How to replace legacy TFA infrastructure with YubiRADIUS (v3)
Hai Nguyen
Replacing legacy two-factor authentication with YubiRADIUS for corporate remote access
How to Guide
May 15, 2012
YubiRADIUS Legacy Replacement
© 2012 Yubico. All rights reserved. Page 2 of 19

Introduction

Yubico is the leading provider of simple, open online identity protection. The company’s flagship product, the YubiKey®, uniquely combines driverless USB hardware with open source software. More than a million users in 100 countries rely on YubiKey strong two-factor authentication for securing access to computers, mobile devices, networks and online services. Customers range from individual Internet users to e-governments and Fortune 500 companies. Founded in 2007, Yubico is privately held with offices in California, Sweden and the UK.

Disclaimer

The contents of this document are subject to revision without notice due to continued progress in methodology, design, and manufacturing. Yubico shall have no liability for any error or damages of any kind resulting from the use of this document. The Yubico Software referenced in this document is licensed to you under the terms and conditions accompanying the software or as otherwise agreed between you or the company that you are representing.

Trademarks

Yubico and YubiKey are trademarks of Yubico Inc.

Contact Information

Yubico Inc
228 Hamilton Avenue, 3rd Floor
Palo Alto, CA 94301
USA
info@yubico.com
Contents

Introduction  2
Disclaimer  2
Trademarks  2
Contact Information  2
1 Document Information  5
1.1 Purpose  5
1.2 Audience  5
1.3 References  5
1.4 Version  5
1.5 Definition  5
2 Introduction  6
2.1 Legacy Two-Factor Authentication (TFA) Systems  6
3 Overview  7
3.1 Legacy TFA authentication architecture  7
3.2 Yubico open source TFA authentication architecture  8
3.3 Yubico Open Source Solution  8
3.3.1 YubiKey  8
3.3.2 YubiRADIUS  8
3.3.3 YubiCloud vs. On-board Validation Server  10
3.3.4 Supports both single domain as well as multi domain  11
4 Prerequisites  12
4.1 Remote Access Product supporting RADIUS  12
4.2 Virtualization platform to host YubiRADIUS  12
4.2.1 Image requirements  12
4.3 One or more YubiKey(s)  12
4.4 Active Directory or LDAP Directory server  12
5 Planning and preparations  13
5.1 Access GW supporting RADIUS  13
5.2 YubiCloud vs. Built in validation Server  13
5.3 Virtual Appliance Platform  13
5.4 Internet connection for downloading  14
5.4.1 YubiRADIUS image  14
5.4.2 Personalization (Programming) tool  14
5.5 Firewall considerations  14
5.6 Failover – Multi Master planning  15
5.7 Master Slave Considerations  15
5.8 Getting YubiKeys  16
6 YubiRADIUS Setup and Configuration  17
6.1 Process overview  17
7 YubiKey Deployment  18
7.1 Deployment for YubiCloud vs. On-board Val. Server  18
7.2 Auto-deployment  18
7.3 Helpdesk Considerations  18
7.4 Programming considerations  18
8 Summary  19
8.1 Benefits when switching to YubiRADIUS  19
8.2 Summary of the steps involved in the switch  19
8.3 Auto-Deployment  19
1 Document Information

1.1 Purpose

The purpose of this document is to guide readers through the steps of replacing an existing legacy two-factor authentication infrastructure (such as an RSA Authentication Manager/ACE Server infrastructure) with the open source based YubiRADIUS infrastructure from Yubico.

1.2 Audience

This document is intended for technical staff of Yubico customers who want to replace existing two-factor authentication such as RSA SecurID with YubiKey based authentication for securing access to corporate resources via techniques such as a Remote Access service or VPN.

1.3 References

Part of the Yubico YubiRADIUS solution is based on the open source FreeRADIUS and Webmin software.

1.4 Version

This version is released to the Yubico community as a “how to” guide.

1.5 Definition

Term        Definition
YRVA        Yubico’s YubiRADIUS Virtual Appliance
VPN         Virtual Private Network
SSL         Secure Sockets Layer
RADIUS      Remote Authentication Dial In User Service. The RADIUS protocol is used to communicate between access equipment (such as a VPN GW) and the RADIUS server.
PIN         Personal Identification Number
OTP         One Time Password
OVF         Open Virtualization Format, a standard format supported by the major virtualization platform vendors
YubiKey ID  The 12 character (48 bit) public identifier of a YubiKey
AD          Active Directory
LDAP        Lightweight Directory Access Protocol. Refers both to the communication protocol and to a lightweight directory service for finding information about users and other resources in a network.
TFA         Two-Factor Authentication
2 Introduction

Yubico’s mission is to “make Internet identification secure, easy, and affordable for everyone”. The company offers a physical authentication device/token, the YubiKey, which is used to provide secure authentication to web services and various other applications. The YubiKey is a tiny, key-sized, one-button authentication device that emulates a USB keyboard and is designed to generate a unique user identity and a one-time password (OTP) without requiring any software to be installed on end users’ computers.

2.1 Legacy Two-Factor Authentication (TFA) Systems

Organizations frequently utilize the powerful and flexible authentication mechanism provided by the RADIUS protocol. A RADIUS server combined with an industry standard VPN or SSL based VPN solution provides a robust and flexible remote access solution. In any remote access scenario two-factor authentication is highly recommended and in many cases required for compliance with industry regulation, such as achieving PCI compliance. However, many organizations have a legacy Two-Factor Authentication (TFA) solution which, for various reasons, they would like to replace with an open source solution from Yubico. In the sections below we will look at the planning considerations and the steps involved in replacing a legacy TFA solution with YubiKey tokens and the YubiRADIUS TFA infrastructure.
3 Overview

When looking at replacing a legacy TFA authentication solution with a solution from Yubico, you will frequently find that there are many similarities, and the task is therefore easier than perhaps first anticipated. Depending on the size of the organization, the logistics leading up to the actual switchover will be the biggest part of the planning. However, Yubico has implemented three important features in YubiRADIUS to ease the logistics and coordination otherwise required by the switchover. The following features help in the switchover from legacy solutions:

1. Users may use their regular Active Directory (or LDAP) username and password; no need for a different or temporary password
2. Import of users based on Active Directory group membership or OUs, making it possible to gradually switch users to the new solution
3. Import of YubiKeys without initial binding to users (see Auto-deployment)
4. Auto-deployment: a YubiKey is assigned at first login (binding at first use)

We will go through the list above in more detail in the sections below.

3.1 Legacy TFA authentication architecture

The diagram below describes at a high level the infrastructure of the legacy solution to be replaced.

[Diagram: end user device with legacy token, Internet, Access/VPN GW, legacy authentication server inside the organization]

In the legacy solution, an Access GW (e.g. Cisco ASA) or VPN (e.g. OpenVPN) is usually connected via the RADIUS protocol to a legacy authentication server. The legacy token is either hardware based (as in the picture) or a software client (or a combination) on the end users’ computers or access equipment.
3.2 Yubico open source TFA authentication architecture

The diagram below describes the new Yubico open source based infrastructure replacing the legacy one. Similarly to the legacy solution, an Access GW (e.g. Cisco ASA) or VPN (e.g. OpenVPN) is usually connected via the RADIUS protocol to YubiRADIUS. The token is either hardware based (as in the picture) or a software client (or a combination) on the end users’ computers or access equipment.

3.3 Yubico Open Source Solution

The YubiKey is a small USB connected OTP device that, combined with the organization’s Active Directory (or LDAP) and the Yubico open source based YubiRADIUS server, provides simple and secure TFA access to applications.

3.3.1 YubiKey

The YubiKey USB connected OTP device is recognized as a USB keyboard, so it works on all computer platforms without any client software needed (Windows, Linux, Mac, iPad and newer Android etc.). With a simple touch on the YubiKey it automatically generates and enters a unique identity and One-Time Password (OTP). Combined with a PIN or password (from your LDAP or Active Directory database), the YubiKey provides strong two-factor authentication. The YubiKey is manufactured in Sweden with an auditable process for secrets.

3.3.2 YubiRADIUS

The Yubico YubiRADIUS Virtual Appliance is a FreeRADIUS based solution built on open source components. It provides an organization with YubiKey based two-factor authentication for remote access, where the password part can be checked against the organization’s own (existing) AD (Active Directory) or LDAP, so that users only have to remember their normal network password, and the YubiKey part can be validated either using YubiCloud (the Yubico Online Validation Service) or an onsite Yubico Validation and Key Management Server combination.
[Diagram: YubiRADIUS Virtual Appliance. A Cisco ASA or other RADIUS equipment talks the RADIUS protocol to FreeRADIUS; behind it sit the OTP/PW separator, the request proxy server, PAM (Pluggable Auth Mod) and a Webmin admin UI. The password is checked via LDAP against an internal or external OpenLDAP (optional internal) or the organization’s Active Directory. The OTP is validated via YubiCloud or an internal YubiCloud made up of the YK-VAL validation server, the YK-KSM key server management and the UID to YubiKey mapping database, with an optional YubiHSM (Hardware Security Module) for additional key protection.]

Deployment of YubiKeys can be as easy as sending out YubiKeys to users without prior registration; the YubiKey to user binding will be handled automatically upon first use by the YubiRADIUS Virtual Appliance, which also supports several other, more traditional deployment methods.

Deployment of the Yubico YubiRADIUS Virtual Appliance solution itself requires no changes to the organization’s AD/LDAP schema, which is an important factor for most organizations. Furthermore, the standard authentication interface with username and password is also used for the Yubico two-factor authentication, so there is no client side software to be installed.

Additionally, the YubiRADIUS Virtual Appliance solution supports multiple domains in order to also support more involved deployments such as those used by a large organization or a security service provider. Each domain configuration works separately and has its own configuration settings.

Finally, in order to make it easy for customers to quickly deploy a solution, Yubico provides a ready to deploy “YubiRADIUS Virtual Appliance” OVF and VMware based image with all needed components.
3.3.3 YubiCloud vs. On-board Validation Server

YubiRADIUS can be configured to validate YubiKeys either by using the YubiCloud (easiest deployment) or by using the built in internal Validation Server.

[Diagram: OTP validation through YubiCloud or the on-board YK-VAL validation server with its YK-KSM key server]
3.3.4 Supports both single domain as well as multi domain

YubiRADIUS can be used in an ISP setting for multiple organizations, or in an organization that has multiple domains with separate ADs or LDAPs per domain. The only difference between single and multiple domains/organizations is that in a multiple domain/organization deployment the user name must be followed by a fully qualified domain name.

[Diagram: YubiRADIUS Virtual Appliance VM image (admin UI based on Webmin) serving Domain1 and Domain2, each with its own RADIUS client and LDAP/AD server, and validating OTPs either against the YubiCloud Online Validation Service over the Internet or against a Yubico local validation server via the Yubico web service API. YubiRADIUS supports multi domain deployment with separate AD/LDAPs per domain.]

Single domain:
ID: Username
PW: Password + OTP

Multi domain or multi organization:
ID: Username@domain.organization.com
PW: Password + OTP
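The credential formats above (the OTP typed directly after the password in the PW field, and Username@domain for multi-domain deployments) are what the OTP/PW separator inside YubiRADIUS has to take apart before the password goes to AD/LDAP and the OTP to the validation server. The following Python is an added example, not Yubico’s code; it assumes the 44-character modhex layout of a YubiKey OTP (the 12-character public ID, the guide’s “YubiKey ID”, followed by 32 encrypted characters) and uses a constructed sample OTP.

```python
"""Take apart the RADIUS User-Name and User-Password fields the way the
YubiRADIUS OTP/PW separator has to, for single and multi domain logins.

Added example, not Yubico's code. Assumptions: a YubiKey OTP is 44 modhex
characters (12-character public ID = the guide's "YubiKey ID", then 32
encrypted characters) and the user types it directly after the password.
"""

MODHEX_ALPHABET = "cbdefghijklnrtuv"   # keyboard-layout independent YubiKey alphabet
OTP_LENGTH = 44
PUBLIC_ID_LENGTH = 12

# Constructed sample OTP (not output from a real key): 12-char public ID + 32 chars.
SAMPLE_OTP = "ccccccfhdrui" + "dtnkiefvrblejchtdufcgvkbtnicruhl"


def is_modhex(text: str) -> bool:
    """True when text is non-empty and every character is a modhex letter."""
    return len(text) > 0 and all(c in MODHEX_ALPHABET for c in text)


def split_username(user_field: str):
    """Single domain: 'alice' -> ('alice', None).
    Multi domain:  'alice@corp.example.com' -> ('alice', 'corp.example.com').
    The split is on the last '@' so a local part containing '@' still works."""
    if "@" not in user_field:
        return user_field, None
    user, domain = user_field.rsplit("@", 1)
    if not user or not domain:
        raise ValueError("malformed multi-domain user name")
    return user, domain


def split_password_otp(password_field: str):
    """Return (password, otp, public_id). The OTP is the fixed-length tail of
    the field, so password characters that happen to be modhex are harmless."""
    if len(password_field) < OTP_LENGTH:
        raise ValueError("field shorter than one OTP; was the YubiKey pressed?")
    otp = password_field[-OTP_LENGTH:]
    if not is_modhex(otp):
        raise ValueError("trailing 44 characters are not modhex")
    password = password_field[:-OTP_LENGTH]
    if not password:
        # An OTP alone would be single-factor; the guide pairs it with the AD/LDAP password.
        raise ValueError("empty password part")
    return password, otp, otp[:PUBLIC_ID_LENGTH]


def parse_credentials(user_field: str, password_field: str) -> dict:
    """Full split: user/domain for the AD/LDAP lookup, password for the
    LDAP bind, OTP plus public ID for the validation server or YubiCloud."""
    user, domain = split_username(user_field)
    password, otp, public_id = split_password_otp(password_field)
    return {"user": user, "domain": domain, "password": password,
            "otp": otp, "public_id": public_id}


def classify(user_field: str, password_field: str):
    """('ok', creds) or ('reject', reason); never raises, so the reason can be
    logged without the password or OTP ever reaching the log."""
    try:
        return "ok", parse_credentials(user_field, password_field)
    except ValueError as exc:
        return "reject", str(exc)
```

The public ID is the only part of the OTP that is safe to log or to use for the YubiKey-to-user lookup; the remaining 32 characters must go to the validator unchanged.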
4 Prerequisites

The following are the prerequisites to deploy YubiRADIUS in order to replace a legacy two-factor authentication solution.

4.1 Remote Access Product supporting RADIUS

The access product must support the RADIUS protocol.

4.2 Virtualization platform to host YubiRADIUS

You need a virtualization platform such as VMware Server/ESX or similar to host the YubiRADIUS image. The image is available in two formats: either VMware format or OVF (Open Virtualization Format), which is supported by many vendors such as Red Hat, IBM, VMware and others. Read more about the platforms below.

http://en.wikipedia.org/wiki/Open_Virtualization_Format

4.2.1 Image requirements

The following are the out of the box recommended image requirements:

1 processor
256 MB memory
8 GB disk

4.3 One or more YubiKey(s)

For more information regarding the YubiKey, please visit the following link:

http://www.yubico.com/products/yubikey/

4.4 Active Directory or LDAP Directory server

The Yubico YubiRADIUS virtual appliance (YVA) server supports username and password authentication with an external Active Directory/LDAP directory or an internal LDAP using the built-in OpenLDAP server. In order to deploy and test the YVA solution, either an Active Directory/LDAP external to the image or the OpenLDAP server configurable on the image must be used.
5 Planning and preparations

In order to replace a legacy TFA solution the following prerequisites, planning and preparations must be taken into consideration. In brief we will cover the following in this section:

1. Access GW supporting RADIUS
2. YubiCloud or built in database
3. Virtual Appliance Platform
4. Internet connection for downloading of:
5. YubiRADIUS image
6. YubiKey Personalization (Programming) tool
7. Firewall planning and preparation
8. YubiRADIUS Failover – Multi Master YubiRADIUS
9. Master Slave considerations
10. Getting YubiKeys

5.1 Access GW supporting RADIUS

The first requirement is that the Access Gateway, or any other access equipment such as a firewall with VPN functionality or a VPN gateway, has support for RADIUS and the related requirements listed below. Please verify the following:

1. The RADIUS protocol must be supported
2. The RADIUS authentication port must be set to UDP port 1812
3. Authentication method PAP (not CHAP nor CHAP2)
4. The RADIUS server IP or DNS name can be configured
5. The RADIUS shared secret can be configured

5.2 YubiCloud vs. Built in validation Server

The YubiRADIUS virtual appliance can use either the built in Validation Server or the YubiCloud. In order to use the built in Validation Server you will need an import file for the YubiKeys. There are two ways to get this:

1. If you order at least 500 YubiKeys you can ask Yubico to program the YubiKeys in such a way that you get an encrypted CD copy of the information (AES keys etc.) needed to import into the Validation Server.
2. Alternatively, you can reprogram any number of YubiKeys you get from the Yubico store using the Personalization (programming) tool. See below.

5.3 Virtual Appliance Platform

The YubiRADIUS virtual appliance is available in VMware Player/Server format or as an Open Virtualization Format (OVF) image for infrastructure such as VMware ESX.
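Requirement 3 in section 5.1 (PAP, not CHAP) follows from how the RADIUS User-Password attribute is protected: under PAP the server recovers the cleartext "Password + OTP" string and can hand it to the OTP/PW separator, whereas a CHAP exchange only delivers a hash, from which no OTP can be extracted. The following Python is an added example, not Yubico or FreeRADIUS code; it implements the RFC 2865 User-Password hiding for an Access-Request as the Access GW would send it on UDP 1812, and the server-side decode, using a constructed shared secret and constructed credentials.

```python
"""RFC 2865 PAP handling for the Access-Request an Access GW sends to a
RADIUS server such as YubiRADIUS. Added example, not Yubico or FreeRADIUS
code; the shared secret, authenticator and credentials used in the tests
are constructed values.

PAP does not send the password in the clear: each 16-byte block is XORed
with MD5(shared secret + previous ciphertext block), seeded with the
16-byte Request Authenticator. The server, holding the same shared secret,
reverses this and obtains the cleartext "password + OTP" string.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 (client side): pad with NULs to a 16-byte multiple,
    then XOR block by block against the MD5 keystream."""
    if not (1 <= len(password) <= 128):
        raise ValueError("PAP password must be 1..128 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (server side). A wrong shared secret does not
    fail loudly here; it simply yields garbage, which then fails AD/LDAP and
    OTP validation. Shared-secret mismatches therefore show up as rejects."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password length must be a positive multiple of 16")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # strip the RFC padding


def _attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, total length (incl. 2-byte header), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident: int, username: str, password: str,
                         secret: bytes, authenticator: bytes = b"") -> bytes:
    """Serialise a minimal Access-Request (code 1) with User-Name and a
    PAP-hidden User-Password, as the Access GW would send it."""
    authenticator = authenticator or os.urandom(16)  # fresh random value per request
    attrs = (_attr(ATTR_USER_NAME, username.encode()) +
             _attr(ATTR_USER_PASSWORD,
                   hide_password(password.encode(), secret, authenticator)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet: bytes, secret: bytes) -> dict:
    """Server-side decode: check the header, walk the TLV attributes and
    un-hide the password. Returns {'username': ..., 'password': ...}."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    authenticator = packet[4:20]
    pos, fields = 20, {"ident": ident}
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_USER_NAME:
            fields["username"] = value.decode("utf-8", "replace")
        elif atype == ATTR_USER_PASSWORD:
            clear = reveal_password(value, secret, authenticator)
            fields["password"] = clear.decode("utf-8", "replace")
        pos += alen
    return fields
```

Because the hiding is only as strong as the shared secret and the authenticator, the firewall rule in section 5.5 that confines UDP 1812 to the path between the Access GW and the appliance is part of the protection, not just connectivity.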
Select a virtualization platform, either:
1. a virtualization platform supporting the OVF image format, or
2. VMware Server or VMware Player using the native format.
Once you have selected a virtualization platform, make sure it is prepared to have an image uploaded to it.

5.4 Internet connection for downloading

An internet connection is needed to download the open source YubiRADIUS image and the Yubico Personalization Tool. The latter is not needed if YubiRADIUS is used with YubiCloud. If your server environment does not allow direct downloading, then download to a USB drive and use that to transfer the image and applications.

5.4.1 YubiRADIUS image

Both the latest YubiRADIUS image in the selected format and the latest YubiRADIUS Configuration Guide can be downloaded using the following link:
http://www.yubico.com/yubiradius
Downloading the image will require about 1 GB of disk space.

5.4.2 Personalization (Programming) tool

The Personalization tool for programming YubiKeys for use with the internal database can be found using the following link:
http://www.yubico.com/personalization-tool
Choose between the cross-platform tool (Windows, Mac OS X or Linux) and the Multi-configuration tool for Windows. Both can program multiple YubiKeys quickly. Download and install the tool.

5.5 Firewall considerations

If your network is segmented, please make sure that your firewall(s) allow UDP traffic on port 1812 (RADIUS Authentication) between any Access GW and the YubiRADIUS appliance(s). Furthermore, if YubiCloud is used for validation of the YubiKeys, then outbound port 443 (SSL) and port 80 need to be open to allow the YubiRADIUS server to contact YubiCloud via the REST-based web services API. Prefer 443 where you have the choice, so that the OTP and the validation answer do not cross the Internet in cleartext. Please note that YubiCloud supports automatic failover; if you want to use the automatic failover you must configure all five servers, i.e. api.yubico.com, api2.yubico.com, api3.yubico.com, api4.yubico.com and api5.yubico.com. The first, api.yubico.com, does not have a number in order to be backwards compatible with older clients using only one server.

Firewall settings:
1. Allow the RADIUS Authentication protocol, i.e. open port 1812 UDP between any Access GW and the YubiRADIUS server(s). RADIUS only hides the User-Password field, with an MD5-based transform keyed by the shared secret, so keep this traffic on a trusted network segment and choose a long, random shared secret.
2. Make sure AD or the LDAP server can be reached from the YubiRADIUS server. Open port 389 for standard LDAP, or port 636 for LDAPS, to AD and LDAP. Prefer 636, since over plain LDAP on 389 the user's directory password is sent to the directory in cleartext.
3. For use with YubiCloud, also allow ports 80 and 443 from YubiRADIUS to api.yubico.com, including api2, 3, 4 and 5 (for failover).
4. The same ports, 80 and 443, are used in the Multi Master setting and the YubiRADIUS Master Slave setting as described below. If either of these is used, make sure your firewall has these ports open between the YubiRADIUS servers.
5. For any troubleshooting, SSH access on TCP port 22 is needed.

5.6 Failover – Multi Master planning

YubiRADIUS can be deployed in a Multi Master setting allowing up to three YubiRADIUS servers to synchronize data between them in order to work in a failover setting. When used in this setting, the different YubiRADIUS servers should preferably be hosted on different virtualization hosts.

[Drawing: two YubiRADIUS servers, Instance 1 and Instance 2, in Multi Master configuration with optional sync between them.]

Please note that the YK-VAL database is synchronized between all YubiRADIUS servers (Multi Master). However, for the other databases, i.e. YK-KSM, YK-MAP and YK-ROP, and for the general configuration, only Master-Slave mode is supported. This means that you should plan which server is to be the real master.

5.7 Master Slave considerations

Multiple YubiRADIUS instances can be configured in a Master Slave configuration. This can be useful if you use the internal database in a setup with a large number of YubiRADIUS slaves, i.e. small offices/home offices having their own YubiRADIUS, where you would like to minimize communication or where you do not want the YubiKey database to be local at remote locations.
A Master Slave setup uses the master's database for authentication requests.

[Drawing: local office sites, each with its own YubiRADIUS slave, connect over the Internet to the main office YubiRADIUS network, where Instance 1 and Instance 2 run with optional sync and failover.]

5.8 Getting YubiKeys

To test and deploy YubiRADIUS you will need some YubiKeys. You can purchase YubiKeys from the Yubico web store, https://store.yubico.com/, or from one of Yubico's partners and resellers (contact sales@yubico.com for partners and resellers).
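Sections 5.1 and 5.5 above require PAP on UDP port 1812 and a shared secret, without saying why. The following is an added example in Go, not code from this guide or from Yubico, that shows what those requirements buy: it builds an Access-Request the way an Access GW does, hiding the AD password with the OTP appended under the RFC 2865 User-Password transform, and then recovers the cleartext the way YubiRADIUS must in order to split the OTP off the password. The user name, the shared secret, the password and the 44-character OTP string are all constructed for the example, and the OTP itself is not validated here.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// RFC 2865 code and attribute types used below.
const (
	codeAccessRequest = 1
	attrUserName      = 1
	attrUserPassword  = 2
)

// papTransform is the User-Password hiding of RFC 2865 section 5.2, run in either
// direction: block i is XORed with MD5(secret || prev), where prev is the Request
// Authenticator for block 0 and the previous ciphertext block after that.
func papTransform(secret, authenticator, in []byte, decrypt bool) []byte {
	out := make([]byte, len(in))
	prev := authenticator
	for i := 0; i+16 <= len(in); i += 16 {
		h := md5.Sum(append(append([]byte{}, secret...), prev...))
		for j := 0; j < 16; j++ {
			out[i+j] = in[i+j] ^ h[j]
		}
		if prev = out[i : i+16]; decrypt { // chain on the ciphertext block, whichever side it is on
			prev = in[i : i+16]
		}
	}
	return out
}

func attr(t byte, v []byte) []byte { return append([]byte{t, byte(2 + len(v))}, v...) }

// buildAccessRequest is the Access GW side: the AD password with the OTP appended
// goes into User-Password, zero-padded to whole blocks and hidden under the secret.
func buildAccessRequest(id byte, auth [16]byte, secret []byte, user, password string) ([]byte, error) {
	if len(password) == 0 || len(password) > 128 {
		return nil, errors.New("User-Password must be 1..128 octets")
	}
	padded := make([]byte, (len(password)+15)/16*16)
	copy(padded, password)
	body := attr(attrUserName, []byte(user))
	body = append(body, attr(attrUserPassword, papTransform(secret, auth[:], padded, false))...)
	pkt := make([]byte, 20, 20+len(body))
	pkt[0], pkt[1] = codeAccessRequest, id
	binary.BigEndian.PutUint16(pkt[2:], uint16(20+len(body)))
	copy(pkt[4:], auth[:])
	return append(pkt, body...), nil
}

// parseAccessRequest is the YubiRADIUS side: walk the attributes, undo the hiding
// and strip the padding. Only PAP allows this; CHAP and MS-CHAPv2 deliver a hash of
// the whole field, so the OTP could never be separated from the AD password.
func parseAccessRequest(pkt, secret []byte) (user, password string, err error) {
	if len(pkt) < 20 || pkt[0] != codeAccessRequest || int(binary.BigEndian.Uint16(pkt[2:])) != len(pkt) {
		return "", "", errors.New("malformed Access-Request")
	}
	var pw []byte
	for p := 20; p < len(pkt); p += int(pkt[p+1]) {
		if p+2 > len(pkt) || int(pkt[p+1]) < 2 || p+int(pkt[p+1]) > len(pkt) {
			return "", "", errors.New("malformed attribute")
		}
		v := pkt[p+2 :	p+int(pkt[p+1])]
		switch pkt[p] {
		case attrUserName:
			user = string(v)
		case attrUserPassword:
			if len(v) == 0 || len(v)%16 != 0 {
				return "", "", errors.New("bad User-Password length")
			}
			pw = papTransform(secret, pkt[4:20], v, true)
		}
	}
	if pw == nil {
		return "", "", errors.New("no User-Password attribute")
	}
	return user, string(bytes.TrimRight(pw, "\x00")), nil
}

func main() {
	secret := []byte("example-shared-secret") // assumed: the secret configured on both GW and YubiRADIUS
	var auth [16]byte
	if _, err := rand.Read(auth[:]); err != nil {
		panic(err)
	}
	// constructed sample: AD password "Secret123" followed by a made-up 44-character OTP
	req, err := buildAccessRequest(7, auth, secret, "alice", "Secret123ccccccbcgujhingjrdejhgfnuetrgigvejhhgbkugded")
	if err != nil {
		panic(err)
	}
	user, pw, err := parseAccessRequest(req, secret)
	fmt.Printf("right secret: user=%s password=%s err=%v\n", user, pw, err)
	_, pw, _ = parseAccessRequest(req, []byte("wrong-secret"))
	fmt.Printf("wrong secret: password=%q (garbage, never the real field)\n", pw)
}
```

The second parse shows what the shared secret does and does not give you: a wrong secret yields garbage rather than an error, and nothing in the protocol stops an attacker who can capture the UDP packets from trying secrets offline, which is why section 5.5 keeps this traffic inside the trusted segment. Everything after the split, i.e. checking the AD password against the directory and the OTP against a validation server, is the server's next step and is not part of this example.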
6 YubiRADIUS Setup and Configuration

Setup and configuration are handled in a separate document, available using the following link:
http://www.yubico.com/yubiradius
Scroll down to the configuration guide.

6.1 Process overview

If possible, for companies with multiple Access GWs, use a spare GW, or commission one of the existing GWs, to be the initial GW for the switchover. Then follow the steps below. At a high level the following needs to be done:
1. Identify the Virtual Appliance Platform infrastructure to use.
2. Load the YubiRADIUS image.
3. Check firewall settings to allow RADIUS port 1812, port 389 for AD/LDAP communication and web services ports 80/443 if YubiCloud shall be used.
4. Import YubiKeys for use of the internal validation server, or point to YubiCloud.
5. Import users from AD or LDAP.
6. Set up failover and potential slaves.
7. Set up the Access GW or other equipment (called RADIUS clients) to use the RADIUS protocol on UDP port 1812 to communicate with YubiRADIUS.
8. Create the RADIUS clients for the domain(s) in YubiRADIUS.
9. Follow the configuration guide for details.
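Step 4 above can point YubiRADIUS at YubiCloud, reached over ports 80/443 and the five api hosts from section 5.5. The following is an added example in Go, not code from this guide or from Yubico, showing what the client side of that REST exchange must do under the Yubico validation protocol v2.0: sign the request with the API key, and refuse any answer whose HMAC-SHA1 signature does not verify or whose echoed otp and nonce do not belong to the request. The client id "1", the base64 API key, the OTP and the nonce are constructed for the example, and fakeServerResponse stands in for YubiCloud so the check runs offline; the answer's field set mirrors a real v2.0 response.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// The validation hosts the guide lists; for failover a client sends the same signed request to each.
var yubiCloudHosts = []string{"api.yubico.com", "api2.yubico.com", "api3.yubico.com", "api4.yubico.com", "api5.yubico.com"}

// decodeAPIKey turns the base64 API key issued together with a client id into the HMAC key.
func decodeAPIKey(b64 string) ([]byte, error) { return base64.StdEncoding.DecodeString(b64) }

// sign is the v2.0 protocol signature: base64(HMAC-SHA1(key, "k1=v1&k2=v2&...")) over every
// parameter except h, sorted by name. Requests and responses are signed the same way.
func sign(key []byte, params map[string]string) string {
	names := make([]string, 0, len(params))
	for k := range params {
		if k != "h" {
			names = append(names, k)
		}
	}
	sort.Strings(names)
	for i, k := range names {
		names[i] = k + "=" + params[k]
	}
	mac := hmac.New(sha1.New, key)
	mac.Write([]byte(strings.Join(names, "&")))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// buildVerifyURL is the YubiRADIUS side of one request to one host.
func buildVerifyURL(host, clientID string, key []byte, otp, nonce string) string {
	p := map[string]string{"id": clientID, "otp": otp, "nonce": nonce, "timestamp": "1"}
	p["h"] = sign(key, p)
	q := url.Values{}
	for k, v := range p {
		q.Set(k, v)
	}
	return "https://" + host + "/wsapi/2.0/verify?" + q.Encode()
}

// parseResponse reads the "key=value" lines of a verify answer.
func parseResponse(body string) map[string]string {
	m := map[string]string{}
	for _, line := range strings.Split(body, "\n") {
		if kv := strings.SplitN(strings.TrimRight(line, "\r"), "=", 2); len(kv) == 2 {
			m[kv[0]] = kv[1]
		}
	}
	return m
}

// checkResponse is what the client must do before trusting an answer: verify the signature
// under the API key and confirm the echoed otp and nonce belong to this request. Without it,
// anyone on the path (port 80 is cleartext) could turn a reject into OK or replay an old OK.
func checkResponse(key []byte, sentOTP, sentNonce, body string) (status string, err error) {
	r := parseResponse(body)
	if r["h"] == "" || !hmac.Equal([]byte(r["h"]), []byte(sign(key, r))) {
		return "", errors.New("response signature does not verify")
	}
	if r["otp"] != sentOTP || r["nonce"] != sentNonce {
		return "", errors.New("response echoes a different otp or nonce")
	}
	if r["status"] != "OK" {
		return r["status"], fmt.Errorf("validation failed: %s", r["status"])
	}
	return "OK", nil
}

// fakeServerResponse stands in for YubiCloud (constructed for this example) so the client
// check can be exercised offline; the fields mirror a real v2.0 answer.
func fakeServerResponse(key []byte, otp, nonce, status string) string {
	r := map[string]string{"t": "2012-06-05T12:00:00Z0123", "otp": otp, "nonce": nonce, "sl": "100", "status": status}
	r["h"] = sign(key, r)
	lines := make([]string, 0, len(r))
	for k, v := range r {
		lines = append(lines, k+"="+v)
	}
	sort.Strings(lines)
	return strings.Join(lines, "\r\n") + "\r\n"
}

func main() {
	key, _ := decodeAPIKey("dGhpcyBpcyBhIHRlc3Qga2V5ISE=") // constructed; a real key comes with your client id
	otp, nonce := "ccccccbcgujhingjrdejhgfnuetrgigvejhhgbkugded", "0123456789abcdef0123456789abcdef" // made up
	fmt.Println(buildVerifyURL(yubiCloudHosts[0], "1", key, otp, nonce))
	_, err := checkResponse(key, otp, nonce, fakeServerResponse(key, otp, nonce, "OK"))
	fmt.Println("genuine OK:", err)
	forged := strings.Replace(fakeServerResponse(key, otp, nonce, "BAD_OTP"), "status=BAD_OTP", "status=OK", 1)
	_, err = checkResponse(key, otp, nonce, forged)
	fmt.Println("status edited in transit:", err)
}
```

In a real client the nonce must be fresh random bytes for every request (the fixed string above is only to keep the example reproducible), because the nonce check is what ties an answer to one request and defeats replay of an earlier OK. The API key must be kept as secret as the RADIUS shared secret: anyone holding it can forge an OK answer that passes checkResponse.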
7 YubiKey Deployment

Once the YubiRADIUS system has been set up there are only a few things left to do. Some will depend on whether you used YubiCloud or the on-board validation server.

7.1 Deployment for YubiCloud vs. on-board validation server

YubiCloud is the simplest way to deploy keys, but deployment using the built-in validation server is also quite easy. When using YubiCloud you can use standard YubiKeys directly from the store. In some situations you can even ask your users to buy their YubiKeys online, so that you do not have to keep any inventory of YubiKeys; the first time the users use their YubiKey it will be tied to them in the system. When using the on-board validation server you will need to import the corresponding YubiKeys' AES keys before the YubiKeys can be used with the system.

7.2 Auto-deployment

YubiRADIUS supports auto-deployment, which is the easiest way to deploy keys. Using the auto-deployment feature you do not have to worry about any manual steps in assigning a YubiKey to a user. Instead the YubiKey is automatically assigned to the user's ID at first use. No administrator or helpdesk person needs to be involved in the process (unless you want them to be). The YubiRADIUS auto-deployment feature will automatically tie a YubiKey to a valid user the first time the key is used, provided the username and password portion is successfully authenticated by AD or LDAP. Note what this binding rests on: whoever first presents a valid AD/LDAP password for an account together with a YubiKey the validation server accepts owns that binding from then on, so limit the auto-deployment period to the rollout and review the resulting user-to-key assignments.

7.3 Helpdesk considerations

Order some extra YubiKeys to have on hand at the helpdesk for people who call in having forgotten their YubiKeys at home.

7.4 Programming considerations

When programming YubiKeys for use with the internal validation server you have several options. Most convenient is to ask Yubico to program the YubiKeys to work with your own validation server. The second best option is to order standard YubiKeys and reprogram them when they arrive. For more information on how to program them, go to http://www.yubico.com/personalization-tool
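Sections 5.2, 7.1 and 7.4 describe importing each YubiKey's AES key so that the on-board validation server can check OTPs locally, but not what the server then does with an OTP. The following is an added example in Go, not code from this guide or from Yubico, that implements that step: look the key up by the 12-character public id, AES-128-decrypt the remaining 32 modhex characters, check the CRC and private id, and reject any OTP whose (counter, use) pair is not newer than the last accepted one, which is the replay protection. Because it must run offline, generateOTP stands in for the YubiKey itself; the public id, private id, AES key and counters are constructed for the example, whereas a real record comes from Yubico's import file or the personalization tool.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

const modhex = "cbdefghijklnrtuv" // modhex digit at index i encodes hex nibble i

func modhexDecode(s string) ([]byte, bool) {
	out := make([]byte, (len(s)+1)/2)
	for i := 0; i < len(s); i++ {
		n := strings.IndexByte(modhex, s[i])
		if n < 0 {
			return nil, false
		}
		out[i/2] = out[i/2]<<4 | byte(n)
	}
	return out, len(s)%2 == 0
}

func modhexEncode(b []byte) string {
	s := make([]byte, 0, 2*len(b))
	for _, c := range b {
		s = append(s, modhex[c>>4], modhex[c&15])
	}
	return string(s)
}

// crc16 is the CRC-16 (ISO 13239) in the last two token bytes; over a token with a correct CRC it leaves 0xf0b8.
func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, x := range b {
		crc ^= uint16(x)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ 0x8408*(crc&1) // shift, folding in the reflected polynomial when the low bit was set
		}
	}
	return crc
}

// KeyRecord is one YubiKey as the import file describes it, plus the last accepted counters the server stores.
type KeyRecord struct {
	PrivateID [6]byte
	AESKey    [16]byte
	Counter   int // last accepted 15-bit power-up counter, -1 before first use
	Use       int // last accepted 8-bit session-use counter
}

// validate is the on-board validation server's job for the OTP split off the RADIUS password: look the key
// up by public id, decrypt, check CRC and private id, then reject anything not newer than the last (counter, use).
func validate(keys map[string]*KeyRecord, otp string) (counter, use int, err error) {
	if len(otp) != 44 {
		return 0, 0, errors.New("OTP must be 44 modhex characters")
	}
	rec, ok := keys[otp[:12]]
	ct, okHex := modhexDecode(otp[12:])
	if !ok || !okHex {
		return 0, 0, errors.New("unknown public id or non-modhex OTP")
	}
	block, _ := aes.NewCipher(rec.AESKey[:]) // 16-byte key, cannot fail
	block.Decrypt(ct, ct)                    // a single block, so raw (ECB) decryption is exactly right here
	if crc16(ct) != 0xf0b8 || !bytes.Equal(ct[:6], rec.PrivateID[:]) {
		return 0, 0, errors.New("bad CRC or private id: wrong AES key or corrupted OTP")
	}
	counter = int(binary.LittleEndian.Uint16(ct[6:8]) & 0x7fff) // bit 15 is a flag, not part of the count
	use = int(ct[11])
	if counter < rec.Counter || (counter == rec.Counter && use <= rec.Use) {
		return counter, use, errors.New("replayed OTP")
	}
	rec.Counter, rec.Use = counter, use
	return counter, use, nil
}

// generateOTP stands in for the YubiKey so the example runs offline: token = uid, counter, 24-bit timestamp, use, random, CRC.
func generateOTP(publicID string, rec KeyRecord, counter uint16, use uint8, ts uint32, rnd uint16) string {
	tok := make([]byte, 16)
	copy(tok, rec.PrivateID[:])
	binary.LittleEndian.PutUint16(tok[6:], counter)
	binary.LittleEndian.PutUint16(tok[8:], uint16(ts))
	tok[10], tok[11] = byte(ts>>16), use
	binary.LittleEndian.PutUint16(tok[12:], rnd)
	binary.LittleEndian.PutUint16(tok[14:], ^crc16(tok[:14]))
	block, _ := aes.NewCipher(rec.AESKey[:])
	block.Encrypt(tok, tok)
	return publicID + modhexEncode(tok)
}

func main() {
	// constructed sample secrets; real ones come from Yubico's import file or the personalization tool
	key := KeyRecord{PrivateID: [6]byte{0x8b, 0x4f, 0x1a, 0x9e, 0x03, 0x77}, Counter: -1, Use: -1}
	copy(key.AESKey[:], "0123456789abcdef")
	keys := map[string]*KeyRecord{"ccccccbcgujh": &key}
	otp := generateOTP("ccccccbcgujh", key, 3, 0, 0x12345, 0xbeef)
	for i := 1; i <= 2; i++ { // the second attempt replays the same OTP and is rejected
		c, u, err := validate(keys, otp)
		fmt.Printf("attempt %d: otp=%s counter=%d use=%d err=%v\n", i, otp, c, u, err)
	}
}
```

Two points this makes concrete for the deployment choices above. The import file is the whole secret: the AES keys in it decrypt and, with the private id, authenticate every OTP, so the encrypted CD from Yubico, or the keys you program yourself, must be handled like a key-management database. And the replay check is per key and stateful, which is why section 5.6 synchronizes the YK-VAL database between Multi Master servers: a server that has not seen the latest accepted counters would accept an OTP another server already consumed.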
8 Summary

It is very straightforward to replace your legacy Two-Factor Authentication (TFA) solution with the YubiKey/YubiRADIUS solution.

8.1 Benefits when switching to YubiRADIUS

Compared to many other legacy solutions, you benefit in the following ways when using YubiRADIUS. The following features help in the switchover from legacy solutions:
1. Users may use their regular Active Directory (or LDAP) username and password – no need for a different or temporary password.
2. Import of users based on Active Directory group membership or OUs – making it possible to gradually switch users to the new solution.
3. Import of YubiKeys without initial binding to users (see Auto-deployment).
4. Auto-deployment – the YubiKey is assigned at first login (binding at first use).

8.2 Summary of the steps involved in the switch

At a high level the following needs to be done:
1. Load YubiRADIUS on the virtualization platform infrastructure.
2. Configure the firewall to allow RADIUS, AD/LDAP and web services (if YubiCloud).
3. Import YubiKeys if the internal validation server is used (not needed with YubiCloud).
4. Import users from AD or LDAP.
5. Set up failover and slaves.
6. Create the RADIUS clients for the domain(s) in YubiRADIUS.
7. Test functionality with the built-in RadTest RADIUS client.
8. Configure the Access GW for RADIUS and YubiRADIUS.
This process only takes a few hours to complete, after which you will be ready to start using the Yubico solution.

8.3 Auto-deployment

Using the auto-deployment feature you do not have to worry about any manual steps in assigning a YubiKey to a user. Instead the YubiKey is automatically assigned to the user's ID at first use. No administrator or helpdesk needs to be involved in the process (unless you want them to be).