
Watchguard Edge and the CRYPTOCard CRYPTO-MAS hosted RADIUS authentication service

Mark Slater, 6th December 2008

Problem

Watchguard introduced RADIUS authentication into their Edge range of firewall appliances starting with version 10 of the firmware.

The Watchguard Edge will only forward RADIUS authentication requests if the RADIUS username it receives is in the format domain\username.

The CRYPTO-MAS hosted RADIUS server expects to receive just a username, without the domain\ part of the login. The CRYPTO-MAS portal will not allow a username to be created which contains a \.

As a result, a Watchguard Edge cannot authenticate against the CRYPTO-MAS RADIUS server.

Solution

Microsoft Windows 2003 Server ships with an installable service called Internet Authentication Service (IAS). As well as operating as a standalone RADIUS server, IAS can act as a RADIUS proxy, forwarding RADIUS requests to a third-party RADIUS server and relaying the responses back to the originating RADIUS client.

Another useful feature of IAS is that it allows the format of the RADIUS username to be modified before the request is sent on to the third-party RADIUS server.

In this solution we will use IAS as a RADIUS proxy, sitting between the Watchguard Edge and the CRYPTO-MAS RADIUS server. We will use the IAS attribute manipulation feature to strip off the domain\ part of the RADIUS username sent by the Watchguard. This means that only the username part is sent to the CRYPTO-MAS RADIUS server, which can then authenticate it successfully. The RADIUS "access allowed" response will then be relayed back to the Watchguard.

This solution requires the customer to have a Windows 2003 server running on the LAN, onto which the IAS service will be installed.

N.B. In Windows 2008, IAS has been renamed Network Policy Server. No testing has been done with NPS, but it should be possible to achieve the same results.

The method detailed below would also be suitable for other third-party firewalls which will only accept a RADIUS username in a specific format.


Configuring the Watchguard Edge for RADIUS authentication

A detailed description of VPN and RADIUS configuration can be found in the Watchguard Edge Administrator's Guide. The key points are:

Set the RADIUS server on the Edge to point to the IP of the Windows Server, which will be running the IAS service. Choose and enter a RADIUS server secret which will be used to authenticate RADIUS requests between the Watchguard and IAS (in the example below, IAS server is on 192.200.200.101).

Create a group for your VPN users (choose a suitable name). Make a note, as this will be used when configuring the CRYPTO-MAS portal.


Installing and Configuring Internet Authentication Service

IAS is installed by going into Add/Remove Programs and clicking on Add/Remove Windows Components. Highlight Networking Services, click the Details button and then put a tick next to Internet Authentication Service.

You may be prompted for your Windows Server 2003 installation CD.


Right click on RADIUS Clients and select New RADIUS Client.

Enter Watchguard Edge for the friendly name, and the IP address or DNS name of the Watchguard Edge.

Enter the RADIUS server secret as set on the Watchguard Edge (not the CRYPTO-MAS shared secret).


Select Remote Access Policies and then New Remote Access Policy.

Select Add on the policy conditions screen, select Client-IP-Address from the list of options and enter the Watchguard internal IP address.

Select Grant Remote Access on the next screen. A new policy will be created allowing the Watchguard access.

Expand Connection Request Processing and select Remote RADIUS Server Groups. Right-click and select New Remote RADIUS Server Group.

On the Add Servers page click Add. On the Address tab enter the IP address of the CRYPTO-MAS RADIUS server.

On the Authentication\Accounting tab enter the shared RADIUS secret you have been given by


Ensure the tick box is selected to Start the New Connection Request Policy Wizard when this wizard closes.

When the New Connection Request Policy Wizard starts, enter CRYPTO-MAS for the policy name.

Select Add on the policy conditions screen, select Client-Friendly-Name from the list of options and enter Watchguard Edge.

Click Next and click on the Edit Policy


On the Authentication tab select Forward requests to the following remote RADIUS server group for authentication and select CRYPTOCard from the drop down list.

If you are using RADIUS accounting tick the box on the Accounting tab and select CRYPTOCard from the drop down list.

On the Attribute tab select User-Name in the Attribute drop-down list and click on Add. Type domain\\ in the Find box (N.B. replace the word domain with the name of the domain the users will enter when connecting via the Watchguard VPN client). Leave the ReplaceWith box blank.

This will strip out the domain\ part of the username entered on the Watchguard VPN client prior to it being sent to the CRYPTO-MAS RADIUS server.


Configuring the VPN Group on the CRYPTO-MAS Portal

The Watchguard Edge will expect the CRYPTO-MAS portal to pass back a RADIUS attribute which contains the VPN group name you have configured on the Watchguard Edge.

Log into your CRYPTO-MAS portal, click on the Group tab and select the group which your VPN users are a member of.

Add a RADIUS authentication property for the property Filter-Id with a property value which matches the name of the VPN group you have created on the Watchguard. Save the property you have added.
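The User-Name rewrite from the IAS attribute step and the Filter-Id check from the portal section, as an added Python example (not code from the original document or from Watchguard, Microsoft or CRYPTOCard); it also shows why the Edge secret and the CRYPTO-MAS secret are separate settings, since the proxy must decode User-Password under one and re-encode it under the other. The secrets, packet values and case-insensitive domain match are constructed assumptions.

```python
import hashlib, os, re, struct

# Constructed sample secrets (not from the document); Edge<->IAS and IAS<->CRYPTO-MAS secrets differ on purpose.
EDGE_SECRET = b"edge-side-secret-example"
MAS_SECRET = b"cryptomas-side-secret-example"
# The page's User-Name rule: Find "domain\\" (regex: one literal backslash), ReplaceWith blank.
USERNAME_FIND = re.compile(r"domain\\", re.IGNORECASE)  # ignoring case is this example's choice
USER_NAME, USER_PASSWORD, FILTER_ID = 1, 2, 11  # RFC 2865 attribute types

def hide_password(plain: bytes, secret: bytes, auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", auth
    for i in range(0, len(plain), 16):
        prev = bytes(p ^ k for p, k in zip(plain[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out
def unhide_password(hidden: bytes, secret: bytes, auth: bytes) -> bytes:
    """Inverse of hide_password; trailing NUL padding is removed."""
    out, prev = b"", auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def parse(packet: bytes):  # -> (code, identifier, authenticator, [(type, value), ...])
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, ident, packet[4:20], attrs
def build(code: int, ident: int, auth: bytes, attrs) -> bytes:
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body
def proxy_rewrite(packet: bytes, edge_secret=EDGE_SECRET, mas_secret=MAS_SECRET) -> bytes:
    """Proxy step: strip domain\\ from User-Name, then re-hide User-Password under the
    CRYPTO-MAS secret and a fresh authenticator (a Message-Authenticator would need redoing too)."""
    code, ident, auth, attrs = parse(packet)
    new_auth, out = os.urandom(16), []
    for t, v in attrs:
        if t == USER_NAME:
            v = USERNAME_FIND.sub("", v.decode()).encode()
        elif t == USER_PASSWORD:
            v = hide_password(unhide_password(v, edge_secret, auth), mas_secret, new_auth)
        out.append((t, v))
    return build(code, ident, new_auth, out)
def vpn_group(access_accept: bytes) -> str:  # Filter-Id the Edge matches to its VPN group name
    return dict(parse(access_accept)[3]).get(FILTER_ID, b"").decode()
```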

Testing the RADIUS authentication

From the Watchguard Edge management interface, enter the RADIUS configuration screen and click on the Test RADIUS authentication button. Enter your CRYPTO-MAS username into the username box in the format domain\username (where domain matches the domain you set up in the attribute filter string on IAS on the previous page).

Generate a One Time Password using your CRYPTOCard token or software client, enter it into the password box and click on Test. A successful connection should look similar to the screenshot on the left.

Log In should return OK. Get group list should return OK and the name of your Watchguard VPN group.
