SASolutions@gemalto.com
January 2008
www.gemalto.com
All information herein is either public information or is the property of and owned solely by Gemalto NV. and/or its
subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual property
protection in connection with such information.
Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under any
intellectual and/or industrial property rights of or concerning any of Gemalto's information.
This document can be used for informational, non-commercial, internal and personal use only provided that:
- The copyright notice below, the confidentiality and proprietary legend and this full warning notice appear in all copies.
- This document shall not be posted on any network computer or broadcast in any media and no modification of any part of this document shall be made.
Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities.
The information contained in this document is provided AS IS without any warranty of any kind. Unless otherwise
expressly agreed in writing, Gemalto makes no warranty as to the value or accuracy of information contained herein.
The document could include technical inaccuracies or typographical errors. Changes are periodically added to the
information herein. Furthermore, Gemalto reserves the right to make any change or improvement in the
specifications data, information, and the like described herein, at any time.
Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein, including all implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Gemalto be liable, whether in contract, tort or otherwise, for any indirect, special or consequential damages or any damages whatsoever including but not limited to damages resulting from loss of use, data, profits, revenues, or customers, arising out of or in connection with the use or performance of information contained in this document.
Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not
incur, and disclaims, any liability in this respect. Even if each product is compliant with current security
standards in force on the date of their design, security mechanisms' resistance necessarily evolves
according to the state of the art in security and notably under the emergence of new attacks. Under no
circumstances, shall Gemalto be held liable for any third party actions and in particular in case of any
successful attack against systems or equipment incorporating Gemalto products. Gemalto disclaims any
liability with respect to security for direct, indirect, incidental or consequential damages that result from any
use of its products. It is further stressed that independent testing and verification by the person using the
product is particularly encouraged, especially in any application in which defective, incorrect or insecure
functioning could result in damage to persons or property, denial of service or loss of privacy.
Copyright 2008 Gemalto N.V. All rights reserved. Gemalto and the Gemalto logo are trademarks and service
marks of Gemalto N.V. and/or its subsidiaries and are registered in certain countries. All other trademarks and
service marks, whether registered or not in specific countries, are the property of their respective owners.
GEMALTO, B.P. 100, 13881 GEMENOS CEDEX, FRANCE.
Tel: +33 (0)4.42.36.50.00 Fax: +33 (0)4.42.36.50.90
200802-004-SASEP-00
Table of contents
Use case ... 4
Overview ... 5
Architecture ... 7
Configure Check Point FW ... 8
Configure Check Point IPSec VPN ... 13
Configure Check Point SSL VPN ... 15
Configure RADIUS connection ... 18
    Declare RADIUS resource ... 18
    Configure RADIUS resource ... 19
    Create users ... 21
    Create a security rule ... 29
Open the connection to the Intranet using SA Server ... 33
    IPSec VPN Client ... 33
    SSL VPN Client ... 39
Appendix 1: Configure an IAS RADIUS Server with SA Server ... 43
    IAS RADIUS prerequisites ... 43
    Add a RADIUS Client ... 44
    Install and configure SA Server agent for IAS ... 50
    Restart IAS ... 53
Appendix 2: Configure Juniper Steel-Belted RADIUS Server ... 54
    SBR pre-requisites ... 54
    Add RADIUS Client ... 55
    Install and configure SA Server agent for SBR ... 56
    Restart SBR ... 59
Appendix 3: Configure Free RADIUS Server on Linux ... 61
    Free RADIUS pre-requisites ... 61
    Add RADIUS Client ... 61
    Install and configure SA Server agent for Free RADIUS ... 61
    Restart Free RADIUS ... 62
Appendix 4:
200802-004-SASEP-00
Use case
To give Mobile Users access to their Corporate Network, it is usual to install a VPN Gateway.
As only recognized users should be entitled to access the Intranet, the gateway should be able to authenticate Mobile Users. This is the main feature provided by the Gemalto SA Server.
The link between the VPN Gateway and the SA Server is usually realized through the standard RADIUS protocol implemented by an AAA server.
[Figure: Mobile Users reach the Corporate Network across the Internet through the VPN Gateway; authentication goes from the VPN Gateway to the Radius Server and from the Radius Server to the Gemalto SA Server.]
Overview
This document provides a deployment scenario showing how to configure a Check Point IPSec VPN or a Check Point SSL VPN to use Gemalto SA Server to authenticate Mobile Users.
The deployment scenario describes an example that has been tested by Gemalto. Other configurations may work equally well, but bear in mind that they have not been tested.
Caution:
To provide SA Server authentication for Check Point IPSec VPN or Check Point SSL VPN, your system requires the following pre-requisites:
- A Check Point FW appliance.
  We used the Check Point NGX R65 software version with this firewall. The appliance hosts two physical interfaces and is able to act as a gateway from the Internal Network to the External Network.
  o <IP Check Point FW Internal Address> represents the IP address of the physical interface visible from the Internal Network. This network is seen as a trusted network. In our laboratory <IP Check Point FW Internal Address> was 10.0.4.198/24.
  o <IP Check Point FW External Address> represents the IP address of the physical interface visible from the External Network. The External Network is seen as an unsecured network. In our laboratory <IP Check Point FW External Address> was 192.168.1.1/24.
- An AD Domain machine hosting an Active Directory LDAP and acting as domain controller.
  In our laboratory the domain hosted by AD Domain was gemalto.fr.
  We will use the term Mobile Users to refer to users who have an account in AD Domain and who will access the Internal Network from the External Network through the Check Point FW. Their accounts must be configured to allow remote access.
- A Gemalto SA Server.
  The server must be installed in mixed mode and connected to the AD Domain. It is assumed to be already provisioned with devices and users. <Base URL SA Server> will be used to refer to the URL that should be used to access SA Server. In our laboratory <Base URL SA Server> was http://10.0.4.216:8080.
- A RADIUS Server.
  This server is the link between Check Point FW and Gemalto SA Server. We have validated three configurations:
  o IAS RADIUS, for which <IP IAS address> will be used to refer to the IAS RADIUS server IP address. In our laboratory, <IP IAS address> was 10.0.4.60.
  o Juniper Steel-Belted RADIUS, for which <IP SBR address> will be used to refer to the Juniper Steel-Belted RADIUS server IP address. In our laboratory, <IP SBR address> was 10.0.4.87.
  o Free RADIUS, for which <IP FreeR address> will be used to refer to the Free RADIUS server IP address. In our laboratory, <IP FreeR address> was 10.0.4.192.
Each RADIUS configuration is described in the appendices of this document.
Architecture
The following figure shows the architecture associated with the deployment scenarios
described in this document.
Check Point components have a restriction on the Password length: it cannot be more than 16 characters!
As the OTP value is sent to SA Server through the Password field, it is the concatenation OTP + LDAP Password that is limited to 16 characters.
Using a 6-digit OTP token, the LDAP Password therefore cannot be more than 10 characters!
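The Password field limit described above, together with the RADIUS link from the Use case, as an added example (not Gemalto's or Check Point's code): it builds the OTP + LDAP Password value the Mobile User types, enforces the 16-character Check Point limit, splits it back the way a receiving agent could (the fixed 6-digit OTP prefix is an assumption, not something the document states), and hides it in a RADIUS User-Password attribute per RFC 2865 as a gateway does before sending it to the RADIUS server. The shared secret and Request Authenticator in the comments and tests are constructed values.

```python
import hashlib

OTP_DIGITS = 6                # 6-digit OTP token, as in the document's laboratory
CHECKPOINT_PASSWORD_MAX = 16  # Password length limit of the Check Point components

def fits_checkpoint_limit(otp: str, ldap_password: str) -> bool:
    """True when OTP + LDAP Password fits in the 16-character Check Point Password field."""
    return len(otp) + len(ldap_password) <= CHECKPOINT_PASSWORD_MAX

def build_password_field(otp: str, ldap_password: str) -> str:
    """Concatenate OTP + LDAP Password as the Mobile User types it in the VPN client.
    With a 6-digit OTP the LDAP Password may be at most 10 characters; a longer value
    would be cut or refused by Check Point, so it is rejected here instead."""
    if len(otp) != OTP_DIGITS or not otp.isdigit():
        raise ValueError("OTP must be exactly %d digits" % OTP_DIGITS)
    if not fits_checkpoint_limit(otp, ldap_password):
        raise ValueError("LDAP Password may be at most %d characters"
                         % (CHECKPOINT_PASSWORD_MAX - OTP_DIGITS))
    return otp + ldap_password

def split_password_field(field: str) -> tuple:
    """Split the field back into (OTP, LDAP Password). Assumption (not stated in the
    document): the receiving agent treats the first OTP_DIGITS characters as the OTP."""
    return field[:OTP_DIGITS], field[OTP_DIGITS:]

def hide_user_password(password: str, secret: bytes, authenticator: bytes) -> bytes:
    """Hide the Password field in a RADIUS User-Password attribute (RFC 2865 section 5.2).
    The password is null-padded to a multiple of 16 octets; each block is XORed with
    MD5(secret + previous hidden block), seeded with the 16-octet Request Authenticator."""
    plain = password.encode("utf-8")
    plain += b"\x00" * (-len(plain) % 16 if plain else 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(plain), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(plain[i:i + 16], key))
        hidden += prev
    return hidden

def unhide_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> str:
    """Recover the Password field on the RADIUS server side and strip the null padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 octets")
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(prev, key))
    return plain.rstrip(b"\x00").decode("utf-8")
```

A 16-character field hides into a single 16-octet block; one character more already needs a second block, which is why the LDAP Password must stay within 10 characters next to a 6-digit OTP.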
To configure the Check Point FW for Check Point IPSec VPN or Check Point SSL VPN, you have to use the SmartDashboard tool. Its installation is not part of this document; please refer to the Check Point documentation.
Using SmartDashboard:
In SSL clients allowed to connect to this gateway, tick the SSL Network Extender choice.
Note: SSL Network Extender is an ActiveX component that is downloaded to the client PC during the first connection to the SSL VPN gateway. It encapsulates all the traffic to the Internal Network in an SSL tunnel.
Select New
Select RADIUS
Create users
Check Point users can be managed in different ways.
We can declare all users (i.e. define every login) in Check Point and associate each of them with a selected RADIUS server. With this approach, when an authentication request is received, Check Point validates that the user (login) is present in the internal database and forwards the request to the associated RADIUS server.
We can also forward all authentication requests to the RADIUS servers when no user is defined in Check Point.
In our laboratory, we implemented both solutions, taking advantage of the multiple RADIUS servers.
Solution based on a user duplicated in the Check Point internal base
For this solution, we created the Grp_Users_IAS group, the Grp_Users_SBR group and the Grp_Users_FreeRadius group.
Using SmartDashboard:
In User Group: select the user groups concerned by this rule.
In Location: select the No restriction choice.
Note: The No restriction choice is used to avoid Check Point restrictions on the Client IP addresses. When selected, the @any suffix is added to the User Group name.
Click on [OK]
Validate that All Users is available in Remote Access User Groups: from the Participant User Group entry in the tree presented on the left side.
Double-Click on [
First connection
The first time you launch the client, the following message is displayed.
Click on [Yes]
The Site Wizard window is displayed
In User name: enter the name associated with a Mobile User as it is defined in the LDAP (Active Directory).
In Password: enter the value made by concatenating the 6 OTP digits with the LDAP Password.
Click on [No]
Note: In our configuration we did not implement this feature, which allows downloading security rules into the firewall embedded in the VPN Client.
If the network administrator has provided the Internal CA Certificate Fingerprint:, the user can validate it. This confirms that the client is connected to the expected site.
Click on [Next >]
Click on [Finish]
In User name: enter the name associated with a Mobile User as it is defined in the LDAP (Active Directory).
In Password: enter the value made by concatenating the 6 OTP digits with the LDAP Password.
Click on [Connect]
Click on [Disconnect]
In User Name: enter the name associated with a Mobile User as it is defined in the LDAP (Active Directory).
In Password: enter the value made by concatenating the 6 OTP digits with the LDAP Password.
Click on [OK]
The Check Point FW gateway tries to install the SSL Network Extender on the client PC. This installation can generate action requests like the following one:
Those elements depend on the security parameters of the browser. You have to acknowledge them.
When this component is installed, you can see the following window:
If the network administrator has provided the Internal CA Certificate Fingerprint:, the user can validate it. This confirms that the client is connected to the expected site!
Click on [Yes]
In User Name: enter the name associated with a Mobile User as it is defined in the LDAP (Active Directory).
In Password: enter the value made by concatenating the 6 OTP digits with the LDAP Password.
Click on [OK]
Then it is possible to access resources on the Internal Network, according to the security policy.
Note: The Office Mode IP: displayed in the previous figure is used internally by the gateway. Its value is arbitrary.
To close the SSL tunnel
Click on [Disconnect]
Select Set up a custom policy choice in How do you want to set up this policy and
add a friendly name in Policy name.
Click on [Next >]
Enter <IP Check Point FW Internal Address> in Type a word or a wild card (for
example, abc.*): and click on [OK]
Select I accept the terms in the license agreement and click on [Next >]
Caution:
During the installation, you have to replace localhost with the real IP address of SA Server. You also have to set the port if it is not the standard port 80.
Don't forget to replace the proposed protiva path with saserver, as it is now the default choice used during SA Server installation.
Click on [Install]
Click on [Finish]
Restart IAS
To launch the installed agent, you now have to re-start IAS.
Then, click on the green arrow in the same toolbar to restart the server and take
the changes into account.
SBR pre-requisites
Juniper Steel-Belted RADIUS installation is not described in this document.
Launch SBR admin portal
To open the Juniper Steel-Belted RADIUS admin portal:
You have to fill in User Name and Password using an account with administrator privileges on the Juniper Steel-Belted RADIUS server.
Port is automatically filled with the default 1813 value.
Click on [Login]
Select I accept the terms in the license agreement and click on [Next >]
Select the Service folder in the SBR installation directory so that it appears in Folder name:
Usually, this is under \Program Files\Juniper Networks\Steel-Belted Radius
Click on [Next >]
Enter
<Base URL SA Server>/saserver/servlet/UserRequestServlet
in Protiva Authentication Servlet URL:
Caution:
During the installation, you have to replace localhost with the real IP address of SA Server. You also have to set the port if it is not the standard port 80.
Don't forget to replace the proposed protiva path with saserver, as it is now the default choice used during SA Server installation.
Click on [Install]
Click on [Finish]
Restart SBR
To launch the installed agent, you now have to restart the SBR service.
Select Start,
Select Control Panel,
Select Administrative Tools
Select Services
Look for the authenticate section and add the following element:
    Auth-Type protiva {
        protiva
    }
Save radiusd.conf.
Open users, usually located in the /etc/raddb/ directory, with a text editor.
Look for the following section:
    DEFAULT Auth-Type = System
            Fall-Through = 1
Add an additional Auth-Type entry before those lines to obtain:
    DEFAULT Auth-Type = protiva
            Fall-Through = Yes
Mobile Users must also have the Remote Access Permission. You can check this using the following process:
Click on Users, right-click on the target user and select Properties.
Select the Dial-in tab and check the Allow access box in the Remote Access Permission section.