DIGIPASS Authentication for F5 FirePass With IDENTIKEY Server

DIGIPASS Authentication for F5 FirePass - Integration Guideline V1.0  2010Integration VASCO Data Security. All rights reserved. Guideline


Disclaimer

Disclaimer of Warranties and Limitations of Liabilities
This Report is provided on an 'as is' basis, without any other warranties, or conditions. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security.

Trademarks
DIGIPASS & IDENTIKEY are registered trademarks of VASCO Data Security. All trademarks or trade names are the property of their respective owners. VASCO reserves the right to make changes to specifications at any time and without notice. The information furnished by VASCO in this document is believed to be accurate and reliable. However, VASCO may not be held liable for its use, nor for infringement of patents or other rights of third parties resulting from its use.

Copyright © 2010 VASCO Data Security. All rights reserved.


Table of Contents

DIGIPASS Authentication for F5 FirePass
Disclaimer
Table of Contents
1 Overview
2 Problem Description
3 Solution
4 Technical Concept
4.1 General overview
4.2 F5 FirePass prerequisites
4.3 IDENTIKEY Server Prerequisites
5 F5 FirePass Configuration
6 IDENTIKEY Server
6.1 Policy configuration
6.2 Client configuration
7 F5 FirePass SSL/VPN test
7.1 Response Only
7.2 Challenge / Response
8 About VASCO Data Security


1 Overview The purpose of this document is to demonstrate how to configure IDENTIKEY Server to work with an F5 FirePass device. Authentication is handled in one central place, where it can serve both regular VPN and SSL/VPN connections.

2 Problem Description The F5 FirePass authenticates users against an existing back-end (LDAP, RADIUS, local authentication, ...). To use IDENTIKEY Server with the F5 FirePass, the external authentication settings must be changed or added manually.

3 Solution After configuring IDENTIKEY Server and the F5 FirePass in the right way, you replace the weakest link in any security infrastructure, the static password, which is easily stolen, guessed, reused or shared, with a one-time password. The F5 FirePass is a combined SSL/VPN platform: it is possible to access your network from a web portal page and/or to create an SSL tunnel.

Figure 1: Web portal

Figure 2: SSL Tunnel


4 Technical Concept

4.1 General overview

The main goal of the F5 FirePass is to authenticate users in order to secure all kinds of VPN connections. Because the F5 FirePass can authenticate against an external service over the RADIUS protocol, we place IDENTIKEY Server as the RADIUS back-end of the F5 FirePass appliance, so that authentication is secured by IDENTIKEY Server. Users are now checked first by IDENTIKEY Server, which in turn can be linked to Active Directory in the back-end. In other words, IDENTIKEY Server sits between the F5 FirePass and Active Directory.

Figure 3: General overview

4.2 F5 FirePass prerequisites

Please make sure you have a working setup of the F5 FirePass. It is very important that this works correctly before you start implementing authentication to IDENTIKEY Server. Currently all F5 FirePass devices use the same web configuration and CLI interface, so this integration guide applies to the complete F5 FirePass product range.

4.3 IDENTIKEY Server Prerequisites

In this guide we assume you already have IDENTIKEY Server installed and working. If this is not the case, get it working before adding any other features.


5 F5 FirePass Configuration By default the web configuration interface is reachable at https://<FirePass address>/admin/. In our case this becomes: https://10.10.1.110/admin/

Figure 4: F5 FirePass Configuration (1) On the lower left menu, select Users.

Figure 5: F5 FirePass Configuration (2)


On the top left menu, now select Groups.

Figure 6: F5 FirePass Configuration (3) In this case we assume that you already have some external authentication configured (Active Directory, LDAP, RADIUS, ...). Click on the name of the group you want to change. Since the ADusers group was being used to authenticate users against Active Directory, we change that group.

Figure 7: F5 FirePass Configuration (4)


If the authentication method is already RADIUS, skip to Figure 10. Otherwise, click Convert authentication method.

Figure 8: F5 FirePass Configuration (5) Choose the RADIUS Authentication option.

Figure 9: F5 FirePass Configuration (6)


Now fill in the details of the server where IDENTIKEY Server is installed.

Figure 10: F5 FirePass Configuration (7) Click the Save Settings button to save the changes. The F5 FirePass now sends its authentication requests to IDENTIKEY Server. You still need to configure IDENTIKEY Server with the same back-end your application was using before: if users were checked against Active Directory, RADIUS or any other back-end authentication service, IDENTIKEY Server must be set up with that same back-end authentication.


6 IDENTIKEY Server Go to the IDENTIKEY Server web administration page and authenticate with an administrative account.

6.1 Policy configuration

To add a new policy, select Policies > Create.

Figure 11: Policy configuration (1) There are some policies available by default. You can also create new policies to suit your needs. Those can be independent policies or inherit their settings from default or other policies.


Fill in a policy ID and description, and choose the options most suitable for your situation. If you want the policy to inherit settings from another policy, choose that policy in the Inherits From list; otherwise leave this field at None.

Figure 12: Policy configuration (2) In the policy options, configure the policy to use the right back-end server. This can be the local database, Active Directory (Windows) or another RADIUS server; normally it is the same back-end your client was using before you changed it. In our example we select our newly made Demo Policy and change it like this:
• Local auth.: Digipass/Password
• Back-End Auth.: Default (None)
• Back-End Protocol: Default (None)
• Dynamic User Registration: Default (No)
• Password Autolearn: Default (No)
• Stored Password Proxy: Default (No)
• Windows Group Check: Default (No Check)

With this policy, authentication happens locally in IDENTIKEY Server: the credentials forwarded by the F5 FirePass are checked against the IDENTIKEY Server user database, and the client receives a RADIUS Access-Accept or Access-Reject message.


In the Policy tab, click the Edit button, and change the Local Authentication to Digipass/Password.

Figure 13: Policy configuration (3) The user details can keep their default settings.

Figure 14: Policy configuration (4)


6.2 Client configuration

Now create a new component: right-click Components and choose New Component.

Figure 15: Client configuration (1)


As component type choose RADIUS Client. The location is the IP address of the RADIUS client, i.e. the F5 FirePass appliance. In the policy field you should find your newly created policy. Enter the same shared secret you configured in the RADIUS settings on the F5 FirePass; in our example this was "vasco". Note that "vasco" is a demonstration value only: RADIUS hides the User-Password attribute with an MD5 keystream derived from the shared secret and authenticates replies with that same secret, so a short or guessable secret lets anyone who can observe the traffic recover the one-time passwords and forge Access-Accept replies. Use a long random secret in production and keep the RADIUS traffic on a trusted network segment. Click Create.

Figure 16: Client configuration (2) The client and IDENTIKEY Server are now set up. Before testing through the F5 FirePass, a RADIUS test client such as FreeRADIUS radtest, run from a host that is also registered as a RADIUS Client component, can confirm that IDENTIKEY Server answers Access-Request packets with the expected result. We will now see if the configuration is working.


7 F5 FirePass SSL/VPN test

7.1 Response Only

To start the test, browse to the public IP address or hostname of the F5 FirePass device. In our example this is https://10.10.1.110. Enter your Username and, as Password, the one-time password generated by your DIGIPASS, then click the Logon button.

Figure 17: Response Only (1) If all goes well, you will be authenticated and see the SSL/VPN portal page.

Figure 18: Response Only (2)


7.2 Challenge / Response

For the challenge/response test, enter your Username and, as Password, the challenge/response trigger, then click the Logon button. In our case the challenge/response trigger is the user's static password.

Figure 19: Challenge / Response (1) You are presented with a DP300 challenge code. Enter this challenge on your DIGIPASS 300 (keypad) to generate a response. Enter the response in the empty field and click Logon.

Figure 20: Challenge / Response (2)


If everything goes well, you will be shown the SSL/VPN portal page.

Figure 21: Challenge / Response (3)
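The two logon flows tested in 7.1 and 7.2 are, on the wire, a RADIUS exchange between the F5 FirePass (the NAS) and IDENTIKEY Server: a Response Only logon is one Access-Request answered with Access-Accept or Access-Reject, and a challenge/response logon is an Access-Request answered with Access-Challenge (carrying the challenge text in Reply-Message and a State attribute) followed by a second Access-Request that echoes the State with the token response. The script below is an added example, not code from the guide or from VASCO or F5, and it models both flows with both sides' packets built and checked as RFC 2865 specifies, using the guide's demo shared secret "vasco". The user table, the OTP and response values, and the "DP300 Challenge: ..." message text are constructed stand-ins: the real IDENTIKEY Server derives the expected values from the DIGIPASS algorithm and each token's secret, which the guide does not describe.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11  # packet codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24                 # attribute types
SECRET = b"vasco"  # the guide's demo shared secret; use a long random value in production

def encode_attrs(attrs):
    """Serialise [(type, value), ...] as RADIUS type/length/value attributes."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += bytes([t, len(v) + 2]) + v
    return out

def decode_attrs(data):
    """Parse attributes; a bad length field raises instead of reading past the buffer."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def pap_crypt(data, secret, req_auth, recover=False):
    """RFC 2865 5.2 User-Password hiding: each 16-byte block XOR MD5(secret + previous cipher block)."""
    data += b"\x00" * (-len(data) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = data[i:i + 16] if recover else block  # the chain always runs over ciphertext
    return out.rstrip(b"\x00") if recover else out

def build_access_request(username, password, ident, secret=SECRET, state=None):
    """FirePass -> IDENTIKEY: User-Name, hidden User-Password, plus State when answering a challenge."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, pap_crypt(password.encode(), secret, req_auth))]
    if state is not None:
        attrs.append((STATE, state))
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def build_response(code, request, attrs, secret=SECRET):
    """IDENTIKEY -> FirePass; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

def verify_response(response, request, secret=SECRET):
    """Client-side check that a reply belongs to our request and was made with our shared secret."""
    if not response or len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

# Constructed stand-in for the IDENTIKEY user store: the real server derives the expected OTP or
# response from the DIGIPASS algorithm and the token's secret, which is not described on the page.
USERS = {
    b"alice": {"otp": b"493021"},                                                   # Response Only
    b"bob": {"static": b"bobpw", "challenge": b"57301864", "response": b"218457"},  # DP300 C/R
}
PENDING = {}  # State value -> user that still owes a challenge response

def identikey_handle(request, secret=SECRET):
    """Answer one Access-Request; return None to silently drop a malformed packet."""
    if len(request) < 20 or request[0] != ACCESS_REQUEST or struct.unpack("!H", request[2:4])[0] != len(request):
        return None
    attrs = dict(decode_attrs(request[20:]))
    name, hidden, state = attrs.get(USER_NAME), attrs.get(USER_PASSWORD), attrs.get(STATE)
    user = USERS.get(name)
    if user is None or hidden is None:
        return build_response(ACCESS_REJECT, request, [])
    pw = pap_crypt(hidden, secret, request[4:20], recover=True)
    if state is not None:  # second leg of challenge/response: State must match a pending challenge
        ok = PENDING.pop(state, None) == name and pw == user.get("response")
        return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, [])
    if pw == user.get("otp"):
        return build_response(ACCESS_ACCEPT, request, [])
    if pw == user.get("static"):  # the static password is the challenge/response trigger (7.2)
        state = os.urandom(8)
        PENDING[state] = name
        return build_response(ACCESS_CHALLENGE, request,
                              [(REPLY_MESSAGE, b"DP300 Challenge: " + user["challenge"]), (STATE, state)])
    return build_response(ACCESS_REJECT, request, [])

def response_only_login(username, otp):
    """Section 7.1: one Access-Request, one final reply. Returns the reply code."""
    req = build_access_request(username, otp, ident=1)
    resp = identikey_handle(req)
    return resp[0] if verify_response(resp, req) else None

def challenge_response_login(username, static_pw, token_response):
    """Section 7.2: trigger -> Access-Challenge -> token response with State echoed back."""
    req1 = build_access_request(username, static_pw, ident=2)
    resp1 = identikey_handle(req1)
    if not verify_response(resp1, req1) or resp1[0] != ACCESS_CHALLENGE:
        return (resp1[0] if resp1 else None), None
    reply = dict(decode_attrs(resp1[20:]))
    req2 = build_access_request(username, token_response, ident=3, state=reply[STATE])
    resp2 = identikey_handle(req2)
    return (resp2[0] if verify_response(resp2, req2) else None), reply[REPLY_MESSAGE]

if __name__ == "__main__":
    print("alice, response only:", response_only_login("alice", "493021"))
    print("bob, challenge/response:", challenge_response_login("bob", "bobpw", "218457"))
```

Two details matter for the caveat on the shared secret: the User-Password hiding is only an MD5 keystream keyed by the secret, so a guessed secret recovers every password or OTP in a capture, and the Response Authenticator is the only thing that ties a reply to the request, so a FirePass that does not verify it (or a secret that is guessable) leaves the door open to a forged Access-Accept. A request built with a mismatched secret is simply rejected, which is what you see in the FirePass log when the two sides disagree on the secret.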


8 About VASCO Data Security VASCO designs, develops, markets and supports patented Strong User Authentication products for e-Business and e-Commerce. VASCO’s User Authentication software is carried by the end user on its DIGIPASS products which are small “calculator” hardware devices, or in a software format on mobile phones, other portable devices, and PC’s. At the server side, VASCO’s VACMAN products guarantee that only the designated DIGIPASS user gets access to the application. VASCO’s target markets are the applications and their several hundred million users that utilize fixed password as security. VASCO’s time-based system generates a “one-time” password that changes with every use, and is virtually impossible to hack or break. VASCO designs, develops, markets and supports patented user authentication products for the financial world, remote access, e-business and e-commerce. VASCO’s user authentication software is delivered via its DIGIPASS hardware and software security products. With over 25 million DIGIPASS products sold and delivered, VASCO has established itself as a world-leader for strong User Authentication with over 500 international financial institutions and almost 3000 blue-chip corporations and governments located in more than 100 countries.
