Configuring RSA Authentication For Use With an EClass Secure Remote Access Appliance.docx
Configuring RSA Authentication For Use With an EClass Secure Remote Access Appliance
Description:
This article describes the steps for configuring an RSA ACE authentication server (now known as RSA Authentication Manager) for use with an Aventail/SonicWALL E-Class Secure Remote Access appliance. This article contains instructions for both RSA ACE 5.2 and RSA Authentication Manager 7.1.
Pre-requisite:
Make sure the appliance and the RSA ACE server are able to resolve each other's FQDN (Fully Qualified Domain Name) properly. The FQDN you use for the server must be forward and reverse resolvable in DNS. Adding hostnames and IP addresses to the hosts file of each system will not accomplish this; they must be resolvable by each device's configured DNS server.
Deployment Steps:
RSA 5.2
Step 1:
Add an Agent host (Unix Agent) within the RSA Authentication Manager's database and generate the sdconf.rec file:
1. Launch RSA Authentication Manager. From the Agent Host menu, select Add Agent Host.
2. Type the FQDN of the Aventail appliance in the Hostname field.
If the RSA server can resolve the name, then the IP address field will be automatically updated when you move to that field.
Fill in the Site information and select Unix Agent under Agent type:
3. Make sure you do not have the Node Secret Created option selected.
4. Assign users to the Agent host by either selecting Open to All Locally Known Users or by activating users under User Activations:
5. Click OK to save the Agent, and then select Generate Configuration Files under Agent Hosts and generate a sdconf.rec file.
Note:
SonicWALL recommends generating the sdconf.rec file with the All Agent Hosts option enabled, as shown below.
Step 2:
Now log in to AMC and create a new RSA ACE authentication server. Upload the sdconf.rec file generated in Step 1, and then save and apply the changes:
Step 3:
Log in to WorkPlace using your appliance's RSA ACE realm. During the first authentication attempt, the appliance will negotiate the node secret. From that point on, users should be able to log in using their RSA username/token.
RSA Authentication Manager 7.1
Note:
The following assumes you have already assigned a token to a user. In the example below, we will be displaying how authentication will look for a key fob user.
Step 1:
Add an Authentication Agent (the Aventail appliance) within the RSA Authentication Manager's database:
1. From the desktop or Start menu > All Programs > RSA Security, launch the RSA Security Console:
2. Once logged in, generate the agent from Access > Authentication Agents > Add New:
3. For your agent, fill in either the Hostname or IP Address and then click its corresponding "Resolve" button. The IP address and hostname should both resolve in DNS for the authentication agent. If they do not, then authentication will fail for users:
4. For the Agent Type select Standard Agent. Other options in the following screenshot can be set per your organization's security policy:
5. Click the Save button to save this authentication agent.
Step 2:
Generate the sdconf.rec file for use on the Aventail appliance:
1. In the Security Console, click Access > Authentication Agents > Generate Configuration File.
2. Select Maximum Retries.
3. Select Maximum Time Between Each Retry.
4. Click Generate Configuration File.
The Download Configuration File page opens.
5. Click Download Now.
6. When prompted, click Save to Disk, and save the ZIP file to your machine.
7. Unzip the file, and use the extracted sdconf.rec file in the RSA ACE authentication server you're configuring on the appliance.
Step 3:
Log in to your appliance's RSA realm. The login process will look like this for a user who has just received a key fob token and needs to set a PIN:
1. User connects to appliance, and selects the RSA realm. They enter their username and tokencode. They haven't yet created a PIN, so they just put in the code on their key fob:
2. After clicking Login the user is presented with the following page asking them to set their PIN. They enter a PIN and click OK:
New PIN required!
Please enter your new PIN. Minimum Length: 4 Maximum Length: 8.
3. Now that a PIN has been set, the user has to enter the passcode (the PIN plus tokencode) and then click OK:
New passcode needed. Please enter the passcode after it changes on your token.
4. The user then receives a message that the passcode was accepted and, after clicking OK, is taken to WorkPlace:
Passcode Accepted
Known Issues
Authentication fails after upgrading appliance to version 10.0.1
More details are available in KB item #6517
Node secret mismatch after configuration replication
More details are available in KB item #6870
Node secret mismatch when logging in to appliance
During the creation of this KB, support ran into the following error the first time they attempted to log a user in to an RSA realm. When looking at the real-time reporting in the RSA Security Console, they saw the following error:
Node secret mismatch. Cleared on agent but not on server.
To resolve this issue, the node secret had to be cleared on the RSA server and on the Aventail appliance so it could be resent from the RSA server. These instructions are for RSA Authentication Manager 7.1. KBs 6517 and 6870 contain instructions on how to clear the node secret in version 5.2.
On the RSA server:
1. In the RSA Security Console go to Access > Authentication Agents > Manage Existing:
2. Click the arrow on the authentication agent that's having difficulties and select Manage Node Secret...
3. Select the checkbox next to Clear the node secret and then click Save:
4. Now, you must remove the associated file on the Aventail appliance.
On the Aventail appliance:
Warning: SonicWALL strongly recommends that users not familiar or comfortable with the command line contact SonicWALL product support for assistance. Use the command line at your own risk.
Please see KB item #2500 for some suggestions on enabling SSH access to the appliance and getting onto the command line.
1. Log in to the console using a serial cable or SSH.
2. Change to the /var/ace directory:
cd /var/ace
3. Remove the node secret files (sdstatus.12, securid) from the appliance:
rm sdstatus.12 securid
4. Restart policyserver. Note: This will restart all access services and drop user sessions.
/etc/init.d/policyserver restart
5. Log in to WorkPlace again using an RSA token. If you're using real-time logging on the RSA server, you'll see that a new node secret is sent:
Appliance continues to authenticate to old RSA server after creating new RSA authentication server
Another issue seen while creating this KB article was that a sdconf.rec file that had already been imported to an appliance continued to be used by that appliance until the policy service (policyserver) was restarted from the command line of the Aventail appliance using this command:
/etc/init.d/policyserver restart