AnsweredAssumed Answered

Securing OpenVPN with RSA SecurID

Question asked by Manuel Holzner on Feb 28, 2019
Latest reply on Mar 22, 2020 by Tom Menezes

Like • Show 0 Likes0
Comment • 9

Hi,

I'm very new to RSA SecurID and we are actually in launch phase with RSA SecurID for RDS (with Windows Agent).
This was really easy and works great!
As we are using OpenVPN for a couple of years now, I wan't to secure the OpenVPN-Login (on server side) with RSA SecurID CloudAuthenticationService.

As we have users who only have a HardwareToken (SID700), users who have the SecurID Authenticate App and some with both, I want OpenVPN to support all Authentication-Methods. Also OpenVPN should ask for user's password.
I tried already via configuring OpenVPN as radius-client for CAS. But here I have the problem that only On-Premise is working and I don't know how to get Authenticate-Passcode or HardwareToken-Passcode working. Also On-Premise only is working even if user's last successful authentication-method was on-premise.

Does anybody have some experience with securing OpenVPN?

Thanks in advance.

Manuel

Ted Barbour

Feb 28, 2019 12:17 PM

Correct Answer

Hi Manuel - glad to hear you had a good experience with Windows Agent configuration.

Regarding your OpenVPN/RADIUS questions I think we could help you more quickly if you open an RSA Support case so that we can get all of the details of your configuration and the issues you are encountering.

Thanks,

Ted

See the reply in context

No one else had this question

Outcomes

9 Replies

Ted Barbour Feb 28, 2019 12:17 PM
Unmark Correct
Correct Answer
Hi Manuel - glad to hear you had a good experience with Windows Agent configuration.
Regarding your OpenVPN/RADIUS questions I think we could help you more quickly if you open an RSA Support case so that we can get all of the details of your configuration and the issues you are encountering.

Thanks,
Ted
Like • Show 1 Like1
Actions
Manuel Holzner Mar 1, 2019 4:43 AM
Mark Correct
Correct Answer
Hi Ted,
thank you for your fast answer.
I will open an RSA Support case as you mentioned.

Thanks,
Manuel
Like • Show 0 Likes0
Actions
- Tom Menezes @ Manuel Holzner on Mar 20, 2020 1:43 AM
  Mark Correct
  Correct Answer
  Hi Manuel,
  
  Have you managed to configure your OpenVPN with RSA SecurID?
  
  Regards,
  Tom
  Like • Show 0 Likes0
  Actions
  - Jay Guillette @ Tom Menezes on Mar 20, 2020 9:39 AM
    Mark Correct
    Correct Answer
    OpenVPN sounds like it could be configured as a RADIUS Client on Authentication Manager, any version really but all of version 8.x for sure.
    Like • Show 0 Likes0
    Actions
    - Jay Guillette @ Jay Guillette on Mar 20, 2020 10:22 AM
      Mark Correct
      Correct Answer
      How to configure an NTRadPing RADIUS client.
      
      First, you need the IP address of the PC where the NTRadPing.exe and raddict.dat files are, as this will be your RADIUS client.
      Next you need to Add New under RADIUS – RADIUS Clients in the Security Console, like this
      So this is an example of adding a RADIUS client with IP address 10.100.40.205. Name resolution is not important with RADIUS Client, so you do not have to have the real DNS name or FQDN.
      
      What’s important here is the Shared Secret. You will have to use the exact same secret on the NTRadPing screen on your PC.
      Leave the Make/Model as – Standard RADIUS -, and do not check any of the boxes. Then “Save and Create Associated RSA Agent” in the lower right. You will have a RADIUS Client and an Authentication Agent Entry.
      
      Now the Server side is done, the RSA Server knows that a RADIUS clients will be sending Authentication Requests.
      
      Next, on your PC, start the NTRadPing.exe (raddict.dat must be in same directory). It looks like this:
      
      Here are the things you need to fill in;
      IP address of the RSA Authentication Manager Server with RADIUS Server configured
      RADIUS port, usually 1645, but 1812 is also supported
      RADIUS Shared Secret – exact same as you entered for RADIUS Client above
      UserID or login ID from Authentication Manager
      PassCode or fixed PassCode. Cannot login with Password to Authentication Manger from agent or RADIUS client. Also New PIN or Next Token code not supported by NTRadPing, so test this user login from the Self-Server Console or another agent 1^st
      Send.
      
      On the RSA Server side you’ll want to watch two places when you do this Send.
      
