[KB3571] How do I configure my Netasq IPSec VPN Client for use with ESET Secure Authentication?

Solution

Introduction

This article describes how to configure the Netasq IPSec VPN Client™ to authenticate users against an ESA Server. Before proceeding, verify that you've installed the RADIUS Server component of ESET Secure Authentication and can access the RADIUS service that allows external systems to authenticate users.

Before the Netasq IPSec VPN Client™ can use the ESA Server to authenticate users via RADIUS, it must be set up as a RADIUS client on the ESA Server. Next, your server running the ESA RADIUS service must be setup as a RADIUS Server on the Netasq IPSec VPN Client™. Once these configurations have been specified, you can start logging into your Netasq IPSec VPN™ using ESA OTPs.

NOTE:

This integration guide utilizes Client does not validate user name and password Client type for this particular VPN appliance. If you wish to utilize other Client type, refer to generic description of Client types and verify with the vendor if the VPN appliance supports it.

 

Step I - RADIUS client configuration



The RADIUS protocol requires that access requests to RADIUS servers include the IP address for the RADIUS client (for example, the Netasq IPSec VPN Client™).

To allow the Netasq IPSec VPN Client™ to communicate with your ESA Server, you must configure it as a RADIUS client on your ESA RADIUS Server:

  1. Log in to ESA Web Console.
  2. Navigate to Components > RADIUS and locate the hostname of the server running the ESA RADIUS service.
  3. Click the hostname, then click Create New Radius Client.
  4. In the Basic Settings section:
    1. Give the RADIUS client a memorable name for easy reference.
    2. Configure the IP Address and Shared Secret for the Client so that they correspond to the configuration of your VPN appliance. The IP address is the internal IP address of your appliance. If your appliance communicates via IPv6, use that IP address along with the related scope ID (interface ID).
    3. The shared secret is the RADIUS shared secret for the external authenticator that you will configure on your appliance.
  5. In the Authentication section apply the settings shown in Figure 1-1 below.

Configuring your RADIUS client

  • To prevent locking any existing, non-2FA enabled AD users out of your VPN we recommend that you allow Non-2FA users during the transitioning phase. It is also recommended that you limit VPN access to a security group in the Users section.
  • Make sure that the check box next to Mobile Application is selected.

Figure 1-1

ESA has now been configured to communicate with the Netasq IPSec VPN Client™. You must now configure the Netasq IPSec VPN Client™ to communicate with the ESA Server. First, create a new authentication scheme, then configure the settings for your RADIUS server.

  1. Open the Netasq Web GUI and navigate to Users→ Authorization Portal → available methods. Add the Radius method and set the server address to the IP address of the server where ESET Secure Authentication is installed.
  2. Navigate to Users VPN access privileges → Default authentication method and select Radius. You can set this parameter for individual users under UsersVPN access privilegesRules for users.

 

Step II - VPN Tunnel Configuration



Use your Active Directory password and Token ID, without any spaces, to complete the following steps:

Create a new Certificate Authority (CA)

  1. Navigate to Objects Certificates and click Add → Add root CA.
  2. Follow the instructions from the Wizard to create a CA.
  3. Navigate to Objects Certificates Add→ Add a server certificate and select your newly created CA as the default server certificate for Netasq.
  4. Navigate to VPN→ IPSec VPN→ Peers, select AddNew anonymous (mobile) peer.
  5. Select Certificate Xauth (iPhone) and then select your new CA.

Define Tunnel settings

  1. Navigate to VPN → IPSec VPN → Encryption Policy → Tunnels AddNew Policy
  2. Select Mobile peer in the Mobile peer used field and select the objects to which the user has access in the Local resources field. When you are finished, click Activate.
  3. Navigate to User → VPN → IPSec VPN → Peers and click AddNew anonymous (mobile) peer.
  4. Select Certificate Xauth (iPhone) and then select your new CA.
  5. Navigate to VPN IPSec VPNEncryption PolicyAdd → New policy.
  6. Select Mobile peer in the Mobile peer used field and select the objects to which the user has access in the Local resources field. When you are finished, click Activate.
  7. Navigate to VPN VPN Access PrivilegesVPN Access and add a rule to allow access for the user.

Activate notifications

  1. Navigate to NotificationsEmail alerts Configuration.
  2. Select Enable e-mail notification and enter the appropriate parameters for your email application.
  3. Click Add new recipient group under Recipients and then add users that you want to receive email notifications.

User Enrollment

  1. Navigate to Users Authentication Captive Portal.
  2. Enable the Captive Portal and select the check box next to external interfaces.
  3. Under Certificate options enter the private key for the certificate that you created earlier.
  4. Under External Interfaces, select Allow Web enrollment for users. Create new certificates for users under Advanced properties and specify the user group to assign the certificate to.

Certificate Assignment

  1. Navigate to the Captive Portal (https://netasq_IP_address/auth).
  2. Log into the user account for which you want to get a certificate.
  3. Navigate to the Certificate section and get the certificate for your user.
  4. Navigate to UsersEnrolment and approve any outstanding requests.
  5. In the Captive Portal, navigate to the Certificate section and click Download Certificate.
  6. Once the certificate is finished downloading, click Export to save it to a file.

 

Step III - Testing the Connection


Configure your VPN client as per the screenshots below in order to test your connection:


Figure 3-1

Figure 3-2

Figure 3-3

Figure 3-4

Figure 3-5

 


 

Troubleshooting

If you are unable to authenticate via the ESA RADIUS server, ensure you have performed the following steps:

  1. Run a smoke test against your RADIUS server, as per the Verifying ESA RADIUS Functionality document.
  2. If no faults were fixed and you are still unable to connect, revert to an existing sign-in configuration (that does not use 2FA) and verify that you are able to connect
  3. If you are still able to connect using the old settings, restore the new settings and verify that there is no firewall blocking UDP 1812 between you VPN device and your RADIUS server
  4. If you are still unable to connect, contact ESET technical support.

 

Zusätzliche Hilfestellung

Mehr Informationen