
How do I configure my Netasq IPSec VPN Client for use with ESET Secure Authentication?

Solution

Introduction

This article describes how to configure the Netasq IPSec VPN Client™ to authenticate users against an ESA Server. Before proceeding, verify that you've installed the RADIUS Server component of ESET Secure Authentication and can access the RADIUS service that allows external systems to authenticate users.

Before the Netasq IPSec VPN Client™ can use the ESA Server to authenticate users via RADIUS, it must be registered as a RADIUS client on the ESA Server. Next, the server running the ESA RADIUS service must be set up as a RADIUS Server on the Netasq IPSec VPN Client™. Once both configurations have been specified, you can start logging into your Netasq IPSec VPN™ using ESA OTPs.

NOTE:

This integration guide uses the "VPN does not validate AD user name and password" VPN type for this particular VPN appliance. If you wish to use another VPN type, refer to the generic description of VPN types and verify with the vendor that the VPN appliance supports it.

Step I - RADIUS client configuration

The RADIUS protocol requires that access requests to RADIUS servers include the IP address for the RADIUS client (for example, the Netasq IPSec VPN Client™).

To allow the Netasq IPSec VPN Client™ to communicate with your ESA Server, you must configure it as a RADIUS client on your ESA RADIUS Server:

  1. Launch the ESA Management Console (found under Administrative Tools).
  2. Navigate to RADIUS Servers and locate the hostname of the server running the ESA RADIUS service.
  3. Right-click the hostname and select Add Client from the context menu.
  4. Configure a RADIUS client (see Figure 1-1).

Configuring your RADIUS client

  • To prevent locking any existing, non-2FA enabled AD users out of your VPN, we recommend that you allow Active Directory passwords without OTPs during the transitioning phase. It is also recommended that you limit VPN access to a security group (for example VPNusers).
  • Make sure that the check box next to Mobile Application is selected.

Figure 1-1

ESA has now been configured to communicate with the Netasq IPSec VPN Client™. You must now configure the Netasq IPSec VPN Client™ to communicate with the ESA Server. First, create a new authentication scheme, then configure the settings for your RADIUS server.

  1. Open the Netasq Web GUI and navigate to Users → Authorization Portal → Available methods. Add the Radius method and set the server address to the IP address of the server where ESET Secure Authentication is installed.
  2. Navigate to Users → VPN access privileges → Default authentication method and select Radius. You can set this parameter for individual users under Users → VPN access privileges → Rules for users.
Step II - VPN Tunnel Configuration

Use your Active Directory password and Token ID, without any spaces, to complete the following steps:

Create a new Certificate Authority (CA)

  1. Navigate to Objects → Certificates and click Add → Add root CA.
  2. Follow the instructions in the Wizard to create a CA.
  3. Navigate to Objects → Certificates → Add → Add a server certificate and select your newly created CA as the default server certificate for Netasq.
  4. Navigate to VPN → IPSec VPN → Peers and select Add → New anonymous (mobile) peer.
  5. Select Certificate Xauth (iPhone) and then select your new CA.

Define Tunnel settings

  1. Navigate to VPN → IPSec VPN → Encryption Policy → Tunnels → Add → New Policy.
  2. Select Mobile peer in the Mobile peer used field and select the objects to which the user has access in the Local resources field. When you are finished, click Activate.
  3. Navigate to User → VPN → IPSec VPN → Peers and click Add → New anonymous (mobile) peer.
  4. Select Certificate Xauth (iPhone) and then select your new CA.
  5. Navigate to VPN → IPSec VPN → Encryption Policy → Add → New policy.
  6. Select Mobile peer in the Mobile peer used field and select the objects to which the user has access in the Local resources field. When you are finished, click Activate.
  7. Navigate to VPN → VPN Access Privileges → VPN Access and add a rule to allow access for the user.

Activate notifications

  1. Navigate to Notifications → Email alerts → Configuration.
  2. Select Enable e-mail notification and enter the appropriate parameters for your email application.
  3. Click Add new recipient group under Recipients and then add users that you want to receive email notifications.

User Enrollment

  1. Navigate to Users → Authentication → Captive Portal.
  2. Enable the Captive Portal and select the check box next to external interfaces.
  3. Under Certificate options enter the private key for the certificate that you created earlier.
  4. Under External Interfaces, select Allow Web enrollment for users. Create new certificates for users under Advanced properties and specify the user group to assign the certificate to.

Certificate Assignment

  1. Navigate to the Captive Portal (https://netasq_IP_address/auth).
  2. Log into the user account for which you want to get a certificate.
  3. Navigate to the Certificate section and get the certificate for your user.
  4. Navigate to Users → Enrolment and approve any outstanding requests.
  5. In the Captive Portal, navigate to the Certificate section and click Download Certificate.
  6. Once the certificate is finished downloading, click Export to save it to a file.

Step III - Testing the Connection

Configure your VPN client as per the screenshots below in order to test your connection:


Figure 3-1

Figure 3-2

Figure 3-3

Figure 3-4

Figure 3-5

Troubleshooting

If you are unable to authenticate via the ESA RADIUS server, ensure you have performed the following steps:

  1. Run a smoke test against your RADIUS server, as per the Verifying ESA RADIUS Functionality document.
  2. If no faults were found and you are still unable to connect, revert to an existing sign-in configuration (that does not use 2FA) and verify that you are able to connect.
  3. If you are still able to connect using the old settings, restore the new settings and verify that there is no firewall blocking UDP 1812 between your VPN device and your RADIUS server.
  4. If you are still unable to connect, contact ESET technical support.
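The smoke test in step 1 and the UDP 1812 check in step 3 can both be exercised from the RADIUS client side with a minimal PAP Access-Request, and the same packet illustrates what Step I registers: the ESA RADIUS server only answers requests whose source IP it knows as a RADIUS client and whose shared secret matches. The script below is an added example written for this article; it is not ESET's or Netasq's code and does not use any ESA API. It assumes the PAP User-Password encoding of RFC 2865, and it composes the password as Active Directory password followed immediately by the OTP (no separator), as the Step II instructions describe. The server address, shared secret, NAS IP and user credentials in the `__main__` block are placeholders.

```python
"""Minimal RADIUS (RFC 2865, PAP) smoke-test client for an ESA RADIUS server.

Added example for this article; assumptions: PAP encoding, compound password
= AD password + OTP, UDP port 1812, placeholder server/secret/user values.
"""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def encode_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide the password as RFC 2865 section 5.2 describes: pad to a multiple of
    16 octets, then XOR each block with MD5(secret + previous ciphertext block),
    seeding the chain with the 16-byte Request Authenticator."""
    if len(password) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16)
    if not padded:
        padded = b"\x00" * 16
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        cipher = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += cipher
        prev = cipher
    return bytes(out)


def decode_pap_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_pap_password (what the server does); strips NUL padding."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type (1) | Length (1, includes header) | Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, ad_password, otp, secret, nas_ip, authenticator=None):
    """Build an Access-Request carrying User-Name, User-Password and NAS-IP-Address.
    The compound password is the AD password followed directly by the OTP."""
    if authenticator is None:
        authenticator = os.urandom(16)
    compound = (ad_password + otp).encode("utf-8")
    attrs = (attribute(ATTR_USER_NAME, username.encode("utf-8"))
             + attribute(ATTR_USER_PASSWORD, encode_pap_password(compound, secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator
    return header + attrs, authenticator


def verify_response(response: bytes, request_authenticator: bytes, secret: bytes, expected_id: int) -> str:
    """Validate the Response Authenticator (RFC 2865 section 3):
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    A mismatch means a wrong shared secret or a reply that is not genuine."""
    if len(response) < 20:
        return "invalid (short packet)"
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != expected_id or length != len(response):
        return "invalid (identifier or length mismatch)"
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    if expected != response[4:20]:
        return "invalid (bad Response Authenticator: wrong shared secret?)"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(code, f"code {code}")


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """What a RADIUS server would send back; used to exercise verify_response offline."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + auth + attrs


def smoke_test(server_ip, secret, username, ad_password, otp, nas_ip, port=1812, timeout=5.0) -> str:
    """Send one Access-Request over UDP and report the verdict. A timeout usually
    means a firewall is dropping UDP 1812 or the source IP is not registered as a
    RADIUS client on the ESA server (Step I)."""
    ident = os.urandom(1)[0]
    request, auth = build_access_request(ident, username, ad_password, otp, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server_ip, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout (check UDP 1812 reachability and the RADIUS client entry)"
    return verify_response(reply, auth, secret, ident)


if __name__ == "__main__":
    # Placeholder values: ESA RADIUS server, shared secret, test user, this host's IP.
    print(smoke_test("192.0.2.10", b"shared-secret-placeholder",
                     "vpnuser", "ADpassword", "123456", "192.0.2.20"))
```

An Access-Reject with a valid Response Authenticator means the request reached ESA and the shared secret is right, so the remaining suspects are the user, the OTP or the RADIUS client settings (Mobile Application enabled, AD passwords without OTP allowed during transition); an "invalid" verdict points at the shared secret; a timeout points at the firewall or a missing RADIUS client entry.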