      RADIUS Statistics will tell if the packet is reaching RSA from Juniper. Security Console, under RADIUS – RADIUS Statistics – RADIUS Client Statistics. You can filter on a specific RADIUS Client.
      
      RSA RADIUS should hand over the authentication request to AM, which you can watch in the Real Time Auth Monitor. Security Console – Reporting – Real Time Authentication Monitors – Authentication Activity Monitor. Then [Start Monitor>]
      
      If you need to run a TCPdump, filter on either port 1812 or 1645,and write to file;
      SSH to the Virtual Appliance with the operating system account rsaadmin.
                      sudo su -
      <same password again>                                               This makes you root
      #             cd /usr/sbin
      ./tcpdump -i eth0 -s 1514 -Z root host 10.100.40.205 -w /tmp/JayPC.pcap                                 This writes to a file in /tmp
      ./tcpdump -i eth0 -s 1514 -Z root port 1645 -w /tmp/radius.pcap
      chmod 777 /tmp/ radius.pcap                                 This grants full permissions to everyone, makes it easy to copy file off with WinSCP
      You will be able to see return attributes in a RADIUS packet capture.
      Regards,
      Jay Guillette |
      Like • Show 0 Likes0
      Actions
      - Tom Menezes @ Jay Guillette on Mar 21, 2020 2:14 AM
        Mark Correct
        Correct Answer
        Hi Jay,
        
        Thank you for your reply.
        I already use RSA Authentication Manager with OpenVPN and I can confirm it works, but due to the requirement to allow MFA for more users I am migrating to the cloud.
        
        I need help to configure RSA SecurID Access to use MFA for OpenVPN on a pfsense firewall.
        
        The resource I am trying to protect is the OpenVPN running on a Pfsense firewall from Netgate, unfortunately it is not in the list of official solutions supported by RSA.
        However, an RSA System Engineer has advised me he uses it for OpenVPN on his lab so we can confirm it works.
        
        I have done the following steps. from this guide: https://community.rsa.com/docs/DOC-54324
        
        *   Deploy identity router
        *   Enabled Radius cluster
        *   Connected LDAP directory
        *   Add Access policy
        *   Enabled My page
        *   Protect resource
        
        But for the next step it did not work.
        *   Test - My pfsense cannot contact the Identity router for some reason error: /diag_authentication.php: Error during RADIUS authentication : No valid RADIUS responses received
        
        So I used as radius sever my Identity router IP address and as my radius client my pfsense firewall IP.
        
        Any help is welcome.
        
        Regards,
        Tom
        Like • Show 0 Likes0
        Actions
        Ted Barbour @ Tom Menezes on Mar 21, 2020 11:04 AM
        Mark Correct
        Correct Answer
        Hi Tom - be sure your RADIUS client is targeting the IDR <management IP> port 1812. Also ensure that nothing in your network is blocking traffic between the client and IDR.
        You could determine if any traffic is reaching the IDR by running tcpdump on the IDR command line (SSH) while attempting the RADIUS login:
        
        $ sudo /usr/sbin/tcpdump -i eth0 port 1812
        
        Beyond that I would recommend that you open a support case for more detailed troubleshooting.
        
        Hope that helps,
        Ted
        1 person found this helpful
        Like • Show 0 Likes0
        Actions
        Jay Guillette @ Ted Barbour on Mar 21, 2020 12:07 PM
        Mark Correct
        Correct Answer
        Tom,
        To Ted's point, since your pfsense gets "No valid RADIUS responses received" then a tcpdump filtered on RADIUS port 1812 on the IDR would show if any packets are getting through your network to the IDR. If we see something, we analyze what came through in the trace (source IP, packet details, any response) and if there is anything in the IDR logs, if we do not see any packets, then either your pfsense did not send anything or the network blocked, mis-routed or dropped it.
        1 person found this helpful
        Like • Show 0 Likes0
        Actions
        Tom Menezes @ Jay Guillette on Mar 22, 2020 4:53 AM
        Mark Correct
        Correct Answer
        Thank you Jay and Ted for your assistance.
        I work with multiple Vlans and my Identity router is configured on a specific subnet.
        I found that on the authentication clients > radius client > it must be configured with the pfsense interface IP address which is used as the gateway for the identity router subnet and it worked as expected, it was a network configuration issue.
        
        Regards,
        Tom
        Like • Show 0 Likes0
        Actions

Securing OpenVPN with RSA SecurID

Outcomes

Related Content

Recommended Content