Configuring Two-Factor Authentication

Two-factor authentication is an authentication method that requires two independent pieces of information to establish identity and privileges. Two-factor authentication is stronger and more rigorous than traditional password authentication that only requires one factor (the user’s password).

For more information on how two-factor authentication works see Two-Factor Authentication Overview .

Dell SonicWALL’s implementation of two-factor authentication either uses two separate RADIUS authentication servers, or partners with two of the leaders in advanced user authentication: RSA and VASCO. If you are using RSA, you must have the RSA Authentication Manager and RSA SecurID tokens. If you are using VASCO, you must have the VASCO IdentiKey and Digipass tokens.

To configure two-factor authentication, you must first configure a RADIUS domain. For information see Adding or Editing a Domain with RADIUS Authentication .

The following sections describe how to configure the supported third-party authentication servers:
Configuring the RSA Authentication Manager
Configuring the VASCO IdentiKey Solution

Configuring the RSA Authentication Manager

The following sections describe how to configure the RSA Authentication Manager version 6.1 to perform two-factor authentication with your SRA appliance:
Adding an Agent Host Record for the SRA Appliance
Adding the SRA Appliance as a RADIUS Client
Setting the Time and Date
Importing Tokens and Adding Users
* 
NOTE: This configuration procedure is specific to RSA Authentication Manager version 6.1. If you are using a different version of RSA Authentication Manager, the procedure will be slightly different.

If you will be using VASCO instead of RSA, see Configuring the VASCO IdentiKey Solution .

Adding an Agent Host Record for the SRA Appliance

To establish a connection between the SRA appliance and the RSA Authentication Manager, an Agent Host record must be added to the RSA Authentication Manager database. The Agent host record identifies the SRA appliance within its database and contains information about communication and encryption.

To create the Agent Host record for the SRA appliance:
1
Launch the RSA Authentication Manager.
2
On the Agent Host menu, select Add Agent Host. The Add Agent Host window displays.

3
Enter a hostname for the SRA appliance in the Name field.
4
Enter the IP address of the SRA appliance in the Network address field.
5
Select Communication Server in the Agent type window.
6
By default, the Enable Offline Authentication and Enable Windows Password Integration options are enabled. Dell SonicWALL recommends disabling all of these options except for Open to All Locally Known Users.
7
Click OK.
Adding the SRA Appliance as a RADIUS Client

After you have created the Agent Host record, you must add the SRA appliance to the RSA Authentication Manager as a RADIUS client. To do so, perform the following steps:

1
In RSA Authentication Manager, go to the RADIUS menu and select Manage RADIUS Server. The RSA RADIUS Manager displays.
2
Expand the RSA RADIUS Server Administration tree and select RADIUS Clients.

3
Click Add. The Add RADIUS Client window displays.

4
Enter a descriptive name for the SRA appliance.
5
Enter the IP address of the SRA in the IP Address field.
6
Enter the shared secret that is configured on the SRA in the Shared secret field.
7
Click OK and close the RSA RADIUS Manager.
Setting the Time and Date

Because two-factor authentication depends on time synchronization, it is important that the internal clocks for the RSA Authentication Manager and the SRA appliance are set correctly.

Importing Tokens and Adding Users

After you have configured the RSA Authentication Manager to communicate with the SRA appliance, you must import tokens and add users to the RSA Authentication Manager.

To import tokens and add users:
1
To import the token file, select Token > Import Tokens.

2
When you purchase RSA SecurID tokens, they come with an XML file that contains information on the tokens. Navigate to the token XML file and click Open. The token file is imported.
3
The Import Status window displays information on the number of tokens imported to the RSA Authentication Manager.

4
To create a user on the RSA Authentication Manager, click on User > Add user.

5
Enter the user’s First and Last Name.
6
Enter the user’s username in the Default Login field.
7
Select either Allowed to Create a PIN or Required to Create a PIN. Allowed to Create a PIN gives users the option of either creating their own PIN or having the system generate a random PIN. Required to Create a PIN requires the user to create a PIN.
8
To assign a token to the user, click on the Assign Token button. Click Yes on the confirmation window that displays. The Select Token window displays.

9
You can either manually select the token or automatically assign the token:
To manually select the token for the user, click Select Token from List. In the window that displays, select the serial number for the token and click OK.
To automatically assign the token, you can optionally select the method by which to sort the token: the token’s import date, serial number, or expiration date. Then click the Unassigned Token button and the RSA Authentication Manager assigns a token to the user. Click OK.
10
Click OK in the Edit User window. The user is added to the RSA Authentication Manager.
11
Give the user their RSA SecurID Authenticator and instructions on how to log in, create a PIN, and user the RSA SecurID Authenticator. See the Dell SonicWALL SRA User Guide for more information.

Configuring the VASCO IdentiKey Solution

The VASCO IdentiKey solution works with SRA 5.0 or higher. The following sections describe how to configure two-factor authentication using VASCO’s IdentiKey version 3.2:
Setting the Time
Setting DNS and the Default Route on page 172
Setting NetExtender Client Address Range and Route on page 172
Creating a Portal Domain with RADIUS Authentication on page 173
Configuring a Policy on VASCO IdentiKey on page 173
Registering the SRA as a Client on page 173
Configuring a VASCO IdentiKey User on page 174
Importing DIGIPASS on page 174
Assigning a DIGIPASS to a User on page 174
Verifying Two-Factor Authentication on page 174
* 
NOTE: This configuration procedure is specific to VASCO IdentiKey version 3.2. If you are using a different version of VASCO IdentiKey, the procedure will be slightly different.

