DIGIPASS Authentication for SonicWall - Integration Guideline V1.0 2011 VASCO Data Security. All rights reserved. Page 1 of 55
DIGIPASS Authentication for SonicWall SSL-VPN
With IDENTIKEY Server / Axsguard IDENTIFIER
Integration Guidelines
Disclaimer
Disclaimer of Warranties and Limitations of Liabilities
This Report is provided on an 'as is' basis, without any other warranties, or conditions.
No part of this publication may be reproduced, stored in a retrieval system, or
transmitted, in any form or by any means, electronic, mechanical, photocopying,
recording, or otherwise, without the prior written permission of VASCO Data Security.
Trademarks
DIGIPASS, IDENTIKEY, IDENTIFIER & AXSGUARD are registered trademarks of VASCO
Data Security. All trademarks or trade names are the property of their respective
owners. VASCO reserves the right to make changes to specifications at any time and
without notice. The information furnished by VASCO in this document is believed to be
accurate and reliable. However, VASCO may not be held liable for its use, nor for
infringement of patents or other rights of third parties resulting from its use.
Copyright
2011 VASCO Data Security. All rights reserved.
Table of Contents
DIGIPASS Authentication for SonicWall SSL-VPN (p. 1)
Disclaimer (p. 2)
Table of Contents (p. 3)
1 Reader (p. 5)
2 Overview (p. 6)
3 Problem Description (p. 7)
4 Solution (p. 8)
4.1 Benefits (p. 8)
4.2 How does two-factor authentication work? (p. 8)
4.3 Supported Platforms (p. 8)
5 Technical Concept (p. 9)
5.1 General overview (p. 9)
5.2 SonicWALL SSL-VPN prerequisites (p. 9)
5.3 IDENTIKEY Server Prerequisites (p. 9)
5.4 Overview of SonicWALL RADIUS Authentication with IK (p. 10)
5.5 Overview of actions (p. 10)
6 Configuration of the SonicWALL SSL-VPN (p. 11)
6.1 Login to the SSL-VPN & check version (p. 11)
6.2 Set the time on SSL-VPN (p. 13)
6.3 DNS Settings (p. 14)
6.4 Configure a default route for the SSL-VPN (p. 15)
6.5 Add NetExtender Client Address Range (p. 16)
6.6 Add NetExtender Client Routes (p. 17)
6.7 Create a Portal Domain (p. 18)
6.8 Add a 'local user' for the Domain (p. 19)
6.9 Edit the user's policy (p. 20)
7 Configure the NSA 2400 (p. 21)
7.1 Login (p. 21)
7.2 Configure PRO4060 Interface and Zone (p. 22)
7.3 Create an Address (p. 26)
7.4 Create inbound allow rule for https & NAT Policy (p. 27)
7.5 Allow rule from DMZ to LAN for IDENTIKEY Server (p. 30)
8 IDENTIKEY Server (p. 31)
8.1 Policy configuration (p. 31)
8.2 Register Client (p. 35)
8.3 Configure User (p. 35)
8.3.1 Create New User (p. 35)
8.3.2 Import DIGIPASS (p. 37)
8.3.3 Assign DIGIPASS (p. 38)
8.4 Install Active Directory (p. 40)
8.4.1 Create Users (p. 40)
8.4.2 Import DIGIPASS (p. 43)
8.4.3 Assign Digipasses for Users (p. 46)
9 Two-factor authentication SSL-VPN test and conclusion (p. 53)
10 About VASCO Data Security (p. 55)
1 Reader
This document is a guideline for configuring the partner product with IDENTIKEY SERVER or Axsguard IDENTIFIER. For details about the setup and configuration of IDENTIKEY SERVER and Axsguard IDENTIFIER, we refer to the installation and administration manuals of these products. Axsguard IDENTIFIER is the appliance-based solution, running IDENTIKEY SERVER by default.
Within this document, VASCO Data Security provides the reader with guidelines for configuring the partner product in this specific configuration in combination with VASCO Server and DIGIPASS. Any change in the concept might require a change in the configuration of the VASCO Server products.
The product name IDENTIKEY SERVER will be used throughout the document, keeping in mind that this document applies to the Axsguard IDENTIFIER as well.
2 Overview
The purpose of this document is to demonstrate how to configure IDENTIKEY Server to work with a SonicWALL device. Authentication is arranged in one central place, where it can be used for a regular VPN or SSL-VPN connection.
SonicWALL is a strong leader in secure, easy to configure and affordable clientless SSL-VPN remote access, and provides users with additional Unified Threat Management security when combined with SonicWALL's firewall/VPN appliances. This addresses all companies, from the SMB (Small & Medium Business) to the Enterprise space.
VASCO Data Security delivers reliable authentication through the use of One Time Password technology. VASCO IDENTIKEY Server combined with SonicWALL SSL-VPN and SonicWALL firewall/VPN appliances creates an open-market approach delivered through VASCO DIGIPASS technology.
VASCO IDENTIKEY Server allows users to use the VASCO DIGIPASS concept: One Time Passwords that are assigned per time segment and provide easy and secure SSL-VPN remote access. The One Time Password within the authentication request is verified on the VASCO IDENTIKEY Server. After verification, a RADIUS Access-Accept message is sent to the SonicWALL SSL-VPN server to complete the authentication.
DIGIPASS integration works in the same way with other SonicWall solutions:
3 Problem Description
The basic operation of the SonicWALL is based on authentication against an existing back-end (LDAP, RADIUS, local authentication …). To use the IDENTIKEY Server with SonicWALL, the external authentication settings need to be changed or added manually.
Since static passwords are generally known to be insecure and easy to compromise, One Time Passwords were introduced to the remote access market to secure the corporate LAN or central resources. A method to track and manage incoming users via the SonicWALL SSL-VPN and firewall/VPN devices also needed to be introduced.
Two-factor authentication is a method that requires two independent pieces of information to establish identity and privileges. Two-factor authentication is stronger and more rigorous than traditional password authentication, which only requires one factor, such as the user's password.
The following pages present how to solve these issues by configuring the SonicWALL SSL-VPN and NSA 2400, and the VASCO IDENTIKEY Server / Axsguard IDENTIFIER.
4 Solution
After configuring IDENTIKEY Server and the SonicWALL devices in the right way, you eliminate the weakest link in any security infrastructure, the use of static passwords, which are easily stolen, guessed, reused or shared.
The SonicWALL appliance gives you a combined SSL/VPN platform: it is possible to access your network from a web portal page and/or to create an SSL tunnel.
4.1 Benefits
Two-factor authentication offers the following benefits in combination with SonicWALL SSL-VPN:
• Enhances security by requiring two independent variables of information for authentication.
• Reduces the security risks associated with one-factor passwords.
• Minimizes the time administrators spend training and supporting users by providing a strong authentication process that is simple, intuitive, and automated.
4.2 How does two-factor authentication work?
Two-factor authentication requires the use of a third-party authentication service. The authentication service consists of two components:
• An authentication server that the administrator uses to configure user names, assign tokens, and manage authentication-related tasks.
With two-factor authentication, users must enter a valid One Time Password to gain access. A One Time Password consists of the following:
• The user's personal identification number (PIN).
• The One Time Password issued by the DIGIPASS.
Users receive the temporary token codes from their VASCO DIGIPASS. The DIGIPASS displays a new One Time Password every 32 seconds. When VASCO IDENTIKEY Server authenticates the user, it verifies that the One Time Password timestamp is valid in the current timeframe. If the PIN is correct and the One Time Password is current, the user is authenticated.
Because user authentication requires these two factors, the VASCO DIGIPASS solution offers stronger security than traditional single-factor authentication.
4.3 Supported Platforms
• IDENTIKEY Server. This document describes version 3.2.
• SonicWALL SSL-VPN SRA1200/4200 and SRA VA platforms running firmware version 5.0 or higher. This document describes firmware version 5.0.0.0-14SV of SSL-VPN.
• SonicWALL NSA 2400 running SonicOS Enhanced 5.x. This document describes SonicOS Enhanced version 5.7.0.0.
5 Technical Concept
5.1 General overview
The concept is very simple: the IDENTIKEY Server (IK) is installed as a back-end authentication service for the SonicWALL SSL-VPN.
This means that the IK receives all authentication requests from the SonicWALL SSL-VPN. The One Time Password (OTP) within the authentication request is verified on the IK.
After IK verification, a RADIUS Access-Accept message is sent to the SonicWALL SSL-VPN for the authentication part.
Figure 1: General Overview / Network Diagram
5.2 SonicWALL SSL-VPN prerequisites
Please make sure you have a working setup of the SonicWALL. It is very important
this is working correctly before you start implementing the authentication to the
IDENTIKEY SERVER.
5.3 IDENTIKEY Server Prerequisites
In this guide we assume you already have IDENTIKEY Server installed and working. If
this is not the case, make sure you get it working before installing any other features.
5.4 Overview of SonicWALL RADIUS Authentication with IK
The following is a description of the RADIUS authentication sequence WITHOUT a DIGIPASS assigned:
1. A remote user initiates a connection to the SonicWALL NSA.
2. The SonicWALL NSA is configured so that all https (SSL-VPN) traffic is forwarded to the SonicWALL SSL-VPN.
3. The SonicWALL SSL-VPN gathers the remote user's ID and password, and then submits a RADIUS authentication request to the IDENTIKEY Server.
4. IDENTIKEY Server performs the verification and answers the SonicWALL SSL-VPN with an Access-Accept or Access-Reject message.
5. SonicWALL SSL-VPN then provides access to the authenticated user's individual portal on the SonicWALL SSL-VPN, where the protected resources can be accessed via a simple 'bookmark' click or via IPSec-like NetExtender access.
The following is a description of the RADIUS authentication sequence WITH a DIGIPASS assigned:
1. A remote user initiates a connection to the SonicWALL NSA.
2. The SonicWALL NSA is configured so that all https (SSL-VPN) traffic is forwarded to the SonicWALL SSL-VPN.
3. The SonicWALL SSL-VPN gathers the remote user's ID and the one time password generated by the DIGIPASS, and then submits a RADIUS authentication request to the IDENTIKEY Server.
4. IDENTIKEY Server performs the OTP verification and answers the SonicWALL SSL-VPN with an Access-Accept or Access-Reject message.
5. SonicWALL SSL-VPN then provides access to the authenticated user's individual portal on the SonicWALL SSL-VPN, where the protected resources can be accessed via a simple 'bookmark' click or via IPSec-like NetExtender access.
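The exchange described above, written out as a constructed Python example that is not part of this guide and is neither VASCO nor SonicWALL code: the "SSL-VPN" side builds an RFC 2865 Access-Request with the User-Password hidden under the shared secret, the "IDENTIKEY" side only answers clients whose NAS-IP-Address is registered with a secret (the client registration of section 8.2), and the client accepts the reply only if the Response Authenticator verifies under the same secret (the 'Secret password' of section 6.7). The client address 192.168.200.1 is the SSL-VPN X0 address from the guide; the shared secret, the user name and the PIN+OTP value are constructed, PAP rather than CHAP is assumed, and no reply attributes are modelled.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and the attribute types this example uses.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

# Constructed values: the SSL-VPN X0 address from the guide's diagram, a made-up
# shared secret, and a made-up PIN+OTP that the "IDENTIKEY side" will accept.
SHARED_SECRET = b"constructed-shared-secret"
REGISTERED_CLIENTS = {"192.168.200.1": SHARED_SECRET}   # RADIUS client IP -> secret
USER_CREDENTIALS = {"vasco": b"1234567890"}             # user name -> expected PIN+OTP


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; RADIUS passwords cannot contain NUL, so padding is stripped."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def encode_attrs(attrs):
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2:
            break                                 # malformed attribute: stop parsing
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident, username, credential, secret, nas_ip):
    """What the SSL-VPN sends: user name, hidden password, and its own NAS-IP-Address."""
    req_auth = os.urandom(16)                     # Request Authenticator: fresh random bytes
    attrs = [(ATTR_USER_NAME, username.encode()),
             (ATTR_USER_PASSWORD, hide_password(credential.encode(), secret, req_auth)),
             (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))]
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def handle_access_request(packet, clients, verify):
    """What the authentication server does; returns the reply packet, or None to discard."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length > len(packet):
        return None
    req_auth = packet[4:20]
    attrs = decode_attrs(packet[20:length])
    nas_ip = ".".join(str(b) for b in attrs.get(ATTR_NAS_IP_ADDRESS, b""))
    secret = clients.get(nas_ip)
    if secret is None:
        return None                               # unregistered client: silently discard
    username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    credential = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    reply_code = ACCESS_ACCEPT if verify(username, credential) else ACCESS_REJECT
    header = struct.pack("!BBH", reply_code, ident, 20)
    # The Response Authenticator binds the reply to this request and to the shared secret.
    resp_auth = hashlib.md5(header + req_auth + secret).digest()
    return header + resp_auth


def check_response(response, request, secret):
    """Client-side check; returns the reply code only if the Response Authenticator verifies."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length > len(response):
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None                               # wrong secret or forged reply
    return code


def verify_user(username, credential):
    expected = USER_CREDENTIALS.get(username)
    return expected is not None and hmac.compare_digest(expected, credential)


def run_exchange(username, credential, nas_ip, client_secret):
    """Full round trip between the constructed SSL-VPN and authentication server."""
    request = build_access_request(7, username, credential, client_secret, nas_ip)
    response = handle_access_request(request, REGISTERED_CLIENTS, verify_user)
    return None if response is None else check_response(response, request, client_secret)


if __name__ == "__main__":
    print(run_exchange("vasco", "1234567890", "192.168.200.1", SHARED_SECRET))  # 2 = Access-Accept
```

Two failure paths are worth noticing when troubleshooting the setup: a mismatched secret makes the password decode to garbage on the server (so the user gets an Access-Reject) and makes the reply unverifiable on the client (run_exchange returns None), while an SSL-VPN address that is not registered as a client gets no reply at all, which shows up as a RADIUS timeout rather than a rejection.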
5.5 Overview of actions
In the next chapters we will show you how to configure each device and server in the right way to enable two-factor authentication with IDENTIKEY Server.
Task                               Component            Where
SonicWALL SSL-VPN configuration    SSL-VPN appliance    Chapter 6
SonicWALL NSA2400 configuration    Firewall appliance   Chapter 7
IDENTIKEY Server configuration     IDENTIKEY Server     Chapter 8
Sample of a logon                  Logon                Chapter 9
6 Configuration of the SonicWALL SSL-VPN
6.1 Login to the SSL-VPN & check version
1. Browse to the default IP address of the SSL-VPN SRA 1200 or 4200 on the X0 interface: https://192.168.200.1
2. Login with the default values: User Name: admin and Password: password
Note: If you enter http://192.168.200.1 it will automatically redirect to https.
3. Check in the System > Status page that the current 'Firmware Version' is at least 5.0:
Figure 2: Checking the Firmware version
If it is not 5.0 or higher, register the SonicWALL SSL-VPN appliance at https://www.mysonicwall.com and download the latest firmware version with a valid SonicWALL support entitlement.
Navigate to Network > Interfaces for the correct IP address of the SSL-VPN's X0 interface. According to the Network Diagram on page 3, this can be left at the default IP address 192.168.200.1:
Figure 3: Checking the IP-address for the Network Interface
6.2 Set the time on SSL-VPN
Since the two-factor authentication depends on time synchronization, it is important
that the internal clocks for the SSL-VPN appliance and the VASCO IdentiKey are set
correctly.
Navigate to System > Time on the SSL-VPN appliance to select the correct Time
Zone:
Figure 4: Time Setting on the appliance
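Why the clock setting matters for the PIN + One Time Password check described in section 4.2, as an added Python example that is not part of this guide: an illustrative HMAC-based time-step OTP, not the DIGIPASS algorithm, where the only value taken from the guide is the 32-second step. The six-digit length, the one-step acceptance window, the seed and the PIN are assumptions, marked as such in the code.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 32   # the guide: the DIGIPASS shows a new One Time Password every 32 seconds
OTP_DIGITS = 6      # assumption for this illustration
WINDOW_STEPS = 1    # assumption: tolerate one step of clock drift in either direction


def otp_for_step(seed: bytes, step: int) -> str:
    """Illustrative HMAC-based time-step OTP (not the DIGIPASS algorithm)."""
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** OTP_DIGITS).zfill(OTP_DIGITS)


def token_display(seed: bytes, token_clock: int) -> str:
    """What the token shows at a given Unix time according to its own clock."""
    return otp_for_step(seed, token_clock // STEP_SECONDS)


class Account:
    """Server-side record: token seed, user PIN, and the last time step already consumed."""

    def __init__(self, seed: bytes, pin: str):
        self.seed, self.pin, self.last_step = seed, pin, -1


def verify(account: Account, submitted: str, server_clock: int) -> bool:
    """Check a submitted PIN+OTP against the server clock; True only if both factors match."""
    pin_ok = hmac.compare_digest(submitted[:len(account.pin)], account.pin)
    otp = submitted[len(account.pin):]
    step_now = server_clock // STEP_SECONDS
    for delta in range(-WINDOW_STEPS, WINDOW_STEPS + 1):
        step = step_now + delta
        if step <= account.last_step:
            continue    # an OTP for this step was already used: refuse the replay
        if hmac.compare_digest(otp_for_step(account.seed, step), otp) and pin_ok:
            account.last_step = step
            return True
    return False


def login_with_skew(seed: bytes, pin: str, server_clock: int, skew_seconds: int) -> bool:
    """Simulate a fresh login from a token whose clock runs skew_seconds ahead of the server."""
    account = Account(seed, pin)
    return verify(account, pin + token_display(seed, server_clock + skew_seconds), server_clock)
```

login_with_skew shows the effect of an unsynchronised clock: with a one-step window the same OTP is still accepted when the token's clock is a few tens of seconds off, and rejected once the skew reaches two steps, and an unsynchronised server clock produces that rejection for every user at once. The last_step bookkeeping in verify is the other half of the check: an OTP that has already been accepted is refused if it is submitted again inside the window.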
6.3 DNS Settings
Navigate to Network > DNS and set the correct DNS and/or WINS settings:
Figure 5: Checking DNS Settings
6.4 Configure a default route for the SSL-VPN
According to the Network Diagram on page 3, the default route for the SSL-VPN is the NSA 2400's X2 interface, which corresponds with the DMZ zone. This IP address is set to 192.168.200.250 and needs to be configured as the Default Route for the SSL-VPN.
Navigate to Network > Routes and set the correct Default Route on the SSL-VPN X0
interface:
Figure 6: Configuring a default route
6.5 Add NetExtender Client Address Range
If you use NetExtender clients (IPSec-like SSL-VPN tunnels), navigate to NetExtender > Client Addresses to set the NetExtender Client Address Range:
Figure 7: Setting the NetExtender Client Address Range
In this example, the Client Address Range Begin and End can be left at their defaults, as client addresses will be assigned in the same subnet, 192.168.200.0/24, as the SSL-VPN X0 interface. Exclude the SonicWALL SSL-VPN X0 interface and the SonicWALL NSA's X2 interface IP address, according to the Network Diagram on page 3.
NOTE: All the IP settings and configurations shown in the screenshots in this document will vary according to your network topology.
6.6 Add NetExtender Client Routes
1. Navigate to NetExtender > Client Routes.
2. Click the Add button to select the correct Client Routes for the authenticated
remote users accessing the private networks via the SSL-VPN connection:
Figure 8: Adding the correct Client Routes
According to the Network Diagram on page 8, this corresponds with the subnet
connected to the X0 (LAN) interface of the SonicWALL NSA.
6.7 Create a Portal Domain
Navigate to Portal > Domains and select Radius as the Authentication Type from the drop-down menu:
Figure 9: Adding a portal domain
Enter the Domain Name. This is the domain name users will use in order to log into the SonicWALL SSL-VPN appliance portal.
The 'Radius server address' is the IP address of the VASCO IDENTIKEY Server.
The 'Radius server port' needs to match the RADIUS port of the VASCO IDENTIKEY Server, as does the 'Secret password' that is used for RADIUS authentication between these two elements.
In this example only a 'Primary Radius server' is used.
6.8 Add a 'local user' for the Domain
Navigate to Users > Local Users to add a user to the VASCO domain.
Figure 1: Adding a user to the domain (1)
Assign this user to the Radius Domain. Enter the Username.
NOTE: Passwords will be generated through the RADIUS Server. Make sure you duplicate the same usernames from the RADIUS Server (Vasco Demo in this example).
Adding the external user account manually is not strictly required: when an external user (the vasco user in this example) logs in, the user profile is automatically added to the "Users > Local Users" page.
6.9 Edit the user's policy
Navigate to Users > Local Users and click the Configure button:
Figure 11: Changing the policy for the user
We have now configured the authentication to go to the IDENTIKEY Server. You still need to configure the IDENTIKEY Server so that it uses the same back-end your application was using before. If the users were checked against Active Directory, RADIUS or any other back-end authentication service, you will need to set up IDENTIKEY Server with the same back-end authentication.
7 Configure the NSA 2400
7.1 Login
1. Browse to the default IP address of the SonicWALL NSA on the LAN interface labeled X0 at http://192.168.168.168 and login with the following default values:
User Name: admin
Password: password (please change afterwards)
Figure 2: System Administration Window
NOTE: It is advised that you register the SonicWALL NSA appliance on
https://www.mysonicwall.com where you can download the latest firmware version
with a valid SonicWALL support entitlement.
7.2 Configure PRO4060 Interface and Zone
Navigate to Network > Interfaces according to the Network Diagram on page 3 to
configure the correct IP addresses and Zones:
Figure 3: Configuring IP-addresses and zones (1)
Click the Configure button for the X2 interface and enter the IP address
192.168.200.250 as follows:
Figure 4: Configuring IP-addresses and zones (2)
Click the Configure button for the X1 interface (permanently bound to the WAN zone) and enter the IP address 10.10.10.10 as follows:
Figure 5: Configuring IP-addresses and zones (3)
Now configure the X0 interface (permanently bound to the LAN zone) with the IP address 10.120.1.250 as follows:
Figure 6: Configuring IP-addresses and zones (4)
NOTE: As the IP address for accessing the GUI of the NSA 2400 on the X0 interface is
changed, the IP address of the computer accessing the GUI needs to be reconfigured
in the same IP subnet as the X0 Interface.
After these changes, the summary in the Network > Interfaces page will look as
follows:
Figure 77: Network Interface Summary
7.3 Create an Address
Navigate to Network > Address Objects and click the Add button:
Figure 8: Creating the Address Objects (1)
Repeat for an SSL-VPN SRA 4200 object in the DMZ zone. The IP address matches
the Network Diagram on page 3:
Figure 9: Creating the Address Objects (2)
7.4 Create inbound allow rule for https & NAT Policy
In this chapter we will create an inbound 'Allow' rule to permit all https traffic from the WAN to the SSL-VPN SRA 4200 object in the DMZ zone.
Select Firewall > Access Rules and, in the Matrix, the rules from WAN to DMZ:
Figure 10: Checking Access Rules
Step 1: Create an Allow access rule for https on the 'WAN primary IP' address object of the SonicWALL NSA by clicking the Add button:
Figure 11: Creating 'Allow' rule (1)
The 'Allow' rule for https should look as follows:
Figure 12: Creating 'Allow' rule (2)
Click 'OK' and the following 'Access Rules' will appear in the list from WAN to DMZ:
Figure 13: Creating 'Allow' rule (3)
Step 2: Navigate to Network > NAT Policies and Select OK:
Figure 14: Creating a NAT policy
7.5 Allow rule from DMZ to LAN for IDENTIKEY Server
Create an access rule from the DMZ zone to the LAN zone for access to the VASCO
IdentiKey object.
Navigate to Firewall > Access Rules and select, in the Matrix, the access rules from DMZ to LAN.
Figure 15: Creating an Access Rule
NOTE: If access from DMZ to LAN is needed towards more Destinations other than the
VASCO IdentiKey, add them here accordingly.
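A constructed Python model of the rule set built in sections 7.4 and 7.5, added here as an example and not part of this guide or of SonicOS: first-match access rules with an implicit deny, one inbound NAT policy, and a check that flags any DMZ-to-LAN rule that opens an 'Any' destination or service. The WAN primary IP 10.10.10.10, the SRA address 192.168.200.1 and the LAN subnet 10.120.1.0/24 come from the guide's diagram; the IDENTIKEY Server address 10.120.1.10 is a placeholder (the guide does not state it), UDP 1812 is the standard RADIUS authentication port (the guide does not state which port it uses), and the evaluation order (destination zone taken after NAT, rule destination matched before NAT) is this model's simplification rather than a statement about how SonicOS orders its pipeline.

```python
import ipaddress

# Constructed model of the guide's network diagram. The IDENTIKEY Server address is a
# placeholder: the guide only shows that it sits behind the NSA's LAN (X0) interface.
ZONES = {
    "LAN": ipaddress.ip_network("10.120.1.0/24"),
    "DMZ": ipaddress.ip_network("192.168.200.0/24"),
}
ADDRESS_OBJECTS = {
    "Any": ipaddress.ip_network("0.0.0.0/0"),
    "WAN Primary IP": ipaddress.ip_network("10.10.10.10/32"),
    "SSL-VPN SRA 4200": ipaddress.ip_network("192.168.200.1/32"),
    "VASCO IdentiKey": ipaddress.ip_network("10.120.1.10/32"),   # placeholder address
}
SERVICES = {"HTTPS": ("tcp", 443), "RADIUS": ("udp", 1812), "Any": None}

# Inbound NAT policy from 7.4: traffic for the WAN primary IP is delivered to the SRA.
NAT_POLICIES = {ipaddress.ip_address("10.10.10.10"): ipaddress.ip_address("192.168.200.1")}

# Access rules from 7.4 and 7.5 as (from zone, to zone, source, destination, service, action).
# Order matters: the first matching rule wins and a packet matching nothing is denied.
RULES = [
    ("WAN", "DMZ", "Any", "WAN Primary IP", "HTTPS", "allow"),
    ("DMZ", "LAN", "SSL-VPN SRA 4200", "VASCO IdentiKey", "RADIUS", "allow"),
]


def zone_of(ip):
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "WAN"    # anything outside the LAN and DMZ subnets arrives on the WAN zone


def evaluate(src_ip, dst_ip, proto, port, rules=RULES):
    """Return (action, delivered_to) for one packet under this simplified model."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    translated = NAT_POLICIES.get(dst, dst)      # model assumption: destination zone is
    src_zone, dst_zone = zone_of(src), zone_of(translated)   # post-NAT, rule match is pre-NAT
    for from_zone, to_zone, s_obj, d_obj, svc, action in rules:
        if (from_zone, to_zone) != (src_zone, dst_zone):
            continue
        if src not in ADDRESS_OBJECTS[s_obj] or dst not in ADDRESS_OBJECTS[d_obj]:
            continue
        if SERVICES[svc] is not None and SERVICES[svc] != (proto, port):
            continue
        return action, str(translated)
    return "deny", str(translated)               # implicit deny


def overly_broad_rules(rules):
    """Flag DMZ->LAN allow rules whose destination or service is 'Any'; the 7.5 note
    asks for further LAN destinations to be added individually, not as a catch-all."""
    return [r for r in rules
            if (r[0], r[1]) == ("DMZ", "LAN") and r[5] == "allow" and "Any" in (r[3], r[4])]


if __name__ == "__main__":
    print(evaluate("203.0.113.5", "10.10.10.10", "tcp", 443))     # ('allow', '192.168.200.1')
    print(evaluate("192.168.200.1", "10.120.1.10", "udp", 1812))  # ('allow', '10.120.1.10')
    print(evaluate("192.168.200.1", "10.120.1.20", "udp", 1812))  # ('deny', '10.120.1.20')
```

The cases worth keeping as a regression check after any later change to the rule base are the three the guide's design implies: public HTTPS reaches the SRA and nothing else does, only the SRA may talk RADIUS to the IDENTIKEY Server, and any other host in the DMZ or any other LAN destination falls through to the implicit deny.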
8 IDENTIKEY Server
Go to the IDENTIKEY Server web administration page and authenticate with an administrative account.
8.1 Policy configuration
Follow these steps to add a new policy:
1. Login to Vasco Identikey Web Administration window
2. Click Policies tab and select Create.
Figure 16: Policy configuration (1)
NOTE: There are policies available by default, and you can also create new policies to
suit your needs.
Fill in a policy name and choose the option most suitable in your situation. If you
want the policy to inherit a setting from another policy, choose the inherit option. If
you want to copy an existing policy, choose the copy option, and if you want to make
a new policy, choose the create option.
Figure 17: Policy configuration (2)
In the policy options, configure the policy to use the right back-end server. This could be the local database, but also Active Directory or another RADIUS server.
This is probably the same back-end that was in your default client authentication options before you changed it: either the local database, Windows, or a further hop to another RADIUS server.
NOTE: Configure the policy properties to use the appropriate back-end server. This may be the same authentication service as previously used by the SonicWALL VPN/SSL box.
The example below shows the SonicWALL policy:
• Local Auth.: Default (DIGIPASS/Password)
• Back-End Auth.: Default (None)
• Dynamic User Registration: Default (No)
• Password Autolearn: Default (No)
• Stored Password Proxy: Default (No)
• Windows Group Check: Default (No Check)
After configuring this policy, authentication happens locally in the IDENTIKEY Server: user credentials are passed through to the IDENTIKEY Server, which checks them against its local user database and answers the client with an Access-Accept or Access-Reject message.
In the Policy tab, click the Edit button, and change the Local Authentication to
Digipass/Password.
Figure 28: Policy configuration (3)
Figure 18: Policy configuration (4)
8.2 Register Client
Now create a new component by right-clicking Components and choosing New Component.
Figure 19: Client configuration (1)
Select RADIUS Client for Client Type. Enter the IP address of the SonicWALL
SSL/VPN box. In the policy ID field you should find your new policy. Fill in the
Shared Secret you entered for the RADIUS server properties on the SonicWALL
SSL/VPN box. Click Create.
8.3 Configure User
8.3.1 Create New User
Click the Users tab and select Create.
Figure 20: User configuration (1)
Fill in the username and password fields. Click the Create button to choose the
domain and Organizational Unit:
Figure 21: User configuration (2)
The user will show in the list of users in the Vasco Identikey Web Administration MMC:
Figure 22: User configuration (3)
8.3.2 Import DIGIPASS
Click on the DIGIPASS Tab and select Import:
Figure 23: DIGIPASS configuration (1)
Browse for the *.DPX file, enter the Transport Key and click UPLOAD
Figure 24: DIGIPASS configuration (2)
A confirmation message pops up when the DIGIPASS is imported successfully:
8.3.3 Assign DIGIPASS
There are two ways to assign a DIGIPASS to a user. Search for a DIGIPASS and
assign it to a user or search for a user and assign it to a DIGIPASS.
1. Select user and Click on Assign DIGIPASS button:
Figure 25: Assign DIGIPASS (1)
2. Or Select a DIGIPASS and NEXT.
Figure 26: Assign DIGIPASS (2)
NOTE: If the User ID is left blank, press the Find button and a list of all the available
users in the same domain will appear. If no users appear, make sure the domains of
the DIGIPASS and the user match.
Figure 27: Assign DIGIPASS (3)
When a user is assigned to a DIGIPASS a confirmation message will pop up:
8.4 Install Active Directory
NOTE: This set of steps is required when VASCO IDENTIKEY Server is installed for Active Directory.
8.4.1 Create Users
Create users using an Active Directory back-end in the Active Directory Users and Computers MMC.
Right-click a user and select Properties. This can also happen automatically when the Dynamic User Registration (DUR) option in the policy settings is active.
Figure 28: Active Directory configuration (1)
Select the DIGIPASS User Account tab and manually enter a password.
Figure 29: Active Directory configuration (2)
Click the Apply button to see the Update History fields with the current date and
time. This means the DIGIPASS account was created successfully.
Figure 30: Active Directory configuration (3)
8.4.2 Import DIGIPASS
Right-click on Users and make sure the Import Digipass… option is available in the MMC.
Figure 31: Active Directory configuration (4)
Click on the Import Digipass… option.
Figure 32: Active Directory configuration (5)
Browse for the *.DPX file and enter the Transport Key.
Figure 33: Active Directory configuration (6)
Select Show Applications to view available applications:
Figure 34: Active Directory configuration (7)
When the DIGIPASSes are imported successfully, a confirmation message appears:
Figure 35: Active Directory configuration (8)
8.4.3 Assign Digipasses for Users
Right-click Users in the Active Directory MMC.
Figure 36: Active Directory configuration (9)
Click Assign Digipass…
Figure 37: Active Directory configuration (10)
Click the Next button in the Digipass Assignment Wizard.
Figure 38: Active Directory configuration (11)
The list of users selected in the previous step is displayed.
Figure 50: Active Directory configuration (12)
Select the user(s) to which you want to assign Digipasses.
Figure 51: Active Directory configuration (13)
Search for the serial numbers.
Figure 52: Active Directory configuration (14)
Select the serial number(s) from the list.
Figure 53: Active Directory configuration (15)
Click the Next button, then click the Finish button to complete the wizard.
Figure 54: Active Directory configuration (16)
When the Digipasses are assigned successfully, the Digipass Assignment Wizard shows a
confirmation message.
9 Two-factor authentication SSL-VPN test and conclusion
To test the two-factor authentication SSL-VPN connectivity with VASCO IdentiKey,
connect your PC to the WAN (X1) interface of the NSA 2400 according to Figure 1:
Network Diagram. Point your browser to https://10.10.10.10.
1. Login to the Local Domain as an Administrator.
2. Enter Admin for the User Name and password for the Password.
3. Navigate to Portal > Domains and click Configure to test the RADIUS
connectivity to VASCO IdentiKey.
NOTE: If the RADIUS authentication is successful, log out of the Administrator GUI and
log in to https://10.10.10.10 with the User Name you created:
Figure 39: Test and conclusion (1)
NOTE: Use the FixedPassword+DIGIPASSPIN+DIGIPASSOTP password combination
for access to the SSL-VPN Portal where you have access to your Bookmarks or
NetExtender (IPSec and SSL-VPN) connectivity:
Figure 40: Test and conclusion (2)
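The two steps above (testing RADIUS connectivity from the SonicWall to IDENTIKEY, then logging in with the FixedPassword+DIGIPASSPIN+DIGIPASSOTP combination) both come down to one RADIUS Access-Request carrying the concatenated string in the User-Password attribute. The following is an added example, not code from VASCO, SonicWall or this guide, that builds such a request on the client side and decodes it on the server side according to RFC 2865 (PAP User-Password hiding with MD5 and XOR). It assumes the appliance sends the combined credential as a plain PAP User-Password, and the usernames, shared secret and credential parts are constructed sample values. The point for a defender is visible in the code: the only thing protecting the credential on the wire is the RADIUS shared secret, so it should be long and random, and the NSA-to-IDENTIKEY link should be on a trusted network segment.

```python
import hashlib
import struct

# RFC 2865 packet code and attribute types used below
ACCESS_REQUEST = 1
USER_NAME = 1
USER_PASSWORD = 2


def compose_password(fixed_password, digipass_pin, otp):
    """Concatenate the three parts in the order the guide's NOTE prescribes."""
    return fixed_password + digipass_pin + otp


def encode_user_password(password, shared_secret, authenticator):
    """RFC 2865 section 5.2: pad to a multiple of 16 octets and XOR each
    16-octet block with MD5(shared_secret + previous block), where the first
    'previous block' is the 16-octet Request Authenticator."""
    pw = password.encode()
    if len(pw) > 128:  # RFC 2865 limit for User-Password
        raise ValueError("User-Password longer than 128 octets")
    pw += b"\x00" * ((16 - len(pw) % 16) % 16)
    out = b""
    prev = authenticator
    for i in range(0, len(pw), 16):
        key = hashlib.md5(shared_secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out += block
        prev = block  # chaining: next key depends on the ciphertext block
    return out


def decode_user_password(encrypted, shared_secret, authenticator):
    """Reverse of encode_user_password; trailing NUL padding is stripped."""
    if len(encrypted) % 16 != 0:
        raise ValueError("User-Password must be a multiple of 16 octets")
    pw = b""
    prev = authenticator
    for i in range(0, len(encrypted), 16):
        key = hashlib.md5(shared_secret + prev).digest()
        block = encrypted[i:i + 16]
        pw += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return pw.rstrip(b"\x00").decode()


def build_access_request(identifier, username, password, shared_secret, authenticator):
    """Build the Access-Request the SSL-VPN appliance would send (assumed PAP)."""
    attrs = struct.pack("!BB", USER_NAME, 2 + len(username)) + username.encode()
    enc = encode_user_password(password, shared_secret, authenticator)
    attrs += struct.pack("!BB", USER_PASSWORD, 2 + len(enc)) + enc
    length = 20 + len(attrs)  # 20-octet header: code, id, length, authenticator
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator + attrs


def parse_access_request(packet, shared_secret):
    """Server side: walk the TLV attributes and recover user name and password."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length > len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    authenticator = packet[4:20]
    attrs = {}
    pos = 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    username = attrs[USER_NAME].decode()
    password = decode_user_password(attrs[USER_PASSWORD], shared_secret, authenticator)
    return code, identifier, username, password


if __name__ == "__main__":
    # Constructed sample values; a real client draws the authenticator at random.
    secret = b"constructed-shared-secret"
    authenticator = bytes(range(16))
    combined = compose_password("Fixed1", "1234", "918273")
    pkt = build_access_request(7, "jdoe", combined, secret, authenticator)
    print(parse_access_request(pkt, secret))
```

The decode step is what a RADIUS server such as IDENTIKEY must do before it can split the string into fixed password, PIN and OTP; how IDENTIKEY performs that split is not described in this guide and is not modelled here.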
Conclusion:
SonicWALL SSL-VPN and firewall/VPN appliances together with DIGIPASS
authentication solutions provide easy and secure clientless remote access to
the internal network resources permitted for each user.
10 About VASCO Data Security
VASCO designs, develops, markets and supports patented Strong User Authentication
products for e-Business and e-Commerce.
VASCO's User Authentication software is carried by the end user on its DIGIPASS
products, which are small "calculator" hardware devices, or in a software format on
mobile phones, other portable devices, and PCs.
At the server side, VASCO's VACMAN products guarantee that only the designated
DIGIPASS user gets access to the application.
VASCO's target markets are the applications and their several hundred million users
that rely on fixed passwords for security.
VASCO's time-based system generates a "one-time" password that changes with every
use, and is virtually impossible to hack or break.
VASCO designs, develops, markets and supports patented user authentication
products for the financial world, remote access, e-business and e-commerce. VASCO's
user authentication software is delivered via its DIGIPASS hardware and software
security products. With over 25 million DIGIPASS products sold and delivered, VASCO
has established itself as a world leader in strong User Authentication, with over 500
international financial institutions and almost 3000 blue-chip corporations and
governments located in more than 100 countries.