
Whitepaper: Digipass Authentication for Pulse Connect Secure

This whitepaper describes how to configure Pulse Connect Secure together with VASCO IDENTIKEY Authentication Server. This setup will enable securing the sign-in to the SSL VPN with two-factor authentication.

For more information contact: sales@kappadata.be


  1. DIGIPASS Authentication for Pulse Connect Secure: INTEGRATION GUIDE
  2. (p. 1) DIGIPASS Authentication for Pulse Connect Secure
     Disclaimer
     Disclaimer of Warranties and Limitation of Liabilities: All information contained in this document is provided 'as is'; VASCO Data Security assumes no responsibility for its accuracy and/or completeness. In no event will VASCO Data Security be liable for damages arising directly or indirectly from any use of the information contained in this document.
     Copyright: Copyright © 2010 VASCO Data Security, Inc, VASCO Data Security International GmbH. All rights reserved. VASCO®, Vacman®, IDENTIKEY®, aXsGUARD™, DIGIPASS® and the ® logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. VASCO Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Products, updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, database rights and all other intellectual and industrial property rights in the U.S. and other countries. Microsoft and Windows are trademarks or registered trademarks of Microsoft Corporation. Other names may be trademarks of their respective owners.
  3. (p. 2) Table of Contents
     Disclaimer (p. 1)
     Table of Contents (p. 2)
     Reference guide (p. 4)
     1 Overview (p. 5)
     2 Technical Concepts (p. 6)
     2.1 Pulse Secure (p. 6)
     2.1.1 Pulse Connect Secure (p. 6)
     2.2 VASCO (p. 6)
     2.2.1 IDENTIKEY Authentication Server or IDENTIKEY Appliance (p. 6)
     3 Installation (p. 7)
     3.1 Pulse Connect Secure (p. 7)
     3.2 IDENTIKEY Appliance (p. 8)
     4 Setup without IDENTIKEY (p. 14)
     4.1 Architecture (p. 14)
     4.2 Pulse Connect Secure Settings (p. 14)
     4.2.1 Authentication Servers (p. 14)
     4.2.2 User Realms (p. 16)
     4.2.3 User Roles (p. 17)
     4.2.4 Sign-in (p. 18)
     4.3 Testing the Solution (p. 19)
     5 Solution (p. 21)
     5.1 Architecture (p. 21)
     5.2 Pulse Connect Secure Settings (p. 21)
     5.2.1 Authentication Servers (p. 21)
     5.2.2 User Realms (p. 22)
     5.2.3 Sign-in (p. 24)
  4. (p. 3) Table of Contents (continued)
     5.3 IDENTIKEY Authentication Server Settings (p. 25)
     5.3.1 Policies (p. 25)
     5.3.2 Client (p. 26)
     5.3.3 User (p. 27)
     5.3.4 DIGIPASS (p. 28)
     5.4 Testing the Solution (p. 30)
     6 Solution with Virtual DIGIPASS (p. 32)
     6.1 Architecture (p. 32)
     6.2 Pulse Connect Secure Settings (p. 32)
     6.2.1 Authentication Servers (p. 32)
     6.3 IDENTIKEY Authentication Server Settings (p. 34)
     6.3.1 MDC Configuration (p. 34)
     6.3.2 Policies (p. 35)
     6.3.3 DIGIPASS (p. 36)
     6.3.4 User (p. 38)
     6.4 Testing the Solution (p. 39)
  5. (p. 4) Reference guide: ID | Title | Author | Publisher | Date | ISBN (no entries listed)
  6. (p. 5) 1 Overview
     This whitepaper describes how to configure Pulse Connect Secure together with VASCO IDENTIKEY Authentication Server. This setup will enable securing the sign-in to the SSL VPN with two-factor authentication.
  7. (p. 6) 2 Technical Concepts
     2.1 Pulse Secure
     2.1.1 Pulse Connect Secure: Pulse Connect Secure provides remote access to the company’s intranet through an SSL VPN that is easy to use yet flexible. The solution is available as a hardware appliance or a virtual appliance.
