Protect Stormshield VPN with RSA MFA
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Printer Friendly Page
- Report Inappropriate Content
Stormshield network security is a strong UTM help customer protect infrastructures. This firewall offers ipsec and SSL VPN for end user.
In this blog i show you how integrate Stormshield with IDR to protect user remote access.
Stormshield supports radius for integration with Authentication manager or Identity Router.
At Stormshield level you need to configure the radius server (your IDR or AM) and your share secret.
Define radius at anthentication policy
At CAS i define my radius client
And ask to the cloud to validate only the policy. Because of timeout issue at Stormshield level i can used only RSA Securid Authenticate app authenticate Tokencode.
For security purpose add a PIN or Device Biometrics to view the Authenticate Tokencode at CAS level.
After this push your policies and you are ready to authenticate.
At password unlock your RSA Securid Authenticate app and enter the tokencode to access the VPN
1 - In the integration with Authentication Manager, Stormshield not support PIN Creation, we need to used self service console to initate the PIN or used another protected ressource (laptop with RSA agent for window for example).
2 - If you want to used VPN client is better to use Openvpn client inside of Stormshield VPN client, Stormshield vpn client sends 2 times the same authentication request is like replay attack at AM/IDR side.
3 - Timeout issue: at the time i write this blog there are no way to modify Stormshield timeout radius in UI or CLI.
Hi @AngeOAmbemou , just a tip for using 2FA with Stormshield SSL VPN client.
If you want to use a native Stormshiled SSL client it's enough that you on the client site "remove" the flag for "automatic", in this way the client will not do the "double authentication" and you can avoid the replay attack on AM/IDR side.
In the next version of firmware in Stormshield's firewall, the RADIUS timeout can be managed and allow to have high latency response for MFA features.
Hope to be useful
you welcome 😉
Hi @AngeOAmbemou ,
Finally i'm preparing a "how-to" article for integration between Stormshield SN firewall with firmware 4.3 and MFA with AM/IDR. I will let you know.
Hi Luca, Ange and SecurID / StormShield fans,
I am integrating these two technologies, and it works the way Ange is describing here, through the auth portal and also with the OpenVPN client. But with the StormShield client I am unable to find the "automatic" flag that Luca mentioned, where is it located?
By the other hand, it would be great if we could concatenate two factors, first one AD password and second one a SecurID tokencode. Is it possible to configure this in the StormShield Authentication Policy section?
Finally, the latest StormShield client also allows a second auth factor, could this be used for use with SecurID?
Automatic flag is in the StormShield SSL-VPN client options available by right-clicking the icon:
Hi @NicanorPulido, @AngeOAmbemou , @npulido and all...
Forgive me for the huge delay, but a lot of activities, Covid-19, and unexpected events in life took me a lot of time.
From the release SNS4.3.x it's possible to change the radius timeout through the CLI (console/SSH/GUI form). Starting from this release, the authentication it's done in asynchronous mode (before it was synchronous) and allow to use 2FA/MFA authentication with cloud/SaaS service like RSA SecurID using also the dedicated Stormshield SSL VPN client version 3.1.1.
for changing the default radius timeout, the commands are:
CONFIG AUTH RADIUS timeout=3000 retry=1 btimeout=3000 bretry=1
CONFIG AUTH ACTIVATE
timeout=<value> in milliseconds for main RADIUS server
retry=<value> the number or re-try to connect to radius server
btimeout=<value> in milliseconds for main BACKUP RADIUS server
bretry=<value> the number or re-try to connect to BACKUP RADIUS server
(it's also available as a second way to configure/modify it, modifying the configuration files, but the above solution it's the preferred way. If you also need the workaround, you can contact me with a message)
If you need to use SSL VPN, it's mandatory that you use the Stormshield SSL VPN client release 3.1.1, which allow to use 2FA or MFA
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.