Post on 22-Jun-2018
Copyright © 2004 - 2005, CRYPTOCard Corporation, All Rights Reserved. http://www.cryptocard.com 2005.04.01
Nortel Contivity VPN Concentrator
Quick Start Guide
For assistance mailto:support@cryptocard.com i
Table of Contents

Section 1: Overview
    Preparation and Prerequisites
Section 2: Configure the CRYPTO-Server
    RadiusProtocol NAS.# keys
    Verifying the CRYPTO-Server RADIUS Protocol Settings
Section 3: Configuring Nortel Contivity
    Adding a RADIUS Server
    Creating Group Profile
    Group Authentication Settings
    RADIUS Authentication Settings
Section 4: Configure Nortel VPN Client
    Creating A New Profile
Section 5: Troubleshooting Tips
    Testing Contivity Configuration
Section 1
Overview
The Nortel Contivity concentrator is used to create encrypted tunnels between hosts. The
concentrator is able to control access to LAN resources and assign local IP addresses based
upon authentication information such as a username and password. CRYPTOCard
authentication replaces static passwords with strong two-factor authentication, so that a
lost, stolen, shared, or easily guessed password cannot be used to establish a tunnel and
gain access to protected resources.
1. Using the Contivity VPN Client, the user establishes a connection to the internal network
using their logon name and a one-time password from their CRYPTOCard software or
hardware token.
2. The VPN concentrator passes the authentication information to the CRYPTO-Server (via
RADIUS).
3. The username and password are verified by the CRYPTO-Server, and an “Access-Accept”
message is sent to the Contivity concentrator, allowing the user to access the network.
The intent of this document is to present the necessary steps to configure Contivity VPN
concentrators for use with CRYPTOCard tokens.
Preparation and Prerequisites
The following systems must be installed and operational prior to configuring the VPN
concentrator to use CRYPTOCard authentication.
• CRYPTO-Server 6.x.
• RADIUS Server: The VPN concentrator can be configured to use the RADIUS Server
facility provided by the CRYPTO-Protocol Server module included with CRYPTO-Server [1],
or use a third-party RADIUS server, such as Cisco Secure ACS [2], Funk Steel-Belted
RADIUS [3], or IAS [4].
• CRYPTOCard user account and token: In order to authenticate to the VPN concentrator,
a user account must exist on the CRYPTO-Server and a token must be assigned to that
user [5].
• VPN Client application: The VPN client application software must be installed on the user
machine.
Ensure that the client system can connect to the concentrator using a fixed
username and password before configuring the concentrator to use CRYPTOCard
authentication.
• The following information will be required when completing this configuration.
IP Address of the RADIUS server:
Port number used by the RADIUS server:
Shared Secret:
[1] See Section 2 for details.
[2] Refer to the Cisco Secure ACS QuickStart for details.
[3] Refer to the Funk SBR QuickStart for details.
[4] Refer to the Microsoft IAS QuickStart for details.
[5] Refer to the CRYPTO-Server Administrators Guide for details.
Section 2
Configure the CRYPTO-Server
If you wish to use the CRYPTO-Server as your RADIUS server, you must verify that the
Protocol Server is configured to accept RADIUS communications from the VPN concentrator.
Connect to the CRYPTO-Server using the Console, and choose Server -> System
Configuration & Status… from the menu.
In the “Entity” column choose “RadiusProtocol”. Next look at the “Value” corresponding to
the key “NAS.2”.
The data in this value field defines which RADIUS clients are allowed to connect to the
CRYPTO-Server, and the shared secret they must use.
RadiusProtocol NAS.# keys
By default, the CRYPTO-Server is configured to listen for RADIUS requests over UDP port
1812, from any host on the same subnet, using a shared secret of “testing123”. You can
manually define as many RADIUS clients as desired by adding NAS.# entries to the
CRYPTO-Server configuration. The syntax of the data for a NAS entry is as follows:
<First IP>, <Last IP>, <Hostname>, <Shared Secret>, <Perform Reverse Lookup?>,
<Authentication Protocols>
Where:
<First IP>: The first IP address of the RADIUS client(s) configured in this NAS.# key.
<Last IP>: The last IP address of the RADIUS client(s) configured in this NAS.# key.
If only one IP address is defined by a NAS.# key, the <First IP> and <Last IP> will be the
same.
<Hostname>: Only applies in cases where the NAS.# key is for one host. Required for
performing reverse lookup.
<Shared Secret>: A string known only to the CRYPTO-Server and the RADIUS client (i.e. the
VPN concentrator). It is used to hide the user password in RADIUS packets and to
authenticate the responses the CRYPTO-Server sends back. You will need to enter the exact
same string into the VPN concentrator in Section 3 – “Configuring Nortel Contivity” (see
below). The <Shared Secret> string can be any combination of numbers and uppercase and
lowercase letters. Change it from the default “testing123” and choose a long, random value:
anyone who learns the secret can recover passwords from captured RADIUS traffic and forge
responses.
<Perform Reverse Lookup?>: An added security feature of the CRYPTO-Server is its
ability to verify the identity of a RADIUS client by cross-checking its IP address with the
Domain Name Server. If this value is set to true, when the CRYPTO-Server receives a
RADIUS request from the RADIUS client defined by this NAS.# entry, it queries the DNS for
the hostname set in the NAS.# entry. The DNS should respond with the same IP address as
configured in the NAS.# entry; otherwise the CRYPTO-Server assumes that the RADIUS
packet is coming from some other host posing as the RADIUS client (IP address spoofing)
and ignores the request completely. Because the check depends on DNS answers, it is only
as trustworthy as the DNS server the CRYPTO-Server queries.
<Authentication Protocols>: Many different authentication protocols can be used during
RADIUS authentication. Common examples are PAP, CHAP, MS-CHAP and EAP. This setting
determines which authentication protocols the CRYPTO-Server will allow from a given
RADIUS client. Currently PAP and CHAP are the only available authentication protocols for
RADIUS clients.
NOTE: After changing or adding a NAS.# entry, click the “Apply” button.
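The NAS.# syntax above is easy to get subtly wrong (a range that does not cover the concentrator, a reverse-lookup flag on a multi-host entry, a secret left at the default). The following Python is an added example, not CRYPTO-Server code: it parses NAS.# values in the documented six-field form, builds the client ACL, decides whether a request from a given source IP would be accepted, and applies the reverse-lookup check with an injectable resolver so it runs offline. The configuration, hostnames and DNS answers are constructed for the example; the use of “|” to separate several authentication protocols is an assumption, since the guide does not show the separator.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Default shared secret named in the guide; flagged below because it must be changed.
DEFAULT_SECRET = "testing123"


@dataclass(frozen=True)
class NasEntry:
    key: str                       # e.g. "NAS.2"
    first_ip: ipaddress.IPv4Address
    last_ip: ipaddress.IPv4Address
    hostname: str
    shared_secret: str
    reverse_lookup: bool
    protocols: Tuple[str, ...]


def parse_nas_entry(key: str, value: str) -> NasEntry:
    """Parse one NAS.# value:
    <First IP>, <Last IP>, <Hostname>, <Shared Secret>, <Perform Reverse Lookup?>, <Authentication Protocols>
    Assumption: several protocols are separated by '|' (the guide does not show the separator).
    """
    fields = [f.strip() for f in value.split(",")]
    if len(fields) != 6:
        raise ValueError(f"{key}: expected 6 comma-separated fields, got {len(fields)}")
    first, last, host, secret, rev, protos = fields
    first_ip, last_ip = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if last_ip < first_ip:
        raise ValueError(f"{key}: last IP precedes first IP")
    if rev.lower() not in ("true", "false"):
        raise ValueError(f"{key}: reverse-lookup flag must be true or false")
    reverse = rev.lower() == "true"
    # Per the guide, the hostname (and hence reverse lookup) only applies to single-host entries.
    if reverse and (not host or first_ip != last_ip):
        raise ValueError(f"{key}: reverse lookup needs a hostname and a single-host range")
    if not secret:
        raise ValueError(f"{key}: empty shared secret")
    return NasEntry(key, first_ip, last_ip, host, secret, reverse,
                    tuple(p.strip().upper() for p in protos.split("|") if p.strip()))


def load_acl(config: Dict[str, str]) -> List[NasEntry]:
    """Build the client ACL from the RadiusProtocol NAS.# keys, in numeric order."""
    keys = sorted((k for k in config if k.startswith("NAS.")), key=lambda k: int(k.split(".")[1]))
    return [parse_nas_entry(k, config[k]) for k in keys]


Resolver = Callable[[str], Optional[str]]


def authorize_client(acl: List[NasEntry], client_ip: str, resolve: Resolver) -> Optional[NasEntry]:
    """Return the NAS entry that admits a request from client_ip, or None to drop the packet.
    `resolve` maps a hostname to an IPv4 string (or None); it is injected so the check runs offline."""
    ip = ipaddress.IPv4Address(client_ip)
    for entry in acl:
        if not entry.first_ip <= ip <= entry.last_ip:
            continue
        if entry.reverse_lookup:
            resolved = resolve(entry.hostname)
            # The DNS answer must match the sender; otherwise treat the packet as spoofed.
            if resolved is None or ipaddress.IPv4Address(resolved) != ip:
                return None
        return entry
    return None


def weak_secret_entries(acl: List[NasEntry]) -> List[str]:
    """Keys still using the factory default secret, or one shorter than 16 characters."""
    return [e.key for e in acl if e.shared_secret == DEFAULT_SECRET or len(e.shared_secret) < 16]


# Constructed configuration in the guide's syntax (not a real CRYPTO-Server dump).
SAMPLE_CONFIG = {
    "NAS.1": "127.0.0.1, 127.0.0.1, localhost, testing123, false, PAP|CHAP",
    "NAS.2": "192.168.21.1, 192.168.21.254, , testing123, false, PAP|CHAP",
    "NAS.3": "192.168.30.10, 192.168.30.10, contivity.example.com, Xk7pQ2vLm9RtB4wZ, true, PAP",
}
FAKE_DNS = {"contivity.example.com": "192.168.30.10"}  # constructed resolver answers

if __name__ == "__main__":
    acl = load_acl(SAMPLE_CONFIG)
    print("entries still using a weak secret:", weak_secret_entries(acl))
    for ip in ("192.168.21.77", "192.168.30.10", "10.0.0.5"):
        entry = authorize_client(acl, ip, FAKE_DNS.get)
        print(ip, "->", entry.key if entry else "dropped")
```

Run it as-is to see the default-secret entries flagged and a request from outside every range dropped; swap `FAKE_DNS.get` for a resolver that returns a different address to see the reverse-lookup check reject a spoofed sender.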
Verifying the CRYPTO-Server RADIUS Protocol Settings
The RADIUSProtocol.dbg log [7] on the CRYPTO-Server will include information about its
RADIUS configuration. Each time the Protocol Server starts, the following information is
logged:
Adding IP range 127.0.0.1 to 127.0.0.1 to ACL with reverse lookup set to false
Adding IP range 192.168.21.1 to 192.168.21.254 to ACL with reverse lookup set to false
RADIUS protocol has established link with EJB server at jnp://192.168.21.5:1099
RADIUS Receiver Started: listening on port 1812 UDP.
RADIUS Receiver Started: listening on port 1813 UDP.
This example indicates that the CRYPTO-Server is listening for RADIUS requests on UDP port
1812 (for authentication) and 1813 (for accounting), and that it accepts requests from
127.0.0.1 and from RADIUS clients within the IP range 192.168.21.1 to 192.168.21.254. As
well, no reverse lookup is being performed for either range.
[7] See Section 5, Troubleshooting Tips, for the location of the RADIUSProtocol.dbg file.
Section 3
Configuring Nortel Contivity
In order for the VPN concentrator to authenticate CRYPTOCard token users, RADIUS
authentication must be enabled, an IPSec group must be created for token users and the
correct RADIUS authentication settings must be configured.
Adding a RADIUS Server
Ensure that the RADIUS authentication protocol is enabled on the interface that VPN clients
connect to. In the example below, RADIUS authentication is only enabled for connections
coming in through the Public interface.
Creating Group Profile
Create a group to assign CRYPTOCard authentication to.
Group Authentication Settings
Edit the group settings to allow RADIUS Authentication based on User Name and Password,
and set a group name and password.
RADIUS Authentication Settings
Enable RADIUS authentication.
The RADIUS Server-Supported Authentication Options should be set to match the RADIUS
server being used. The following example shows the authentication options supported by
most RADIUS servers.
Enter the information needed to connect to at least one RADIUS server configured for
CRYPTOCard authentication.
Use the RADIUS Diagnostic Report to verify that the RADIUS server is responding to requests
from the Nortel Contivity. Click “OK” to save the RADIUS authentication settings before
running the RADIUS Diagnostic Report.
Section 4
Configure Nortel VPN Client
The Nortel Contivity VPN Client software is used to create VPN connections to the Contivity.
After installing the application on an end-user system, a connection profile must be created.
Creating A New Profile
The Connection Wizard can be used to create a new profile.
Select Username and Password authentication.
Enter the CRYPTOCard token name to be used with this connection.
Enter the Group ID and Password for the CRYPTOCard group.
Enter the Destination IP address or Host Name of the Contivity switch.
Select whether to start a Dial-up Connection before launching the VPN connection.
Finish the wizard.
Section 5
Troubleshooting Tips
When troubleshooting issues with setting up RADIUS authentication on a Contivity VPN
concentrator it may be helpful to refer to the log files on the VPN concentrator. Refer to
Contivity documentation for more details on the VPN concentrator logging facility.
The CRYPTO-Server stores a log of all RADIUS traffic in
C:\Program Files\CRYPTOCard\CRYPTO-Server\bin\RADIUSProtocol.dbg
A number of problems may occur when configuring the VPN concentrator to authenticate
users on a CRYPTO-Server during the initial setup. These issues include problems with port
assignments, network connectivity, and shared secrets.
Testing Contivity Configuration
Test the RADIUS connection using the RADIUS Diagnostic Tool in the Contivity Manager. If
this test fails, consult the RADIUS server log to verify that the Contivity is at least able to
reach the RADIUS server.
Some possible causes of a connection failure are:
1. RADIUS server is not running
2. RADIUS server is listening on a different port than the Contivity is communicating on
3. Shared secrets don’t match between the Contivity configuration and the RADIUS server
configuration.
4. Network routing problems between the Contivity and the RADIUS server
Verify network connectivity to the RADIUS server by pinging it from the Contivity. If the
Contivity cannot ping the RADIUS server, then focus on correcting points 1 and 4 above.
If the Contivity can ping the RADIUS server, then focus on correcting points 2 and 3 above.
A successful ping only proves IP reachability: a firewall between the two can still block UDP
port 1812, which looks like point 2 from the Contivity's side.
If the RADIUS server logs record the request arriving from the Contivity switch but it is still
rejected or ignored, then it may be that the Contivity is not configured as a valid client to the
RADIUS server; on the CRYPTO-Server this means its IP address is not covered by any NAS.#
entry (see Section 2). Verify that this is correct in the RADIUS server configuration.
If you encounter a problem that cannot be solved using the tips above, contact
support@cryptocard.com or call us at (800) 307-7042 or +1-613-599-2441 Monday through
Friday 8:30 am to 5:00 pm EST.