Announcements

SecurID® Community Blog

Subscribe to the official SecurID Community blog for information about new product features, industry insights, best practices and more.

Protect Stormshield VPN with RSA MFA

AngeOAmbemou
Occasional Contributor Occasional Contributor
Occasional Contributor
4 7 3,359

Stormshield network security is a strong UTM help customer protect infrastructures. This firewall offers ipsec and SSL VPN for end user.

In this blog i show you how integrate Stormshield with IDR to protect user remote access.

 

Let's go 

 

Stormshield supports radius for integration with Authentication manager or Identity Router. 

 

 

Stomshield  configuration

 

At Stormshield level you need to configure the radius server (your IDR or AM) and your share secret.

 

pastedImage_18.png

 

Define radius at anthentication policy

 

pastedImage_19.png

 

IDR Configuration 

At CAS i define my radius client 

 

pastedImage_27.png

And ask to the cloud to validate only the policy. Because of timeout issue at Stormshield level i can used only RSA Securid Authenticate app authenticate Tokencode.

 

For security purpose add a PIN or Device Biometrics to view the Authenticate Tokencode at CAS level.

 

pastedImage_28.png

 

After this push your policies and you are ready to authenticate.

 

pastedImage_29.png

 

At password unlock your RSA Securid Authenticate app and enter the tokencode to access the VPN 

pastedImage_36.png

pastedImage_34.png

 

Caution 

 

1 - In the integration with Authentication Manager, Stormshield not support PIN Creation, we need to used self service console to initate the PIN or used another protected ressource (laptop with RSA agent for window for example).

 

2 - If you want to used VPN client is better to use Openvpn client inside of Stormshield VPN client, Stormshield vpn client sends 2 times the same authentication request is like replay attack at AM/IDR side.

 

3 -  Timeout issue:  at the time i write this blog there are no way to modify Stormshield timeout radius  in UI or CLI.

 

7 Comments
LucaAstori
New Contributor
New Contributor

Hi @AngeOAmbemou , just a tip for using 2FA with Stormshield SSL VPN client.

If you want to use a native Stormshiled SSL client it's enough that you on the client site "remove" the flag for "automatic", in this way the client will not do the "double authentication" and you can avoid the replay attack on AM/IDR side.

In the next version of firmware in Stormshield's firewall, the RADIUS timeout can be managed and allow to have high latency response for MFA features.

Hope to be useful
Luca

AngeOAmbemou
Occasional Contributor Occasional Contributor
Occasional Contributor

Hi @LucaAstori  thanks for feedback 

 

LucaAstori
New Contributor
New Contributor

you welcome 😉

LucaAstori
New Contributor
New Contributor

Hi @AngeOAmbemou ,
Finally i'm preparing a "how-to" article for integration between Stormshield SN firewall with firmware 4.3 and MFA with AM/IDR. I will let you know.

Regards

Luca

NicanorPulido
Occasional Contributor
Occasional Contributor

Hi Luca, Ange and SecurID / StormShield fans,

I am integrating these two technologies, and it works the way Ange is describing here, through the auth portal and also with the OpenVPN client. But with the StormShield client I am unable to find the "automatic" flag that Luca mentioned, where is it located?

By the other hand, it would be great if we could concatenate two factors, first one AD password and second one a SecurID tokencode. Is it possible to configure this in the StormShield Authentication Policy section?

Finally, the latest StormShield client also allows a second auth factor, could this be used for use with SecurID?

Best Regards.

npulido
New Contributor
New Contributor

Automatic flag is in the StormShield SSL-VPN client options available by right-clicking the icon:

g is kk.jpg

LucaAstori
New Contributor
New Contributor

Hi @NicanorPulido, @AngeOAmbemou , @npulido and all...

Forgive me for the huge delay, but a lot of activities, Covid-19, and unexpected events in life took me a lot of time.

From the release SNS4.3.x it's possible to change the radius timeout through the CLI (console/SSH/GUI form). Starting from this release, the authentication it's done in asynchronous mode (before it was synchronous) and allow to use 2FA/MFA authentication with cloud/SaaS service like RSA SecurID using also the dedicated Stormshield SSL VPN client version 3.1.1.

for changing the default radius timeout, the commands are:


CONFIG AUTH RADIUS timeout=3000 retry=1 btimeout=3000 bretry=1
CONFIG AUTH ACTIVATE


where:

timeout=<value> in milliseconds for main RADIUS server
retry=<value> the number or re-try to connect to radius server
btimeout=<value> in milliseconds for main BACKUP RADIUS server
bretry=<value> the number or re-try to connect to BACKUP RADIUS server

 

(it's also available as a second way to configure/modify it, modifying the configuration files, but the above solution it's the preferred way. If you also need the workaround, you can contact me with a message)

If you need to use SSL VPN, it's mandatory that you use the Stormshield SSL VPN client release 3.1.1, which allow to use 2FA or MFA

2022-12-28 13_51_00-Protect Stormshield VPN with RSA MFA - RSA Community - 517961.png 2022-12-28 13_51_27-About.png