Stonesoft Integration

From Swivel Knowledgebase
Revision as of 17:28, 20 August 2015 by Rallen (talk)


Introduction

This document describes steps to configure a Stonesoft Firewall SSL VPN with Swivel as the authentication server.

Swivel integration uses the RADIUS authentication protocol, with the option of customising the login page. Depending on your needs, you can modify the default customization object or create a new one. There are several ways to configure it to work with Swivel.

To use Single Channel images such as the TURing image and PINpad, the Swivel server must be reachable by the client: the client browser requests the images directly from the Swivel server, which is usually published using NAT (Network Address Translation), often via a proxy server. The Swivel appliance provides a dedicated proxy port for this, which adds a further layer of protection.


Prerequisites

Stonesoft Firewall

Swivel 3.x

Modified login page for TURing

Modified login page for PINpad


Baseline

Stonesoft 4.9.9|1050

Swivel 3.9


Architecture

Stonesoft makes authentication requests against the Swivel server by RADIUS.

The client makes TURing requests against the Swivel server using HTTP/HTTPS.


Swivel Configuration

Configuring the RADIUS server

Configure the RADIUS settings on the RADIUS configuration page in the Swivel Administration console by selecting RADIUS Server. To turn on RADIUS authentication, set Server Enabled to YES. The Host or IP address is the interface that will accept RADIUS requests; leave it blank (or use 0.0.0.0) to accept RADIUS requests on any interface.

For troubleshooting, RADIUS debug can be enabled together with the debug log option; see the Debug how to guide.

Note: for appliances, the Swivel VIP should not be used as the server IP address; see VIP on PINsafe Appliances.


PINsafe36RADIUSserver.JPG


Setting up the RADIUS NAS

Set up the NAS using the Network Access Servers page in the Swivel Administration console. Enter a name for the VPN server, set the IP address to the IP of the VPN appliance, and assign a shared secret (‘secret’ in the example), which must be entered identically on both the Swivel server and the VPN RADIUS configuration.


PINsafe 36 generic RADIUS NAS.JPG


You can specify an EAP protocol if required; CHAP, PAP and MSCHAP are also supported. All users will be able to authenticate via this NAS unless authentication is restricted to a specific repository group.


Enabling Session creation with username

The Swivel server can be configured to return a TURing image when the username is presented via the XML API or the SCImage servlet.

Go to the ‘Single Channel’ Admin page and set ‘Allow Session creation with Username:’ to YES.

To test your configuration, use the following URL with a valid Swivel username:

Appliance

https://Swivel_server_IP:8443/proxy/SCImage?username=testuser

For a software only install, see Software Only Installation.


Stonesoft Configuration

Create a Radius Authentication Method

On the Stonesoft management console, select the Manage System tab, then Authentication Methods, then Add Authentication Method...


Stonesoft Authentication Method.jpg


Select the General RADIUS authentication method.


Stonesoft Authentication Method selection.jpg


Ensure the following are checked:

  • Enable authentication method
  • Visible in authentication menu

Enter a Display Name, then click on Next.


Stonesoft Authentication Method General Settings.jpg


Enter the following information and when complete click Next:

Host: Hostname/IP address of the Swivel server

Port: RADIUS authentication port, 1812 is the default for Swivel

Time-out: default 15000 milliseconds

Shared Secret: The shared secret entered on the Swivel NAS entry for the Stonesoft server


Stonesoft Authentication Method General Settings Network.jpg


Leave the RADIUS Reply settings at their defaults unless a specific RADIUS configuration is required.


Stonesoft Authentication Method complete.jpg


On the Extended Properties page, click Add Extended Property, select Allow user not listed in any User Storage and set it to true.

The Reveal RADIUS reject reason property can be used for troubleshooting if set to true.


Stonesoft Authentication Method Extended Allow User.jpg




The configured RADIUS authentication method will appear under the list of Registered Authentication Methods.


Stonesoft Authentication Method Added SwivelRadius.jpg


Select Authentication Services, then Add Authentication Service.


Stonesoft Authentication Services.jpg


On the RADIUS Authentication tab, ensure that Proxy unknown users is checked.


Stonesoft Authentication Services Manage RADIUS.jpg


When the configuration is complete, select Publish.


Stonesoft publish.jpg


Optional: Create a Secondary Authentication Server

These modifications are used only if some of the single channel features are required. The prerequisites section contains login pages for TURing and PINpad.


Login Page Customisation

The login page, GenericForm.html, can be modified to support a variety of login methods.

To select a different login page, browse to the files in:

 /opt/portwise/administration-service/files/access-point/built-in-files/wwwroot/wa/authmech/base

click Browse to select the source file, then click Upload.


Stonesoft upload modified page.jpg


Testing

Browse to the login page and check that it shows the required configuration.

Stonesoft login page with Dual Channel using SMS, Mobile Client


Stonesoft Dual Channel login.jpg


Stonesoft login page with Single Channel TURing image


Stonesoft TURing login2.jpg


Stonesoft login page with PINpad


Stonesoft Pinpad.jpg


Additional Configuration Options

Two Stage Authentication

Swivel can be configured under the RADIUS/NAS settings to use Two Stage Authentication, whereby a password is entered and if correct the user is then prompted for a One Time Code, either from a graphical TURing image, mobile phone client or a Challenge and Response SMS sent to the user.
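The RADIUS exchange between the Stonesoft appliance (the NAS) and the Swivel server, covering the NAS shared secret and the Host/Port/Shared Secret settings above as well as the Two Stage flow in this section, as an added Python example that is not part of this Knowledgebase page or of either product: it encodes a PAP Access-Request as defined in RFC 2865 and verifies the Response Authenticator on the reply, modelling the second stage as an Access-Challenge carrying a State attribute that the NAS echoes back. The shared secret, NAS IP 192.0.2.10 and username are assumed sample values, and build_reply only simulates the server side so the exchange can be run offline.

```python
import hashlib, os, socket, struct

# RFC 2865 packet codes and the attribute types this exchange needs
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE, STATE = 1, 2, 4, 18, 24

def attr(atype, value):
    """Type-Length-Value encoding; the length counts the 2 header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def encrypt_pap(password, secret, authenticator):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR with a chained MD5 keystream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(ident, username, password, secret, nas_ip, state=None):
    """Packet the NAS sends; returns (packet, request_authenticator)."""
    authenticator = os.urandom(16)        # Request Authenticator: fresh per request
    attrs = attr(USER_NAME, username.encode())
    attrs += attr(USER_PASSWORD, encrypt_pap(password.encode(), secret, authenticator))
    attrs += attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    if state is not None:                 # second stage: echo the server's State
        attrs += attr(STATE, state)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def build_reply(code, ident, request_authenticator, attrs, secret):
    """Server-side reply (constructed here to simulate the Swivel server offline)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs

def parse_reply(packet, request_authenticator, secret):
    """Verify the Response Authenticator, then return (code, {attr_type: value})."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    if packet[4:20] != expected:
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    parsed, i = {}, 0
    while i < len(attrs):
        if attrs[i + 1] < 2:              # malformed attribute length, refuse to loop forever
            raise ValueError("malformed attribute")
        parsed[attrs[i]] = attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
    return code, parsed
```

A mismatched shared secret shows up as a Response Authenticator failure on the NAS side, which is the first thing to check when the Swivel log shows the request arriving but the VPN reports a failure.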


Troubleshooting

Check the Swivel logs for TURing image requests and RADIUS requests.

Image from PINsafe server absent


Known Issues and Limitations

None


Additional Information

For assistance with the Swivel installation and configuration, first contact your reseller, then email Swivel Secure support at support@swivelsecure.com