
Nortel Networks NORTEL 3050 User's Manual


Contents

1. Testing the configuration: Open a web browser and point to the portal address. For user credentials, enter a SecurID username and Passcode. From the Login Service list, select your RSA SecurID or RSA RADIUS challenge group. Click Login to authenticate and enter the Portal Server. [Screenshot: RSA Security Partner Lab SSL VPN 3050 login page with Login Status, Username, Password and Login Service fields] Note: The user name does not need to exist on the VPN Gateway 3050 in order to be authenticated. The VPN Gateway 3050 will pass off authentication to the RSA Authentication Manager as a trusted authentication source. Certification Checklist. Date Tested: September 26, 2007. Product Name 6 1. Mandatory Functionality (columns: RSA Native Protocol, RADIUS Protocol). New PIN Mode: Force Authentication After New PIN; System Generated PIN; User Defined (4-8 Alphanumeric); User Defined (5-7 Numeric); User Selectable; Deny 4 and 8 Digit PIN; Deny Alphanumeric PIN. PASSCODE: 16 Digit Passcode; 4 Digit Password. Next Tokencode Mode: Next Tokencode Mode. Load Balancing / Reliability Testing: Failover (3-10 Replicas); Failover; Name Locking E
2. and the RSA Authentication Manager / RSA SecurID Appliance, an Agent Host record must be added to the RSA Authentication Manager database, and to the RADIUS server database if using RADIUS. The Agent Host record identifies the Nortel VPN Gateway within its database and contains information about communication and encryption. To create the Agent Host record, you will need the following information: Hostname; IP Addresses for all network interfaces. When adding the Agent Host Record, you should configure the Nortel VPN Gateway as Communication Server. This setting is used by the RSA Authentication Manager to determine how communication with the Nortel VPN Gateway will occur. To create the RADIUS client record, you will need the following information: Hostname; IP Addresses for all network interfaces; RADIUS Secret. Note: Hostnames within the RSA Authentication Manager / RSA SecurID Appliance must resolve to valid IP addresses on the local network. Please refer to the appropriate RSA Security documentation for additional information about Creating, Modifying, and Managing Agent Host records. Partner Authentication Agent Configuration. Before You Begin: This section provides instructions for integrating the partner's product with RSA SecurID Authentication. This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of a
3. support for the RSA Authentication Manager as a method of strong authentication for users using RSA SecurID Authentication. For enterprises maintaining IPsec VPN environments, the Nortel VPN Gateway 3050 provides a new level of deployment flexibility and end-user support by incorporating IPsec VPN client termination to remove the network administrator's challenge of managing multiple devices to deliver both types of remote access service. Partner Integration Overview. Product Requirements. Partner Product Requirements: Nortel VPN Gateway 3050 7.0.1.0. Hardware Platform (Platform, Required Patches): VPN 3050, ASA 310, ASA 410, ASA 310 FIPS; N/A. Additional Software Requirements (Application, Additional Patches): Internet Explorer 5.0, 5.5 and 6.0. RSA SecurID files (RSA SecurID Authentication Files): sdconf.rec, Node Secret, sdstatus.12, sdopts.rec; Not implemented. Go to the appendix of this document to get detailed information regarding these files. Agent Host Configuration. Important: "Agent Host" and "Authentication Agent" are synonymous. Agent Host is a term used with the RSA Authentication Manager 6.x servers and below. RSA Authentication Manager 7.1 uses the term Authentication Agent. Important: All Authentication Agent types for 7.1 should be set to Standard Agent. To facilitate communication between the Nortel VPN Gateway
4. Mode; Next Tokencode Mode. Load Balancing / Reliability Testing: Failover (3-10 Replicas); Failover; No RSA Authentication Manager. Additional Functionality. RSA Software Token Automation: System Generated PIN; User Defined (8 Digit Numeric); PIN Expiration; Next Tokencode Mode. RSA SecurID 800 Token Automation: System Generated PIN; User Defined (8 Digit Numeric); PIN Expiration; Next Tokencode Mode. SWA. Legend: Pass; Fail; N/A = Non-Available Function. PIN Rejection: When a PIN is rejected by the Authentication Manager Server, the user is questioned by the client to try a different PIN, but the program flow is not intuitive. (1) The user first authenticates using either Token or Password. The user is next prompted to create a new PIN. [Screenshot: SSL VPN 3050 login page, Login Status: "Enter your new PIN, containing from 4 to 8 alphanumeric characters"] (2) The user must re-enter the new PIN to validate input from the previous step. [Screenshot: SSL VPN 3050 login page, Login Status: "Please re-enter new PIN"] (3) If rejected, the client displays the question to the user with an empty text box for input. Welcome to the RSA Security Partner Lab SSL V
