sonicwall inc.
ssl-vpn series
rsa securid ready implementation guide
last modified: march 27, 2009
partner information
product information
partner name sonicwall inc.
web site
product name sonicwall ssl-vpn
version & platform sonicos ssl-vpn 3.5.0.0-15sv
product description sonicwall ssl-vpn appliances provide small and mid-size organizations
an easy-to-use, secure and affordable remote access solution that requires
no pre-installed client software. utilizing a standard web browser,
authorized users such as employees, contractors, partners and customers,
can easily and securely access e-mail, files, intranets, web and legacy
applications and remote desktops from any location. sonicos supports
rsa securid authentication via the radius protocol.
product category perimeter defense (firewalls, vpns & intrusion detection)
2
solution summary
partner integration overview
authentication methods supported radius
list library version used n/a
rsa authentication manager replica support n/a
secondary radius server support yes (2)
rsa authentication agent host type for 6.1 communication server
rsa authentication agent host type for 7.1 standard agent
rsa securid user specification designated users, all users, default method
rsa securid protection of administrative users no
rsa software token and rsa securid 800 automation no
lan
internet
rsa server sonicwall ssl-vpn
remote user
remote user
gateway device
3
product requirements
partner product requirements: sonicwall ssl-vpn
hardware version 2000, 4000
firmware version sonicos ssl-vpn 3.5.0.0-15sv
agent host configuration
important: "agent host" and "authentication agent" are synonymous.
"agent host" is a term used with the rsa authentication manager 6.x
servers and below. rsa authentication manager 7.1 uses the term
"authentication agent".
important: all "authentication agent" types for 7.1 should be set to
"standard agent".
to facilitate communication between the sonicwall ssl-vpn and the rsa authentication manager /
rsa securid appliance, an agent host record must be added to the rsa authentication manager
database. the agent host record identifies the sonicwall ssl-vpn within its database and contains
information about communication and encryption. you will also need to configure a radius client.
to create the agent host record, you will need the following information.
· hostname
· ip addresses for all network interfaces
when adding the agent host record, you should configure the sonicwall ssl-vpn as standard agent.
this setting is used by the rsa authentication manager to determine how communication with the
sonicwall ssl-vpn will occur.
to create the radius client record, you will need the following information.
· hostname
· ip addresses for all network interfaces
· radius secret
note: hostnames within the rsa authentication manager / rsa securid
appliance must resolve to valid ip addresses on the local network.
please refer to the appropriate rsa security documentation for additional information about creating,
modifying and managing agent host, and radius client records.
rsa securid files
rsa securid authentication files
files location
sdconf.rec n/a
node secret n/a
sdstatus.12 n/a
sdopts.rec n/a
4
partner product configuration
before you begin
this section provides instructions for integrating the partners' product with rsa securid authentication.
this document is not intended to suggest optimum installations or configurations.
it is assumed that the reader has both working knowledge of all products involved, and the ability to
perform the tasks outlined in this section. administrators should have access to the product
documentation for all products in order to install the required components.
all vendor products/components must be installed and working prior to the integration. perform the
necessary tests to confirm that this is true before proceeding.
documenting the solution
the sonicwall ssl-vpn running sonicos ssl-vpn supports secure two-factor authentication via the
radius protocol. this section provides the configuration steps required to enable such functionality.
sonicos ssl-vpn firmware
first, make sure that the latest version of sonicos ssl-vpn is running on the sonicwall ssl-vpn.
note: sonicwall recommends that customers update to the latest
version of sonicos ssl-vpn prior to completing this configuration.
configuring the ssl-vpn appliance for securid authentication
1. on the sonicwall ssl-vpn, navigate to the portal > domain page.
5
2. click on the add domain button.
3. in the authentication type pull-down menu, select radius.
4. enter a descriptive name for the authentication domain in the domain name field. this is the domain name
users will select in order to log into the sonicwall ssl-vpn portal.
5. enter the ip address of the radius server in the radius server address field.
6. enter the radius server port in the radius server port field.
7. enter a number (in seconds) for radius timeout in the radius timeout (seconds) field.
8. enter the maximum number of retries in the max retries field.
