCloud via the REST based Web services API.

Please note that YubiCloud supports automatic failover. If you want to use the automatic failover you must configure all five servers, i.e. api.yubico.com, api2.yubico.com, api3.yubico.com, api4.yubico.com, api5.yubico.com. The first, api.yubico.com, does not have a number in order to be backwards compatible with older clients using only one server.

Firewall settings

1. Allow RADIUS Authentication protocol, i.e. open port 1812 UDP between any Access GW and YubiRADIUS server(s)

  • 15. Firewall settings (continued)

2. Make sure AD or the LDAP server can be reached from the YubiRADIUS server. Open Port 389 for standard communication or Port 636 (for LDAPS protocol) to AD and LDAP.
3. For use with YubiCloud – also allow port 80 and port 443 from YubiRADIUS to api.yubico.com including api2, 3, 4 and 5 (for failover).
4. The same ports, port 80 and port 443, are used in the Multi Master setting and the YubiRADIUS Master Slave setting as described below. If any of these are used, make sure your Firewall has these ports open between the YubiRADIUS servers.
5. For any troubleshooting, SSH access on TCP Port 22 is needed

5.6 Failover – Multi Master planning

YubiRADIUS can be deployed in a Multi Master setting, allowing up to three YubiRADIUS servers to synchronize data between the servers in order to work in a failover setting.

When used in this setting, the different YubiRADIUS servers should preferably be hosted on different virtual platform hosts.

[Diagram: YubiRADIUS Instance 1 and YubiRADIUS Instance 2 with Optional Sync. Caption: Drawing of two YubiRADIUS in Multi Master Configuration.]

Please note that the YK-VAL database is synchronized between all YubiRADIUS Servers (Multi Master). However, for other databases, i.e. YK-KSM, YK-MAP, YK-ROP and general configuration, only Master-Slave mode is supported. This means that you should plan which server should be the real master.

5.7 Master Slave Considerations

Multiple YubiRADIUS instances can be configured in a Master Slave configuration. This can be useful if you use the internal database in a setup with a large number of YubiRADIUS slaves, i.e. small offices/home offices having their own YubiRADIUS, but where you would like to minimize communication or when you don't want the YubiKey database to be local at remote locations.

  • 16. Master Slave uses the master's database for requests for authentication.

[Diagram: YubiRADIUS Network: Local Office Sites with YubiRADIUS (slaves) connected over the Internet to the Main Office, where YubiRADIUS Instance 1 and YubiRADIUS Instance 2 run with Optional Sync and Failover]

5.8 Getting YubiKeys

To test and deploy YubiRADIUS you will need some YubiKeys. You can purchase YubiKeys from the Yubico Web store https://store.yubico.com/ or from one of Yubico's partners and resellers (contact sales@yubico.com for Partners and Resellers).

  • 17. 6 YubiRADIUS Setup and Configuration

The setup and configuration is handled in a separate document, available using the following link.

http://www.yubico.com/yubiradius

Scroll down to the configuration guide.

6.1 Process overview

If possible, for companies with multiple Access GWs, use a spare or commission one of the GWs to be the initial GW for the switchover. Then follow the steps below.

At a high level the following needs to be done:

      • Identify the Virtual Appliance Platform infrastructure to use
      • Load the YubiRADIUS image
      • Check Firewall settings to allow Radius port 1812, 389 for AD/LDAP communication and Web services port 80/443 if YubiCloud shall be used
      • Import YubiKeys for use of the internal validation server or point to YubiCloud
      • Import users from AD or LDAP
      • Set up Failover and potential Slaves
      • Set up Access GW or other equipment (called RADIUS Clients) to use RADIUS protocol port UDP 1812 to communicate with YubiRADIUS
      • Create the RADIUS clients for the domain(s) in YubiRADIUS
      • Follow the configuration guide for details

  • 18. 7 YubiKey Deployment

Once the YubiRADIUS system has been set up there are only a few things left to do. Some will depend on whether you used YubiCloud or the On-board Validation Server.

7.1 Deployment for YubiCloud vs. On-board Val. Server

YubiCloud is the simplest way to deploy keys, but deployment using the Built-in Validation Server is also quite easy.

When using YubiCloud you can use standard YubiKeys directly from the Store. In some situations you can even ask your users to buy their YubiKeys online so that you don't have to keep any inventory of YubiKeys, and the first time the users use their YubiKey it will be tied to them in the system.

When using the on-board Validation Server you will need to import the corresponding YubiKeys' AES keys before the YubiKeys can be used with the system.

7.2 Auto-deployment

YubiRADIUS supports Auto-deployment, which is the absolutely easiest way to deploy keys. Using the Auto-Deployment feature you don't have to worry about any manual steps in assigning a YubiKey to a user. Instead, the YubiKey is automatically assigned to the user's user id at first use. No administrator or helpdesk person needs to be involved in the process (unless you want them to).

The YubiRADIUS auto deployment feature will automatically tie a YubiKey to a valid user the first time the key is used and the user name and password portion is successfully authenticated by AD or LDAP.

7.3 Helpdesk Considerations

Order some extra YubiKeys to have on hand in the help desk for people who call in to the Helpdesk function and have forgotten their YubiKeys at home.

7.4 Programming considerations

When programming YubiKeys for use with the internal Validation Server you have several options. Most convenient is to ask Yubico to program the YubiKeys to work with your own Validation Server.

The second best option is to order Standard YubiKeys and reprogram them when they arrive. Go to

http://www.yubico.com/personalization-tool

For more information on how to program, see the information at the link.

  • 19. 8 Summary

It is very straightforward to replace your Legacy Two-Factor Authentication (TFA) with the YubiKey/YubiRADIUS solution.

8.1 Benefits when switching to YubiRADIUS

Compared to many other Legacy Solutions you will benefit in the following way when using YubiRADIUS.

The following features help in the switchover from legacy solutions:

1. Users may use their regular Active Directory (or LDAP) Username and Password – no need for a different or temporary password
2. Import of users based on Active Directory Group belonging or OUs – making it possible to gradually switch users to the new solution.
3. Import YubiKeys without initial binding to users (see Auto Deployment)
4. Auto-deployment – YubiKey is assigned at first login (binding at first use)

8.2 Summary of the steps involved in the switch

At a high level the following needs to be done:

      • Load the YubiRADIUS on the Virtualization Platform infrastructure
      • Firewall to allow Radius, AD/LDAP and Web services (if YubiCloud)
      • Import YubiKeys if internal validation server is used (not YubiCloud)
      • Import users from AD or LDAP
      • Set up Failover and Slaves
      • Create the RADIUS clients for the domain(s) in YubiRADIUS
      • Test functionality with built in RadTest RADIUS client
      • Configure Access GW for RADIUS and YubiRADIUS

This process only takes a few hours to complete, after which you will be ready to start using the Yubico solution.

8.3 Auto-Deployment

Using the Auto-Deployment feature you don't have to worry about any manual steps in assigning a YubiKey to a user. Instead, the YubiKey is automatically assigned to the user's user id at first use. No administrator or helpdesk needs to be involved in the process (unless you want them to).
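The "Password + OTP" login format of section 3.3.4 and the bind-at-first-use behaviour of sections 7.2 and 8.3 can be followed end to end in the added example below, which is not YubiRADIUS code: it separates the trailing OTP from the directory password, takes the 12-character YubiKey ID from the OTP, and binds an unassigned key only after the password and the OTP have both been accepted. Assumptions: the 44-character modhex OTP is the standard Yubico OTP layout (the guide states only the 12-character ID), the class, function and result names are hypothetical, the directory and OTP validator are in-memory stand-ins for AD/LDAP and YubiCloud/YK-VAL, and the rule that a user with a bound key cannot auto-bind another is this example's policy, not documented YubiRADIUS behaviour.

```python
MODHEX = "cbdefghijklnrtuv"   # alphabet a YubiKey types its OTP in
OTP_LEN = 44                  # 12-char public ID + 32-char one-time part
ID_LEN = 12                   # the guide's "YubiKey ID" (48 bit)


def split_username(username):
    """'alice@Example.ORG' -> ('alice', 'example.org'); 'alice' -> ('alice', None)."""
    user, sep, domain = username.partition("@")
    if not user or (sep and not domain):
        raise ValueError("malformed username")
    return user, (domain.lower() or None)


def split_password_otp(field):
    """Separate the trailing OTP from the directory password."""
    if len(field) <= OTP_LEN:
        raise ValueError("password or OTP missing")
    password, otp = field[:-OTP_LEN], field[-OTP_LEN:]
    if not set(otp) <= set(MODHEX):
        raise ValueError("OTP is not modhex")
    return password, otp


class FirstUseBinder:
    """Hypothetical decision logic; verify_password and validate_otp are injected."""

    def __init__(self, verify_password, validate_otp, auto_deploy=True):
        self.verify_password = verify_password   # stands in for the AD/LDAP check
        self.validate_otp = validate_otp         # stands in for YubiCloud / YK-VAL
        self.auto_deploy = auto_deploy
        self.owner_of = {}                       # YubiKey ID -> (user, domain)

    def authenticate(self, username, password_field):
        try:
            user, domain = split_username(username)
            password, otp = split_password_otp(password_field)
        except ValueError:
            return "reject-format"
        account = (user, domain)
        if not self.verify_password(user, domain, password):
            return "reject-password"
        if not self.validate_otp(otp):
            return "reject-otp"
        key_id = otp[:ID_LEN]
        owner = self.owner_of.get(key_id)
        if owner == account:
            return "accept"
        if owner is not None:
            return "reject-key-owner"            # key belongs to someone else
        # Unassigned key: bind only if auto-deployment is on and, in this
        # example's policy, the account has no key yet. Until a key is bound,
        # the password plus any valid unassigned key is enough to enrol.
        if not self.auto_deploy or account in self.owner_of.values():
            return "reject-unbound"
        self.owner_of[key_id] = account
        return "accept-bound"


def demo_otp(key_id, counter):
    """Constructed OTP: right shape for the parser, not cryptographically valid."""
    return key_id + "".join(MODHEX[(counter >> (4 * i)) & 15] for i in range(32))


def make_demo():
    directory = {("alice", None): "S3cret!", ("bob", None): "hunter2"}  # constructed
    seen = set()

    def verify_password(user, domain, password):
        return directory.get((user, domain)) == password

    def validate_otp(otp):
        if otp in seen:          # an OTP is accepted once only
            return False
        seen.add(otp)
        return True

    return FirstUseBinder(verify_password, validate_otp)


if __name__ == "__main__":
    b = make_demo()
    for user, pw, key, n in [("alice", "S3cret!", "cccccccbdefg", 1),
                             ("alice", "S3cret!", "cccccccbdefg", 2),
                             ("bob", "hunter2", "cccccccbdefg", 3),
                             ("alice", "S3cret!", "ccccccchijkl", 4)]:
        print(user, key, b.authenticate(user, pw + demo_otp(key, n)))
```

Logging the "accept-bound" and "reject-key-owner" outcomes gives the helpdesk a record of every enrolment and of any attempt to use a key that is already assigned.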