DIGIPASS Authentication for
Pulse Connect Secure
INTEGRATION GUIDE
1 DIGIPASS Authentication for Pulse Connect Secure
DIGIPASS Authentication for Pulse Connect Secure
Disclaimer
Disclaimer of Warranties and Limitation of Liabilities
All information contained in this document is provided 'as is'; VASCO Data Security assumes no
responsibility for its accuracy and/or completeness.
In no event will VASCO Data Security be liable for damages arising directly or indirectly from any
use of the information contained in this document.
Copyright
Copyright © 2010 VASCO Data Security, Inc, VASCO Data Security International GmbH. All
rights reserved. VASCO®, Vacman®, IDENTIKEY®, aXsGUARD™, DIGIPASS® and the ® logo
are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data
Security International GmbH in the U.S. and other countries. VASCO Data Security, Inc.
and/or VASCO Data Security International GmbH own or are licensed under all title, rights and
interest in VASCO Products, updates and upgrades thereof, including copyrights, patent
rights, trade secret rights, mask work rights, database rights and all other intellectual and
industrial property rights in the U.S. and other countries. Microsoft and Windows are
trademarks or registered trademarks of Microsoft Corporation. Other names may be
trademarks of their respective owners.
Table of Contents
Disclaimer ......................................................................................................................1
Table of Contents ...........................................................................................................2
Reference guide .............................................................................................................4
1 Overview...................................................................................................................5
2 Technical Concepts ...................................................................................................6
2.1 Pulse Secure......................................................................................................... 6
2.1.1 Pulse Connect Secure ...................................................................................... 6
2.2 VASCO................................................................................................................. 6
2.2.1 IDENTIKEY Authentication Server or IDENTIKEY Appliance ................................... 6
3 Installation ...............................................................................................................7
3.1 Pulse Connect Secure ............................................................................................ 7
3.2 IDENTIKEY Appliance............................................................................................. 8
4 Setup without IDENTIKEY....................................................................................... 14
4.1 Architecture........................................................................................................ 14
4.2 Pulse Connect Secure Settings .............................................................................. 14
4.2.1 Authentication Servers................................................................................... 14
4.2.2 User Realms ................................................................................................. 16
4.2.3 User Roles.................................................................................................... 17
4.2.4 Sign-in......................................................................................................... 18
4.3 Testing the Solution............................................................................................. 19
5 Solution .................................................................................................................. 21
5.1 Architecture........................................................................................................ 21
5.2 Pulse Connect Secure Settings .............................................................................. 21
5.2.1 Authentication Servers................................................................................... 21
5.2.2 User Realms ................................................................................................. 22
5.2.3 Sign-in......................................................................................................... 24
5.3 IDENTIKEY Authentication Server Settings ............................................................. 25
5.3.1 Policies ........................................................................................................ 25
5.3.2 Client .......................................................................................................... 26
5.3.3 User ............................................................................................................ 27
5.3.4 DIGIPASS .................................................................................................... 28
5.4 Testing the Solution............................................................................................. 30
6 Solution with Virtual DIGIPASS .............................................................................. 32
6.1 Architecture........................................................................................................ 32
6.2 Pulse Connect Secure Settings .............................................................................. 32
6.2.1 Authentication Servers................................................................................... 32
6.3 IDENTIKEY Authentication Server Settings ............................................................. 34
6.3.1 MDC Configuration ........................................................................................ 34
6.3.2 Policies ........................................................................................................ 35
6.3.3 DIGIPASS .................................................................................................... 36
6.3.4 User ............................................................................................................ 38
6.4 Testing the Solution............................................................................................. 39
Reference guide
ID Title Author Publisher Date ISBN
1 Overview
This whitepaper describes how to configure Pulse Connect Secure together with VASCO
IDENTIKEY Authentication Server. This setup secures the sign-in to the SSL VPN with
two-factor authentication.
2 Technical Concepts
2.1 Pulse Secure
2.1.1 Pulse Connect Secure
Pulse Connect Secure provides remote access to the company’s intranet through an SSL VPN
solution that is easy to use yet still flexible. The solution is available as a hardware appliance
or a virtual appliance.
2.2 VASCO
2.2.1 IDENTIKEY Authentication Server or IDENTIKEY Appliance
IDENTIKEY Authentication Server is an off-the-shelf centralized server that provides two-factor
authentication with DIGIPASS devices. It offers complete functionality and management features
without the need for significant budgetary or personnel investments.
IDENTIKEY Appliance is a standalone authentication appliance that offers the features of
IDENTIKEY Authentication Server and is ready to deploy right away.
The use and configuration of an IDENTIKEY Authentication Server and an IDENTIKEY
Appliance is similar.
3 Installation
3.1 Pulse Connect Secure
Follow the installation steps on the console of the Pulse Connect Secure appliance.
Start the installation.
Configure the network settings.
Create an admin user.
Finalize the configuration with certificate information and a random string.
3.2 IDENTIKEY Appliance
Open the console of the IDENTIKEY appliance. Log on with ‘rescue’ for the basic configuration.
Choose n for network configuration.
Configure the IP address of the appliance by typing i.
Configure the gateway of the appliance by typing g.
Navigate to the appliance’s IP address using https, and open the configuration wizard by logging
on with the default credentials ‘sysadmin’ – ‘sysadmin’.
Follow the configuration wizard, and configure the sysadmin password, network settings and
certificate information.
Configure the license for the appliance. You can request a temporary license from the Vasco
Customer Portal http://cp.vasco.com.
Finish the wizard with the IDENTIKEY configuration and an administrator user.
4 Setup without IDENTIKEY
Before adding two-factor authentication to the sign-in, it is important to validate a standard
configuration without a connection to IDENTIKEY Authentication Server. A standard
authentication setup in Pulse Connect Secure will be configured, based on users that are added
locally.
4.1 Architecture
4.2 Pulse Connect Secure Settings
Navigate to the administration interface of Pulse Connect Secure. This is hosted on
https://[server IP address]/admin.
4.2.1 Authentication Servers
An authentication server in Pulse Connect Secure configures a system that can handle the
authentication for the SSL VPN sign-in.
In order to authenticate using local users on Pulse Connect Secure, we will use the authentication
server called ‘System Local’ that is configured by default.
Navigate to Authentication > Auth Servers > System Local
Create a local user in the System Local authentication server, to test the authentication. Open tab
Users and click on New.
- Username: userlocal
- Full Name: Local Test User
- Password: Test1234
Click on Save Changes.
4.2.2 User Realms
A User Realm is the central configuration for the SSL VPN sign-in, specifying exactly how it
is handled. The authentication server to be used is selected in the user realm.
Navigate to the default user realm ‘Users’, which specifies the authentication based on System
Local.
Users > User Realms > Users
4.2.3 User Roles
User roles are managed in Pulse Connect Secure to specify what a user is allowed to do in the
SSL VPN.
A default role ‘Users’ already exists with the usual permissions for regular users. Any role
can be configured specifically to the needs of the environment, regardless of the
authentication configuration.
Roles will be assigned to users based on the configured Role Mapping inside the user realm.
For the user realm Users, a default role mapping has been defined that assigns the Users role to
all users for the realm.
Navigate to the tab ‘Role Mapping’ of the user realm.
4.2.4 Sign-in
A sign-in policy will link the sign-in URL to the user realm that will be used to authenticate users.
The default sign-in policy links the root URL to the Users user realm.
Navigate to Authentication > Sign-in Policies > */
4.3 Testing the Solution
Browse to the SSL VPN Web portal, hosted on the root URL of the Pulse Connect Secure IP
address over https.
Authenticate with the test user userlocal and password Test1234. Check that you are redirected to
the Pulse Connect Secure main user interface.
5 Solution
When the basic setup is completed successfully, the solution is ready to be integrated with
IDENTIKEY. This will secure the SSL VPN with two-factor authentication. The users and DIGIPASS
will be managed in IDENTIKEY, and the authentication will use the RADIUS protocol.
5.1 Architecture
5.2 Pulse Connect Secure Settings
Navigate to the administration interface of Pulse Connect Secure. This is hosted on
https://[server IP address]/admin.
5.2.1 Authentication Servers
To connect to IDENTIKEY, a new Authentication Server should be defined in Pulse Connect
Secure. This will configure the RADIUS connection.
Navigate to Authentication > Auth Servers
Select Radius Server in the dropdown box and click New Server
- Name: Identikey
- Radius Server: IP of the IDENTIKEY server
- Shared Secret: Choose a shared secret to secure the Radius connection
- Enable ‘Users authenticate using tokens or one-time passwords’
Click on Save Changes at the bottom of the page.
5.2.2 User Realms
Now we have to specify a new user realm where we will link the new Authentication Server.
Navigate to Users > User Realms > New
- Name: Identikey
- Authentication: Identikey
Click on Save Changes at the bottom of the page.
Configure the Role Mapping for this user realm. For the setup, we will use a simple configuration
to assign the ‘Users’ role to all users.
Navigate to the tab ‘Role Mapping’ of the user realm, and choose New Rule.
- Name: All Users
- If username is: *
- Add role Users
Click on Save Changes at the bottom of the page.
5.2.3 Sign-in
The new user realm will have to be linked to the existing sign-in page. We will set this up in the
Sign-in Policy.
Navigate to Authentication > Sign-in Policies > */
Enable the Identikey realm. Select Users and click Remove. Select Identikey and click Add.
It is possible to select multiple user realms. This will provide a list of the available realms
on the sign-in page.
5.3 IDENTIKEY Authentication Server Settings
The incoming RADIUS connection needs to be configured in IDENTIKEY. Together with it, the
required authentication process also needs to be set up.
5.3.1 Policies
In the Policy, the behavior of the authentication is defined. There are different specific settings
possible, which need to be set according to the requirements of the environment. For the test
setup, only local authentication on IDENTIKEY will be performed, without any additional settings.
Navigate to the IDENTIKEY Web Administration. It is available on https://[IP of
IDENTIKEY]/webadmin. Log on with the administrator account.
Navigate to Policies > Create.
- Policy ID: Pulse Secure Integration
- Inherits From: Identikey Local Authentication
Click on Create.
If needed, specific settings can be modified in the policy details. However, in this setup, the
default settings inherited from Identikey Local Authentication will be fine.
5.3.2 Client
A client specifies which applications are allowed to connect to IDENTIKEY through which protocol.
For the setup, a client will be registered to allow incoming RADIUS requests from Pulse Connect
Secure.
Navigate to Clients > Register.
- Client Type: RADIUS Client
- Location: The IP address of the Pulse Connect Secure server
- Policy ID: Pulse Secure Integration
- Protocol ID: RADIUS
- Shared Secret: The shared secret that you chose when configuring the Authentication
  Server in Pulse Connect Secure. This secret has to be the same on both sides of the
  connection.
- Confirm Shared Secret: repeat the shared secret
Click on Create.
5.3.3 User
A user has to be configured to test the authentication.
Navigate to Users > Create.
- User ID: user1
- Domain: master
Click on Create.
5.3.4 DIGIPASS
The DIGIPASS record is what verifies the one-time password that the user submits during
authentication. Each DIGIPASS is unique and identified by its serial number. It is assigned to
the user account, so that the correct link is established between the user ID and the DIGIPASS.
To be able to use a DIGIPASS, its record must first be imported into IDENTIKEY. For testing
purposes, demo DIGIPASS licenses can be used. The import is done with the wizard
DIGIPASS > Import.
For assigning the DIGIPASS to user1, navigate to the user account. Select the tab Assigned
DIGIPASS.
Click Assign and follow the wizard.
Select ‘Search now to select DIGIPASS to assign’ to select the required DIGIPASS in the next
step. Click Next.
Select the correct DIGIPASS and click Next.
Select a grace period of 0 days, and click Assign.
The DIGIPASS is now assigned to the user and ready for use. Click on Finish.
5.4 Testing the Solution
Browse to the SSL VPN Web portal, available on https://[IP of Pulse Connect Secure]/.
- Username: user1
- Password: OTP generated by the DIGIPASS assigned to user1
Click on Sign In.
In case of success, you will be redirected to the SSL VPN homepage.
6 Solution with Virtual DIGIPASS
The solution is now secured with one-time passwords generated by a DIGIPASS. In another
setup, Pulse Connect Secure can also handle authentication with a virtual DIGIPASS. The virtual
DIGIPASS generates OTPs on the server, and these are delivered to the user through email, SMS
or phone calls.
The SSL VPN sign-in will now consist of two steps. The first step is to request the OTP from the
server, and the second step is to submit the OTP for authentication.
An SMS gateway has to be configured to send the virtual OTP over SMS.
6.1 Architecture
6.2 Pulse Connect Secure Settings
6.2.1 Authentication Servers
In order to authenticate using a virtual DIGIPASS, we have to modify the settings of the
Authentication Server in Pulse Connect Secure.
An extra authentication rule specifies that a second step is added to the authentication when
the RADIUS server signals that a virtual OTP has been generated.
Navigate to Authentication > Authentication Servers > Identikey
Click ‘New Radius Rule’ in the edit screen of the authentication server.
- Name: Virtual Digipass
- Response Packet Type: Access Challenge
- Attribute criteria: Reply-Message matches the expression Enter One-Time Password
- Show Next Token page
Click Add next to the attribute criteria.
Click on Save Changes at the bottom of the page.
When a virtual OTP is requested from IDENTIKEY through RADIUS, it will send a special
value in the RADIUS Reply-Message attribute. This value is exactly equal to ‘Enter One-
Time Password’.
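The RADIUS exchange behind sections 5.2.1, 5.3.2 and 6.2.1, as an added example that is not part of this guide and is not VASCO or Pulse Secure code: a minimal RFC 2865 codec in Python with both sides of the conversation simulated in memory. The Pulse Connect Secure side hides the User-Password under the shared secret and verifies the Response Authenticator of every reply; the IDENTIKEY stand-in applies the policy ‘Request Method: Password’ and answers a correct static password with an Access-Challenge whose Reply-Message is exactly ‘Enter One-Time Password’, and the Pulse-side rule decides whether the Next Token page is shown. The user record, static password, OTP value and shared secret are constructed test values, and all function names are this example’s own. It also shows what a shared-secret mismatch between the two sides looks like, which the guide warns about in 5.3.2.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
# The exact Reply-Message the guide says IDENTIKEY sends when a virtual OTP was generated
VIRTUAL_OTP_PROMPT = b"Enter One-Time Password"
# Constructed stand-in for the IDENTIKEY user store (test values, not real credentials)
USERS = {b"user1": {"static": b"St4ticPw!", "otp": b"482913"}}


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous hidden block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; the chain value is the previous hidden block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode(code, ident, authenticator, attrs):
    """Header (code, id, length), 16-byte authenticator, then type-length-value attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def decode(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    rest, attrs = packet[20:length], {}
    while len(rest) >= 2 and rest[1] >= 2:  # stop on a malformed attribute length
        attrs[rest[0]] = rest[2:rest[1]]
        rest = rest[rest[1]:]
    return code, ident, packet[4:20], attrs

def sign_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    unsigned = encode(code, ident, request_auth, attrs)
    return unsigned[:4] + hashlib.md5(unsigned + secret).digest() + unsigned[20:]

def verify_response(reply, request_auth, secret):
    """Client-side proof that the reply came from a peer holding the same shared secret."""
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def identikey_handle(packet, secret, pending):
    """Stand-in for the IDENTIKEY RADIUS server under the policy 'Request Method: Password'."""
    _code, ident, req_auth, attrs = decode(packet)
    user = USERS.get(attrs.get(USER_NAME, b""))
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    if user and attrs.get(STATE) in pending and password == user["otp"]:
        pending.discard(attrs[STATE])  # second step: the delivered OTP matches
        return sign_response(ACCESS_ACCEPT, ident, req_auth, [], secret)
    if user and STATE not in attrs and password == user["static"]:
        # First step: static password OK; the MDC delivers the OTP out of band and the
        # State attribute ties the second request to this challenge.
        state = os.urandom(8)
        pending.add(state)
        return sign_response(ACCESS_CHALLENGE, ident, req_auth,
                             [(REPLY_MESSAGE, VIRTUAL_OTP_PROMPT), (STATE, state)], secret)
    return sign_response(ACCESS_REJECT, ident, req_auth, [], secret)

def pulse_request(ident, username, password, secret, state=None):
    """Pulse Connect Secure side: Access-Request with User-Password hidden under the shared secret."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, username), (USER_PASSWORD, hide_password(password, secret, req_auth))]
    if state is not None:
        attrs.append((STATE, state))  # echo the server's State in the second step
    return encode(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def pulse_radius_rule(code, attrs):
    """The 'Virtual Digipass' rule of 6.2.1: Access-Challenge + matching Reply-Message = Next Token page."""
    if code == ACCESS_CHALLENGE and attrs.get(REPLY_MESSAGE) == VIRTUAL_OTP_PROMPT:
        return "next_token_page"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "unexpected")

def sign_in(client_secret, server_secret, username=b"user1", static=b"St4ticPw!", otp=b"482913"):
    """Run the two-step sign-in and return the outcome of each step as Pulse sees it."""
    pending, outcomes, state = set(), [], None
    for ident, credential in ((1, static), (2, otp)):
        packet, req_auth = pulse_request(ident, username, credential, client_secret, state)
        reply = identikey_handle(packet, server_secret, pending)
        if not verify_response(reply, req_auth, client_secret):
            outcomes.append("authenticator_mismatch")  # shared secrets differ between the sides
            break
        code, _, _, attrs = decode(reply)
        outcomes.append(pulse_radius_rule(code, attrs))
        if outcomes[-1] != "next_token_page":
            break
        state = attrs[STATE]
    return outcomes
```

sign_in(b"s3cret", b"s3cret") walks both steps and returns ['next_token_page', 'accept']; calling it with two different secrets returns ['authenticator_mismatch'], because the server cannot recover the password and the reply it signs with its own secret does not verify on the Pulse side. That is a different failure from a plain Access-Reject for a wrong password, and it is the first thing to check when a freshly configured RADIUS client and server disagree.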
6.3 IDENTIKEY Authentication Server Settings
6.3.1 MDC Configuration
Navigate to the IDENTIKEY Appliance configuration, on https://[IP of IDENTIKEY]/application.
For an IDENTIKEY Authentication Server installation, the MDC configuration is in a
separate tool. The software is located at VASCO > IDENTIKEY Server > Virtual DIGIPASS
MDC Configuration.
Log on with a system administrator account.
Navigate to Authentication Server > Message Delivery Component
Enable the Message Delivery Component. Then configure an SMS gateway with its specific
connection details. Enable that gateway and click Save.
6.3.2 Policies
To test the virtual DIGIPASS, the setup has to be completed to allow for this scenario.
The policy defines how the virtual OTP is requested.
Open the IDENTIKEY web administration.
Navigate to Policies and open the policy Pulse Secure Integration.
Open the tab Virtual DIGIPASS.
All default values inherited from the IDENTIKEY Local Authentication policy are already correct for
the setup.
- Delivery Method: SMS
- MDC Profile: empty
- Request Method: Password
This means that the user requests an OTP from the server by providing the static password.
Another option would be to request an OTP with a specific keyword.
6.3.3 DIGIPASS
A virtual DIGIPASS serial number needs to be assigned to the user.
The specific DIGIPASS records should be imported by using the wizard DIGIPASS > Import.
Navigate to the user account and open the tab Assigned DIGIPASS.
Click on Assign and follow the wizard.
Choose a DIGIPASS type that is a virtual DIGIPASS, in this case DPVTL. Let IDENTIKEY
automatically select an available virtual DIGIPASS.
Click on Assign, and on Finish on the next page. A virtual DIGIPASS is now assigned to the user,
and ready to be used.
6.3.4 User
A password has to be set for the user, to request a virtual OTP. The mobile phone number also
has to be added, so the virtual OTP will be sent to that number.
Navigate to Users and select the user1 account.
Click on Set Password and choose a static password for the user.
Type the password and repeat it for confirmation. Click on Save.
In the user account, click on Edit to enter the mobile phone number.
Enter the number in the field ‘Mobile’ and click on Save.
6.4 Testing the Solution
Browse to the SSL VPN Web portal, available on https://[IP of Pulse Connect Secure]/.
- Username: user1
- Password: the static password defined for user1
Click Sign In.
An additional page is shown where the received virtual OTP can be entered.
Normally, an SMS message should be delivered to the mobile phone number configured for user1.
The message contains the generated virtual OTP.
Enter the OTP on the page and click on Enter.
In case of success, you will be redirected to the SSL VPN homepage.

More Related Content

PPTX
Chronic myeloid leukemia
DOC
Patricia M Lamb Resume
PDF
Comment ça marche: OpenID Connect fournisseur d’identité universel de Google ...
PDF
Revisão das principais deficiências de micronutrientes
PDF
1er boletín chamampi 2016
PDF
User Experience Testing
PPTX
Medios de comunicación
 
PDF
Food security in india of class 9
Chronic myeloid leukemia
Patricia M Lamb Resume
Comment ça marche: OpenID Connect fournisseur d’identité universel de Google ...
Revisão das principais deficiências de micronutrientes
1er boletín chamampi 2016
User Experience Testing
Medios de comunicación
 
Food security in india of class 9

Similar to Whitepaper: Digipass Authentication for Pulse Connect Secure (20)

PDF
Secure your Business
DOCX
Case StudyAutomotive - SSLVPN case study DIGIPASS BY VA
PDF
PDF
MYDIGIPASS.COM leaflet
PDF
Kappa data fun in the sun lux 21022013
PDF
Vasco Investor Presentation
PPTX
Feb 18-2015 vasco investor presentation
PPTX
MYDIGIPASS.COM
PDF
VASCO Investor Presentation - July 29, 2015
PDF
Flyer Letter Gen Vasco
PPTX
Apr 28-2015 vasco investor presentation
PDF
September 2015 vasco investor presention final
PDF
Sonicwall wireless & sra
PPTX
October 2015 Vasco investor presention
PDF
Sms passcode
PDF
Smart Cards & Devices Forum 2012 - Securing Cloud Computing
PDF
Secure Mobility from GGR Communications
PPTX
Windows server 2012 security Webinar
PDF
SafeNet - Data Protection Company
PDF
We Authenticate the World
Secure your Business
Case StudyAutomotive - SSLVPN case study DIGIPASS BY VA
MYDIGIPASS.COM leaflet
Kappa data fun in the sun lux 21022013
Vasco Investor Presentation
Feb 18-2015 vasco investor presentation
MYDIGIPASS.COM
VASCO Investor Presentation - July 29, 2015
Flyer Letter Gen Vasco
Apr 28-2015 vasco investor presentation
September 2015 vasco investor presention final
Sonicwall wireless & sra
October 2015 Vasco investor presention
Sms passcode
Smart Cards & Devices Forum 2012 - Securing Cloud Computing
Secure Mobility from GGR Communications
Windows server 2012 security Webinar
SafeNet - Data Protection Company
We Authenticate the World
Ad

More from Kappa Data (20)

PDF
Focus op netwerken en netwerksecurity betaalt zich uit.
PDF
Kappa Data Kappaloog, editie Nederland - November 2016
PDF
Kappa Data Kappaloog België (in het Nederlands) - November 2016
PDF
Press release kappa data signs distribution agreement with vasco pl
PDF
Kemp Technologies rises on Gartner's Magical Quadrant for ADC
PDF
Barracuda NG Firewalls - high availability
PDF
New Barracuda firewall platform
PDF
Case study vandeputte group def
PDF
Case study vandeputte group def
PDF
Barracuda integration with aerohive
PDF
Aerohive and Barracuda Whitepaper
PPTX
Juniper round table switching and product overview
PDF
Kappa Data Trainings Q2
PDF
Kappa Data Roadshow 2015 - April 8th at Rijswijk, NL
PDF
Roadshow 2015 - Agenda
PPTX
Kappa data wins channel award 2015 best belgian distri
PDF
Aerohive promotions
PDF
Pictures new building
PDF
Case study sofico/juniper
PDF
Shellshock
Focus op netwerken en netwerksecurity betaalt zich uit.
Kappa Data Kappaloog, editie Nederland - November 2016
Kappa Data Kappaloog België (in het Nederlands) - November 2016
Press release kappa data signs distribution agreement with vasco pl
Kemp Technologies rises on Gartner's Magical Quadrant for ADC
Barracuda NG Firewalls - high availability
New Barracuda firewall platform
Case study vandeputte group def
Case study vandeputte group def
Barracuda integration with aerohive
Aerohive and Barracuda Whitepaper
Juniper round table switching and product overview
Kappa Data Trainings Q2
Kappa Data Roadshow 2015 - April 8th at Rijswijk, NL
Roadshow 2015 - Agenda
Kappa data wins channel award 2015 best belgian distri
Aerohive promotions
Pictures new building
Case study sofico/juniper
Shellshock
Ad

Recently uploaded (20)

PDF
Chapter 1 - Introduction to management.pdf
PPTX
_From Idea to Revenue How First-Time Founders Are Monetizing Faster in 2025.pptx
PDF
initiate-entrepreneurship-in-healthcare-service-management-in-sierra-leone.pdf
PPTX
Peerless Plumbing Company-Fort Worth.pptx
PDF
Driving Innovation & Growth, Scalable Startup IT Services That Deliver Result...
PDF
Meme Coin Empire- Launch, Scale & Earn $500K-Month_3.pdf
PDF
Chapter 3 - Business environment - Final.pdf
PDF
Why Has Vertical Farming Recently Become More Economical.pdf
PDF
AI Cloud Sprawl Is Real—Here’s How CXOs Can Regain Control Before It Costs Mi...
PPTX
Daily stand up meeting on the various business
PPTX
ELS-07 Lifeskills ToT PPt-Adama (ABE).pptx
PPTX
The Evolution of Search- Behaviour.pptx
PDF
Pollitrace pitch deck- Ai powered multiple species
PDF
Budora Case Study: Building Trust in Canada’s Online Cannabis Market
PPT
Chap8. Product & Service Strategy and branding
PPTX
Process-and-Ethics-in-Research-1.potatoi
PPT
chap9.New Product Development product lifecycle.ppt
PPTX
TimeBee vs. Toggl: Which Time Tracking Tool is Best for You?
PPTX
ENTREPRENEURSHIP..PPT.pptx..1234567891011
PDF
Decision trees for high uncertainty decisions
Chapter 1 - Introduction to management.pdf
_From Idea to Revenue How First-Time Founders Are Monetizing Faster in 2025.pptx
initiate-entrepreneurship-in-healthcare-service-management-in-sierra-leone.pdf
Peerless Plumbing Company-Fort Worth.pptx
Driving Innovation & Growth, Scalable Startup IT Services That Deliver Result...
Meme Coin Empire- Launch, Scale & Earn $500K-Month_3.pdf
Chapter 3 - Business environment - Final.pdf
Why Has Vertical Farming Recently Become More Economical.pdf
AI Cloud Sprawl Is Real—Here’s How CXOs Can Regain Control Before It Costs Mi...
Daily stand up meeting on the various business
ELS-07 Lifeskills ToT PPt-Adama (ABE).pptx
The Evolution of Search- Behaviour.pptx
Pollitrace pitch deck- Ai powered multiple species
Budora Case Study: Building Trust in Canada’s Online Cannabis Market
Chap8. Product & Service Strategy and branding
Process-and-Ethics-in-Research-1.potatoi
chap9.New Product Development product lifecycle.ppt
TimeBee vs. Toggl: Which Time Tracking Tool is Best for You?
ENTREPRENEURSHIP..PPT.pptx..1234567891011
Decision trees for high uncertainty decisions

Whitepaper: Digipass Authentication for Pulse Connect Secure

  • 1. DIGIPASS Authentication for Pulse Connect Secure INTEGRATION GUIDE
  • 2. 1 DIGIPASS Authentication for Pulse Connect Secure DIGIPASS Authentication for Pulse Connect Secure Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document is provided 'as is'; VASCO Data Security assumes no responsibility for its accuracy and/or completeness. In no event will VASCO Data Security be liable for damages arising directly or indirectly from any use of the information contained in this document. Copyright Copyright © 2010 VASCO Data Security, Inc, VASCO Data Security International GmbH. All rights reserved. VASCO® , Vacman® , IDENTIKEY® , aXsGUARD™™, DIGIPASS® and ® logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. VASCO Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Products, updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, database rights and all other intellectual and industrial property rights in the U.S. and other countries. Microsoft and Windows are trademarks or registered trademarks of Microsoft Corporation. Other names may be trademarks of their respective owners.
2 Technical Concepts
  2.1 Pulse Secure
    2.1.1 Pulse Connect Secure
  2.2 VASCO
    2.2.1 IDENTIKEY Authentication Server or IDENTIKEY Appliance
3 Installation
  3.1 Pulse Connect Secure
  3.2 IDENTIKEY Appliance
4 Setup without IDENTIKEY
  4.1 Architecture
  4.2 Pulse Connect Secure Settings
    4.2.1 Authentication Servers
    4.2.2 User Realms
    4.2.3 User Roles
    4.2.4 Sign-in
  4.3 Testing the Solution
5 Solution
  5.1 Architecture
  5.2 Pulse Connect Secure Settings
    5.2.1 Authentication Servers
    5.2.2 User Realms
    5.2.3 Sign-in
  5.3 IDENTIKEY Authentication Server Settings
    5.3.1 Policies
    5.3.2 Client
    5.3.3 User
    5.3.4 DIGIPASS
  5.4 Testing the Solution
6 Solution with Virtual DIGIPASS
  6.1 Architecture
  6.2 Pulse Connect Secure Settings
    6.2.1 Authentication Servers
  6.3 IDENTIKEY Authentication Server Settings
    6.3.1 MDC Configuration
    6.3.2 Policies
    6.3.3 DIGIPASS
    6.3.4 User
  6.4 Testing the Solution
1 Overview

This guide describes how to configure Pulse Connect Secure together with VASCO IDENTIKEY Authentication Server. The resulting setup secures the SSL VPN sign-in with two-factor authentication: the user's one-time password is generated by a DIGIPASS and validated by IDENTIKEY, which Pulse Connect Secure reaches over RADIUS.
2 Technical Concepts

2.1 Pulse Secure

2.1.1 Pulse Connect Secure

Pulse Connect Secure provides remote access to the company intranet through an SSL VPN that is easy to use yet flexible. It is available as a hardware appliance or as a virtual appliance.

2.2 VASCO

2.2.1 IDENTIKEY Authentication Server or IDENTIKEY Appliance

IDENTIKEY Authentication Server is an off-the-shelf centralized server that provides two-factor authentication with DIGIPASS devices. It offers complete functionality and management features without significant budgetary or personnel investments. IDENTIKEY Appliance is a standalone authentication appliance with the features of IDENTIKEY Authentication Server, ready to be deployed right away. IDENTIKEY Authentication Server and IDENTIKEY Appliance are used and configured in a similar way.
3 Installation

3.1 Pulse Connect Secure

Follow the installation steps on the console of the Pulse Connect Secure appliance:

- Start the installation.
- Configure the network settings.
- Create an admin user.
- Finalize the configuration with the certificate information and a random string.

3.2 IDENTIKEY Appliance

Open the console of the IDENTIKEY Appliance and log on as 'rescue' for the basic configuration. Choose n for network configuration.
Configure the IP address of the appliance by typing i, and the gateway of the appliance by typing g.

Browse to the appliance's IP address over https and open the configuration wizard by logging on with the default credentials 'sysadmin' / 'sysadmin'. The wizard replaces this password in its first steps; do not leave the appliance reachable on the network with the default credentials still in place.

Follow the configuration wizard and configure the sysadmin password, the network settings and the certificate information.
Configure the license for the appliance. A temporary license can be requested from the VASCO Customer Portal, http://cp.vasco.com.

Finish the wizard with the IDENTIKEY configuration and an administrator user.
4 Setup without IDENTIKEY

Before adding two-factor authentication to the sign-in, validate a standard configuration that does not yet involve IDENTIKEY Authentication Server. This baseline uses the authentication that Pulse Connect Secure provides on its own, with users added locally, so that any problem found later can be attributed to the IDENTIKEY integration rather than to the VPN setup itself.

4.1 Architecture

4.2 Pulse Connect Secure Settings

Navigate to the administration interface of Pulse Connect Secure, hosted on https://[server IP address]/admin.

4.2.1 Authentication Servers

An authentication server in Pulse Connect Secure defines a system that handles the authentication for the SSL VPN sign-in. To authenticate against local users on Pulse Connect Secure, use the authentication server 'System Local', which is configured by default.

Navigate to Authentication > Auth Servers > System Local.
Create a local user in the System Local authentication server to test the authentication. Open the Users tab and click New.

- Username: userlocal
- Full Name: Local Test User
- Password: Test1234

Click Save Changes.

4.2.2 User Realms

A user realm is the central configuration for the SSL VPN sign-in and specifies exactly how the sign-in is handled. The authentication server to use is selected in the user realm. Navigate to the default user realm 'Users', which authenticates against System Local:

Users > User Realms > Users
4.2.3 User Roles

User roles in Pulse Connect Secure specify what a user is allowed to do in the SSL VPN. A default role 'Users' already exists with the usual permissions for regular users. Any role can be configured to the needs of the environment, independently of the authentication configuration.

Roles are assigned to users according to the Role Mapping configured inside the user realm. For the user realm Users, a default role mapping assigns the Users role to all users of the realm. Navigate to the 'Role Mapping' tab of the user realm.
4.2.4 Sign-in

A sign-in policy links a sign-in URL to the user realm used to authenticate the users who arrive there. The default sign-in policy links the root URL to the Users user realm. Navigate to Authentication > Sign-in Policies > */
4.3 Testing the Solution

Browse to the SSL VPN web portal, hosted on the root URL of the Pulse Connect Secure IP address over https. Authenticate with the test user userlocal and password Test1234, and check that you are redirected to the Pulse Connect Secure main user interface.
5 Solution

When the basic setup is working, the solution is ready to be integrated with IDENTIKEY, which secures the SSL VPN with two-factor authentication. Users and DIGIPASS are managed in IDENTIKEY, and Pulse Connect Secure forwards each authentication to IDENTIKEY over RADIUS.

5.1 Architecture

5.2 Pulse Connect Secure Settings

Navigate to the administration interface of Pulse Connect Secure, hosted on https://[server IP address]/admin.

5.2.1 Authentication Servers

To connect to IDENTIKEY, define a new authentication server in Pulse Connect Secure; this holds the RADIUS connection settings. Navigate to Authentication > Auth Servers, select Radius Server in the dropdown box and click New Server.
- Name: Identikey
- Radius Server: IP address of the IDENTIKEY server
- Shared Secret: choose a shared secret for the RADIUS connection. Pick a long, random value: the shared secret is the only key that protects the RADIUS exchange between the two systems, and the same value has to be entered on the IDENTIKEY side (section 5.3.2).
- Enable 'Users authenticate using tokens or one-time passwords'

Click Save Changes at the bottom of the page.

5.2.2 User Realms

Create a new user realm that links to the new authentication server. Navigate to Users > User Realms > New.
- Name: Identikey
- Authentication: Identikey

Click Save Changes at the bottom of the page.

Configure the Role Mapping for this user realm. For this setup, a simple rule assigns the 'Users' role to all users. Navigate to the 'Role Mapping' tab of the user realm and choose New Rule.

- Name: All Users
- If username is: *
- Add role: Users

Click Save Changes at the bottom of the page.

5.2.3 Sign-in

The new user realm has to be linked to the existing sign-in page; this is done in the sign-in policy. Navigate to Authentication > Sign-in Policies > */
Enable the Identikey realm: select Users and click Remove, then select Identikey and click Add. It is possible to select multiple user realms, in which case the sign-in page shows a list of the available realms for the user to choose from. Remove the Users realm rather than leaving both selectable: a realm that authenticates against System Local on the same sign-in URL lets a user sign in without a DIGIPASS simply by choosing it.

5.3 IDENTIKEY Authentication Server Settings

The incoming RADIUS connection needs to be configured in IDENTIKEY, together with the authentication process it should use.

5.3.1 Policies

A policy defines the behaviour of the authentication. Many specific settings are possible and need to be set according to the requirements of the environment. For the test setup, only local authentication on IDENTIKEY is performed, without any additional settings.

Navigate to the IDENTIKEY Web Administration, available on https://[IP of IDENTIKEY]/webadmin, and log on with the administrator account.
Navigate to Policies > Create.

- Policy ID: Pulse Secure Integration
- Inherits From: Identikey Local Authentication

Click Create. If needed, specific settings can be modified in the policy details; in this setup the defaults inherited from Identikey Local Authentication are sufficient.

5.3.2 Client

A client specifies which applications are allowed to connect to IDENTIKEY, and over which protocol. For this setup, a client is registered that allows incoming RADIUS requests from Pulse Connect Secure.
Navigate to Clients > Register.

- Client Type: RADIUS Client
- Location: the IP address of the Pulse Connect Secure server
- Policy ID: Pulse Secure Integration
- Protocol ID: RADIUS
- Shared Secret: the shared secret chosen when configuring the authentication server in Pulse Connect Secure. It has to be identical on both sides of the connection.
- Confirm Shared Secret: repeat the shared secret

Click Create. The Location restricts which source address may use this shared secret, so a RADIUS request arriving from any other address is not matched to this client record.

5.3.3 User

A user has to be configured to test the authentication. Navigate to Users > Create.
- User ID: user1
- Domain: master

Click Create.

5.3.4 DIGIPASS

The DIGIPASS record is what verifies the one-time password that the user submits during authentication. Each DIGIPASS is unique and identified by its serial number; it is assigned to the user account so that the correct link exists between the user ID and the DIGIPASS.

To use a DIGIPASS, its record has to be imported into IDENTIKEY; for testing purposes, demo DIGIPASS licenses can be used. The import is done with the wizard under DIGIPASS > Import.

To assign a DIGIPASS to user1, navigate to the user account and select the Assigned DIGIPASS tab.
Click Assign and follow the wizard. Select 'Search now to select DIGIPASS to assign' to pick the required DIGIPASS in the next step, and click Next.

Select the correct DIGIPASS and click Next. Select a grace period of 0 days and click Assign, so that the DIGIPASS is required from the very first sign-in rather than the static password still being accepted for a number of days. The DIGIPASS is now assigned to the user and ready for use. Click Finish.

5.4 Testing the Solution

Browse to the SSL VPN web portal, available on https://[IP of Pulse Connect Secure]/.
- Username: user1
- Password: the OTP generated by the DIGIPASS assigned to user1

Click Sign In. On success, you are redirected to the SSL VPN homepage.
6 Solution with Virtual DIGIPASS

The solution is now secured with one-time passwords generated by a DIGIPASS device. Pulse Connect Secure can also handle authentication with a Virtual DIGIPASS. A Virtual DIGIPASS generates the OTP on the server and delivers it to the user by e-mail, SMS or phone call. The SSL VPN sign-in then consists of two steps: the first step requests the OTP from the server, the second step submits the OTP for authentication. An SMS gateway has to be configured for the virtual OTP to be sent over SMS.

6.1 Architecture

6.2 Pulse Connect Secure Settings

6.2.1 Authentication Servers

To authenticate with a Virtual DIGIPASS, the settings of the authentication server in Pulse Connect Secure have to be modified. An extra RADIUS rule specifies that a second step is added to the authentication when the RADIUS server signals that a virtual OTP has been generated.

Navigate to Authentication > Authentication Servers > Identikey.
Click 'New Radius Rule' in the edit screen of the authentication server.

- Name: Virtual Digipass
- Response Packet Type: Access Challenge
- Attribute criteria: Reply-Message matches the expression Enter One-Time Password
- Show Next Token page

Click Add next to the attribute criteria, then click Save Changes at the bottom of the page.

When a virtual OTP is requested from IDENTIKEY through RADIUS, IDENTIKEY answers with an Access-Challenge packet that carries a special value in the RADIUS Reply-Message attribute. This value is exactly equal to 'Enter One-Time Password', and it is what the rule above matches on to show the Next Token page instead of treating the challenge as a failed sign-in.
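The RADIUS traffic that sections 5.2.1 and 5.3.2 (shared secret, client record) and 6.2.1 (the Access-Challenge rule) configure through the two web interfaces, as an added worked example that is not part of the original guide and is neither Pulse Secure nor VASCO code. It builds and parses RFC 2865 packets in Python, hides the User-Password with the shared secret the way a RADIUS client must, verifies the Response Authenticator on the reply, and mirrors the Pulse Connect Secure rule that turns an Access-Challenge with Reply-Message 'Enter One-Time Password' into the Next Token page. Everything about the server side is a constructed stand-in (ToyAuthServer): the expected OTP values, the 6-digit virtual OTP that stands in for what the MDC would send by SMS, the State attribute used to tie the second step to the first, and the names pcs_request, pcs_classify_reply, exchange and demo are assumptions made for this example, not IDENTIKEY's real behaviour or the DIGIPASS algorithm.

```python
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24  # RFC 2865 attribute types
VIRTUAL_OTP_PROMPT = "Enter One-Time Password"  # Reply-Message IDENTIKEY sends in its Access-Challenge (6.2.1)

def xor_password(data, secret, request_auth, hide):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous block); the secret is the only key."""
    if hide:
        data = data.ljust(max(16, (len(data) + 15) // 16 * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hide else data[i:i + 16])
    return out if hide else out.rstrip(b"\x00")

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4]) if len(pkt) >= 20 else (0, 0, 0)
    if not 20 <= length == len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, i = [], 20  # walk the attribute TLVs, bounds-checked so a truncated packet is rejected, not read past
    while i < length:
        if i + 2 > length or pkt[i + 1] < 2 or i + pkt[i + 1] > length:
            raise ValueError("malformed RADIUS attribute")
        attrs.append((pkt[i], pkt[i + 2:i + pkt[i + 1]]))
        i += pkt[i + 1]
    return code, ident, pkt[4:20], attrs

def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5 over the reply and the shared secret, so only a holder of the secret can produce it."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body + secret).digest()

def pcs_request(ident, username, password, secret, state=None):
    """The Access-Request Pulse Connect Secure sends; state is echoed back on the Next Token step."""
    req_auth = secrets.token_bytes(16)
    attrs = [(USER_NAME, username.encode()), (USER_PASSWORD, xor_password(password.encode(), secret, req_auth, True))]
    if state is not None:
        attrs.append((STATE, state))
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def pcs_classify_reply(reply, ident, req_auth, secret):
    """Mirror of the PCS RADIUS rule in 6.2.1: Access-Challenge with the matching Reply-Message -> Next Token page."""
    code, rid, auth, attrs = parse_packet(reply)
    if rid != ident or not hmac.compare_digest(auth, response_authenticator(code, rid, req_auth, attrs, secret)):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or spoofed reply")
    a, msgs = dict(attrs), [v for t, v in attrs if t == REPLY_MESSAGE]
    if code == ACCESS_CHALLENGE and STATE in a and VIRTUAL_OTP_PROMPT.encode() in msgs:
        return "next-token", a[STATE]
    return ("accept" if code == ACCESS_ACCEPT else "reject"), None

class ToyAuthServer:
    """Constructed stand-in for the IDENTIKEY behaviour this guide relies on (not VASCO code). users maps a name
    to {"otp": "<hardware DIGIPASS OTP>"} or to {"password": "<static>", "virtual": True}."""
    def __init__(self, secret, users):
        self.secret, self.users, self.pending = secret, users, {}

    def handle(self, pkt):
        code, ident, req_auth, attrs = parse_packet(pkt)
        a = dict(attrs)
        user = a.get(USER_NAME, b"").decode("utf-8", "replace")
        pw = xor_password(a.get(USER_PASSWORD, b""), self.secret, req_auth, False)
        eq = lambda s: hmac.compare_digest(s.encode(), pw)
        rec = self.users.get(user, {}) if code == ACCESS_REQUEST else {}
        reply, reply_attrs = ACCESS_REJECT, []
        if STATE in a:  # second step: the OTP typed on the Next Token page
            pend = self.pending.pop(a[STATE], None)  # each State value is single use
            if pend and pend[0] == user and eq(pend[1]):
                reply = ACCESS_ACCEPT
        elif rec.get("virtual") and eq(rec["password"]):
            otp, state = f"{secrets.randbelow(10 ** 6):06d}", secrets.token_bytes(8)  # constructed 6-digit virtual OTP
            self.pending[state] = (user, otp)  # the real server hands otp to the MDC for SMS delivery at this point
            reply, reply_attrs = ACCESS_CHALLENGE, [(REPLY_MESSAGE, VIRTUAL_OTP_PROMPT.encode()), (STATE, state)]
        elif rec.get("otp") and eq(rec["otp"]):
            rec["otp"] = None  # a used OTP must not be accepted a second time
            reply = ACCESS_ACCEPT
        return build_packet(reply, ident, response_authenticator(reply, ident, req_auth, reply_attrs, self.secret), reply_attrs)

def exchange(srv, ident, user, pw, secret, state=None):
    req, ra = pcs_request(ident, user, pw, secret, state)
    return pcs_classify_reply(srv.handle(req), ident, ra, secret)

def demo():
    secret = b"change-me-shared-secret"  # constructed; must be identical in PCS and in the IDENTIKEY client record
    srv = ToyAuthServer(secret, {"user1": {"otp": "472913"}, "user2": {"password": "Static1234", "virtual": True}})
    one_step = exchange(srv, 1, "user1", "472913", secret)[0]  # hardware DIGIPASS, section 5
    step, state = exchange(srv, 3, "user2", "Static1234", secret)  # Virtual DIGIPASS, section 6: static password first
    two_step = exchange(srv, 4, "user2", srv.pending[state][1], secret, state)[0]  # the OTP the SMS would carry
    return one_step, step, two_step
```

demo() returns ("accept", "next-token", "accept"). Two points of the guide become visible here. The shared secret does two jobs at once: it keys the User-Password hiding on the way out and the Response Authenticator on the way back, which is why a mismatch between the Pulse Connect Secure entry and the IDENTIKEY client record fails every sign-in, and why pcs_classify_reply raises rather than trusting a reply whose authenticator does not verify. And the rule in 6.2.1 only triggers on an Access-Challenge that carries the exact Reply-Message; any other challenge or reject is a failed sign-in. The MD5-based hiding of RFC 2865 is weak by current standards, so keep the RADIUS path between Pulse Connect Secure and IDENTIKEY on a trusted network segment and rely on the Location restriction of the client record rather than on the obfuscation.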
6.3 IDENTIKEY Authentication Server Settings

6.3.1 MDC Configuration

Navigate to the IDENTIKEY Appliance configuration on https://[IP of IDENTIKEY]/application and log on with a system administrator account. For an IDENTIKEY Authentication Server installation, the MDC configuration is in a separate tool, located at VASCO > IDENTIKEY Server > Virtual DIGIPASS MDC Configuration.

Navigate to Authentication Server > Message Delivery Component. Enable the Message Delivery Component, then configure an SMS gateway with its connection details. Enable that gateway and click Save.

6.3.2 Policies

To test the Virtual DIGIPASS, the setup has to be completed for this scenario: the policy defines how the virtual OTP is requested. Open the IDENTIKEY Web Administration.
Navigate to Policies and open the policy Pulse Secure Integration. Open the Virtual DIGIPASS tab. The default values inherited from the Identikey Local Authentication policy are already correct for this setup:

- Delivery Method: SMS
- MDC Profile: empty
- Request Method: Password

This means that the user requests an OTP from the server by providing the static password. Another option is to request an OTP with a specific keyword.

6.3.3 DIGIPASS

The user needs a Virtual DIGIPASS serial number assigned. The DIGIPASS records are imported with the wizard under DIGIPASS > Import. Navigate to the user account and open the Assigned DIGIPASS tab.
Click Assign and follow the wizard. Choose a DIGIPASS type that is a Virtual DIGIPASS, in this case DPVTL, and let IDENTIKEY automatically select an available Virtual DIGIPASS.

Click Assign, and Finish on the next page. A Virtual DIGIPASS is now assigned to the user and ready for use.

6.3.4 User

A static password has to be set for the user in order to request a virtual OTP, and the mobile phone number has to be added so that the virtual OTP is sent to that number. Navigate to Users and select the user1 account.
Click Set Password and choose a static password for the user. Type the password, repeat it for confirmation and click Save. In the user account, click Edit, enter the mobile phone number in the 'Mobile' field and click Save.

6.4 Testing the Solution

Browse to the SSL VPN web portal, available on https://[IP of Pulse Connect Secure]/.
- Username: user1
- Password: the static password defined for user1

Click Sign In. An additional page is shown where the received virtual OTP can be entered. An SMS message should now have been delivered to the mobile phone number configured for user1, containing the generated virtual OTP. Enter the OTP on the page and click Enter. On success, you are redirected to the SSL VPN homepage.