     2.2 VASCO
     2.2.1 IDENTIKEY Authentication Server or IDENTIKEY Appliance: IDENTIKEY Authentication Server is an off-the-shelf centralized server that provides two-factor authentication with DIGIPASS devices. It offers complete functionality and management features without requiring significant budgetary or personnel investments. IDENTIKEY Appliance is a standalone authentication appliance that offers the features of IDENTIKEY Authentication Server and is ready to be deployed right away. The use and configuration of an IDENTIKEY Authentication Server and an IDENTIKEY Appliance are similar.
  8. (p. 7) 3 Installation
     3.1 Pulse Connect Secure: Follow the installation steps on the console of the Pulse Connect Secure appliance. Start the installation. Configure the network settings. Create an admin user.
  9. (p. 8) Finalize the configuration with certificate information and a random string.
     3.2 IDENTIKEY Appliance: Open the console of the IDENTIKEY appliance. Log on with ‘rescue’ for the basic configuration. Choose n for network configuration.
  10. (p. 9) Configure the IP address of the appliance by typing i. Configure the gateway of the appliance by typing g. Navigate to the appliance’s IP address over https and open the configuration wizard by logging on with the default credentials ‘sysadmin’ / ‘sysadmin’.
  11. (p. 10) Follow the configuration wizard and configure the sysadmin password, network settings and certificate information.
  12. (p. 11) (screenshot only)
  13. (p. 12) Configure the license for the appliance. You can request a temporary license from the VASCO Customer Portal, http://cp.vasco.com.
  14. (p. 13) Finish the wizard with the IDENTIKEY configuration and an administrator user.
  15. (p. 14) 4 Setup without IDENTIKEY
     Before adding two-factor authentication to the sign-in, it is important to validate a standard configuration without a connection to IDENTIKEY Authentication Server. A standard authentication setup in Pulse Connect Secure will be configured, based on locally added users.
     4.1 Architecture
     4.2 Pulse Connect Secure Settings: Navigate to the administration interface of Pulse Connect Secure, hosted on https://[server IP address]/admin.
     4.2.1 Authentication Servers: An authentication server in Pulse Connect Secure defines a system that handles the authentication for the SSL VPN sign-in. To authenticate against local users on Pulse Connect Secure, we will use the authentication server ‘System Local’, which is configured by default. Navigate to Authentication > Auth Servers > System Local.
  16. (p. 15) Create a local user in the System Local authentication server to test the authentication. Open the Users tab and click New.
  17. (p. 16)
     • Username: userlocal
     • Full Name: Local Test User
     • Password: Test1234
     Click on Save Changes.
     4.2.2 User Realms: A User Realm is the central configuration for the SSL VPN sign-in, specifying exactly how it is handled. The authentication server to be used is selected in the user realm. Navigate to the default user realm ‘Users’, which specifies authentication based on System Local: Users > User Realms > Users.
  18. (p. 17) 4.2.3 User Roles: User roles are managed in Pulse Connect Secure to specify what a user is allowed to do in the SSL VPN. A default role ‘Users’ already exists with the most common configuration for what regular users are allowed to do. Any role can be configured to the needs of the environment, regardless of the authentication configuration. Roles are assigned to users based on the Role Mapping configured inside the user realm. For the user realm Users, a default role mapping assigns the Users role to all users of the realm. Navigate to the ‘Role Mapping’ tab of the user realm.
  19. (p. 18) 4.2.4 Sign-in: A sign-in policy links the sign-in URL to the user realm that will be used to authenticate users. The default sign-in policy links the root URL to the Users user realm. Navigate to Authentication > Sign-in Policies > */.
  20. (p. 19) 4.3 Testing the Solution: Browse to the SSL VPN Web portal, hosted on the root URL of the Pulse Connect Secure IP address over https. Authenticate with the test user userlocal and password Test1234. Check that you are redirected to the Pulse Connect Secure main user interface.
  21. (p. 20) (screenshot only)
  22. (p. 21) 5 Solution
     When the basic setup is completed successfully, the solution is ready to be integrated with IDENTIKEY. This secures the SSL VPN with two-factor authentication. The users and DIGIPASS devices are managed in IDENTIKEY, and the authentication uses the RADIUS protocol.
     5.1 Architecture
     5.2 Pulse Connect Secure Settings: Navigate to the administration interface of Pulse Connect Secure, hosted on https://[server IP address]/admin.
