Stonesoft Integration

From Swivel Knowledgebase
Revision as of 12:52, 11 May 2017 by Admin (talk | contribs) (1 revision imported)


This document describes steps to configure a Stonesoft Firewall SSL VPN with Swivel as the authentication server.

Swivel integration uses the RADIUS authentication protocol, with an option to configure the login page. Depending on your needs, you can modify the default customization object or create a new customization object. There are many ways to configure it to work with Swivel.

To use a Single Channel image such as the TURing image or PINpad, the Swivel server must be made accessible to the client, because the client requests the images from the Swivel server. This access is usually configured using NAT (Network Address Translation), often with a proxy server. The Swivel appliance is configured with a proxy port to allow an additional layer of protection.


Stonesoft Firewall

Swivel 3.x

Modified login page for TURing

Modified login page for PINpad


Stonesoft 4.9.9|1050

Swivel 3.9


Stonesoft makes authentication requests against the Swivel server by RADIUS.

The client makes TURing requests against the Swivel server using HTTP/HTTPS.

Swivel Configuration

Configuring the RADIUS server

Configure the RADIUS settings using the RADIUS configuration page in the Swivel Administration console by selecting RADIUS Server. To turn on RADIUS authentication, set Server Enabled to YES. The Host or IP address is the interface which will accept RADIUS requests; leave this blank (or use to allow RADIUS requests on any interface.

For troubleshooting, RADIUS debug can be enabled together with the debug log option; see the Debug how to guide.

Note: for appliances, the Swivel VIP should not be used as the server IP address; see VIP on PINsafe Appliances.


Setting up the RADIUS NAS

Set up the NAS using the Network Access Servers page in the Swivel Administration console. Enter a name for the VPN server. In the example shown, the IP address has been set to the IP of the VPN appliance and the secret ‘secret’ has been assigned; the same secret is used on both the Swivel server and the VPN RADIUS configuration.

PINsafe 36 generic RADIUS NAS.JPG

You can specify an EAP protocol if required; CHAP, PAP and MSCHAP are also supported. All users will be able to authenticate via this NAS unless authentication is restricted to a specific repository group.
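The following added example (not part of the original Swivel or Stonesoft material) shows how the shared secret from the NAS entry is used in a PAP exchange: it hides the one-time code in the Access-Request and checks the Response Authenticator on the reply, which is a quick way to confirm that both sides hold the same secret. The function names are hypothetical, and the test host is assumed to be the one whose IP address is registered as the NAS.

```python
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: XOR with an MD5(secret + ...) chain."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    size = max(16, -(-len(password) // 16) * 16)   # pad to a multiple of 16
    padded, out, prev = password.ljust(size, b"\x00"), b"", req_auth
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def attribute(code: int, value: bytes) -> bytes:
    """Encode one attribute as type, length, value."""
    return struct.pack("!BB", code, len(value) + 2) + value

def build_access_request(user, otc, secret, ident=1, req_auth=None) -> bytes:
    """PAP Access-Request carrying User-Name (1) and User-Password (2)."""
    req_auth = req_auth or os.urandom(16)
    attrs = attribute(1, user.encode()) + attribute(
        2, hide_password(otc.encode(), secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def verify_reply(reply: bytes, request: bytes, secret: bytes) -> int:
    """Return the reply code after checking the Response Authenticator."""
    if len(reply) < 20:
        raise ValueError("reply shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length < 20 or length > len(reply) or ident != request[1]:
        raise ValueError("malformed reply or identifier mismatch")
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator: shared secret mismatch?")
    return code

def authenticate(host, user, otc, secret, port=1812, timeout=15.0) -> int:
    """Send one request; port and time-out follow the defaults on this page."""
    request = build_access_request(user, otc, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, port))
        return verify_reply(s.recvfrom(4096)[0], request, secret)
```

Because PAP protects the one-time code only with an MD5 chain keyed by the shared secret, the secret configured on the NAS entry is what keeps both the credential and the reply trustworthy on the wire.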

Enabling Session creation with username

The Swivel server can be configured to return a TURing image when the username is presented via the XML API or the SCImage servlet.

Go to the ‘Single Channel’ Admin page and set ‘Allow Session creation with Username:’ to YES.

To test your configuration you can use the following URL using a valid Swivel username:



For a software only install see Software Only Installation

Stonesoft Configuration

Create a Radius Authentication Method

On the Stonesoft management console, select the Manage System tab and then Authentication Methods, then select Add Authentication Method...

Stonesoft Authentication Method.jpg

Select the General RADIUS authentication method.

Stonesoft Authentication Method selection.jpg

Ensure the following are checked:

  • Enable authentication method
  • Visible in authentication menu

Enter a Display Name, then click on Next.

Stonesoft Authentication Method General Settings.jpg

Enter the following information and when complete click Next:

Host: Hostname/IP address of the Swivel server

Port: RADIUS authentication port, 1812 is the default for Swivel

Time-out: default 15000 milliseconds

Shared Secret: The shared secret entered on the Swivel NAS entry for the Stonesoft server

Stonesoft Authentication Method General Settings Network.jpg

Leave the RADIUS Reply settings as default unless a specific RADIUS configuration is required.

Stonesoft Authentication Method complete.jpg

On the Extended Properties page, click on Add Extended Property, then select Allow user not listed in any User Storage and set it to true.

The Reveal RADIUS reject reason can be used for troubleshooting if set to true.

Stonesoft Authentication Method Extended Allow User.jpg

possibly not use: Stonesoft Authentication Method RADIUS Extended Properties.jpg

The configured RADIUS authentication method will appear under the list of Registered Authentication Methods.

Stonesoft Authentication Method Added SwivelRadius.jpg

Select Authentication Services, then Add Authentication Service.

Stonesoft Authentication Services.jpg

On the RADIUS Authentication tab, ensure that Proxy unknown users is checked.

Stonesoft Authentication Services Manage RADIUS.jpg

When the configuration is complete, select Publish.

Stonesoft publish.jpg

Optional: Create a Secondary Authentication Server

These modifications are used only if some of the single channel features are required. The prerequisites section contains login pages for TURing and PINpad.

Login Page Customisation

The login page, GenericForm.html, can be modified to allow a variety of different login methods.

To select a different login page browse to the files in:


Select Browse to choose the source file, then click on Upload.

Stonesoft upload modified page.jpg


Browse to the login page and view the login page for the required configuration.

Stonesoft login page with Dual Channel using SMS, Mobile Client

Stonesoft Dual Channel login.jpg

Stonesoft login page with Single Channel TURing image

Stonesoft TURing login2.jpg

Stonesoft login page with PINpad

Stonesoft Pinpad.jpg

Additional Configuration Options

Two Stage Authentication

Swivel can be configured under the RADIUS/NAS settings to use Two Stage Authentication, whereby a password is entered and if correct the user is then prompted for a One Time Code, either from a graphical TURing image, mobile phone client or a Challenge and Response SMS sent to the user.


Check the Swivel logs for Turing images and RADIUS requests.

Image from PINsafe server absent

Known Issues and Limitations


Additional Information

For assistance in the Swivel installation and configuration please firstly contact your reseller and then email Swivel Secure support at