Nortel Contivity VPN Concentrator Quick Start Guide

portal.cryptocard.com/documentation/TechDocs/CS63-NortelContivity...

Copyright © 2004 - 2005, CRYPTOCard Corporation, All Rights Reserved. http://www.cryptocard.com 2005.04.01


For assistance mailto:[email protected]

Table of Contents

Section 1: Overview
  Preparation and Prerequisites

Section 2: Configure the CRYPTO-Server
  RadiusProtocol NAS.# keys
  Verifying the CRYPTO-Server RADIUS Protocol Settings

Section 3: Configuring Nortel Contivity
  Adding a RADIUS Server
  Creating Group Profile
  Group Authentication Settings
  RADIUS Authentication Settings

Section 4: Configure Nortel VPN Client
  Creating A New Profile

Section 5: Troubleshooting Tips
  Testing Contivity Configuration


Section 1

Overview

The Nortel Contivity concentrator is used to create encrypted tunnels between hosts. The concentrator is able to control access to LAN resources and assign local IP addresses based upon authentication information such as a username and password. CRYPTOCard authentication replaces static passwords with strong two-factor authentication to prevent the use of lost, stolen, shared, or easily guessed passwords to establish a tunnel and gain access to protected resources.

1. Using the Contivity VPN Client, the user establishes a connection to the internal network using their logon name and a one-time password from their CRYPTOCard software or hardware token.

2. The VPN concentrator passes the authentication information to the CRYPTO-Server (via RADIUS).

3. The username and password are verified by the CRYPTO-Server, and an “Access-Accept” message is sent to the Contivity concentrator, allowing the user to access the network.

The intent of this document is to present the necessary steps to configure Contivity VPN concentrators for use with CRYPTOCard tokens.


Preparation and Prerequisites

The following systems must be installed and operational prior to configuring the VPN concentrator to use CRYPTOCard authentication.

• CRYPTO-Server 6.x.

• RADIUS Server: The VPN concentrator can be configured to use the RADIUS Server facility provided by the CRYPTO-Protocol Server module included with CRYPTO-Server [1], or use a third-party RADIUS server, such as Cisco Secure ACS [2], Funk Steel-Belted RADIUS [3], or IAS [4].

• CRYPTOCard user account and token: In order to authenticate to the VPN concentrator, a user account must exist on the CRYPTO-Server and a token must be assigned to that user [5].

• VPN Client application: The VPN client application software must be installed on the user machine. Ensure that the client system can connect to the concentrator using a fixed username and password before configuring the concentrator to use CRYPTOCard authentication.

• The following information will be required when completing this configuration.

  IP Address of the RADIUS server:

  Port number used by the RADIUS server:

  Shared Secret:

[1] See section 2 for details.
[2] Refer to the Cisco Secure ACS QuickStart for details.
[3] Refer to the Funk SBR QuickStart for details.
[4] Refer to the Microsoft IAS QuickStart for details.
[5] Refer to the CRYPTO-Server Administrators Guide for details.


Section 2

Configure the CRYPTO-Server

If you wish to use the CRYPTO-Server as your RADIUS server, you must verify that the Protocol Server is configured to accept RADIUS communications from the VPN concentrator.

Connect to the CRYPTO-Server using the Console, and choose Server -> System Configuration & Status… from the menu.

In the “Entity” column choose “RadiusProtocol”.

Next look at the “Value” corresponding to the key “NAS.2”.

The data in this value field defines which RADIUS clients are allowed to connect to the CRYPTO-Server, and the shared secret they must use.


RadiusProtocol NAS.# keys

By default, the CRYPTO-Server is configured to listen for RADIUS requests over UDP port 1812, from any host on the same subnet, using a shared secret of “testing123”. You can manually define as many RADIUS clients as desired by adding NAS.# entries to the CRYPTO-Server configuration. The syntax of the data for a NAS entry is as follows:

<First IP>, <Last IP>, <Hostname>, <Shared Secret>, <Perform Reverse Lookup?>, <Authentication Protocols>

Where:

<First IP>: The first IP address of the RADIUS client(s) configured in this NAS.# key.

<Last IP>: The last IP address of the RADIUS client(s) configured in this NAS.# key. If only one IP address is defined by a NAS.# key, the <First IP> and <Last IP> will be the same.

<Hostname>: Only applies in cases where the NAS.# key is for one host. Required for performing reverse lookup.

<Shared Secret>: A string used to encrypt the password being sent between the CRYPTO-Server and the RADIUS client (i.e. the VPN concentrator). You will need to enter the exact same string into the VPN concentrator in Section 3 – “Configuring Nortel Contivity” (see below). The <Shared Secret> string can be any combination of numbers and uppercase and lowercase letters.

<Perform Reverse Lookup?>: An added security feature of the CRYPTO-Server is its ability to verify the authenticity of a RADIUS client by cross-checking its IP address with the Domain Name Server. If this value is set to true, when the CRYPTO-Server receives a RADIUS request from the RADIUS client defined by this NAS.# entry, it sends a request to the DNS using the hostname set in the NAS.# entry. The DNS should respond with the same IP address as configured in the NAS.# entry; otherwise the CRYPTO-Server assumes that the RADIUS packet is coming from some other host posing as the RADIUS client (also known as a “man in the middle” attack), and ignores the request completely.

<Authentication Protocols>: Many different authentication protocols can be used during RADIUS authentication. Common examples are PAP, CHAP, MS-CHAP and EAP. This setting determines which authentication protocols the CRYPTO-Server will allow from a given RADIUS client. Currently PAP and CHAP are the only available authentication protocols for RADIUS clients.

NOTE: After changing or adding a NAS.# entry, click the “Apply” button.
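As an added example (not code from the CRYPTOCard guide), the following Python parses NAS.# values in the syntax above and applies the range check and the optional reverse-lookup cross-check the way the text describes. The sample entries are constructed, the space-separated form of <Authentication Protocols> is an assumption, and the injectable resolve function stands in for the DNS so the check can be run offline.

```python
import ipaddress
import socket

# Constructed sample NAS.# values in the documented syntax:
# <First IP>, <Last IP>, <Hostname>, <Shared Secret>, <Perform Reverse Lookup?>, <Authentication Protocols>
# (a space-separated protocol list is an assumption; the guide does not show the exact form)
SAMPLE_NAS_KEYS = {
    "NAS.1": "127.0.0.1, 127.0.0.1, , testing123, false, PAP CHAP",
    "NAS.2": "192.168.21.1, 192.168.21.254, , Ex4mpleSecret, false, PAP",
    "NAS.3": "10.0.0.7, 10.0.0.7, vpn.example.test, Ex4mpleSecret, true, PAP CHAP",
}

def parse_nas_entry(value):
    """Split one NAS.# value into its six fields and validate the range/hostname rules."""
    fields = [f.strip() for f in value.split(",")]
    if len(fields) != 6:
        raise ValueError("NAS entry must have exactly 6 comma-separated fields")
    first, last, host, secret, reverse, protos = fields
    first_ip, last_ip = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if last_ip < first_ip:
        raise ValueError("<Last IP> must not precede <First IP>")
    if host and first_ip != last_ip:
        raise ValueError("<Hostname> only applies when the entry covers a single host")
    do_reverse = reverse.lower() == "true"
    if do_reverse and not host:
        raise ValueError("reverse lookup requires a <Hostname>")
    return {"first": first_ip, "last": last_ip, "hostname": host, "secret": secret,
            "reverse_lookup": do_reverse, "protocols": protos.split()}

def find_nas(entries, client_ip, resolve=socket.gethostbyname):
    """Return the NAS entry that admits client_ip, or None when the request must be ignored.

    'resolve' stands in for the DNS lookup so the check can be exercised offline.
    """
    ip = ipaddress.IPv4Address(client_ip)
    for entry in entries:
        if not entry["first"] <= ip <= entry["last"]:
            continue
        if entry["reverse_lookup"]:
            # The configured hostname must resolve back to the sender's address;
            # anything else is treated as another host posing as the RADIUS client.
            try:
                if ipaddress.IPv4Address(resolve(entry["hostname"])) != ip:
                    return None
            except (OSError, ValueError):
                return None
        return entry
    return None
```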


Verifying the CRYPTO-Server RADIUS Protocol Settings

The RADIUSProtocol.dbg log [7] on the CRYPTO-Server will include information about its RADIUS configuration. Each time the Protocol Server starts, the following information is logged:

  Adding IP range 127.0.0.1 to 127.0.0.1 to ACL with reverse lookup set to false
  Adding IP range 192.168.21.1 to 192.168.21.254 to ACL with reverse lookup set to false
  RADIUS protocol has established link with EJB server at jnp://192.168.21.5:1099
  RADIUS Receiver Started: listening on port 1812 UDP.
  RADIUS Receiver Started: listening on port 1813 UDP.

This example indicates that the CRYPTO-Server is listening for RADIUS requests on UDP port 1812 (for authentication) and 1813 (for accounting), and RADIUS clients within the IP range of 192.168.21.1 to 192.168.21.254. As well, no reverse lookup is being performed.

[7] See section 6 Troubleshooting Tips for the location of the RADIUSProtocol.dbg file.


Section 3

Configuring Nortel Contivity

In order for the VPN concentrator to authenticate CRYPTOCard token users, RADIUS authentication must be enabled, an IPSec group must be created for token users and the correct RADIUS authentication settings must be configured.

Adding a RADIUS Server

Ensure that the RADIUS authentication protocol is enabled on the interface that VPN clients connect to. In the example below, RADIUS authentication is only enabled for connections coming in through the Public interface.


Creating Group Profile

Create a group to assign CRYPTOCard authentication to.


Group Authentication Settings

Edit the group settings to allow RADIUS Authentication based on User Name and Password, and set a group name and password.

RADIUS Authentication Settings

Enable RADIUS authentication.


The RADIUS Server-Supported Authentication Options should be set to match the RADIUS server being used. The following example shows the authentication options supported by most RADIUS servers.

Enter the information needed to connect to at least one RADIUS server configured for CRYPTOCard authentication.


Use the RADIUS Diagnostic Report to verify the RADIUS server is responding to requests from the Nortel Contivity. Click “OK” to save the RADIUS authentication settings before running the RADIUS Diagnostic Report.


Section 4

Configure Nortel VPN Client

The Nortel Contivity VPN Client software is used to create VPN connections to the Contivity. After installing the application on an end-user system, a connection profile must be created.

Creating A New Profile

The Connection Wizard can be used to create a new profile.

Select Username and Password authentication.


Enter the CRYPTOCard token name to be used with this connection.

Enter the Group ID and Password for the CRYPTOCard group.

Enter the Destination IP address or Host Name of the Contivity switch.


Select whether to start a Dial-up Connection before launching the VPN connection.

Finish the Wizard.


Section 5

Troubleshooting Tips

When troubleshooting issues with setting up RADIUS authentication on a Contivity VPN concentrator it may be helpful to refer to the log files on the VPN concentrator. Refer to Contivity documentation for more details on the VPN concentrator logging facility.

The CRYPTO-Server stores a log of all RADIUS traffic in

  C:\Program Files\CRYPTOCard\CRYPTO-Server\bin\RADIUSProtocol.dbg

A number of problems may occur when configuring the VPN concentrator to authenticate users on a CRYPTO-Server during the initial setup. These issues include problems with port assignments, network connectivity, and shared secrets.

Testing Contivity Configuration

Test the RADIUS connection using the RADIUS Diagnostic Tool in the Contivity Manager. If this test fails, consult the RADIUS server log to verify that the Contivity is at least able to reach the RADIUS server.

Some possible causes of a connection failure are:

1. RADIUS server is not running.

2. RADIUS server is listening on a different port than the Contivity is communicating on.

3. Shared secrets don’t match between the Contivity configuration and the RADIUS server configuration.

4. Network routing problems between the Contivity and the RADIUS server.

Verify network connectivity to the RADIUS server by pinging it from the Contivity. If the Contivity cannot ping the RADIUS server, then focus on correcting points 1 and 4 above. If the Contivity can ping the RADIUS server, then focus on correcting points 2 and 3 above.

If the RADIUS server logs record the connection from the Contivity switch, then it may be that the Contivity is not configured as a valid client to the RADIUS server. Verify that this is correct in the RADIUS server configuration.
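As an added example (not CRYPTOCard's own code), the Python below serves both the log-verification passage in Section 2 and the checks above: it reads the RADIUSProtocol.dbg startup lines quoted in Section 2 and reports whether the Contivity's address falls inside an ACL range and whether the server listens on the port the Contivity uses (point 2 and the "valid client" case). The log text is constructed from the lines quoted in Section 2; the function names are assumptions. A shared-secret mismatch (point 3) cannot be read from these startup lines and is not checked.

```python
import ipaddress
import re

# Constructed RADIUSProtocol.dbg startup lines in the format the guide shows in Section 2
SAMPLE_DBG = """\
Adding IP range 127.0.0.1 to 127.0.0.1 to ACL with reverse lookup set to false
Adding IP range 192.168.21.1 to 192.168.21.254 to ACL with reverse lookup set to false
RADIUS protocol has established link with EJB server at jnp://192.168.21.5:1099
RADIUS Receiver Started: listening on port 1812 UDP.
RADIUS Receiver Started: listening on port 1813 UDP.
"""

ACL_RE = re.compile(r"Adding IP range (\S+) to (\S+) to ACL with reverse lookup set to (true|false)")
PORT_RE = re.compile(r"RADIUS Receiver Started: listening on port (\d+) UDP")

def summarize_radius_startup(text):
    """Collect the ACL ranges and UDP listener ports from the startup lines."""
    acl, ports = [], []
    for line in text.splitlines():
        m = ACL_RE.search(line)
        if m:
            acl.append((ipaddress.IPv4Address(m.group(1)),
                        ipaddress.IPv4Address(m.group(2)), m.group(3) == "true"))
            continue
        m = PORT_RE.search(line)
        if m:
            ports.append(int(m.group(1)))
    return {"acl": acl, "ports": ports}

def check_concentrator(summary, concentrator_ip, auth_port):
    """Return findings that explain why the Contivity would not be accepted as a RADIUS client."""
    findings = []
    ip = ipaddress.IPv4Address(concentrator_ip)
    if not any(lo <= ip <= hi for lo, hi, _ in summary["acl"]):
        findings.append(f"{concentrator_ip} is outside every ACL range: add or widen a NAS.# entry")
    if auth_port not in summary["ports"]:
        findings.append(f"no RADIUS listener on UDP {auth_port}: align the port on the Contivity")
    for lo, hi, reverse in summary["acl"]:
        if reverse and lo <= ip <= hi:
            # With reverse lookup on, DNS must map the NAS hostname back to this address
            findings.append(f"reverse lookup is on for this range: DNS must resolve to {concentrator_ip}")
    return findings
```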

If you encounter a problem that cannot be solved using the tips above, contact [email protected] or call us at (800) 307-7042 or +1-613-599-2441 Monday through Friday 8:30 am to 5:00 pm EST.
