Nortel Networks
VPN Gateway 3050
RSA SecurID Ready Implementation Guide
Last Modified: March 14, 2008
Partner Information
Partner Name: Nortel Networks
Web Site: www.nortelnetworks.com

Product Information
Product Name: VPN Gateway 3050
Version & Platform: 7.0.1.0
Product Description: The Nortel Networks VPN Gateway 3050 is a remote access security solution that extends the reach of enterprise applications and resources to remote users. The gateway performs on-the-fly content tran
Solution Summary

The Nortel Networks VPN Gateway 3050 is a remote access security solution that extends the reach of enterprise applications and resources to remote employees, partners, and customers. By using the native capability of widely deployed Web browsers, the SSL VPN Gateway offers a convenient clientless alternative for securely provisioning resources for remote users, without the need to install and manage client tunneling software on their PCs. Due to the clientless nature of
Product Requirements

Partner Product Requirements: Nortel VPN Gateway 3050
Firmware Version: 7.0.1.0

Hardware Platform
Platform: VPN 3050, ASA 310, ASA 410, ASA 310 FIPS
Required Patches: N/A

Additional Software Requirements
Application                          Additional Patches
Internet Explorer 5.0, 5.5 and 6.0

RSA SecurID Authentication Files
File          Location
sdconf.rec    In Memory
Node Secret   In Memory
sdstatus.12   In Memory
sdopts.rec    Not implemented

Go to t
Agent Host Configuration

Important: "Agent Host" and "Authentication Agent" are synonymous. "Agent Host" is a term used with the RSA Authentication Manager 6.x servers and below. RSA Authentication Manager 7.1 uses the term "Authentication Agent".

Important: All "Authentication Agent" types for 7.1 should be set to "Standard Agent".

To facilitate communication between the Nortel VPN Gateway and the RSA Authentication Manager / RSA SecurID Appliance, an Agent Host record must be ad
Partner Authentication Agent Configuration

Before You Begin

This section provides instructions for integrating the partner's product with RSA SecurID Authentication. This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to insta
Creating and Configuring an RSA SecurID or RADIUS User Group

1. From the admin console, expand VPN Gateways and click Add to add a VPN Gateway.
2. Click Create VPN.
3. Now click on the VPN Gateway you just created and click on Groups.
4. Click on the button Add New Group.
5. Fill out the form with the desired group name, user type and description.
6. Click Update and then Apply to add the new group to the configuration.
7. From the Groups menu on the administration console, click on
Configure the RSA Server record

1. Open the Management Interface (MIP) of the Nortel VPN Gateway using a web browser. Authenticate with an administrative user account and select the Config tab.
2. From the SSL-VPN admin menu select Administration > RSA Servers.
3. Click the Add button and complete the form.
4. Click Apply to commit changes to the IOS configuration.
   Note: You must Update and Apply the RSA Server Group entry before you import the sdconf.rec file.
5. To import your sdco
Configuring the RADIUS Authentication Servers

6. From the admin console, select VPN Gateways > Authentication.
7. Click Add.
8. Enter information for the Authentication Server such as Name and Display Name. The Authentication Mechanism will be RADIUS. Then click Update to complete additional RADIUS authentication options.
9. Select the Servers tab and click Add.
10. Enter the appropriate information for your server and click Update.
    Note: You can add a maximum of three RSA RADIUS serve
Configuring RADIUS Authentication Servers for Administrative Access

1. From the admin console, select Administration > RADIUS.
2. Click Add.
3. Enter information for the RADIUS Authentication Server.
4. Click Update.
5. Enable authentication by selecting Enabled for RADIUS Authentication Status.
6. Click Update then Apply.

NEW-PIN mode does not work via the admin console. See the Known Issues section of this guide for more information.
Testing the configuration

1. Open a web browser and point to the portal address.
2. For user credentials enter a SecurID username and Passcode.
3. From the Login Service list select your RSA SecurID or RSA RADIUS challenge group.
4. Click Login to authenticate and enter the Portal Server.

Note: The user name does not need to exist on the VPN Gateway 3050 in order to be authenticated. The VPN Gateway 3050 will pass off authentication to the RSA Authentication Manager as a trusted authe
Certification Checklist

Date Tested: September 26, 2007

Certification Environment
Product Name                  Version Information   Operating System
RSA Authentication Manager    6.1                   Windows 2003 Server
RSA RADIUS Server             6.1                   Windows 2003 Server
VPN Gateway 3050              7.0.1.0               IOS Router

Mandatory Functionality
RSA Native Protocol                   RADIUS Protocol
New PIN Mode
Force Authentication After New PIN    Force Authentication After New PIN
System Generated PIN                  System Generated PIN
User Defined (4-8 Alpha
Certification Checklist For RSA Authentication Manager 7.x

Date Tested: March 14, 2008

Certification Environment
Product Name                  Version Information   Operating System
RSA Authentication Manager    7.1                   Windows 2003
RSA RADIUS Server             7.1                   Windows 2003
VPN Gateway 3050              7.0.1.0               IOS Router

Mandatory Functionality
RSA Native Protocol                   RADIUS Protocol
New PIN Mode
Force Authentication After New PIN    Force Authentication After New PIN
System Generated PIN                  System Generated PIN
User
Known Issues

PIN Rejection: When a PIN is rejected by the Authentication Manager server, the client asks the user to try a different PIN, but the program flow is not intuitive.

1. The user first authenticates using either Token or Password. The user is next prompted to create a new PIN.
2. The user must re-enter the new PIN to validate input from the previous step.
3. If rejected, the client displays the question to the user with an empty text box for input.
4. The client
Administration Logon: NEW-PIN mode does not work via the admin console. The user is prompted to create or accept a PIN, but the PIN never gets sent to the server and the user gets redirected to a blank web page.
Appendix

Delete Node Secret
1. Navigate to Config > Administration > RSA Servers and click on the link for the RSA Authentication Server Label you created.
2. Click the button labeled Remove Node Secret.

Remove sdconf.rec and sdstatus.12
1. Navigate to Config > Administration > RSA Servers.
2. Check the box for the RSA Authentication Server Label you created.
3. Click Delete.
4. You now need to add a new record for an RSA Authentication Manager for authentication.