Academic year: 2021

Share "Meeting CJIS Advanced Authentication"

Copied!
56
0
0

Loading.... (view fulltext now)

Full text

(1)

Meeting CJIS Advanced Authentication
using User Certificate and Strong Key Protection

Presented by:

Carlos Leon, Network Manager

(2)

Meeting CJIS Requirements

• The CJIS Security Policy calls for advanced authentication: authentication based on additional factors beyond a simple user name/password.

• NetMotion Mobility XE supports industry-standard infrastructure: RADIUS servers as the front end for Microsoft Active Directory authentication, and PKI (public key infrastructure) for provisioning and exchanging digital certificates.

• Other RADIUS / PKI solutions are supported if they are compatible with X.509v3 user certificates, standard Microsoft CAPI access to those certificates and their private keys, and RADIUS EAP-TLS, either on its own or as the inner method inside PEAP.

• In addition to strong authentication, the CJIS Security Policy mandates the use of FIPS 140-2 validated encryption.

• NetMotion Mobility XE's use of validated cryptographic modules (NIST CMVP certificate numbers 237, 441 and 493) meets this requirement.

(3)

Strong Key Protection: Overview

This process uses user-based public key infrastructure (PKI) X.509v3 certificates, secured by Microsoft Strong Key Protection and stored on the user's hard drive. The certificate is then used by the NetMotion VPN client, in a PEAP wrapper, for EAP-TLS user authentication.

Note that the private key is a software key in the user's Windows profile, protected by the key-protection password and the user's DPAPI secrets; it is not a smart-card or TPM-resident key. The password prompt is the factor that makes the certificate "something you have plus something you know".

The VPN will request the certificate password:

• Each time the employee reboots the computer
• After a time interval (13 hours is recommended)
• If the employee bypasses NetMotion and then connects again

If the air card disconnects (drops) and then reconnects, the password for the certificate is not requested again.

(4)

Employee Logon Process

• Steps in the process for authentication and access to the network:

– The officer logs on with the Windows network username and password, following CJIS policy 5.6.2.1.

– The officer's VPN client (NetMotion) calls the PKI, which forces the user to type an individual password to unlock the individual certificate, following CJIS policy 5.6.2.2.

– The officer is prompted for the certificate password.

– The VPN awaits verification from the RADIUS server before allowing the connection to the network.

(6)

Software Requirements for Solution

Microsoft Windows Server 2008 R2 Enterprise or Datacenter:

– Microsoft Active Directory Certificate Services (AD CS)

– Microsoft Network Policy and Access Services (NPAS)

Microsoft Active Directory Infrastructure

NetMotion Mobility XE 9.21 Server

(7)

Today's Installation & Configuration Objectives

• Install and configure a simple deployment of Microsoft Certificate Services

• Install and configure Network Policy and Access Services (RADIUS)

• NetMotion Mobility XE Server configuration

• NetMotion XE Client configuration

(8)

Installation & Configuration

(9)

Install Certificate Services

Open Server Manager on the Windows 2008 R2 server where you plan to install Certificate Services

Click on Roles

(10)

Install Certificate Services

Click Next

Select Active Directory Certificate Services

Click Next

(11)

Install Certificate Services

Click Next until you complete the wizard, accepting all defaults as displayed

NOTE: The values displayed for "Common name for this CA:" and "Distinguished name suffix" will be specific to your environment.

(12)

Configuring Certificate Services

Open Server Manager on the Certificate Services server

Expand Roles | Active Directory Certificate Services | Servername

(13)

Configuring Certificate Services

Right-click the User certificate template and duplicate it

• A Duplicate Template dialog box may appear asking whether this certificate template is for Windows Server 2003 Enterprise or Windows Server 2008 Enterprise

(14)

Configuring Certificate Services

Change the Template display name:

• In the screen shot we specified CJIS-NetMotion

Click the Security tab and select the Active Directory group you wish to use

(15)

Configuring Certificate Services

Set Extensions

Application Policies

– Remove all but Client Authentication

• The certificate is only used for user authentication, so no other purpose (e-mail protection, EFS, etc.) should be enabled

Set Request Handling

– Prompt every time the certificate is used (the option that requires user input whenever the private key is used)

(16)

Configuring Certificate Services

Now you need to issue the template

Return to Server Manager

Right-click on Certificate Templates

(17)

Configuring Certificate Services

The template you just duplicated should
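The template settings from slides 14 and 15 can be verified after the fact by reading the template object back from Active Directory. The following PowerShell is an added example and not part of the presentation; it assumes the display name CJIS-NetMotion chosen on slide 14, the ActiveDirectory (RSAT) module, and read access to the Configuration partition. The EKU OID and the msPKI-Private-Key-Flag bit values are the constants defined in RFC 5280 and MS-CRTD; the mapping of the Request Handling option to the 0x20 bit is my reading of MS-CRTD.

```powershell
# Added example (not from the presentation): read the duplicated template back
# from AD and check Application Policies, Request Handling and the Security tab.
Import-Module ActiveDirectory

function Test-CjisTemplate {
    param([string]$DisplayName = 'CJIS-NetMotion')   # slide 14 name (assumption)

    $ClientAuthEku       = '1.3.6.1.5.5.7.3.2'       # id-kp-clientAuth (RFC 5280)
    $EXPORTABLE_KEY      = 0x10                      # msPKI-Private-Key-Flag bits (MS-CRTD)
    $STRONG_KEY_REQUIRED = 0x20                      # "require user input when the private key is used"
    $EnrollRightGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment right

    $configNC  = (Get-ADRootDSE).configurationNamingContext
    $container = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $tpl = Get-ADObject -SearchBase $container -LDAPFilter "(displayName=$DisplayName)" `
             -Properties displayName, pKIExtendedKeyUsage, 'msPKI-Private-Key-Flag'
    if (-not $tpl) { throw "Template '$DisplayName' not found under $container" }

    $findings = @()

    # Slide 15: Application Policies must be Client Authentication and nothing else.
    $ekus = @($tpl.pKIExtendedKeyUsage)
    if ($ekus.Count -ne 1 -or $ekus[0] -ne $ClientAuthEku) {
        $findings += "Application Policies should be Client Authentication only; found: $($ekus -join ', ')"
    }

    # Slide 15: Request Handling must prompt each time the key is used; key must not be exportable,
    # otherwise a copied .pfx sidesteps the per-use password prompt.
    $pkf = [int]$tpl.'msPKI-Private-Key-Flag'
    if (-not ($pkf -band $STRONG_KEY_REQUIRED)) {
        $findings += 'Request Handling does not require user input each time the private key is used'
    }
    if ($pkf -band $EXPORTABLE_KEY) {
        $findings += 'Private key is marked exportable'
    }

    # Slide 14 Security tab: list who holds the Enroll right. A broad group such as Domain Users
    # means anyone in the domain can obtain a VPN authentication certificate.
    $enrollers = (Get-Acl "AD:\$($tpl.DistinguishedName)").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $EnrollRightGuid } |
        ForEach-Object { $_.IdentityReference.Value }

    New-Object PSObject -Property @{
        Template        = $tpl.displayName
        EKUs            = $ekus
        PrivateKeyFlags = ('0x{0:X}' -f $pkf)
        CanEnroll       = $enrollers
        Findings        = $findings
    }
}

Test-CjisTemplate | Format-List
```

An empty Findings list and a CanEnroll list containing only the officer group selected on slide 14 means the template matches the deck. Run it again after the template is issued (slide 16), since editing a published template in the console does not always happen on the first try.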

(18)

Configuring Active Directory

(19)

Configuring Active Directory to use Strong Key Policy

Use Group Policy to enforce:

– Strong Key Protection

– User must enter a password each time they use a key

(20)

Configuring Active Directory to Deploy Certificates

Open the Group Policy Management snap-in

– Note: this snap-in exists on the Domain Controller

Right-click on the Default Domain Policy

Select Edit to open the Group Policy Management Editor

(21)

Configuring Active Directory

• Apply to the officer laptops Organizational Unit or at the domain level

(22)

Configuring Network Policy and Access

(23)

Configuring Network Policy and Access Services

There are 3 things that should be defined in Network Policy and Access Services:

1. Create the RADIUS Client

2. Create a Connection Request Policy

3. Create a Network Policy

• If you have more than one Mobility XE server in your pool you will need to create a RADIUS Client for each NetMotion server

(24)

Install and Configure Network Policy and Access Services

(25)

Install Network Policy & Access Services (NPS)

Open Server Manager on the Windows 2008 R2 server where you plan to install NPS

Click on Roles

(26)

Install Network Policy & Access Services

Select Network Policy and Access Services

Click Next

Select Network Policy Server

Click Install to begin installation

Click Close to complete the install

(27)

NPAS – Create the RADIUS Client

Open Server Manager where NPAS was installed

Expand Roles | Network Policy and Access Services | NPS | RADIUS Clients and Servers | RADIUS Clients

Right-click RADIUS Clients and add a new client for the Mobility XE server (one per server in the pool). The shared secret entered here must match the one configured on the Mobility XE RADIUS server list.
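Slide 23 notes that each Mobility XE server in the pool needs its own RADIUS client entry. The PowerShell below is an added example, not from the presentation, that scripts the same step with the netsh nps context that ships with NPS on 2008 R2, giving each server a distinct random shared secret. The server names and addresses are placeholders; run it on the NPS server as an administrator.

```powershell
# Added example (not from the presentation): register each Mobility XE server
# as an NPS RADIUS client with its own random shared secret.
$MobilityServers = @{              # placeholder names/addresses (assumption)
    'MOBILITY01' = '10.10.5.11'
    'MOBILITY02' = '10.10.5.12'
}

function New-RadiusSharedSecret {
    param([int]$Bytes = 32)
    # 32 random bytes as 64 hex characters: within the 128-character NPS limit and
    # free of '=' or '/' so it passes cleanly through the netsh argument parser.
    $buf = New-Object byte[] $Bytes
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $rng.GetBytes($buf)
    ($buf | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Add-MobilityRadiusClients {
    param([hashtable]$Servers)
    $secrets = @{}
    foreach ($name in $Servers.Keys) {
        $secret = New-RadiusSharedSecret
        # The same secret must be entered on the Mobility XE RADIUS Server List (slide 37).
        & netsh nps add client "name=$name" "address=$($Servers[$name])" "state=ENABLE" `
            "sharedsecret=$secret" "requireauthattrib=no" "napcompatible=no"
        if ($LASTEXITCODE -ne 0) { throw "netsh nps add client failed for $name" }
        $secrets[$name] = $secret
    }
    $secrets   # shown once so the operator can copy each secret into Mobility XE
}

$secrets = Add-MobilityRadiusClients -Servers $MobilityServers
$secrets | Format-Table -AutoSize
& netsh nps show client      # confirm the entries NPS now has
```

The shared secret only authenticates the RADIUS traffic between the Mobility XE server and NPS; the officer's proof of identity is the EAP-TLS certificate exchange carried inside it. Using one secret per client limits the blast radius if a single Mobility XE server is compromised.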

(28)

NPAS – Create a Connection Request Policy

Open Server Manager where NPAS was installed

Expand Roles | Network Policy and Access Services | NPS | Policies | Connection Request Policies

Right-click Connection Request Policies and create a new policy

(29)

NPAS ‐ Connection Request Policy

(30)

NPAS ‐ Create a Network Policy

Open Server Manager where NPAS was installed

Expand Roles | Network Policy and Access Services | NPS | Policies | Network Policies

(31)

NPAS ‐ Create a Network Policy

– Conditions

» Windows Group from Active Directory (the officer group)

» NAS Identifier, matching the value configured in NetMotion

(32)

NPAS ‐ Create a Network Policy

Constraints: Select Microsoft: Smart Card or other certificate and click OK

NOTE: Selecting this option does NOT mean you must have Smart Cards. "Smart Card or other certificate" is the EAP-TLS method; it authenticates with any user certificate the client can access through CAPI, including the software-protected certificate installed in this procedure.

(33)

Installing NetMotion

(34)

Mobility XE Server install

Note:

(35)

Configuring NetMotion

(36)

Mobility XE Server Configuration

Configure Mobility XE for RADIUS – EAP and EAP-TLS

(37)

Mobility XE Server Configuration

Configure RADIUS Server List

• Global Server Setting

(38)

Mobility XE Server Configuration

Configure User Logon Re-authentication Interval

(39)

Installing User Certificate

(40)

Client Configuration

– Requirements:

• Laptop joined to the domain

• NetMotion Client in bypass

• User must have local network access (Wi-Fi or Ethernet)

(41)

Installing User Certificate

User opens Certificate Console (Windows 7)

(42)

Installing User Certificate

• Start the process

Expand Personal

Right-click Certificates

Click on Request New Certificate

(43)

Installing User Certificate

• Pick the correct certificate template, named CJIS-NetMotion, during the certificate install

Type the password that will be used to access the certificate. The prompt is enforced by strong key protection and by the Request Handling setting on the template. The password is expected to follow the domain password policy; note that Windows does not check this key-protection password against the domain policy, so this is an administrative requirement on the officer rather than a technical control.
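Before the first connection, a practitioner will want to confirm on the laptop itself that the Group Policy setting from slide 19 has actually applied and that the certificate enrolled above looks right. The PowerShell below is an added example, not from the presentation. It reads the registry value that the policy "System cryptography: Force strong key protection for user keys stored on the computer" writes, and inspects the user's personal certificate store; the template name CJIS-NetMotion is the one assumed from slide 14, and the template-extension OIDs are the standard Microsoft ones.

```powershell
# Added example (not from the presentation): client-side readiness check for the
# strong key protection policy (slide 19) and the enrolled user certificate (slide 43).

function Get-StrongKeyProtectionPolicy {
    # Written by the GPO "Force strong key protection for user keys stored on the computer".
    # 2 = password required each time the key is used (the setting the deck calls for).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography'
    $v = (Get-ItemProperty -Path $key -Name ForceKeyProtection -ErrorAction SilentlyContinue).ForceKeyProtection
    switch ($v) {
        2       { 'Enforced: password required each time the key is used' }
        1       { 'Weak: user prompted only when the key is first used' }
        0       { 'Not enforced: no user input required' }
        default { 'Not configured: the policy has not reached this computer' }
    }
}

function Get-CjisUserCertificate {
    param([string]$TemplateName = 'CJIS-NetMotion')   # slide 14 name (assumption)
    $clientAuth = '1.3.6.1.5.5.7.3.2'
    Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
        # Certificate Template Information (v2) or Certificate Template Name (v1) extension.
        $tplText = ($_.Extensions | Where-Object {
                        $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' -or $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2'
                    } | ForEach-Object { $_.Format($false) }) -join '; '
        $ekus = @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        New-Object PSObject -Property @{
            Subject        = $_.Subject
            Issuer         = $_.Issuer
            NotAfter       = $_.NotAfter
            HasPrivateKey  = $_.HasPrivateKey
            ClientAuthOnly = ($ekus.Count -eq 1 -and $ekus[0] -eq $clientAuth)
            Template       = $tplText
            Thumbprint     = $_.Thumbprint
        }
    } | Where-Object { $_.Template -match [regex]::Escape($TemplateName) -or $_.ClientAuthOnly }
}

"Strong key protection: $(Get-StrongKeyProtectionPolicy)"
Get-CjisUserCertificate | Format-List
```

A laptop that reports "Not configured" here will enroll the certificate without any password prompt, which is exactly the failure mode the deck's Group Policy step exists to prevent; fix the GPO link or scope (slide 21) before handing the laptop to an officer. The Template field relies on the CA's template OID resolving through Active Directory, so the fallback filter keeps any client-authentication-only certificate in view.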

(44)

NetMotion XE Client Configuration

(45)

NetMotion Client Configuration

Must configure the client to use the local personal user certificate

Right-click the NetMotion client, then Properties

Status | Configuration ->

(46)

NetMotion XE Client Connection

(47)

Client Connection

• The first time, the XE client will ask which certificate from the store to use:

(48)

Client Connection

The user is asked to type in the password to access the certificate

(50)

Renewing User Certificate

Requirements:

• Laptop joined to the domain

• User must have network access (Wi-Fi or Ethernet)

(51)

Renewing user Certificate

(54)

Recover Certificate: Lost Password

• Process to create a new certificate if the user does NOT know the password for the certificate.

– Requirements:

• Laptop joined to the domain

• NetMotion Client in bypass

• User must have network access (Wi-Fi or Ethernet)

(55)

Recover Certificate: Lost Password

User must delete the old certificate and

(56)

Meeting CJIS Advanced Authentication

using User Certificate and Strong Key Protection

Presented by:

Carlos Leon, Network Manager

City of Palm Beach Gardens

[email protected] 561-248-7373
