Using SSL VPN with radius challenge and response hard token (asynchronous)

muttbarker_
Valued Contributor


I recently had to implement an SSL-VPN solution with a customer who was using the radius PassGo Defender solution (now Quest). I thought I would share my results as I had some struggles with the implementation.

Overview: There are two types of token-based challenge/response modes that can be invoked using tokens. The first is called synchronous. In this case the token is used in response-only mode. The end-user logs in and uses their ID and some form of password which is either just the token response, token plus LDAP password, token plus PIN, or token plus Defender password - all dependent on radius configuration.

The second is called asynchronous. In this case the token is used in a challenge/response mode. The end-user logs in and uses their ID and, if desired, a password (LDAP or Defender). They then receive a second login screen which presents the Defender challenge. This is then entered into the token, which generates a response which is then entered into the second login screen for authentication. This second response can again include the challenge and an LDAP or Defender password concatenated onto it.

Synchronous Token: I have tested this scenario with the Defender solution. This is a piece of cake. Simply configure the radius information as usual on the SSL-VPN - server, port, shared secret. The SSL-VPN will pass whatever the user keys into the password field over to the radius server and the authentication will occur.

Asynchronous Token: I also tested this scenario with the Defender solution. This solution is VERY dependent on the backend radius server. The Defender component consists of the token code and may or may not include a radius server. The standard radius Windows server implementation works exactly the same as the synchronous solution. User logs in with ID and/or ID/password. SSL-VPN automatically returns with response and prompt for challenge entry. Challenge entry and/or challenge entry with concatenated password can then be made.

If using other back-end radius servers the SSL-VPN requires some additional configuration. The test environment that I used had the radius authentication being handled by OpenRadius, an open-source Linux-based implementation. In order to get the second login screen with the displayed response and a prompt for challenge/password entry I had to do a bit of extra work.

In this case it was necessary to build a "custom radius authentication rule" - the rule was quite simple. If an incoming packet type was AccessChallenge then create a rule based on the radius attribute of Reply-Message and do an expression match of "(.*)" --- enter this without the quotes.

Then take the action of "show GENERIC LOGIN page".

Other radius server backends may look for different expression strings. A Juniper KB refers to another string of "([0-9a-zA-Z/+=]+)", again entered without the quotes. This DID NOT work with the OpenRadius backend.

If you read the documentation you might think that you could do a packet capture and enter the expression that the radius server returns as the expression - this is incorrect. I also tried the other actions with various expressions and again, only what I refer to in the prior paragraph will work correctly.

I spent some quality time troubleshooting this problem and trying every permutation out there, and this solution, arrived at with help from JTAC, works.

I hope somewhere down the road that this may be of assistance to other community members.
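As an added illustration of the custom rule described above (example code written for this thread, not Juniper's or Defender's own implementation), the following parses a RADIUS packet and applies the rule "packet type is Access-Challenge AND Reply-Message matches the expression". The sample packet is constructed inline; whole-string matching of the expression is an assumption about how the SA evaluates it, and it is one reason a narrow pattern like the KB's can fail where "(.*)" succeeds.

```python
# Added example: a minimal RADIUS (RFC 2865) attribute parser plus the
# "Access-Challenge + Reply-Message regex" custom-rule check from the post.
# All names and the sample packet are constructed for this example.
import re
import struct

ACCESS_CHALLENGE = 11     # RADIUS packet code for Access-Challenge
ATTR_REPLY_MESSAGE = 18   # Reply-Message: carries the challenge prompt text
ATTR_STATE = 24           # State: the client must echo this in its next request


def parse_radius(packet: bytes):
    """Return (code, identifier, {attr_type: [raw values]}) for one packet."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20   # 16-byte authenticator sits between header and attributes
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute (length out of bounds)")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, ident, attrs


def build_packet(code: int, ident: int, attrs) -> bytes:
    """Constructed helper: assemble a packet with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def should_show_challenge_page(packet: bytes, pattern: str) -> bool:
    """Custom rule: Access-Challenge whose Reply-Message fully matches pattern.
    Whole-string matching is an assumption about the SA's rule engine."""
    code, _, attrs = parse_radius(packet)
    if code != ACCESS_CHALLENGE:
        return False
    return any(re.fullmatch(pattern, msg.decode("utf-8", "replace"))
               for msg in attrs.get(ATTR_REPLY_MESSAGE, []))


# Constructed sample: the kind of reply a challenge/response server returns.
SAMPLE_CHALLENGE = build_packet(ACCESS_CHALLENGE, 7, [
    (ATTR_REPLY_MESSAGE, b"Challenge: 48213790 - enter token response"),
    (ATTR_STATE, b"\x01\x02\x03\x04"),
])
```

Run it with the two expressions from the post to see that "(.*)" triggers the generic login page for the sample prompt while the KB's "([0-9a-zA-Z/+=]+)" does not, because the prompt contains spaces and a colon.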

12 REPLIES
BB_
New Contributor

Re: Using SSL VPN with radius challenge and response hard token (asynchronous)

Hello,

Thanks for your answer. I've found it: Defender can pass the info in the "11: Filter-Id" attribute. It works fine.

Thanks again

bullyrag_
Occasional Contributor

Re: Using SSL VPN with radius challenge and response hard token (asynchronous)

As you may have seen I am having a problem with SafeWord tokens that authenticate with a static password but not with a tokencode. I tried your .* custom method but no joy. Tomorrow I have been given access to the customer's RADIUS server to see if I can get any more information. If you can offer any further troubleshooting hints from your experience it would be very helpful.
muttbarker_
Valued Contributor

Re: Using SSL VPN with radius challenge and response hard token (asynchronous)

Interesting problem - very similar to mine - I would guess that your radius server is NOT the problem. When you say it is not working can you describe the problem in any more detail? Is it synchronous or async that you are attempting? Any specific details as to how/where the process is failing would help.

Do you have any packet captures, or can you take them from the SA box? I got pretty good at reading them while troubleshooting. The behavior for sync versus async is different.

bullyrag_
Occasional Contributor

Re: Using SSL VPN with radius challenge and response hard token (asynchronous)

Kevin, thanks for your reply. I will look at this again in the morning as it is a bit late now and give you some more detail then. Simon.
bullyrag_
Occasional Contributor

Re: Using SSL VPN with radius challenge and response hard token (asynchronous)

I believe it to be async. The login page I have created asks for Username, Domain Password and TokenCode. Username is the same for both. When I look at the RADIUS on SafeWord it displays a security error: "Failed MAC check on message", then "failed authentication; eap return code: 3 swec result code: 3 statusMsg: failed authentication". Juniper have now told me that SafeWord is not supported, but it works okay with a static password, and the way SafeWord works is that unlike RSA with a changing passcode, here you can request passcodes that remain valid until they are used (almost like a static one-time password). Also this works with Citrix Application Gateway, so surely it can't be that difficult??
muttbarker_
Valued Contributor

Re: Using SSL VPN with radius challenge and response hard token (asynchronous)

Hey bullyrag - did you get this working? Sorry for never replying to your post. Got super sick and way behind on my real work... So dropped off for a while. Curious how this turned out.
bullyrag_
Occasional Contributor

Re: Using SSL VPN with radius challenge and response hard token (asynchronous)

Hi Kevin

I got this working and it was nothing to do with the Juniper. The customer had not set up the replication correctly for his SafeWord environment, so the server we were pointing at had an incomplete configuration. I think I was looking too deeply into this, as once this was done it just worked by configuring a RADIUS Authentication Server and ticking the box to say that it was using one-time passwords or tokens. So I don't know why Juniper say it is not supported; my guess is that they assumed I wanted to use an Auth Server similar to the ACE Server used for RSA, not sure. Anyhow, thanks for your help and interest.

Regards

Simon

JNCIA-SSL

JNCIA-FWV

BB_
New Contributor

Re: Using SSL VPN with radius challenge and response hard token (asynchronous)

Hello!

I have a little off-topic issue but with SA 2500 and Defender.

I just don't know how it is possible to pass Windows domain group membership with Defender to the SA?

Authentication works, but at the SA I can only select group user-mapping roles with Windows Auth.

Thanks in advance,

regards, Balázs

bullyrag_
Occasional Contributor

Re: Using SSL VPN with radius challenge and response hard token (asynchronous)

Sorry, but I have no experience of this and can't offer any advice.