Client needs RSA Security Console setup so that when you connect to the VPN, it asks for a TOKEN (instead of a password).
The Big Idea
The TOKEN comes from a KEY FOB. It's a little device that you typically put on your keychain of your car/house. You press the only button on the device and it does one thing, give you a TOKEN. A TOKEN is a bunch of letters and numbers.
So it goes like this:
- -press button.
- -it displays: 123ABC
- -you connect to VPN.
- -you type in the USERNAME.
- -you type in the TOKEN.
- -you type in a PIN/PASSWORD.
- -you gain access.
The benefit here is that if your password gets compromised, it doesn't help the other person. They also need the TOKEN.
Think of it like you house. You need a key to access the house. If you don't have the physical key, you can't access the house. Same idea here. If you don't have the physical TOKEN, you can't access the house of data.
I've used this before but I've never set one up. Setting it up is a pain.
Purchase Equipment
The first hurdle to overcome is purchasing the equipment. I thought it was just software that installs on the WINDOWS SERVER 2012. Upon calling EMC (the company that owns RSA) they talked for about 15 minutes. When I asked for the next step, they prompted me to call one of their authorized dealers. Hmmmm... Not that I'm not grateful for the talk but in my mind, it would have been nice to know that upfront.
Getting the quote from CDW that only included software, I ran it by my new friend at EMC to make sure I had all the necessary parts. I want it working right the first time. EMC quickly pointed out that I also needed a hardware appliance (since the client isn't using virtual server).
Installing the Equipment
I've often said before that large companies are nothing more than crappy software with great marketing. The same holds true here. Upon getting the equipment and inspecting it, the hardware appliance is some sort of 1U server from MBX-like house that will powder coat your brand on the faceplate.
The rails are different in that they don't use typical holders. It has some type of quick setup rail system. Kinda cool. I always disliked the whole screw thing anyway.
First Impressions
Upon starting it up, it seems to running some type of Linux with an apache/httpd server (update: it's actually SUSE Linux Enterprise Server 11 (x86_64), VERSION = 11, PATCHLEVEL = 3 with an Oracle WebLogic Server). Make a change in the web-console and the value is changed in the config file and the service is restarted. I get the idea. Sounds familiar.
Everything is controlled via the web console. The web console is comprised of 3 areas:
SECURITY-CONSOLE:
(assign tokens)
https://rsa-server/sc
OPERATIONS-CONSOLE:
(sync users between systems, date, time, network, etc)
https://rsa-server/oc
SELF-SERVICE-CONSOLE:
(users can set PIN's and update their info)
https://rsa-server/ssc
Setup Users
You can setup the users via INTERNAL DATABASE or sync the users with an EXTERNAL DATABASE. This external database is typically an LDAP read-only database. This means it can be WINDOWS SERVER ACTIVE DIRECTORY or it can be an OPEN LDAP on RHEL/CENTOS.
The sync will only happen via a SECURE CONNECTION meaning LDAPS. So funny thing is that WINDOWS SERVER 2012 has their own way of dealing with CERTIFICATES which makes this nearly impossible. What's worse is that if the sync fails, it simply says "failed." It doesn't say why or what happened or give any log info.
I tried a couple of times but I couldn't get mine to sync with AD. So I threw in the towel and went to INTERNAL DATABASE.
- -login to https://rsa-server/sc
- -click IDENTITY > USERS > MANAGE-EXISITING
- -nothing shows up because it's an LDAP. You have to do a search.
- -click SEARCH (on the bottom right).
- -all the users show.
- -click ADD NEW (at the top).
- -add the user.
- -repeat if necessary.
Import Tokens
While the example at the beginning of the article talked about a KEY FOB (or hard-token), in recent years, most will simply use their smart phone (or soft-token). In either case (I suppose), the tokens have to imported into the system.
The tokens come on a CD package. The password for the tokens come on a second package.
- -put the CD into the system you are sitting at and using to access the web console.
- -copy the file on the CD to the DESKTOP (it's an XML file).
- -login to https://rsa-server/sc
- -click AUTHENTICATION > SECUREID-TOKENS > IMPORT-TOKEN-JOB > ADD-NEW.
- -keep the defaults.
- -browse for the file and select the XML on the DESKTOP.
- -type in the password (from the second package).
- -bullet OVERWRITE ALL DUPLICATE TOKENS.
