NetMotion Mobility XE
Implementation Guide
(Version 5.4)
Trademarks
Deepnet Unified Authentication, MobileID, QuickID, PocketID, SafeID, GridID, FlashID, SmartID, TypeSense, VoiceSense, MobilePass, DevicePass, RemotePass and Site Stamp are trademarks of Deepnet Security Limited. All other brand names and product names are trademarks or registered trademarks of their respective owners.
Copyrights
Under international copyright law, neither the Deepnet Security software nor the documentation may be copied, reproduced, translated or reduced to any electronic medium or machine-readable form, in whole or in part, without the prior written consent of Deepnet Security.
Licence Conditions
Please read your licence agreement with Deepnet carefully and make sure you understand the exact terms of usage, in particular for which projects, on which platforms and at which sites you are allowed to use the product. You are not allowed to make any modifications to the product. If you feel the need for any modifications, please contact Deepnet Security.
Disclaimer
This document is provided “as is” without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the document. Deepnet Security may make improvements of and/or changes to the product described in this document at any time.
Contact
If you wish to obtain further information on this product or any other Deepnet Security products, you are always welcome to contact us.
Deepnet Security Limited
Northway House
1379 High Road
London N20 9LP
United Kingdom
Tel: +44(0)20 8343 9663
Fax: +44(0)20 8446 3182
Web: www.deepnetsecurity.com
Email: [email protected]
Table of Contents
Overview
Prerequisites
DualShield Configuration
  Logon Procedure
  Application
  Certificates
    Certificate Authority
    SSL Certificate
  Register Radius Client
  Configure Radius Server
NetMotion Configuration
  Server Configuration
  Client Configuration
User Authentication
  One-Time Password
    Modify Logon Procedure
    Test Logon
  On-Demand Password
    Modify Logon Procedure
    Test Logon
Device Authentication
  NetMotion Configuration
    Server Configuration
    Client Configuration
  DualShield Configuration
  Test Logon
Overview
This configuration guide describes how to integrate NetMotion Mobility XE with the DualShield unified authentication platform in order to perform multi-factor authentication.
NetMotion Mobility XE supports an external RADIUS server as its authentication server, using the PEAP authentication method. The DualShield unified authentication platform includes a fully compliant RADIUS server, the DualShield Radius Server. DualShield supports multiple EAP authentication methods (PEAP, EAP-TLS, GTC, MSCHAPv2 etc.) with a wide selection of portable one-time password tokens in a variety of form factors, ranging from hardware tokens and software tokens to mobile tokens and USB tokens. These include:
• Deepnet SafeID
• Deepnet MobileID
• Deepnet GridID
• Deepnet CryptoKey
• X.509 Certificate
• RSA SecurID
• VASCO DigiPass Go
• OATH-compliant OTP tokens
In addition to one-time passwords, DualShield also supports on-demand passwords for RADIUS authentication. The product that provides on-demand passwords in the DualShield platform is Deepnet T-Pass. Deepnet T-Pass is an on-demand, token-less strong authentication method that delivers logon passwords via SMS text, phone call, Twitter direct message or email message.
The complete solution consists of the following components:
• NetMotion Mobility XE client/server
• DualShield Radius Server
• DualShield Authentication Server
Prerequisites
It is expected that NetMotion Mobility XE has already been set up and is operating. Before configuring NetMotion Mobility XE for two-factor authentication, you must also have the DualShield Authentication Server and DualShield Radius Server installed and operating. For the installation, configuration and administration of the DualShield Authentication and Radius servers, please refer to the following documents:
• DualShield Authentication Platform – Installation Guide
• DualShield Authentication Platform – Quick Start Guide
• DualShield Authentication Platform – Administration Guide
• DualShield Radius Server - Installation Guide
The document below provides general instructions for RADIUS authentication with the DualShield Radius Server:
DualShield Configuration
In the DualShield authentication server we need to create a RADIUS application which will be used for the two-factor authentication in NetMotion Mobility XE. An application in DualShield needs a logon procedure which defines how users will be authenticated when they attempt to logon to the application.
Logon Procedure
1. Log in to the DualShield Management Console.
2. In the main menu, select “Authentication | Logon Procedure”.
3. Click the “Create” button on the toolbar.
4. Enter a “Name” and select “RADIUS” as the type.
5. Click “Save”.
6. Click the context menu icon of the newly created logon procedure and select “Logon Steps”.
7. In the popup window, click the “Create” button on the toolbar.
8. Select “Static Password” as the authenticator.
This first logon step verifies the user's static (AD) password. The second factor (a one-time password or an on-demand password) is added to the same logon procedure later, under User Authentication, because NetMotion can only talk to one authentication server.
Application
1. In the main menu, select “Authentication | Applications”.
2. Click the “Create” button on the toolbar.
3. Enter a “Name”.
4. Select a “Realm”.
5. Select the logon procedure that was just created.
6. Click “Save”.
7. Click the context menu of the newly created application and select “Agent”.
8. Select the DualShield Radius server, e.g. “Local Radius Server”.
9. Click “Save”.
Certificates
The authentication protocol between the NetMotion server and the DualShield Radius server is RADIUS, and the EAP method is PEAP. PEAP wraps the inner authentication in a TLS tunnel, so the DualShield Radius server needs an SSL/TLS server certificate, and every NetMotion client must trust the CA that issued it (see Client Configuration below). If the client does not verify that certificate, the static password and one-time password exchanged inside the tunnel can be captured by anyone who can impersonate the RADIUS server.
In a production environment, you will probably want to purchase a commercial SSL certificate for your DualShield Radius server. In a test environment, however, you can create your own CA and issue an SSL certificate for the DualShield Radius server.
Certificate Authority
To create a CA certificate:
1. In the main menu, select “Repository | Certificate Management | Certificate Authority”.
2. Click “Create” on the toolbar.
3. Fill in the form.
4. Click “Save”.
SSL Certificate
To create an SSL certificate:
1. In the main menu, select “Repository | Certificate Management | Server Certificates”.
2. Click “Create” on the toolbar.
3. Select the CA created in the previous step.
4. Fill in the form.
5. Click “Save”.
Register Radius Client
We need to register the NetMotion server as a RADIUS client in DualShield. The RADIUS server identifies the client by its source IP address and authenticates its requests with the shared secret, so use a long, random secret and enter exactly the same value on both sides.
1. In the main menu, select “RADIUS | Clients”.
2. Click the “Register” button on the toolbar.
3. Select the application that was created in the previous steps.
4. Enter the NetMotion server's IP in the “IP address” field.
5. Enter the Shared Secret, which will be entered later in the NetMotion server.
6. Click “Save”.
Configure Radius Server
1. In the main menu, select “RADIUS | Server”.
2. Click the context menu of the Radius Server and select “EAP options”.
3. On the “General” tab, select “PEAP” as the Default EAP Type.
4. Click “Save”.
5. On the “TLS” tab, select the SSL server certificate to be uploaded to the DualShield Radius Server.
6. Click “Save”.
7. On the “PEAP” tab, select “GTC” as the Default EAP Type.
8. Click “Save”.
EAP-GTC is the inner method that lets DualShield prompt for the static password and then the one-time password in two separate rounds. GTC sends the entered values as plain text inside the PEAP tunnel, which is why the TLS certificate configured on the “TLS” tab, and the client-side trust in its CA, are the only protection for those credentials on the wire.
NetMotion Configuration
NetMotion Mobility XE includes two components, NetMotion Server and NetMotion Client.
Server Configuration
Log in to the NetMotion Mobility XE Console.
1. In the main menu, select “Settings | Server”.
2. Select “Authentication: User – Radius Server List”.
3. Click the “Add” button to add the DualShield Radius Server.
4. Enter the DualShield Radius Server IP address, port, shared secret (the one entered when registering the RADIUS client in DualShield) and NAS ID.
5. Select “Authentication: User – Protocol”.
6. Select “RADIUS-EAP (PEAP and EAP-TLS)”.
7. Click “Apply”.
8. In the main menu, select “Settings | Client”.
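To see what the shared secret and NAS ID entered above actually do on the wire, the following added example (not part of this guide, and not DualShield or NetMotion code) builds the first RADIUS round trip of a PEAP logon with only the Python standard library: the NetMotion side sends an Access-Request carrying an EAP-Response/Identity, and the RADIUS server side checks the Message-Authenticator before answering with an Access-Challenge that starts PEAP. It also shows the two checks a RADIUS client or server must perform when registering a peer (Register Radius Client above): the HMAC-MD5 Message-Authenticator that RFC 3579 makes mandatory for EAP, and the Response Authenticator of RFC 2865. The user name "alice", the addresses 192.0.2.10, the NAS ID "netmotion-01" and the secrets are constructed sample values, not taken from the guide.

```python
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

# RADIUS packet codes (RFC 2865) and attribute types used here
ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
ATTR_USER_NAME, ATTR_NAS_IP, ATTR_NAS_ID, ATTR_EAP_MESSAGE, ATTR_MSG_AUTH = 1, 4, 32, 79, 80
# EAP codes/types (RFC 3748); 25 = PEAP, 0x20 = PEAP "Start" flag
EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_IDENTITY, EAP_TYPE_PEAP, PEAP_START = 1, 2, 1, 25, 0x20


def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def eap_identity_response(eap_id: int, identity: str) -> bytes:
    """EAP-Response/Identity, the first EAP message the client sends."""
    data = identity.encode()
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(data), EAP_TYPE_IDENTITY) + data


def _header(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(secret: bytes, ident: int, user: str, nas_ip: str, nas_id: str,
                         eap: bytes, request_auth: Optional[bytes] = None) -> bytes:
    """Access-Request with EAP-Message.  Message-Authenticator (mandatory for EAP,
    RFC 3579 s3.3) is HMAC-MD5(secret) over the packet with its own value zeroed."""
    request_auth = request_auth or os.urandom(16)
    attrs = attr(ATTR_USER_NAME, user.encode())
    attrs += attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split(".")))
    attrs += attr(ATTR_NAS_ID, nas_id.encode())
    attrs += attr(ATTR_EAP_MESSAGE, eap)
    attrs += attr(ATTR_MSG_AUTH, bytes(16))            # zeroed placeholder, kept last
    pkt = _header(ACCESS_REQUEST, ident, request_auth, attrs)
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac                              # fill in the placeholder


def build_access_challenge(secret: bytes, ident: int, request_auth: bytes, eap: bytes) -> bytes:
    """Server reply: Message-Authenticator is computed with the *request* authenticator
    in the header, then Response Authenticator = MD5(Code+ID+Len+ReqAuth+Attrs+Secret)."""
    attrs = attr(ATTR_EAP_MESSAGE, eap) + attr(ATTR_MSG_AUTH, bytes(16))
    mac = hmac.new(secret, _header(ACCESS_CHALLENGE, ident, request_auth, attrs), hashlib.md5).digest()
    attrs = attrs[:-16] + mac
    resp_auth = hashlib.md5(struct.pack("!BBH", ACCESS_CHALLENGE, ident, 20 + len(attrs))
                            + request_auth + attrs + secret).digest()
    return _header(ACCESS_CHALLENGE, ident, resp_auth, attrs)


def parse_attrs(pkt: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute list, refusing malformed lengths instead of looping forever."""
    out, i = [], 20
    while i < len(pkt):
        if i + 2 > len(pkt) or pkt[i + 1] < 2 or i + pkt[i + 1] > len(pkt):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((pkt[i], pkt[i + 2:i + pkt[i + 1]]))
        i += pkt[i + 1]
    return out


def verify_message_authenticator(secret: bytes, pkt: bytes,
                                 request_auth: Optional[bytes] = None) -> bool:
    """True only if Message-Authenticator is present and matches the shared secret.
    For a server reply, pass the Request Authenticator of the request it answers."""
    i = 20
    while i + 2 <= len(pkt):
        length = pkt[i + 1]
        if length < 2 or i + length > len(pkt):
            return False
        if pkt[i] == ATTR_MSG_AUTH and length == 18:
            zeroed = pkt[:i + 2] + bytes(16) + pkt[i + 18:]
            if request_auth is not None:
                zeroed = zeroed[:4] + request_auth + zeroed[20:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[i + 2:i + 18])
        i += length
    return False                                        # absent: discard EAP packets (RFC 3579)


def verify_response_authenticator(secret: bytes, reply: bytes, request_auth: bytes) -> bool:
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def simulate_first_exchange(secret: bytes, wrong_secret: bytes) -> dict:
    """Constructed NetMotion -> DualShield first round trip (sample data, not a capture)."""
    request_auth = bytes(range(16))                     # fixed for reproducibility; os.urandom(16) live
    req = build_access_request(secret, 7, "alice", "192.0.2.10", "netmotion-01",
                               eap_identity_response(1, "alice"), request_auth)
    # Server side: check the HMAC before looking at the EAP payload at all.
    req_ok = verify_message_authenticator(secret, req)
    req_bad = verify_message_authenticator(wrong_secret, req)
    # Server answers with EAP-Request/PEAP Start, which opens the TLS tunnel.
    peap_start = struct.pack("!BBHBB", EAP_REQUEST, 2, 6, EAP_TYPE_PEAP, PEAP_START)
    chal = build_access_challenge(secret, 7, request_auth, peap_start)
    req_attrs = dict(parse_attrs(req))
    return {
        "request_mac_ok": req_ok,
        "request_mac_wrong_secret": req_bad,
        "user_name": req_attrs[ATTR_USER_NAME].decode(),
        "nas_id": req_attrs[ATTR_NAS_ID].decode(),
        "challenge_code": chal[0],
        "challenge_resp_auth_ok": verify_response_authenticator(secret, chal, request_auth),
        "challenge_mac_ok": verify_message_authenticator(secret, chal, request_auth),
        "challenge_mac_wrong_secret": verify_message_authenticator(wrong_secret, chal, request_auth),
        "challenge_eap_type": dict(parse_attrs(chal))[ATTR_EAP_MESSAGE][4],
    }
```

Running `simulate_first_exchange(b"s3cret-shared", b"wrong")` shows both authenticators validating under the right secret and failing under the wrong one, which is exactly the symptom of a shared-secret mismatch between the NetMotion server list entry and the DualShield client registration: the request arrives but DualShield silently drops it. The NAS-Identifier is carried as an ordinary attribute; DualShield matches the client by source IP, so the NAS ID is mainly useful for telling NetMotion servers apart in the RADIUS logs.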
Client Configuration
Before configuring the NetMotion client, we need to import the CA certificate that issued the DualShield Radius server's SSL certificate into the Trusted Root CA store on the local computer where the NetMotion client is running. Without this the client cannot verify the RADIUS server's certificate when the PEAP tunnel is set up.
1. Export the CA certificate from the DualShield Console.
2. Import the CA certificate into the local Trusted Root CA store.
Now configure the NetMotion client.
1. Launch the NetMotion Mobility XE Client and click the “Configuration” button.
2. On the “Server Certificates” tab, select the CA certificate that was imported.
3. Click “OK”.
User Authentication
One-Time Password
NetMotion Mobility XE only supports one authentication server. To support two-factor authentication with the user's AD password and a one-time password, you configure the logon procedure in DualShield so that DualShield verifies both the user's AD password and the one-time password.
Modify Logon Procedure
In DualShield, edit the logon procedure that you have created for the NetMotion application and add a second logon step with “One-Time Password” as the authenticator, after the existing “Static Password” step.
Test Logon
Launch the NetMotion Mobility XE Client and click “Connect”.
Enter the user's static password (AD password) and click “OK”.
DualShield will verify the user's password. If it succeeds, the NetMotion client will prompt the user to enter a one-time password:
Enter a valid one-time password and click “OK”.
On-Demand Password
To support on-demand passwords (Deepnet T-Pass), simply edit the logon procedure and add “On-Demand Password” to the authenticator list.
Modify Logon Procedure
In DualShield, edit the logon procedure that you have created for the NetMotion application.
Test Logon
Launch the NetMotion Mobility XE Client, click “Connect”:
Enter the user's static password (AD password), and click “OK”.
DualShield will verify the user's password. If it succeeds, your DualShield authentication server will automatically send a one-time password to the user via SMS or email message:
NetMotion client will prompt the user to enter the one-time password:
Enter the one-time password received, click “OK”.
Device Authentication
NetMotion supports device authentication in parallel to the user authentication. When device authentication is enabled, the NetMotion Mobility server allows connections only from Mobility clients that can perform device authentication.
NetMotion Configuration
Server Configuration
Log in to the NetMotion Mobility XE Console.
1. In the main menu, select “Settings | Server”.
2. Select “Authentication: Device - Require Device Authentication”.
3. Enable “Require device authentication”.
4. Click “Apply”.
5. In the main menu, select “Settings | Client”.
6. Select “Authentication - Mode”.
7. Select “User required/Device optional”.
8. Click “Apply”.
Client Configuration
NetMotion's device authentication requires a certificate to be installed on the client machine. You should obtain a client certificate and install it in the Personal certificate store on the local computer.
The subject CN is important, because DualShield matches the device certificate to a user account whose login name is derived from it. In this example, the subject CN of the device certificate is “demo.test”.
Launch the NetMotion Mobility client, click “Configuration” and select the “Client Certificates” tab
Enable the “Allow client certificates” option and select “Personal User Certificate”
DualShield Configuration
Device authentication is carried out in parallel with user authentication. In DualShield, we need to create a separate domain to hold the device accounts and their certificates, and a separate logon procedure for them.
1. Create a new logon procedure.
2. Create a new application.
3. Create a new domain for the devices, called “NetMotion – Devices” in this example.
4. Create a new user for the device.
a) Click “Directory | Users” in the main menu.
b) Select the “NetMotion – Devices” domain in the left panel.
c) Click “Create” on the toolbar in the right panel.
d) Enter the Login Name in the form “host/xxx”, where “xxx” is the subject CN of the device certificate, e.g. “host/demo.test”.
5. Import the device certificate.
a) Click the context menu of the new user and select “Certificate”.
b) Import the device certificate.
Test Logon
Launch the NetMotion client
Select the device certificate, and then click “OK”
If the device authentication is successful, then the NetMotion client will continue to the process of user authentication.