SecurID Discussions

AleksMarfunenko
Beginner

SecureID for RRAS 2012 R2 SSTP\L2TP

Hi,

we have the following network infrastructure (two offices in one AD domain, all servers are virtualized):

Now I have to implement two-factor authentication for VPN. I have a few beginner questions:

Do I have to install RSA Authentication Manager 8.2 for central management of tokens and users?
Where do I have to install Authentication Manager 8.2? On the VPN servers or on the RADIUS servers?
Do I have to install Authentication Manager 8.2 in each network, or will only one be enough?

Is it necessary to open some ports on the router for SecurID?

Do I have to install RSA SecurID Software Token 5.0 on each client PC (outside the LAN) if the user will use a software token?
What do I have to install on the client PC if the user will use a hardware token?

Thank you very much.

JayGuillette
Apprised Contributor

Aleks,

Authentication Manager protects (through 2 Factor Authentication) trusted resources like Windows servers and VPNs, through agents that you install, or configuration changes you make based on our Partner Implementation Guides, but the big problem here is we do not have anything that can protect an RRAS SSTP/L2TP VPN. We do not have a way to get in front of the Microsoft Credential provider in this specific situation, which I believe relies on EAP.

If you are still interested, I have attached two PowerPoints, one on SecurID introduction titled SecurID-speak, and a second one on Software Tokens.

Regards,

Hi Jay,

we do not have anything that can protect an RRAS SSTP/L2TP VPN. We do not have a way to get in front of the Microsoft Credential provider in this specific situation, which I believe relies on EAP.

Have I understood correctly that if I implement RSA SecurID, this doesn't give the VPN a second authentication factor???

How it works now:

- user logs in to the OS
- starts a VPN client
- connects to the VPN using his credentials
- gets access to internal resources

How it must be:

- user logs in to the OS
- starts a VPN client
- connects to the VPN using the user's credentials (first authentication)
- enters the Passcode from the RSA Token (second authentication)
- VPN connection is established
- gets access to internal resources

Is it realizable?

AleksMarfunenko
Beginner

1) Yes, I have to.

2) The RSA Authentication Manager 8.2 is a separate OS based on SUSE Linux. It can be installed on Hyper-V.
3) Only one will be enough.

JayGuillette
Apprised Contributor

RSA 2-factor has to get in front of the original logon or Credential provider. With Windows, Linux, 100s of VPN appliances, etc... we have a way to get in front of that logon or Credential provider, and work the way you want (though in Windows you enter the RSA Passcode first and the Windows Password second if not configured for Windows Password integration).

Even back when SSTP\L2TP VPNs were set up on a Windows 2003 server, we had an option with our old 32-bit version 6.1 agent for Windows called remote server, which allowed you to set up 2 Factor on SSTP\L2TP VPNs, but only on Windows 2003. The Product Manager and Engineering decided not to port this feature to the 64-bit Windows agents, so it is no longer supported and that is why you cannot get it to work on a Win2012 R2 SSTP\L2TP VPN. If you have a Sales contact you could ask them to push Engineering on this, but there are no promises or guarantees.

Version 8.x of Authentication Manager is an appliance that runs on SUSE Linux 11, and since AM 8.1 SP1 has been available as either a VMware .ova virtual machine file, as a Hyper-V virtual appliance, or as a physical appliance running on either Dell or Intel hardware. Version 8.2 is the latest, and has many new certificate / cipher / encryption features that allow you to avoid SSLv3 completely and exclusively use TLSv1.2 as the protocol, whereas in AM 8.1 SP1 and earlier there was always a preference for TLS but a browser could negotiate down to SSLv3 for a connection. In the latest patches on AM 8.1 SP1 there was the ability to disable SSLv3 for everything except RADIUS.

AleksMarfunenko
Beginner

So, what I have right now:

I configured NPS RADIUS to forward requests to the Authentication Manager RADIUS. But in the configuration I set the source not to "Unspecified" but to "Remote Access Server (VPN-Dial up)". With the "Unspecified" source, AuthManager ignores the requests (or NPS doesn't forward them).

After this configuration I get errors.

And why doesn't the VPN (Windows 10) client ask for any Passcode???

Looks like I must configure an RSA RADIUS profile and assign it to the user.

Are there some examples of configuration exactly for VPN? The RADIUS profile has a lot of attributes....

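One way to exercise the NPS-to-Authentication-Manager RADIUS path on its own, independent of the VPN client (an added example, not from this thread or from RSA's documentation): it builds an RFC 2865 Access-Request carrying the passcode as a PAP User-Password with NAS-Port-Type=Virtual, and checks the reply's Response Authenticator before trusting the result. It assumes the target (the NPS proxy or Authentication Manager's RADIUS port) accepts PAP; the server address and shared secret are placeholders you supply.

```python
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, USER_NAME, USER_PASSWORD, NAS_PORT_TYPE = 1, 1, 2, 61  # RFC 2865 code / attribute types
NAS_PORT_TYPE_VIRTUAL = 5  # "Virtual": the NAS-Port-Type a VPN server reports

def hide_password(secret, authenticator, password):
    # RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block), seeded by the Request Authenticator
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out += prev
    return out

def reveal_password(secret, authenticator, hidden):  # the inverse, as the server computes it
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], digest))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(attr_type, value):  # one Type-Length-Value attribute
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(secret, ident, authenticator, username, passcode):
    # User-Name, NAS-Port-Type=Virtual and the passcode as a hidden User-Password (PAP style)
    body = attr(USER_NAME, username.encode()) + attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL))
    body += attr(USER_PASSWORD, hide_password(secret, authenticator, passcode.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body

def reply_is_authentic(secret, request_authenticator, reply):
    # RFC 2865 3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return reply[4:20] == expected

def probe_radius(server, secret, username, passcode, timeout=5.0):
    # Send one Access-Request over UDP; server is a placeholder (host, port) tuple, e.g. the NPS proxy
    ident, authenticator = os.urandom(1)[0], os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_access_request(secret, ident, authenticator, username, passcode), server)
        reply, _ = sock.recvfrom(4096)
    if reply[1] != ident or not reply_is_authentic(secret, authenticator, reply):
        raise ValueError("reply failed identifier/authenticator check")
    return {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}.get(reply[0], f"code {reply[0]}")
```

A socket timeout (no reply at all) versus an Access-Reject separates a request that never reached Authentication Manager, which is what a RADIUS server does with an unknown client or wrong shared secret, from one it received and rejected.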
but the big problem here is we do not have anything that can protect an RRAS SSTP/L2TP VPN

Yes, this is a big problem. RSA AM doesn't support Windows 2008, Windows 7 and above...

I should use a non-Microsoft VPN, but in my company we don't have another VPN solution and aren't planning one.

It would be better if you corrected the supported solutions in your documentation: Windows VPN 2003 only.

Even back when SSTP\L2TP VPNs were set up on a Windows 2003 server, we had an option with our old 32-bit version 6.1 agent for Windows called remote server, which allowed you to set up 2 Factor on SSTP\L2TP VPNs, but only on Windows 2003.

Tomorrow I will try with Windows Server 2003.