5. Nortel Networks VPN Gateway 3050: RSA SecurID Ready Implementation Guide. Last Modified: March 14, 2008. Partner Information. Product Information. Web Site: www.nortelnetworks.com. Product Description: The Nortel Networks VPN Gateway 3050 is a remote access security solution that extends the reach of enterprise applications and resources to remote users. The gateway performs on-the-fly content transformation to instantly convert most intranet resources into externally viewable, secure HTML pages and employs an advanced network address and port translation (NAPT) utility to build SSL-secured VPN tunnels for client/server communications. Product Category: Perimeter Defense (VPN, Firewalls & Intrusion Detection). Solution Summary: The Nortel Networks VPN Gateway 3050 is a remote access security solution that extends the reach of enterprise applications and resources to remote employees, partners, and customers. By using the native capability of widely deployed Web browsers, the SSL VPN Gateway offers a convenient clientless alternative for securely provisioning resources for remote users, without the need to install and manage client tunneling software on their PCs. Due to the clientless nature of this solution, strong two-factor authentication is essential to ensure the identity of users connecting to your Enterprise from the internet. For this reason, Nortel Networks VPN Gateway 3050 provides
6. PN 3050. Login Status: "PIN rejected. Please try again." Response: Submit. (4) The client will accept any input by the user and then prompt for a new Passcode to restart the authentication process. [Screenshot: SSL VPN 3050 login page, Login Status: "Please Enter Passcode"] (5) The user then inputs a valid Passcode. Administration Logon: NEW PIN mode does not work via the admin console. The user is prompted to create or accept a PIN, but the PIN never gets sent to the server and the user gets redirected to a blank web page. Appendix. Delete Node Secret: (1) Navigate to Config > Administration > RSA Servers and click on the link for the RSA Authentication Server Label you created. (2) Click the button labeled Remove Node Secret. [Screenshot: Administration > RSA Servers > Modify RSA Server page (Id 1, RSA Server IP/Hostname 10.100.50.37) with the Import sdconf.rec file form. Warning: The created RSA servers should be Applied before importing the sdconf.rec file.] Remove sdconf.rec and sdstatus.12: (1) Navigate to Config > Administration > RSA Servers. (2) Check the box for t
7. [Screenshot: Groups page. Help text: "Lets you define the user groups that reside on the VPN Gateway. When a user logs in to the VPN via the Portal, the SSL VPN client or the IPsec VPN client, the system tries to determine the user's group membership. This is done by searching for a match between a group name defined and a group name associated with the user's credentials in the authentication mechanism by which the user was authenticated (RADIUS, LDAP, NTLM, SiteMinder, RSA SecurID, RSA ClearTrust, client certificate or local database)." Default Group and Anonymous Group selectors. Group table (ID, Name, User Type, Comment): 1, Password Users, advanced, Users authenticated by static passwords; 2, SecurID Users, advanced, Users authenticated by RSA SecurID; 3, RADIUS, advanced, Users authenticated by RSA RADIUS] (7) From the Groups menu on the administration console, click on the group name. (8) Select the Access List tab. (9) Create an appropriate Access list based on your organization's configuration. In the example below, you will see we have created a generic rule allowing all access for authenticated RSA SecurID or RADIUS users. [Screenshot: Access Lists tab with rule 1 set to accept] (10) Click Update to apply the Access rules. (11) Configure the user group for any necessary links or VPN Settings as required. (12) Click Apply to add the new in
8. formation to the IOS configuration. [Screenshot: Apply Pending Configuration Changes; Apply Results: Apply Succeeded] Configure the RSA Server record: (1) Open the Management Interface (MIP) of the Nortel VPN Gateway using a web browser. Authenticate with an administrative user account and select the Config tab. (2) From the SSL VPN admin menu, select the Administration > RSA Servers item. (3) Click the Add button and complete the form. (4) Click Apply to commit changes to the IOS configuration. [Screenshot: Add New RSA Server form (Id 2, RSA Server IP/Hostname)] Note: You must Update and Apply the RSA Server Group entry before you import the sdconf.rec file. (5) To import your sdconf.rec file, you will return to the RSA Servers menu and modify the entry for the sdconf.rec file you will be adding. [Screenshot: Import sdconf.rec file form. Warning: The created RSA servers should be Applied before importing the sdconf.rec file.] (6) Click import to upload the sdconf.rec file and then click Apply changes to the IOS configuration. Configuring the RSA SecurID Authentication Servers: (1) From the admin console, select VPN Gateways > Authentication. (2) Click Add. (3) Enter information for the Authentication Server, such as Name and Display Name. The Authentication Mechanism will be RSA. Then click update to complete additional RSA SecurID authentication options. (4) Select the Settings tab and fill in the a
9. he RSA Authentication Server Label you created. (3) Click delete. [Screenshot: Administration > RSA Servers list showing ID 1, RSA Server IP/Hostname 10.100.50.37. Help text: "The RSA Servers menu lets you configure the symbolic name for the RSA server and import the sdconf.rec configuration file."] (4) You now need to add a new record for an RSA Authentication Manager for authentication.