9. enter the authentication secret in the secret password field.
10. click the name of the layout in the portal name pull-down menu.
11. click add to update the configuration. the domain will be added to the domain settings table.
time synchronization
because two-factor authentication depends on time synchronization, it is import that the internal clocks for
the sonicwall ssl-vpn and the rsa authentication manager server are set correctly. on the
soncwall ssl-vpn, set the time on the system > time page.
6
end-user experience
after rsa securid has been enabled as an authentication method, navigate to the sonicwall ssl-vpn
device with a web browser. the following screens will be available for rsa securid authentication.
end-user login to sonicwall ssl-vpn
end-user prompted to accept system generated pin
end-user prompted to confirm pin
end-user pin change accepted
7
certification checklist for rsa authentication manager v6.x
date tested: 03/26/2009
certification environment
product name version information operating system
rsa authentication manager 6.1.3 windows 2003 server r2
sonicwall ssl-vpn 2000 sonicos 3.5.0.0-15sv
mandatory functionality
rsa native protocol radius protocol
new pin mode
force authentication after new pin n/a force authentication after new pin
system generated pin n/a system generated pin
user defined (4-8 alphanumeric) n/a user defined (4-8 alphanumeric)
user defined (5-7 numeric) n/a user defined (5-7 numeric)
user selectable n/a user selectable
deny 4 and 8 digit pin n/a deny 4 and 8 digit pin
deny alphanumeric pin n/a deny alphanumeric pin
passcode
16 digit passcode n/a 16 digit passcode
4 digit password n/a 4 digit password
next tokencode mode
next tokencode mode n/a next tokencode mode
load balancing / reliability testing
failover (3-10 replicas) n/a failover
name locking enabled n/a name locking enabled
no rsa authentication manager n/a no rsa authentication manager
additional functionality
rsa software token automation
system generated pin n/a system generated pin n/a
user defined (8 digit numeric) n/a user defined (8 digit numeric) n/a
user selectable n/a user selectable n/a
next tokencode mode n/a next tokencode mode n/a
rsa securid 800 token automation
system generated pin n/a system generated pin n/a
user defined (8 digit numeric) n/a user defined (8 digit numeric) n/a
user selectable n/a user selectable n/a
next tokencode mode n/a next tokencode mode n/a
credential functionality
determine cached credential state n/a determine cached credential state
set credential n/a set credential
retrieve credential n/a retrieve credential
bsd / par = pass = fail n/a = non-available function
8
certification checklist for rsa authentication manager 7.x
date tested: 03/26/3009
certification environment
product name version information operating system
rsa authentication manager 7.1 windows 2003 server r2
sonicwall ssl-vpn 2000 sonicos 3.5.0.0-15sv
mandatory functionality
rsa native protocol radius protocol
new pin mode
force authentication after new pin n/a force authentication after new pin
system generated pin n/a system generated pin
user defined (4-8 alphanumeric) n/a user defined (4-8 alphanumeric)
user defined (5-7 numeric) n/a user defined (5-7 numeric)
deny 4 and 8 digit pin n/a deny 4 and 8 digit pin
deny alphanumeric pin n/a deny alphanumeric pin
deny numeric pin n/a deny numeric pin
pin reuse n/a pin reuse
passcode
16 digit passcode n/a 16 digit passcode
4 digit fixed passcode n/a 4 digit fixed passcode
next tokencode mode
next tokencode mode n/a next tokencode mode
load balancing / reliability testing
failover (3-10 replicas) n/a failover
no rsa authentication manager n/a no rsa authentication manager
additional functionality
rsa software token automation
system generated pin n/a system generated pin n/a
user defined (8 digit numeric) n/a user defined (8 digit numeric) n/a
next tokencode mode n/a next tokencode mode n/a
rsa securid 800 token automation
system generated pin n/a system generated pin n/a
user defined (8 digit numeric) n/a user defined (8 digit numeric) n/a
next tokencode mode n/a next tokencode mode n/a
bsd / par = pass = fail n/a = non-available function
9
known issues
radius testing tool
the radius testing tool does not support new pin and/or next tokencode modes. it is intended to be
used to test standard radius authentication and does not support radius challenge/response.