[KB3510] How do I configure my Cyberoam® UTM device for use with ESET Secure Authentication?

Riešenie

Dôležité:

Tento článok momentálne nie je k dispozícii v slovenčine.

autentifikácia autorizácia dvojfaktorová

Introduction


This article describes how to configure a Cyberoam® UTM appliance to authenticate users against an ESA Server. Cyberoam® SSL VPN, Captive Portal and IPsec VPN applications are supported. Before proceeding, verify that you've installed the RADIUS Server component of ESET Secure Authentication and can access the RADIUS service that allows external systems to authenticate users.

Before your Cyberoam® device can use the ESA Server to authenticate users via RADIUS, it must be set up as a RADIUS client on the ESA Server. Next, your server running the ESA RADIUS service must be setup as a RADIUS Server on the Cyberoam® device. Once these configurations have been specified, you can start logging into your Cyberoam® device using ESA OTPs.

Step I - RADIUS client configuration


To allow the Cyberoam® device to communicate with your ESA Server, you must configure the device as a RADIUS client on your ESA Server:

  1. Launch the ESA Management Console (found under Administrative Tools).
  2. Navigate to RADIUS Servers and locate the hostname of the server running the ESA RADIUS service.
  3. Right-click the hostname and select Add Client from the context menu.
  4. Configure a RADIUS client (see Figure 1-1).
  5. Click OK - you will be prompted to restart the RADIUS Service, do so from the Services control panel.

Configuring your RADIUS client

  • To prevent locking any existing, non-2FA enabled AD users out of your VPN we recommend that you allow Active Directory passwords without OTPs during the transitioning phase. It is also recommended that you limit VPN access to a security group (for example VPNusers).
  • Make sure that the check box next to Compound Authentication is selected.

Figure 1-1

ESA has now been configured to communicate with the Cyberoam® device. You must now configure the Cyberoam® device to communicate with the ESA Server.

Step II - Configure the RADIUS server settings for your Cyberoam® device


Follow the steps below:

  1. Log in to the Cyberoam® Web Admin Console as an administrator.
  2. Navigate to Identity Authentication Authentication Server.
  3. Click Add (see Figure 2-1).

    Figure 2-1

  4. Enter the following:
    1. Select RADIUS Server from the Server Type drop down.
    2. Server Name: A name for this server (for example, ESA-RADIUS).
    3. Server IP: The IP address of your ESA RADIUS Server.
    4. Authentication Port: 1812
    5. Shared Secret: Your RADIUS server shared secret (see Figure 1-1)
    6. Integration Type: Loose Integration
  5. Click Test Connection. Enter the credentials of your test user.  Make sure that you are using a user with Mobile Application 2FA using ESA enabled. When prompted for a password, append the OTP generated by the ESA Mobile Application to your AD password. For example, if the user has an AD password of Esa123 and an OTP of 999111, you should type Esa123999111.
  6. Click on Test Connection. You should see a success status message in the bottom left, (see Figure 2-2). Do not proceed to Step III until the connectivity test is successful.

Figure 2-2

Step III - Enable ESA Authentication


  1. In the left panel, navigate to IdentityAuthentication VPN.
  2. Configure the relevant VPN Authentication Methods. For example, for SSL VPN Authentication, select "ESA RADIUS" as the authentication method, as per Figure 3-1.
  3. Click Apply, then OK.

Figure 3-1

Step IV - Test the connection


 To test the newly configured connection:

  1. Navigate to your sign-in page. 
  2. Enter the following credentials using your test account:
    1. AD username in the Username field.
    2. AD password, concatenated with an OTP from their ESA Mobile application in the Password field.

Troubleshooting

If you are unable to authenticate via the ESA RADIUS server, make sure that you have performed the following steps:

  1. Run a smoke test against your RADIUS server, as per the Verifying ESA RADIUS Functionality.
  2. If no faults were fixed and you are still unable to connect, revert to an existing sign-in configuration that does not use 2FA and verify that you are able to connect.
  3. If you are able to connect using the old settings, restore the new settings and verify that there is no firewall blocking UDP 1812 between you VPN device and your RADIUS server.
  4. If you are still unable to connect, contact ESET Customer Care.