Thursday, October 2, 2008

How to Implement RSA Authentication with Nortel Contivity VPN Gateway

Summary

This article describes how to implement RSA authentication for the Nortel Contivity VPN Gateway.

Requirements

  • RSA server (Windows platform)
  • Nortel Contivity VPN Gateway

Note: This article assumes basic RADIUS knowledge and familiarity with the Nortel Contivity VPN.
Background

This article describes the RADIUS integration with RSA and how to enable RSA authentication for VPN users.
  • RSA version 6.1, which is shipped with the Steel-Belted Radius (SBR) server component

Note: Both the RSA ACE/Server daemon and the SBR component can be installed on a running RSA server. Consult your product documentation for more information on how to complete this task.


Procedure

RSA server configuration steps

Note: If the RSA RADIUS Server component is not installed, consult the RSA RADIUS Server 6.1 Administrator’s Guide for further instructions.

  1. On the RSA server, go to Start > Programs > RSA Security and launch RSA Authentication Manager Host Mode. The RSA Authentication Manager 6.1 Administrator window opens.

  2. Go to RADIUS and choose Manage RADIUS Server in the drop-down menu.
    The RSA RADIUS -- Powered by Steel-Belted Radius (RSA) window opens.
  3. In the right pane of the RSA RADIUS window, right-click RADIUS Clients and click Add. The Add RADIUS Client window opens.


  4. Provide the following configuration settings:

    Name: Type the hostname of the Nortel VPN box. If the VPN box has no hostname assigned, add one to the hosts file of the RSA server.
    Description: Type a description (not mandatory).
    IP Address: Type the Nortel Contivity VPN box IP address.
    Shared secret: Type the shared secret between the Nortel Contivity VPN box and the RADIUS server.
    Make/model: Choose Standard Radius from the drop-down menu.
  5. Click OK. The Add RADIUS Client window closes.

  6. Close the RSA RADIUS – Powered by Steel-Belted Radius (RSA) window.

  7. In the RSA Authentication Manager Host Mode window, click Agent Host and choose Add Agent Host.

  8. Configure the following settings for your Nortel Contivity device:

    Name: Provide the Fully Qualified Domain Name (FQDN) of the Nortel Contivity VPN device. After providing the FQDN, press the TAB key and the Network address field should populate itself.
    Network address: If this field does not populate itself, provide the IP address of the Nortel Contivity device and add its FQDN to the hosts file of the RSA server.
    Agent Type: Select Communication Server.
    Select the Open to All Locally Known Users check box. If not all the users imported on the RSA server are allowed, click User Activations... and import the users that are allowed to authenticate through the Nortel Contivity.
    Note: By default, an Agent Host entry for the RSA server itself is created and configured as a RADIUS Server when the RADIUS component is installed. If it was not created, create it as described below.
  9. If not already present, create an Agent Host entry for the RSA server itself. Refer to the following screen shot:

  10. Configure the following settings for your RSA server:

    Name: Provide the FQDN of the RSA server. After providing the FQDN, press TAB and the Network Address field should populate itself.
    Network Address: If it does not self-populate, provide the IP address of the RSA server.
    Agent Type: Select RADIUS Server.

Additional configuration steps on the RSA server

  1. Import users (through Lightweight Directory Access Protocol (LDAP) synchronization) or create local users.
  2. Assign tokens to users.
  3. Consult your RSA product documentation for more information on how to finalize the RSA server configuration.


Nortel Contivity VPN Router configuration steps

Enabling Support for RSA SecurID Authentication

  1. Using a web browser, connect and log in to the Nortel VPN Router Administration Console.
  2. Enable RSA SecurID authentication via RADIUS (Services > IPSec > RADIUS Authentication).

VPN Router Supported Authentication Types

  1. The Nortel VPN Router supports RSA SecurID authentication of users via RADIUS only. This is configured in the Servers > Radius Authentication page of the CES Web management interface.
  2. Check the box at the top of the screen that reads Enable Access to RADIUS Authentication.
  3. Under the Server-Supported Authentication Options section, click the checkbox to enable support for Response Only authentication.
  4. In the RADIUS Servers section, fill in the required information, making sure the box labeled Enabled is checked next to each server available to the Nortel VPN Router for authentication.

RADIUS Group Configuration

Any user seeking RADIUS authentication must belong to a group specified by a group ID and password, configured in the Profiles > Groups > Edit > IPSec > Authentication > Configure page. This is a two-step process where (1) the Nortel VPN Router authenticates the remote user with RSA SecurID tokens, and (2) the client uses the Group ID and Group Password to authenticate the Switch's identity.

  1. Select the check box to enable RSA SecurID token authentication.
  2. Enter the Group ID and Password to provide access to the Nortel VPN Router from the client.
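The shared secret typed into the Add RADIUS Client dialog on the RSA server and into the RADIUS Servers section of the VPN Router is what ties the two sides of the RADIUS exchange together. The Python script below is an added example, not code from the original article nor from the RSA or Nortel products: it builds an Access-Request the way the VPN Router (the NAS) would for Response Only authentication, with the passcode carried in User-Password and hidden with the shared secret per RFC 2865, answers it with a stand-in for the RSA RADIUS server, and verifies the Response Authenticator on the way back. The user name, passcode, secret, NAS address and user table are constructed values (a real ACE/Server validates the PIN and tokencode against the assigned token, which is not modelled here). The last call shows the most common misconfiguration, a shared secret that differs between the two sides: the passcode decrypts to garbage, the request is rejected, and the reply fails verification on the VPN Router.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for this example. In a real deployment the shared secret is
# whatever was entered in the RSA RADIUS "Add RADIUS Client" dialog and in the
# VPN Router's RADIUS Servers page; the NAS address is a documentation address.
SHARED_SECRET = b"example-shared-secret"
NAS_IP = "192.0.2.10"

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

# Stand-in for the RSA server's user/token store: user -> expected passcode (constructed).
USER_DB = {b"alice": b"1234567890"}


def _attr(atype, value):
    """Encode one RADIUS attribute as type, length, value (RFC 2865 section 5)."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def _parse_attrs(data):
    """Decode a run of type/length/value attributes into a dict keyed by type."""
    attrs = {}
    while data:
        atype, alen = struct.unpack("!BB", data[:2])
        if alen < 2 or alen > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[atype] = data[2:alen]
        data = data[alen:]
    return attrs


def hide_password(password, secret, authenticator):
    """User-Password hiding (RFC 2865 section 5.2): pad to 16-byte blocks, XOR with an MD5 chain."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    padded = padded or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += chunk
        prev = chunk  # the next block is keyed by the previous ciphertext block
    return out


def unhide_password(hidden, secret, authenticator):
    """Reverse of hide_password; trailing padding bytes are stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(username, passcode, secret, identifier=0):
    """What the VPN Router sends after the user enters their SecurID passcode."""
    request_auth = os.urandom(16)  # Request Authenticator: fresh random bytes per request
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(passcode, secret, request_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in NAS_IP.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def serve_access_request(packet, secret, user_db=USER_DB):
    """Stand-in for the RSA RADIUS server: recover the passcode and answer Accept/Reject."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"")
    passcode = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    reply_code = ACCESS_ACCEPT if user_db.get(user) == passcode else ACCESS_REJECT
    reply_attrs = b""
    header = struct.pack("!BBH", reply_code, identifier, 20 + len(reply_attrs))
    return header + response_authenticator(reply_code, identifier, reply_attrs, request_auth, secret) + reply_attrs


def verify_response(request, response, secret):
    """NAS-side check: the reply must be bound to our Request Authenticator and the shared secret."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, identifier, response[20:length], request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])


def authenticate(username, passcode, nas_secret, server_secret):
    """One round trip; returns (accepted, reply_authentic)."""
    req = build_access_request(username, passcode, nas_secret)
    resp = serve_access_request(req, server_secret)
    return resp[0] == ACCESS_ACCEPT, verify_response(req, resp, nas_secret)


if __name__ == "__main__":
    print(authenticate(b"alice", b"1234567890", SHARED_SECRET, SHARED_SECRET))   # (True, True)
    print(authenticate(b"alice", b"0000000000", SHARED_SECRET, SHARED_SECRET))   # (False, True)
    # Secret mismatch between the two sides: reject, and the reply cannot be verified.
    print(authenticate(b"alice", b"1234567890", SHARED_SECRET, b"wrong-secret"))  # (False, False)
```

The packets are exchanged in memory rather than over UDP port 1812, so the script runs offline. The second outcome, a reject whose Response Authenticator still verifies, is what a wrong passcode looks like when the shared secrets match; the third, where verification also fails, is the signature of a shared secret that was typed differently on the RSA server and on the VPN Router, which is worth checking before suspecting the token assignment.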