10. ll products involved and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components. All vendor products/components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding. Nortel VPN Gateway 3050 Agent configuration: Administrative tasks can be performed in the Command Line Interface (CLI) as well as the Web Administration GUI. All configuration steps and screenshots in this guide will refer to GUI administration. Please refer to Nortel Administrative documentation for more complete details on CLI and GUI Administration tasks. RSA SecurID Authentication Configuration Overview: (1) Create a User Group. (2) Configure the RSA Server record. (3) Configuring the RSA SecurID Authentication Servers. RADIUS Authentication Configuration Overview: (1) Create a User Group. (2) Configuring the RADIUS Authentication Servers. Creating and Configuring a RSA SecurID or RADIUS User Group: From the admin console, expand VPN Gateways and click Add to add a VPN Gateway. Click Create VPN. Now click on the VPN Gateway you just created and click on Groups. Click on the button Add New Group. Fill out the form with the desired group name, user type and description. Click Update and then Apply to add the new group to the configuration.
11. nabled; Name Locking Enabled; No RSA Authentication Manager. Additional Functionality. RSA Software Token Automation: System Generated PIN; User Defined (8 Digit Numeric); User Selectable; Next Tokencode Mode. RSA SecurID 800 Token Automation: System Generated PIN; User Defined (8 Digit Numeric); User Selectable; Next Tokencode Mode. Credential Functionality: Determine Cached Credential State; Set Credential; Retrieve Credential. SWA, BSD. Legend: Pass; Fail; N/A = Non-Available Function. Certification Checklist For RSA Authentication Manager 7.x. Date Tested: March 14, 2008. Mandatory Functionality (columns: RSA Native Protocol, RADIUS Protocol). New PIN Mode: Force Authentication After New PIN; System Generated PIN; User Defined (4-8 Alphanumeric); User Defined (5-7 Numeric); Deny 4 and 8 Digit PIN; Deny Alphanumeric PIN; Deny Numeric PIN; PIN Reuse. Passcode: 16 Digit Passcode; 4 Digit Fixed Passcode. Next Tokencode Mode: Next Tokencode
12. o add the new information to the IOS configuration. Configuring RADIUS Authentication Servers for Administrative Access: (1) From the admin console, select Administration > RADIUS. (2) Click Add. (3) Enter information for the RADIUS Authentication Server. [Screenshot: Add RADIUS Authentication Server form: IP Address 10.100.50.37, Port 1812, Shared Secret, Shared Secret (again)] (4) Click update. (5) Enable authentication by selecting enabled for RADIUS Authentication Status. [Screenshot: Administration > RADIUS page. RADIUS Authentication Status: "Enable/Disable RADIUS authentication of system users (disabled by default)"; RADIUS Server Timeout (seconds); Use Local Password As Fallback: yes; RADIUS Servers: ID 1, IP Address 10.100.50.37. Help text: "RADIUS menu is used to configure RADIUS authentication of system users. Authentication applies to both CLI and WebUI users."] (6) Click update, then Apply. NEW PIN mode does not work via the admin console. See the Known issues section of this guide for more information.
13. ppropriate information. RSA Server IP/Hostname: Select the RSA Authentication Manager server you created. Group For RSA Authenticated Users: Select the Group name you created for the RSA Server. [Screenshot: Settings tab ("Allows you to configure some of the RSA authentication method specific settings") with RSA Server IP/Hostname 10.100.50.37 and Group For RSA Authenticated Users set to SecurID Users] (5) Click Update and then Apply to add the new information to the IOS configuration. Configuring the RADIUS Authentication Servers: (6) From the admin console, select VPN Gateways > Authentication. (7) Click Add. (8) Enter information for the Authentication Server, such as Name and Display Name. The Authentication Mechanism will be RADIUS. Then click update to complete additional RADIUS authentication options. (9) Select the Servers tab and click Add. [Screenshot: Add New RADIUS Server form (VPN 1, Auth Id 3): IP Address 10.100.50.35, Port, Shared Secret, Shared Secret (again)] (10) Enter the appropriate information for your server and click Update. Note: You can add a maximum of three RSA RADIUS servers to this authentication server list. [Screenshot: Servers tab listing RADIUS servers 10.100.50.37, 10.100.50.36 and 10.100.50.35] (11) Click Apply t
