Interlink Networks, LLC · The Interlink Networks RAD-Series RADIUS Server is a carrier-class ... -...

Interlink Networks, LLC RAD-Series RADIUS Server

RSA SecurID Ready Implementation Guide

Last Modified: September 4th, 2013

Partner Information
Product Information

Partner Name: Interlink Networks, LLC
Web Site: www.interlinknetworks.com
Product Name: RAD-Series RADIUS Server
Version & Platform: Version 8.2 for Linux and Oracle Solaris
Product Description: The Interlink Networks RAD-Series RADIUS Server is a carrier-class RADIUS Authentication, Authorization & Accounting Server for securing both wired and wireless networks. It provides high performance, is highly scalable, is modular, and is highly extensible and customizable through its configurable Finite State Machine architecture, Advanced Policy Engine, and Software Developer’s Kit.



Solution Summary

The Interlink Networks RAD-Series RADIUS Server provides Authentication, Authorization, and Accounting (AAA) services for all points of network and service access through application of the IETF Standard RADIUS protocol.

The AAA services delivered by the RAD-Series RADIUS Server provide:

• Ease of management and control through a centralized service.
• Consistent application of all authorization policies through a central service.
• Scalability and resiliency through the use of multiple instances, including geographically separated instances.
• Customizability and use in unforeseen applications through extensions developed with the RAD-Series Advanced Policy Engine and Software Developer’s Kit (SDK).
• Interoperability with all devices and applications complying with the IETF RADIUS Standards.


The RAD-Series RADIUS Server can be configured to communicate with an RSA Authentication Manager via RSA’s native SecurID protocol and act as an RSA Authentication Agent for authentication. This extends the RAD-Series Server’s Authentication Service by providing a form of two-factor authentication. The RSA Authentication Manager is enhanced by the extensive and customizable authorization policies configured and enforced by the RAD-Series Server acting in conjunction with the RSA Authentication Manager.

The RAD-Series RADIUS Server employs a dual IP stack to support both IPv4 and IPv6 address types. This feature enables RSA Authentication Manager to provide authentication services to hosts on IPv6 networks.

RSA SecurID supported features: Interlink Networks RAD-Series RADIUS Server

RSA SecurID Authentication via Native RSA SecurID Protocol: Yes
RSA SecurID Authentication via RADIUS Protocol: No
On-Demand Authentication via Native SecurID Protocol: Yes
On-Demand Authentication via RADIUS Protocol: No
RSA Authentication Manager Replica Support: Yes
Secondary RADIUS Server Support: No
RSA SecurID Software Token Automation: No
RSA SecurID SD800 Token Automation: No
RSA SecurID Protection of Administrative Interface: No


Authentication Agent Configuration

Authentication Agents are records in the RSA Authentication Manager database that contain information about the systems for which RSA SecurID authentication is provided. All RSA SecurID-enabled systems require corresponding Authentication Agents. Authentication Agents are managed using the RSA Security Console.

The following information is required to create an Authentication Agent:

• Hostname
• IP Addresses for network interfaces

Set the Agent Type to “Standard Agent” when adding the Authentication Agent. This setting is used by the RSA Authentication Manager to determine how communication with Interlink Networks RAD-Series RADIUS Server will occur.

Note: Hostnames within the RSA Authentication Manager / RSA SecurID Appliance must resolve to valid IP addresses on the local network.

Please refer to the appropriate RSA documentation for additional information about creating, modifying and managing Authentication Agents.

RSA SecurID files

RSA SecurID Authentication Files (file: location)

sdconf.rec: Configuration directory (/etc/opt/aaa by default)
failover.dat: Configuration directory (/etc/opt/aaa by default)
securid (Node Secret): Configuration directory (/etc/opt/aaa by default)
sdstatus.12: Configuration directory (/etc/opt/aaa by default)
sdopts.rec: Configuration directory (/etc/opt/aaa by default)

Note: The appendix of this document contains more detailed information regarding these files.

Important: This version of RAD-Series RADIUS uses a new version of the RSA Authentication libraries that changes the encryption format of the node secret file.

If you are upgrading from a previous version of RAD-Series RADIUS, you must clear the node secret or convert it using a tool available from RSA.


Partner Product Configuration

Before You Begin

This section provides instructions for configuring the Interlink Networks RAD-Series RADIUS Server with RSA SecurID Authentication. This document is not intended to suggest optimum installations or configurations. The RAD-Series Server can be configured either by using the RAD-Series Server Manager tool or by directly editing the configuration files. This document illustrates configuration using the RAD-Series Server Manager. Please refer to the RAD-Series Server documentation and application notes available from Interlink Networks, LLC if you want to edit the configuration files directly.

It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.

All RAD-Series RADIUS Server components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.

Configuring RAD-Series RADIUS Server for RSA SecurID Authentication

Interlink Networks RAD-Series RADIUS Server supports RSA SecurID Authentication using RSA’s native SecurID protocol. The following instructions configure RSA SecurID Authentication for a RAD-Series RADIUS Server running in an Oracle Solaris or Linux environment.

First Steps for all RSA SecurID Authentication Configurations

1. Copy the sdconf.rec and failover.dat files generated on the RSA Authentication Manager to the RAD-Series RADIUS Server configuration directory (/etc/opt/aaa by default).

2. Log in to the RAD-Series Server Manager using a workstation browser.


3. Load the current configuration of the server to be updated by clicking on Load Configuration in the navigation frame, selecting the server from the list, and clicking on Load.

Configuring an Individual User for RSA SecurID Authentication

Individual users (user@realm) or entire realms (user@realm) can be configured for RSA SecurID Authentication. This section shows how to configure an individual user for RSA SecurID Authentication.

1. Create the user by clicking on Users in the navigation frame, entering a unique username and clicking on Create.


2. Select RSA SecurID from the Authentication Type dropdown list and click on Create.

Configuring a Realm for RSA SecurID Authentication

1. Create the realm by clicking on Local Realms in the navigation frame and then clicking on the New Local Realm link.


2. Enter the realm name in the Name field.

3. Select Authentication from the Realm Type dropdown list.

4. Select RSA SecurID Authentication Manager from the User Profile Storage drop-down list.

5. Click on Create.

Final Steps to Apply the RSA SecurID Authentication Configurations

1. Save the updated configuration by clicking on Save Configuration in the navigation frame, selecting the server from the list, and clicking on Save.

2. If the RAD-Series Server is running then click on Administration in the navigation frame and click on Stop.


3. Start the RAD-Series Server using the new configuration by clicking on Administration in the navigation frame and then clicking on Start.


Certification Checklist for RSA Authentication Manager

Date Tested: August 8th, 2013

Certification Environment

• RSA Authentication Manager: version 8.0, operating system Virtual Appliance
• Interlink Networks RAD-Series RADIUS: version 8.2, operating system Red Hat Enterprise Linux

Mandatory Functionality

Each test below is listed under the RSA Native Protocol column; the value in parentheses is the entry in the RADIUS Protocol column.

New PIN Mode
• Force Authentication After New PIN (RADIUS Protocol: N/A)
• System Generated PIN (RADIUS Protocol: N/A)
• User Defined (4-8 Alphanumeric) (RADIUS Protocol: N/A)
• User Defined (5-7 Numeric) (RADIUS Protocol: N/A)
• Deny 4 and 8 Digit PIN (RADIUS Protocol: N/A)
• Deny Alphanumeric PIN (RADIUS Protocol: N/A)
• Deny Numeric PIN (RADIUS Protocol: N/A)
• Deny PIN Reuse (RADIUS Protocol: N/A)

Passcode
• 16-Digit Passcode (RADIUS Protocol: N/A)
• 4-Digit Fixed Passcode (RADIUS Protocol: N/A)

Next Tokencode Mode
• Next Tokencode Mode (RADIUS Protocol: N/A)

On-Demand Authentication
• On-Demand Authentication (RADIUS Protocol: N/A)
• On-Demand New PIN (RADIUS Protocol: N/A)

Load Balancing / Reliability Testing
• Failover (3-10 Replicas) (RADIUS Protocol: N/A)
• No RSA Authentication Manager (RADIUS Protocol: N/A)

JJO / PAR = Pass = Fail N/A = Not Applicable to Integration


Appendix

Partner Integration Details

RSA SecurID API: 8.1.2 C SDK
RSA Authentication Agent Type: Standard Agent
RSA SecurID User Specification: Designated Users
Display RSA Server Info: No
Perform Test Authentication: No
Agent Tracing: Yes

API Details: This version of the RAD-Series RADIUS Server uses a new version of the RSA Authentication libraries that changes the encryption format of the node secret file. If you are upgrading from a previous version then you must clear the node secret or convert it using a tool available from RSA.

Node Secret: This node secret is stored in the file securid in the RAD-Series Server configuration directory (/etc/opt/aaa by default). To clear the node secret, remove the securid file.

sdconf.rec: The sdconf.rec file is generated on the RSA Authentication Manager and stored in the RAD-Series Server configuration directory (/etc/opt/aaa by default). Certain changes to the RAD-Series Server or RSA Authentication Manager such as IP address changes require that a new file be generated and installed on the RAD-Series RADIUS Server.

failover.dat: The failover.dat file is generated on the RSA Authentication Manager and stored in the RAD-Series Server configuration directory (/etc/opt/aaa by default). Certain changes to the RAD-Series Server or RSA Authentication Manager such as IP address changes require that a new file be generated and installed on the RAD-Series RADIUS Server.
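The file descriptions above translate into a pre-flight check that can be run before starting the server. This is an added example, not part of the Interlink or RSA documentation: the file names and default directory come from this guide, while the permission policy (node secret readable only by its owner, no agent file writable by group or other) and the function name are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the guide): audit the RSA SecurID agent files in a
# RAD-Series configuration directory. File names and the default path come from
# the guide; the permission policy below is an assumption of this example.

# audit_securid_dir [DIR] -> prints findings, returns the number of problems.
audit_securid_dir() {
    dir=${1:-/etc/opt/aaa}
    problems=0

    # sdconf.rec and failover.dat must be copied from the Authentication
    # Manager before the server is configured; an empty file is as bad as none.
    for f in sdconf.rec failover.dat; do
        if [ ! -s "$dir/$f" ]; then
            echo "MISSING  $dir/$f"
            problems=$((problems + 1))
        fi
    done

    # The node secret is shared with the Authentication Manager. Assumed
    # policy: only the owning account may read it (mode 0600 or stricter).
    if [ -f "$dir/securid" ]; then
        bits=$(ls -ld "$dir/securid" | cut -c5-10)   # group+other rwx columns
        if [ "$bits" != "------" ]; then
            echo "EXPOSED  $dir/securid (group/other bits: $bits)"
            problems=$((problems + 1))
        fi
    else
        echo "NOTE     $dir/securid absent (node secret cleared or not yet created)"
    fi

    # None of the agent files should be writable by group or other.
    for f in sdconf.rec failover.dat securid sdstatus.12 sdopts.rec; do
        [ -e "$dir/$f" ] || continue
        wbits=$(ls -ld "$dir/$f" | cut -c6,9)        # group-write, other-write
        case $wbits in
            *w*) echo "WRITABLE $dir/$f"; problems=$((problems + 1)) ;;
        esac
    done

    return "$problems"
}

# Usage: audit_securid_dir /etc/opt/aaa || echo "review the findings above"
```

After an upgrade in which the node secret was cleared, the NOTE line for securid is expected and is not counted as a problem.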


Agent Tracing:

1. Log in to the RAD-Series Server Manager using a workstation browser.

2. Load the current configuration of the server to be updated by clicking on Load Configuration in the navigation frame, selecting the server from the list, and clicking on Load.


3. Click on Server Properties in the navigation frame.

4. Click on the RSA SecurID Properties link.

5. Set the RSA Trace Level parameter to the desired value (0-15) and click on Modify.


6. Save the updated configuration by clicking on Save Configuration in the navigation frame, selecting the server from the list, and clicking on Save.

7. If the RAD-Series Server is running then click on Administration in the navigation frame and click on Stop.

8. Start the RAD-Series Server using the new configuration by clicking on Administration in the navigation frame and then clicking on Start.


IPv6 support: The RAD-Series RADIUS Server employs a dual IP stack to support both IPv4 and IPv6 address types. This feature enables the RAD-Series RADIUS Server to proxy authentication requests from hosts on IPv6 networks to RSA Authentication Manager Servers on IPv4 networks.