Difference between revisions of "Array Networks SPX Integration"

From Swivel Knowledgebase
Jump to: navigation, search
 
m (1 revision imported)
 
(No difference)

Latest revision as of 12:52, 11 May 2017


Introduction

This configuration document outlines how to integrate Swivel with the Array Networks SPX using password authentication in addition to the Swivel authentication.

Additional Contributors

Swivel Secure would like to thank Wender Putters from Connect Data Solutions


Prerequisites

Array Network SPX 8.2, 8.3, 8.4

Swivel 3.x

If the TURing is required to be used a NAT is required to the Swivel virtual or hardware appliance

Website to host custom login page, this can be the Swivel virtual or hardware appliance.

Custom login page, this can be downloaded from here: here


Baseline

Array Networks SPX 8.2.2.0 and also 8.4.4.2 Build 9

Swivel 3.5 and Swivel 3.7


Architecture

The Array Networks SPX makes authentication requests against the Swivel virtual or hardware appliance by RADIUS. The login page is redirected from the Array Networks SPX onto another web server. The Swivel virtual or hardware appliance can be used to host this page. The hosted page must be accessible from the internet.

If the AD password is required to be used then these are added together into the RADIUS request, and Swivel has to have the require password and check password with repository set to yes. Remember that in Swivel 3.7 and earlier this is a global setting. In Swivel 3.8 it is possible to set password checks by NAS devic rather than being a global setting.


Installation

Swivel Configuration

Configuring the RADIUS server

On the Swivel Administration console configure the RADIUS Server and NAS, see RADIUS Configuration


Enabling Session creation with username

To allow the TURing image, PINpad and other single channel images, under Server/Single Channel set Allow session request by username to Yes.


Configure Password

Swivel 3.7 and earlier

If the AD Password is required to be used, on the Swivel Administration Console select Policy/Password, enable Require Password and check password with repository

Swivel 3.8 and later

If the AD Password is required to be used, on the Swivel Administration Console select RADIUS NAS, enable check password with repository


Configure the custom login page

Editing the Login Page

Edit the file login.html with the required values

The externally accessible IP address of the Swivel virtual or hardware appliance needs to be set for the following lines:

_AN_base_host = "http://192.168.100.100:8080";

_AN_base_path = "http://192.168.100.100:8080/login";

sUrl = "https://192.168.100.100:8443/proxy/SCImage?username=";


Change the IP address for that of the public URL. For a Swivel virtual or hardware appliance the sURL also needs to be changed as follows:

For a Virtual or hardware appliance:

sUrl = "https://IP:8443/proxy/SCImage?username=";

For a software only install see Software Only Installation


Copy the login page files

The login page can be hosted on a web server. Note that this page needs to be accessible from the internet by the client.

To use Swivel as a to host the login page:

Copy login.html to one of the following locations:

Swivel Virtual or hardware Appliance: create the folder ROOT in /usr/local/tomcat/webapps2 using a program such as WinSCP, see the WinSCP How To Guide, then ensure that the ownership/group of the folder and file are swivel and permissions for the ROOT folder are rwxrwxr-x. Copy in the file login.html and ensure the permissions are rw-rw-r--, and it is owned by the swivel user.

Software only install: <path to Tomcat>/webapps/ROOT

Test that the web page is accessible

Virtual or hardware appliance: http://IP of Swivel server:8443/login.html

For a software only install see Software Only Installation


Create a Failed Login Page

When a login fails, the page redirects, to ensure that this is a Swivel login page either redirect the login failure back to the Swivel login.html, or make a copy of that file and edit it as required, such as to indicate that a login has failed.


Configure the Array Networks SPX

Configure RADIUS authentication

On the Array Networks SPX Select under Site Configuration AAA, then method. Configure the RADIUS server on the authentication menu. Set the authentication method to RADIUS


Array Networks Authentication Method.JPG


On the Authentication tab, Swivel needs to be configured as the RADIUS server for the VPN, ensuring that the shared secret matches that set on the RADIUS->NAS screen on Swivel.

If you want to configure more RADIUS servers for failover, add more servers.

Array Networks Authentication.JPG


Link custom page to URL for login

The custom log-in page created then needs to be associated with the url of the log-in page. On the Array Networks SPX Select under Site Configuration Portal then External pages, enter the path to the Swivel virtual or hardware appliance. Note that this page needs to be accessible from the internet by the client.

The required settings are:

URL: Full address of where the login page can be reached

Username: default: uname, the username attribute used in the login page

Password: default: pwd, the password attribute used in the login page

Token: default: token, the token attribute used in the login page

Password: default: pwd2, the secondary password attribute

Other options

Change Password Page Full address of the ChangePIN page


Array Networks custom login URL.JPG


Link custom page to URL for failed login

The custom failed log-in page created then needs to be associated with the url of the log-in page. On the Array Networks SPX Select under Site Configuration Portal then External pages, select Error Pages, and for error type select failed login, enter either the path to the Swivel page or to a custom failed login page. Note that this page needs to be accessible from the internet by the client. Click save and the login page will now be listed.

Custom page for failed login:

Array SSL VPN failed login error page.jpg


The custom login page should be listed under Error Pages

Array SSL VPN failed login error pages list.jpg


Link custom page to URL for generic login error

It is also recommended to create another error page (as above) using the same custom login page URL (as above) but for a generic login error, which is a selectable Error Type. This prevents the default localhost login page of the Array being presented in the event of a generic login error.


Configure URL Policy

This page allows certain attributes to be used in the login page. On the Array Networks SPX Select under access methods/Web Access then URL Policies. Create the following policies:

Priority: 1 Type Public: keyword: SCImage

Priority: 2 Type Public: keyword: .gif

Priority: 3 Type Public: keyword: .jpg

Priority: 4 Type Public: keyword: .jsp


Array Networks custom URL Policy URL.JPG


Verifying the Installation

Browse to the login page, enter a username, click on the Request Turing button and the Turing image should appear. Check for Session requests with that username on Swivel, and RADIUS requests.

Array SSL VPN Turing login.jpg


Test using the SMS option without clicking on the Turing button. Note: If the Single Channel Turing image is clicked it will expect a Single Channel login for the length of the session request (usually 2 minutes). Check for RADIUS requests on Swivel.

Array SSL VPN SMS login.jpg


Ensure that the failed login redirects to a Swivel login page.

Array SSL VPN failed login redirect.jpg


Troubleshooting

Check the Swivel logs and system event logs for any errors or lack of communication as well as the Array Networks SPX logs.


Known Issues and Limitations

Additional Information

For assistance in the Swivel installation and configuration please firstly contact your reseller and then email Swivel Secure support at support@swivelsecure.com