     5.2.1 Authentication Servers: To connect to IDENTIKEY, a new Authentication Server has to be defined in Pulse Connect Secure. This configures the RADIUS connection. Navigate to Authentication > Auth Servers, select Radius Server in the dropdown box and click New Server.
  23. (p. 22)
     • Name: Identikey
     • Radius Server: IP of the IDENTIKEY server
     • Shared Secret: choose a shared secret to secure the Radius connection
     • Enable ‘Users authenticate using tokens or one-time passwords’
     Click on Save Changes at the bottom of the page.
     5.2.2 User Realms: Now we have to specify a new user realm in which we link the new Authentication Server. Navigate to Users > User Realms > New.
  24. (p. 23)
     • Name: Identikey
     • Authentication: Identikey
     Click on Save Changes at the bottom of the page. Configure the Role Mapping for this user realm. For this setup, we will use a simple configuration that assigns the ‘Users’ role to all users. Navigate to the ‘Role Mapping’ tab of the user realm and choose New Rule.
  25. (p. 24)
     • Name: All Users
     • If username is: *
     • Add role: Users
     Click on Save Changes at the bottom of the page.
     5.2.3 Sign-in: The new user realm has to be linked to the existing sign-in page. We will set this up in the Sign-in Policy. Navigate to Authentication > Sign-in Policies > */.
  26. (p. 25) Enable the Identikey realm: select Users and click Remove, then select Identikey and click Add. It is possible to select multiple user realms; this presents a list of the available realms on the sign-in page.
     5.3 IDENTIKEY Authentication Server Settings: The incoming RADIUS connection needs to be configured in IDENTIKEY, together with the required authentication process.
     5.3.1 Policies: The Policy defines the behavior of the authentication. Various settings are available, which need to be set according to the requirements of the environment. For the test setup, only local authentication on IDENTIKEY will be performed, without any additional settings. Navigate to the IDENTIKEY Web Administration, available on https://[IP of IDENTIKEY]/webadmin, and log on with the administrator account.
  27. (p. 26) Navigate to Policies > Create.
     • Policy ID: Pulse Secure Integration
     • Inherits From: Identikey Local Authentication
     Click on Create. If needed, specific settings can be modified in the policy details. In this setup, however, the default settings inherited from Identikey Local Authentication are sufficient.
     5.3.2 Client: A client specifies which applications are allowed to connect to IDENTIKEY and through which protocol. For this setup, a client is registered to allow incoming RADIUS requests from Pulse Connect Secure.
  28. (p. 27) Navigate to Clients > Register.
     • Client Type: RADIUS Client
     • Location: the IP address of the Pulse Connect Secure server
     • Policy ID: Pulse Secure Integration
     • Protocol ID: RADIUS
     • Shared Secret: the shared secret you chose when configuring the Authentication Server in Pulse Connect Secure. This secret has to be the same on both sides of the connection.
     • Confirm Shared Secret: repeat the shared secret
     Click on Create.
     5.3.3 User: A user has to be configured to test the authentication. Navigate to Users > Create.
  29. (p. 28)
     • User ID: user1
     • Domain: master
     Click on Create.
     5.3.4 DIGIPASS: The DIGIPASS record is used to verify the one-time password the user submits during authentication. Each DIGIPASS is unique and identified by its serial number. It is assigned to the user account, so that the correct link is established between the user ID and the DIGIPASS. To use a DIGIPASS, its record has to be imported into IDENTIKEY; for testing purposes, demo DIGIPASS licenses can be used. The import is done with the wizard DIGIPASS > Import. To assign the DIGIPASS to user1, navigate to the user account and select the tab Assigned DIGIPASS.
  30. (p. 29) Click Assign and follow the wizard. Select ‘Search now to select DIGIPASS to assign’ to select the required DIGIPASS in the next step. Click Next.
  31. (p. 30) Select the correct DIGIPASS and click Next. Select a grace period of 0 days and click Assign. The DIGIPASS is now assigned to the user and ready for use. Click on Finish.
     5.4 Testing the Solution: Browse to the SSL VPN Web portal, available on https://[IP of Pulse Connect Secure]/.
  32. (p. 31)
     • Username: user1
     • Password: OTP generated by the DIGIPASS assigned to user1
     Click on Sign In. On success, you are redirected to the SSL VPN homepage.