If you will be using RSA instead of VASCO, see Configuring the RSA Authentication Manager .

Setting the Time

The DIGIPASS token is based on time synchronization. Since the two-factor authentication depends on time synchronization, it is important that the internal clocks for the SRA appliance and the VASCO IdentiKey are set correctly.

Navigate to System > Time on the SRA appliance to select the correct time zone.

Setting DNS and the Default Route

The default route for the SRA appliance is an interface on the firewall that corresponds with the DMZ Zone. The IP address of this firewall DMZ interface needs to be configured as the default route for the SRA appliance.

To configure Domain Name Service and the default route:
1
On the SRA management interface, navigate to Network > DNS and set the correct DNS settings and/ or WINS Settings.
2
Navigate to Network > Routes and set the correct Default Route for the SRA X0 interface.
Setting NetExtender Client Address Range and Route
To configure the NetExtender client address range and route on the SRA appliance:
1
Navigate to NetExtender > Client Addresses to set the NetExtender Client Address Range.

Client Addresses will be assigned in the same subnet of the SRA X0 interface. Exclude the SRA appliance X0 interface and the firewall DMZ interface IP address.

2
Navigate to NetExtender > Client Routes.

Click the Add Client Route button to select the correct Client Routes for the authenticated remote users accessing the private networks via the SRA connection.

The client route corresponds with the subnet connected to the X0 (LAN) interface of the Dell SonicWALL NSA or TZ firewall.

Creating a Portal Domain with RADIUS Authentication
To create a domain using RADIUS authentication on the SRA appliance:
1
Navigate to Portal > Domains and click Add Domain.
2
Select Radius from the Authentication Type drop-down list.
3
Enter the Domain Name that users will use in order to log into the SRA appliance portal.
Configuring a Policy on VASCO IdentiKey
To add a new policy in the VASCO Identikey Web Administration interface:
1
Log in to the Vasco Identikey Web Administration window.
2
Click the Policies tab and select Create.
* 
NOTE: There are policies available by default, and you can also create new policies to suit your needs
3
Fill in a policy name and choose the option most suitable in your situation. If you want the policy to inherit a setting from another policy, choose the inherit option. If you want to copy an existing policy, choose the copy option, and if you want to make a new policy, choose the create option.
* 
NOTE: Configure the policy properties to use the appropriate back-end server. This may be the same authentication service as previously used in the SRA appliance.

Use the following settings for the policy:

 

Table 25. Policy settings

Local Auth

Default (DIGIPASS/Password)

Back-End Auth

Default (None)

Dynamic User Registration

Default (No)

Password Autolearn

Default (No)

Stored Password Proxy

Default (No)

Windows Group Check

Default (No Check)
Registering the SRA as a Client
To register the SRA appliance as a VASCO client:
1
In the Vasco Identikey Web Administration window, click the Clients Tab and choose Register.
2
Select RADIUS Client for Client Type.
3
Enter the IP address of the SRA appliance.
4
In the Policy ID field, select your new policy.
5
Fill in the Shared Secret you entered for the RADIUS server properties on the SRA appliance.
6
Click Create.
Configuring a VASCO IdentiKey User
To create a new user:
1
In the Vasco Identikey Web Administration window, click the Users tab and select Create.
2
Fill in the User ID field.
3
Select the Domain.
4
Select the Organizational Unit.
5
Click the Create button.

The user appears in the list of users in the Vasco Identikey Web Administration management interface.

Importing DIGIPASS
To import a DIGIPASS:
1
In the Vasco Identikey Web Administration window, click on the DIGIPASS tab and select Import.
2
Browse for the *.DPX file.
3
Enter the Transport Key.
4
Click UPLOAD.

A confirmation message pops up when the DIGIPASS is imported successfully.

Assigning a DIGIPASS to a User

There are two ways to assign a DIGIPASS to a user. You can search for a DIGIPASS and assign it to a user or search for a user and assign the user to a DIGIPASS.

1
Do one of the following:
On the Users tab, select the check box next to the user and then click Assign DIGIPASS.
On the DIGIPASS tab, select the check box next to the DIGIPASS and then click NEXT.
* 
NOTE: If the User ID is left blank, press the Find button and a list of all the available users in the same domain will appear. If no users appear, make sure the domains of the DIGIPASS and the user match.

When a user is assigned to a DIGIPASS, a confirmation message will pop up.

Verifying Two-Factor Authentication
To test the two-factor authentication SRA connectivity with VASCO IdentiKey:
1
Connect your PC on the WAN (X1) interface of the Dell SonicWALL firewall by pointing your browser to its IP address.
2
Login to the Local Domain as an Administrator.
3
Navigate to Portal > Domains and click Configure to test the RADIUS connectivity to VASCO IdentiKey.
4
If the RADIUS Authentication is successful, log out of the Administrator account and log in to the WAN (X1) interface of the Dell SonicWALL firewall with the User Name you created.