Interlink Networks, LLC

Author: Rhoda Eaton
Interlink Networks, LLC RAD-Series RADIUS Server

RSA SecurID Ready Implementation Guide

Last Modified: September 4th, 2013

Partner Information

Product Information

Partner Name:        Interlink Networks, LLC
Web Site:            www.interlinknetworks.com
Product Name:        RAD-Series RADIUS Server
Version & Platform:  Version 8.2 for Linux and Oracle Solaris
Product Description: The Interlink Networks RAD-Series RADIUS Server is a carrier-class RADIUS Authentication, Authorization & Accounting Server for securing both wired and wireless networks. It provides high performance, is highly scalable, is modular, and is highly extensible and customizable through its configurable Finite State Machine architecture, Advanced Policy Engine, and Software Developer’s Kit.


Solution Summary

The Interlink Networks RAD-Series RADIUS Server provides Authentication, Authorization, and Accounting (AAA) services for all points of network and service access through application of the IETF Standard RADIUS protocol. The AAA services delivered by the RAD-Series RADIUS Server provide:

• Ease of management and control through a centralized service.
• Consistent application of all authorization policies through a central service.
• Scalability and resiliency through the use of multiple instances, including geographically separated instances.
• Customizability and use in unforeseen applications through extensions developed with the RAD-Series Advanced Policy Engine and Software Developer’s Kit (SDK).
• Interoperability with all devices and applications complying with the IETF RADIUS Standards.


The RAD-Series RADIUS Server can be configured to communicate with an RSA Authentication Manager via RSA’s native SecurID protocol and act as an RSA Authentication Agent for authentication. This extends the RAD-Series Server's Authentication Service by providing a form of two factor authentication. The RSA Authentication Manager is enhanced by the extensive and customizable authorization policies configured and enforced by the RAD-Series Server acting in conjunction with the RSA Authentication Manager.

The RAD-Series RADIUS Server employs a dual IP stack to support both IPv4 and IPv6 address types. This feature enables RSA Authentication Manager to provide authentication services to hosts on IPv6 networks.

RSA SecurID supported features

Interlink Networks RAD-Series RADIUS Server

RSA SecurID Authentication via Native RSA SecurID Protocol    Yes
RSA SecurID Authentication via RADIUS Protocol                No
On-Demand Authentication via Native SecurID Protocol          Yes
On-Demand Authentication via RADIUS Protocol                  No
RSA Authentication Manager Replica Support                    Yes
Secondary RADIUS Server Support                               No
RSA SecurID Software Token Automation                         No
RSA SecurID SD800 Token Automation                            No
RSA SecurID Protection of Administrative Interface            No


Authentication Agent Configuration

Authentication Agents are records in the RSA Authentication Manager database that contain information about the systems for which RSA SecurID authentication is provided. All RSA SecurID-enabled systems require corresponding Authentication Agents. Authentication Agents are managed using the RSA Security Console.

The following information is required to create an Authentication Agent:

• Hostname
• IP Addresses for network interfaces

Set the Agent Type to “Standard Agent” when adding the Authentication Agent. This setting is used by the RSA Authentication Manager to determine how communication with Interlink Networks RAD-Series RADIUS Server will occur.

Note: Hostnames within the RSA Authentication Manager / RSA SecurID Appliance must resolve to valid IP addresses on the local network.

Please refer to the appropriate RSA documentation for additional information about creating, modifying and managing Authentication Agents.

RSA SecurID files

RSA SecurID Authentication Files

Files                    Location
sdconf.rec               Configuration directory (/etc/opt/aaa by default)
failover.dat             Configuration directory (/etc/opt/aaa by default)
securid (Node Secret)    Configuration directory (/etc/opt/aaa by default)
sdstatus.12              Configuration directory (/etc/opt/aaa by default)
sdopts.rec               Configuration directory (/etc/opt/aaa by default)

Note: The appendix of this document contains more detailed information regarding these files.

Important: This version of RAD-Series RADIUS uses a new version of the RSA Authentication libraries that changes the encryption format of the node secret file. If you are upgrading from a previous version of RAD-Series RADIUS, you must clear the node secret or convert it using a tool available from RSA.


Partner Product Configuration

Before You Begin

This section provides instructions for configuring the Interlink Networks RAD-Series RADIUS Server with RSA SecurID Authentication. This document is not intended to suggest optimum installations or configurations.

The RAD-Series Server can be configured either by using the RAD-Series Server Manager tool or by directly editing the configuration files. This document illustrates configuration using the RAD-Series Server Manager. Please refer to the RAD-Series Server documentation and application notes available from Interlink Networks, LLC if you want to edit the configuration files directly.

It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.

All RAD-Series RADIUS Server components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.

Configuring RAD-Series RADIUS Server for RSA SecurID Authentication

Interlink Networks RAD-Series RADIUS Server supports RSA SecurID Authentication using RSA’s native SecurID protocol. The following instructions configure RSA SecurID Authentication for a RAD-Series RADIUS Server running in an Oracle Solaris or Linux environment.

First Steps for all RSA SecurID Authentication Configurations

1. Copy the sdconf.rec and failover.dat files generated on the RSA Authentication Manager to the RAD-Series RADIUS Server configuration directory (/etc/opt/aaa by default).
2. Log in to the RAD-Series Server Manager using a workstation browser.
3. Load the current configuration of the server to be updated by clicking on Load Configuration in the navigation frame, selecting the server from the list, and clicking on Load.

Configuring an Individual User for RSA SecurID Authentication

Individual users (user@realm) or entire realms (user@realm) can be configured for RSA SecurID Authentication. This section shows how to configure an individual user for RSA SecurID Authentication.

1. Create the user by clicking on Users in the navigation frame, entering a unique username and clicking on Create.
2. Select RSA SecurID from the Authentication Type dropdown list and click on Create.

Configuring a Realm for RSA SecurID Authentication

1. Create the realm by clicking on Local Realms in the navigation frame and then clicking on the New Local Realm link.
2. Enter the realm name in the Name field.
3. Select Authentication from the Realm Type dropdown list.
4. Select RSA SecurID Authentication Manager from the User Profile Storage drop-down list.
5. Click on Create.

Final Steps to Apply the RSA SecurID Authentication Configurations

1. Save the updated configuration by clicking on Save Configuration in the navigation frame, selecting the server from the list, and clicking on Save.
2. If the RAD-Series Server is running then click on Administration in the navigation frame and click on Stop.
3. Start the RAD-Series Server using the new configuration by clicking on Administration in the navigation frame and then clicking on Start.


Certification Checklist for RSA Authentication Manager

Date Tested: August 8th, 2013

Certification Environment

Product Name                            Version Information    Operating System
RSA Authentication Manager              8.0                    Virtual Appliance
Interlink Networks RAD-Series RADIUS    8.2                    Red Hat Enterprise Linux

Mandatory Functionality

RSA Native Protocol

New PIN Mode
• Force Authentication After New PIN
• System Generated PIN
• User Defined (4-8 Alphanumeric)
• User Defined (5-7 Numeric)
• Deny 4 and 8 Digit PIN
• Deny Alphanumeric PIN
• Deny Numeric PIN
• Deny PIN Reuse

Passcode
• 16-Digit Passcode
• 4-Digit Fixed Passcode

Next Tokencode Mode
• Next Tokencode Mode

On-Demand Authentication
• On-Demand Authentication
• On-Demand New PIN

Load Balancing / Reliability Testing
• Failover (3-10 Replicas)
• No RSA Authentication Manager

RADIUS Protocol

New PIN Mode
• Force Authentication After New PIN: N/A
• System Generated PIN: N/A
• User Defined (4-8 Alphanumeric): N/A
• User Defined (5-7 Numeric): N/A
• Deny 4 and 8 Digit PIN: N/A
• Deny Alphanumeric PIN: N/A
• Deny Numeric PIN: N/A
• Deny PIN Reuse: N/A

Passcode
• 16-Digit Passcode: N/A
• 4-Digit Fixed Passcode: N/A

Next Tokencode Mode
• Next Tokencode Mode: N/A

On-Demand Authentication
• On-Demand Authentication: N/A
• On-Demand New PIN: N/A

Load Balancing / Reliability Testing
• Failover: N/A
• No RSA Authentication Manager: N/A

JJO / PAR

= Pass    = Fail    N/A = Not Applicable to Integration


Appendix

Partner Integration Details

RSA SecurID API:                   8.1.2 C SDK
RSA Authentication Agent Type:     Standard Agent
RSA SecurID User Specification:    Designated Users
Display RSA Server Info:           No
Perform Test Authentication:       No
Agent Tracing:                     Yes

API Details: This version of the RAD-Series RADIUS Server uses a new version of the RSA Authentication libraries that changes the encryption format of the node secret file. If you are upgrading from a previous version then you must clear the node secret or convert it using a tool available from RSA.

Node Secret: This node secret is stored in the file securid in the RAD-Series Server configuration directory (/etc/opt/aaa by default). To clear the node secret, remove the securid file.

sdconf.rec: The sdconf.rec file is generated on the RSA Authentication Manager and stored in the RAD-Series Server configuration directory (/etc/opt/aaa by default). Certain changes to the RAD-Series Server or RSA Authentication Manager such as IP address changes require that a new file be generated and installed on the RAD-Series RADIUS Server.

failover.dat: The failover.dat file is generated on the RSA Authentication Manager and stored in the RAD-Series Server configuration directory (/etc/opt/aaa by default). Certain changes to the RAD-Series Server or RSA Authentication Manager such as IP address changes require that a new file be generated and installed on the RAD-Series RADIUS Server.
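
The file layout described above can be checked from a shell on the RADIUS host. The following is an added example, not code from Interlink Networks or RSA: the file names and default directory come from this guide, while the function names and the permission policy (no group or other access to the node secret, no group or other write access to any agent file) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not vendor code. File names and the default directory are
# taken from the guide; the permission policy is an assumption of this example.

# Print the group+other permission characters of a path, e.g. "r--r--".
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# audit_rsa_agent_dir [DIR]
# Prints one line per finding; returns 0 when clean, 1 when anything is flagged.
audit_rsa_agent_dir() {
    dir=${1:-/etc/opt/aaa}
    rc=0

    # Both files are generated on the RSA Authentication Manager and copied
    # into the configuration directory during the first configuration step.
    for f in sdconf.rec failover.dat; do
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING $f"
            rc=1
        fi
    done

    # Node secret: flag any group or other access (assumed policy).
    # Its absence is not a finding, since clearing it means removing the file.
    if [ -f "$dir/securid" ]; then
        if [ "$(group_other_bits "$dir/securid")" != "------" ]; then
            echo "EXPOSED securid"
            rc=1
        fi
    fi

    # No agent file should be writable by group or other (assumed policy).
    for f in sdconf.rec failover.dat securid sdstatus.12 sdopts.rec; do
        [ -e "$dir/$f" ] || continue
        case "$(group_other_bits "$dir/$f")" in
            ?w????|????w?) echo "WRITABLE $f"; rc=1 ;;
        esac
    done

    return "$rc"
}
```

Source the file and call audit_rsa_agent_dir, passing the configuration directory as the argument if it is not the default.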


Agent Tracing:

1. Log in to the RAD-Series Server Manager using a workstation browser.
2. Load the current configuration of the server to be updated by clicking on Load Configuration in the navigation frame, selecting the server from the list, and clicking on Load.
3. Click on Server Properties in the navigation frame.
4. Click on the RSA SecurID Properties link.
5. Set the RSA Trace Level parameter to the desired value (0-15) and click on Modify.
6. Save the updated configuration by clicking on Save Configuration in the navigation frame, selecting the server from the list, and clicking on Save.
7. If the RAD-Series Server is running then click on Administration in the navigation frame and click on Stop.
8. Start the RAD-Series Server using the new configuration by clicking on Administration in the navigation frame and then clicking on Start.


IPv6 support: The RAD-Series RADIUS Server employs a dual IP stack to support both IPv4 and IPv6 address types. This feature enables the RAD-Series RADIUS Server to proxy authentication requests from hosts on IPv6 networks to RSA Authentication Manager Servers on IPv4 networks.