  33. (p. 32) 6 Solution with Virtual DIGIPASS
     The solution is now secured with one-time passwords generated by a DIGIPASS. In another setup, Pulse Connect Secure can also handle authentication with a virtual DIGIPASS. The virtual DIGIPASS generates OTPs on the server, and these are delivered to the user by email, SMS or phone call. The SSL VPN sign-in then consists of two steps: first the user requests the OTP from the server, then submits the OTP for authentication. An SMS gateway has to be configured to send the virtual OTP over SMS.
     6.1 Architecture
     6.2 Pulse Connect Secure Settings
     6.2.1 Authentication Servers: To authenticate using a virtual DIGIPASS, we have to modify the settings of the Authentication Server in Pulse Connect Secure. An extra authentication rule specifies that a second step is added to the authentication when the RADIUS server signals that a virtual OTP has been generated. Navigate to Authentication > Authentication Servers > Identikey.
  34. (p. 33) Click ‘New Radius Rule’ in the edit screen of the authentication server.
     • Name: Virtual Digipass
     • Response Packet Type: Access Challenge
     • Attribute criteria: Reply-Message matches the expression Enter One-Time Password
     • Show Next Token page
     Click Add next to the attribute criteria. Click on Save Changes at the bottom of the page. When a virtual OTP is requested from IDENTIKEY through RADIUS, it sends a special value in the RADIUS Reply-Message attribute. This value is exactly equal to ‘Enter One-Time Password’.
  35. (p. 34) 6.3 IDENTIKEY Authentication Server Settings
     6.3.1 MDC Configuration: Navigate to the IDENTIKEY Appliance configuration on https://[IP of IDENTIKEY]/application. For an IDENTIKEY Authentication Server installation, the MDC configuration is in a separate tool, located at VASCO > IDENTIKEY Server > Virtual DIGIPASS MDC Configuration. Log on with a system administrator account.
  36. (p. 35) Navigate to Authentication Server > Message Delivery Component. Enable the Message Delivery Component, then configure an SMS gateway with its specific connection details. Enable that gateway and click Save.
     6.3.2 Policies: To test the virtual DIGIPASS, the setup has to be completed to allow for this scenario. The policy defines how the virtual OTP is requested. Open the IDENTIKEY web administration.
  37. (p. 36) Navigate to Policies and open the policy Pulse Secure Integration. Open the tab Virtual DIGIPASS. All default values inherited from the IDENTIKEY Local Authentication policy are already correct for this setup.
     • Delivery Method: SMS
     • MDC Profile: empty
     • Request Method: Password
     This means that the user requests an OTP from the server by providing his static password. Another option would be to request an OTP with a specific keyword.
     6.3.3 DIGIPASS: The user needs a virtual DIGIPASS serial number to be assigned. The specific DIGIPASS records should be imported using the wizard DIGIPASS > Import. Navigate to the user account and open the tab Assigned DIGIPASS.
  38. (p. 37) Click on Assign and follow the wizard. Choose a DIGIPASS type that is a virtual DIGIPASS, in this case DPVTL. Let IDENTIKEY automatically select an available virtual DIGIPASS.
  39. (p. 38) Click on Assign, and then on Finish on the next page. A virtual DIGIPASS is now assigned to the user and ready to be used.
     6.3.4 User: A password has to be set for the user in order to request a virtual OTP. The mobile phone number also has to be added, so that the virtual OTP is sent to that number. Navigate to Users and select the user1 account.
  40. (p. 39) Click on Set Password and choose a static password for the user. Type the password and repeat it for confirmation. Click on Save. In the user account, click on Edit to enter the mobile phone number. Enter the number in the field ‘Mobile’ and click on Save.
     6.4 Testing the Solution: Browse to the SSL VPN Web portal, available on https://[IP of Pulse Connect Secure]/.
  41. (p. 40)
     • Username: user1
     • Password: the static password defined for user1
     Click Sign In. An additional page is shown where the received virtual OTP can be entered. An SMS message should be delivered to the mobile phone number configured for user1; the message contains the generated virtual OTP. Enter the OTP on the page and click on Enter.
  42. (p. 41) On success, you are redirected to the SSL VPN homepage.