- -click SUBMIT JOB.
The job should go through smoothly. If not, double-check the password and make sure you are using the file copied to the desktop. Sometimes, the system cannot "consume" the file if it is read-only.
Setup a Software Token Profile
A Software Token Profile has to be created before assigning the tokens. The profile determines items like:
- -what kind of device the token can be used on.
- -how long the token lasts.
- -the length of the token.
So to setup the SOFTWARE TOKEN PROFILE:
- -login to https://rsa-server/sc
- -click AUTHENTICATION > SOFTWARE-TOKEN-PROFILE > ADD-NEW.
- -name the profile anything you want.
- -select the device type.
- -select the length of the token (6 digits or 8 digits).
- -select the time-frame of the token.
- -select PIN INTEGRATED WITH TOKENCODE.
- -select CT-KIP.
In the ATTRIBUTES section, there are 2 attributes. The first is the STRING that only allows it to be installed on the DEVICE TYPE you selected. For example, it can only be installed on APPLE DEVICES. The second section is the default name of the token. I'll explain later. For now, type "MY TOKEN."
So for ATTRIBUTES:
- -leave the first attribute as the default value.
- -type: MY TOKEN (for software token nickname).
- -click SAVE.
Install RSA APP on IPHONE
Before you dish out the TOKENS, the users must have the RSA APP installed on their device, in this case the IPHONE. This sucks because now everyone has to have an APPLE-ID to continue which is it's own set of instructions.
Nevertheless, go to the APP STORE and install the RSA SECURID SOFTWARE TOKEN.
Note that the RSA APP won't work until it has a TOKEN installed. This is what confuses most people. They think, "I just installed the APP. Why doesn't it just work?"
Assign Token to Users
Now here is the fun part. We assign the tokens to the users. You can either assign the tokens in bulk or you can assign them one-by-one. I would love to think that going bulk would work but realistically, going one-by-one is probably easier in the long run.
- -login to https://rsa-server/sc
- -click AUTHENTICATION > SECURID TOKENS > MANAGE-EXISTING
- -click the UNASSIGNED tab (at the top).
- -click the top token.
- -click ASSIGN TO USER.
- -the user-panel shows but since it's LDAP, nothing shows.
- -click SEARCH (in the bottom-right) to show all the users.
- -bullet the user-you-want.
- -click ASSIGN (at the bottom).
Distribute the Tokens
Distributing the TOKENS is an additional step. Without distributing the TOKENS, the users have nothing more than an APP installed on their phone.
Go back to the token list (assigned):
- -login to https://rsa-server/sc
- -click AUTHENTICATION > SECURID TOKENS > MANAGE-EXISTING.
- -click the token-you-want-to-distribute.
- -click DISTRIBUTE.
- -select the SOFTWARE-TOKEN-PROFILE already created.
Now remember those attributes? Here's where you can customize them for each user. The first attribute (DeviceSerialNumber) can be changed so that the TOKEN will only install on the IPHONE belonging to the user (rather than just any IPHONE). The second attribute will let you customize what the user will see when they click on the RSA APP.
To get the specific DEVICE-SERIAL-NUMBER:
- -get the iphone.
- -open the RSA app.
- -click INFO button (at the bottom-right).
- -the BINDING-ID is the ID that needs to be typed into the DeviceSerialNumber attribute.
- -you can either email this to the super-admin (by clicking the email button next to the number) or you can tell him the number or you can just hand your phone to him/her.
- -type in a NICKNAME (so that it shows something other than just "Token 1").
- -select SYSTEM-GENERATED-CODE if the ACTIVATION-CODE (keep reading) is random or if the ACTIVATION-CODE is known as the DEVICESERIALNUMBER.
- -click SAVE & DISTRIBUTE.
Upon doing so, the admin has the option to distribute the TOKEN. Typically, that is done via email. After all, if it will only work on the specified device, there's really no harm in emailing the token. Is there?
At this point, you have another option, you can either:
- -email the whole token.
- -or you can email part of the token and force it require an ACTIVATION CODE.
If you require the ACTIVATION CODE, you will have to get that ACTIVATION CODE to the user. Good luck.
This whole process is complicated but it allows you to put as much security into your system as possible.
I opt to make it easy as possible while still maintaining security and assign the token directly to the device and I opt to email the whole token with activation code for a push-one-button install.
