Nortel VPN Integration



Nortel VPN Gateway
Integration Guide

Version 1.0 March 2009

Introduction

This document describes how to integrate PINsafe with the Nortel VPN Gateway. The integration is based on Nortel 3050 Release 7.1.1.0. This guide covers the Nortel integration only and does not cover the general steps required for configuring the VPN Gateway. This integration requires the PINsafe server to be available from the internet. An appliance install can use the proxy to protect the PINsafe server in this respect.


RADIUS Integration

The main integration required is to get the Nortel VPN Gateway to use RADIUS for authentication and to use PINsafe as its RADIUS server.


To do this on the VPN Gateway Config screen select the VPN Gateway you wish to integrate with PINsafe and then select the Authentication option.


A new authentication server needs to be created. To do this select the Add option and create a new Authentication Server called PINSAFE. The domain name can be left blank.

AddAuthServer.jpg

Then select Update.


Once this stage has been completed, the authentication server you have just added will appear on the Authentication Servers screen. Select the server to configure the details. The only essential element is on the Servers tab.


Select this tab, enter the details of the PINsafe server on this screen and click Update.

AddRadiusServer.jpg


You must now click Apply on the top right of the screen for these changes to take effect.


The VPN is now configured to use PINsafe for authentication. The Nortel allows multiple authentication servers to be defined; if you only wish to use PINsafe, ensure on the Authentication Order tab that it is the only server defined.


You now need to configure PINsafe to accept authentication requests from the Nortel VPN gateway.


To do this ensure that the RADIUS server is active and running on the same ports as defined on the Nortel VPN gateway. A NAS then needs to be added that has entries for IP address and shared secret that match those of the Nortel VPN Gateway.


The value for IP address that you need to enter may need to match that of the VPN host defined on the Config – Hosts screen on the VPN.
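
Why the shared secret on the PINsafe NAS entry has to match the gateway's exactly, as an added example (not part of the original guide, and not Swivel or Nortel code): it applies the RFC 2865 User-Password hiding and Response Authenticator calculations to a constructed request. The user name, one-time code and secrets are made-up values; `simulate` returns the code as the server would decode it and whether the gateway would accept the server's reply.

```python
import hashlib
import hmac
import struct

def _xor_blocks(data, secret, authenticator, hiding):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(b ^ k for b, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = result if hiding else block  # always chain on the ciphertext
        out += result
    return out

def hide_password(password, secret, authenticator):
    pad = (-len(password) % 16) or (0 if password else 16)  # pad to a 16-byte multiple
    return _xor_blocks(password + b"\x00" * pad, secret, authenticator, True)

def reveal_password(hidden, secret, authenticator):
    return _xor_blocks(hidden, secret, authenticator, False).rstrip(b"\x00")

def build_access_request(ident, user, code, secret, authenticator):
    def attr(kind, value):
        return struct.pack("!BB", kind, len(value) + 2) + value
    attrs = attr(1, user.encode()) + attr(2, hide_password(code.encode(), secret, authenticator))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attrs(packet):
    attrs, pos = {}, 20  # attributes start after the 20-byte header
    while pos + 2 <= len(packet):
        kind, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[kind] = packet[pos + 2:pos + length]
        pos += length
    return attrs

def sign_response(code, ident, request_auth, secret):
    header = struct.pack("!BBH", code, ident, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()

def response_is_authentic(resp, request_auth, secret):
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])

def simulate(gateway_secret, nas_secret):
    req_auth = bytes(range(16))  # constructed; real clients use 16 random bytes
    pkt = build_access_request(1, "alice", "4821", gateway_secret, req_auth)
    seen = reveal_password(parse_attrs(pkt)[2], nas_secret, req_auth)
    reply = sign_response(2, 1, req_auth, nas_secret)  # 2 = Access-Accept
    return seen, response_is_authentic(reply, req_auth, gateway_secret)
```

With matching secrets the server recovers the code the user typed; with a secret that differs by even one character it decodes unrelated bytes, so a correct one-time code is rejected, and the gateway would discard the reply in any case.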


TURING Integration

The Nortel VPN Gateway supports login page customization and this allows a TURing image to be requested and displayed on the logon page to allow seamless integration between PINsafe and the Nortel VPN Gateway.


This is achieved by going to the VPN Gateway → Portal page and selecting the Login tab.

CustomisingLogin.jpg


The HTML code required to include the TURing image can then be inserted. A sample is shown below.


<script language="JavaScript">
// Rebuilds the Nortel login form: adds an onblur handler to the username field,
// a "Get Another Image" button, a row for the TURing image and a hint row.
function addButton(e) {
  var t = document.getElementById('f');
  var d = t.getElementsByTagName('td');
  d[3].innerHTML = '<input name="user" id="user" size="20" type="text" onblur="ShowTuring()">';
  var i = d.length - 1;
  var h = d[i - 1].innerHTML;
  d[i - 1].innerHTML = h + '  <input type="button" name="btnTuring" value="Get Another Image" onclick="ShowTuring()">';
  var ta = t.getElementsByTagName('table')[0];
  // Row for the TURing image, hidden until a username has been entered
  var r = ta.insertRow(2);
  var c1 = r.insertCell(0);
  var c2 = r.insertCell(1);
  c1.innerHTML = '&nbsp;';
  c2.innerHTML = '<img id="turing" style="visibility:hidden;">';
  // Row for the case-sensitivity hint
  r = ta.insertRow(3);
  c1 = r.insertCell(0);
  c2 = r.insertCell(1);
  c1.innerHTML = '&nbsp;';
  c2.innerHTML = '<font color="red">* Case Sensitive<br></font>';
}

function ShowTuring() {
  var ppText = document.getElementById("ptext");
  if (ppText != null) {
    ppText.innerHTML = "One-Time Code:";
  }
  var img = document.getElementById("turing");
  var usr = document.getElementById("user").value;
  // Change this to the address of your PINsafe server
  var imgUrl = "http://pinsafe:8080/pinsafe/SCImage?username=";
  if (usr == "") {
    alert("Please enter your username first!");
    document.getElementById("user").focus();
  } else {
    // Set the image SRC and make it visible. The username is URL-encoded and
    // the random parameter stops the browser reusing a cached image.
    img.src = imgUrl + encodeURIComponent(usr) + "&random=" + Math.ceil(10000 * Math.random());
    img.style.visibility = "visible";
  }
}
</script>
<script language="JavaScript" type="text/javascript">
window.onload = addButton;
</script>


The URL http://pinsafe:8080/pinsafe/SCImage?username= needs to be changed to match the IP address of the PINsafe server. Note that for an appliance this is likely to be in the format https://pinsafe:8443/proxy/SCImage?username=


Once these changes have been inserted, click UPDATE.


You must now click Apply on the top right of the screen for these changes to take effect.


You can then view the modified page by going to the IP address associated with the VPN on the Config → VPN screen.


CustomLogin.jpg


Notes

This integration requires the PINsafe server to be available from the internet. An appliance install can use the proxy to protect the PINsafe server in this respect.


To test the integration, ensure that there is a user that exists on both PINsafe and the VPN Gateway, and check the PINsafe logs to see that it is receiving the authentication requests.