What happens
What happens if you try to install a TOKEN onto a device that isn't in the DEVICESERIALNUMBER?
It will ask you for the ACTIVATION CODE. Then it will say, "Token import failed. Invalid activation code. Contact your administrator."
Pretty cool. The TOKEN will only work on the device assigned to the TOKEN.
Everywhere, users are screaming "SECURITY!!!"
Integrating the RSA into Something
What's cool here is that the RSA appliance can be used to protect a few different items. Possibly you want it to protect a web site, a VPN or simply the computer system itself. It can protect all of these and integrate into just about anything. Theoretically anyway.
So far, I have witnessed protecting a web site. Protecting a computer system.
The VPN protection can be via Windows VPN or it can be via SonicWall VPN. The SonicWall has RSA integration capabilities.
To be able to secure an item, typically the item will use a SECURITY AGENT. This is a fancy term for a bit of code that integrates into the item you are protecting so that the USER/PASS request is sent to the RSA SERVER rather than the web site, AD server, etc.
Integrating the RSA into the RRAS (Windows VPN)
As of this writing, this isn't possible. I talked to RSA tech support. RSA doesn't integrate into RRAS/Windows 2012 VPN. It's on the roadmap and I'll be notified once it's complete.
Some items suggest that the RSA integration is via an authentication agent found here:
http://www.emc.com/security/rsa-securid/rsa-authentication-agents/windows.htm
Other items suggest this may be possible via RADIUS. For example, the horses-mouth docs say that VPN is done through RADIUS here:
http://blogs.technet.com/b/networking/archive/2014/01/13/configuring-native-vpn-client-through-pc-settings.aspx
And it gives instructions here:
http://technet.microsoft.com/en-us/library/jj900206.aspx
Integrating the RSA into SonicWall VPN
The RSA can be integrated into the SonicWall VPN without too much trouble. SonicWall is it's own topic unto itself. I won't go into all the details of the SonicWall or else we will be writing/reading a book.
The SonicWall has 2 types of VPN. The GLOBAL-VPN (GVPN) and the SSLVPN. For many reasons, pretend like the GLOBAL-VPN doesn't exist and simply go straight to the SSLVPN.
On this regard, to get the SSLVPN working, I'll simply refer to this awesome YouTube video:
https://www.youtube.com/watch?v=qPv-tz-zN6A&index=6&list=PLC909885E4476986B
At some point, I'll write out the instructions but for now, the above link will suffice.
After the VPN is up and running, we have to integrate the RSA users into the SONICWALL. On this section, to get the RSA users into the SONICWALL, I'll simply refer to this awesome DELL KB post:
https://support.software.dell.com/kb/sw9818
It uses RADIUS, so the RADIUS SERVER must be setup on the RSA and the RADIUS CLIENT must be setup on the SONICWALL.
Final VPN steps
So to get this working, you must have the SONICWALL VPN software setup on the laptop. What's cool here is that the software is embedded into firmware in the SONICWALL. This software should install automatically upon visting the VPN/SONICWALL web site but I'm finding that if the SSL is SELF-SIGNED and not originated from a TRUSTED-STORE then the software doesn't download/install correctly.
To get around this, you can manually install the software from the SONICWALL VPN web site here:
https://your-sonicwall-public-ip-address.tld:4433/NXSetupU.exe
Recap
So to recap, here are the steps why the RSA is so secure and the high-level steps needed:
-must have company iphone/device.
-token can only be installed on company iphone/device.
-enter PASSCODE for general iphone access.
-press RSA token app.
-type pin.
-press enter.
-see token.
-type token into vpn software.
NOTES:
-token is one time use only. Once you try it, it won't work again. You will have to wait for another token.
-just be clear, you cannot test token and then use it.
-if you don't enter the pin before getting a TOKEN, it will give a TOKEN but it will be the wrong one.
Internals
The RSA package lives in:
/opt/rsa/
It has it's own SERVICE. Rather than the typical:
service biztier status
RSA calls it rsaserv puts it here:
/opt/rsa/am/server
So checking the RSA services goes like this:
./rsaserv status all
RSA puts all the unique services here:
/opt/rsa/am/server/servers/
This is different than placing it in the typical directory of:
/etc/rc.d/init.d/
External References
This has helped: