How to-replace-legacy-tfa-infrastructure-with-yubi radius-v3

Replacing legacy two-
factor authentication
with YubiRADIUS for
corporate remote
access
How to Guide
May 15, 2012

YubiRADIUS Legacy Replacement © 2012 Yubico. All rights reserved. Page 2 of 19
yubico
cococo
Introduction
Yubico is the leading provider of simple, open online identity protection. The company’s
flagship product, the YubiKey®, uniquely combines driverless USB hardware with open
source software. More than a million users in 100 countries rely on YubiKey strong two-factor
authentication for securing access to computers, mobile devices, networks and online
services. Customers range from individual Internet users to e-governments and Fortune 500
companies. Founded in 2007, Yubico is privately held with offices in California, Sweden and
UK.
Disclaimer
The contents of this document are subject to revision without notice due to continued
progress in methodology, design, and manufacturing. Yubico shall have no liability for any
error or damages of any kind resulting from the use of this document.
The Yubico Software referenced in this document is licensed to you under the terms and
conditions accompanying the software or as otherwise agreed between you or the company
that you are representing.
Trademarks
Yubico and YubiKey are trademarks of Yubico Inc.
Contact Information
Yubico Inc
228 Hamilton Avenue, 3rd Floor
Palo Alto, CA 94301
USA
info@yubico.com

yubico
cococo
Contents
Introduction..........................................................................................................................................2
Disclaimer............................................................................................................................................2
Trademarks .........................................................................................................................................2
Contact Information.............................................................................................................................2
1 Document Information.....................................................................................................................5
1.1 Purpose...................................................................................................................................5
1.2 Audience .................................................................................................................................5
1.3 References..............................................................................................................................5
1.4 Version ....................................................................................................................................5
1.5 Definition .................................................................................................................................5
2 Introduction......................................................................................................................................6
2.1 Legacy Two-Factor Authentication (TFA) Systems ................................................................6
3 Overview .........................................................................................................................................7
3.1 Legacy TFA authentication architecture .................................................................................7
3.2 Yubico open source TFA authentication architecture .............................................................8
3.3 Yubico Open Source Solution.................................................................................................8
3.3.1 YubiKey...............................................................................................................................8
3.3.2 YubiRADIUS........................................................................................................................8
3.3.3 YubiCloud vs. On-board Validation Server .......................................................................10
3.3.4 Supports both single domain as well as multi domain ......................................................11
4 Prerequisites .................................................................................................................................12
4.1 Remote Access Product supporting RADIUS .......................................................................12
4.2 Virtualization platform to host YubiRADIUS..........................................................................12
4.2.1 Image requirements ..........................................................................................................12
4.3 One or more YubiKey(s) .......................................................................................................12
4.4 Active Directory or LDAP Directory server............................................................................12
5 Planning and preparations ............................................................................................................13
5.1 Access GW supporting RADIUS...........................................................................................13
5.2 YubiCloud vs. Built in validation Server ................................................................................13
5.3 Virtual Appliance Platform.....................................................................................................13
5.4 Internet connection for downloading .....................................................................................14
5.4.1 YubiRADIUS image...........................................................................................................14
5.4.2 Personalization (Programming) tool..................................................................................14
5.5 Firewall considerations..........................................................................................................14
5.6 Failover – Multi Master planning ...........................................................................................15

yubico
cococo
5.7 Master Slave Considerations ................................................................................................15
5.8 Getting YubiKeys ..................................................................................................................16
6 YubiRADIUS Setup and Configuration .........................................................................................17
6.1 Process overview ..................................................................................................................17
7 YubiKey Deployment.....................................................................................................................18
7.1 Deployment for YubiCloud vs. On-board Val. Server ...........................................................18
7.2 Auto-deployment ...................................................................................................................18
7.3 Helpdesk Considerations ......................................................................................................18
7.4 Programming considerations ................................................................................................18
8 Summary.......................................................................................................................................19
8.1 Benefits when switching to YubiRADIUS..............................................................................19
8.2 Summary of the steps involved in the switch ........................................................................19
8.3 Auto-Deployment ..................................................................................................................19

yubico
cococo
1 Document Information
1.1 Purpose
The purpose of this document is to guide readers through the steps of replacing an existing
legacy two factor authentication infrastructure (such as RSA Authentication Manager/ACE
Server infrastructure) with the open source based YubiRADIUS infrastructure from Yubico.
1.2 Audience
This document is intended for technical staff of Yubico customers that want to replace existing
two-factor authentication such as RSA SecurID with YubiKey based authentication for
securing access to corporate resources via such techniques as Remote Access service or
VPN.
1.3 References
Part of the Yubico YubiRADIUS solution is based on the Open Source FreeRADIUS and
WebMin software.
1.4 Version
This version is released to the Yubico community as a “how to” guide.
1.5 Definition
Term Definition
YRVA Yubico’s YubiRADIUS Virtual Appliance
VPN Virtual Private Network
SSL Secure Sockets Layer
RADIUS Remote Authentication Dial In User Service. The
RADIUS protocol is used to communicate
between access equipment such as an VPN GW
and the RADIUS server)
PIN Personal Identification Number
OTP One Time Password
OVF Open Virtualization Format – standard format
supported by the major virtualization platform
vendors
YubiKey ID The 12 character (48 bit) public identifier of a
YubiKey
AD Active Directory
LDAP Lightweight Directory Access Protocol – refers
both the communication protocol as well as to a
lightweight directory service for finding
information about users and other resources in a
network.
TFA Two-Factor Authentication

yubico
cococo
2 Introduction
Yubico’s mission is to “make Internet identification secure, easy, and affordable for everyone”.
The Company offers a physical authentication device/token, the YubiKey, which is used to
provide secure authentication to web services and various other applications.
The YubiKey device is a tiny key-sized one-button authentication device, emulating a USB
keyboard and designed to generate a unique user identity and a one-time password (OTP)
without requiring any software installed on end users computers.
2.1 Legacy Two-Factor Authentication (TFA) Systems
Organizations frequently utilize the powerful and flexible authentication mechanism provided
by the RADIUS protocol. A RADIUS server combined with an industry standard VPN or SSL
based VPN solution provides a robust and flexible remote access solution. In any remote
access scenario two-factor authentication is highly recommended and in many cases required
for compliance with industry regulation such as for achieving PCI compliance.
However, many organizations have a legacy Two-Factor Authentication (TFA) solutions which
they for different reasons would like to replace with an open source solution from Yubico.
In the sections below we will look at the considerations in planning and steps involved in
replacing a legacy TFA solution with YubiKey tokens and YubiRADIUS TFA infrastructure.

yubico
cococo
3 Overview
When looking at replacing legacy TFA authentication solutions with a solution from Yubico, you
will frequently find that there are many similarities and the task is therefore easier than perhaps
first anticipated.
Depending on the size of the organization the logistics leading up to the actual switchover will
be the biggest planning part. However, Yubico has in YubiRADIUS implemented three
important features in relation to the switchover to ease the logistics and coordination otherwise
required.
The following features help in the switchover from legacy solutions:
1. Users may use their regular Active Directory (or LDAP) Username and Password – no
need for a different or temporary password
2. Import of users based on Active Directory Group belonging or OUs – Making it possible
to gradually switch users to the new solution.
3. Import YubiKeys without initial binding to users (see Auto Deployment)
4. Auto-deployment – YubiKey is assigned at first login (binding at first use)
We will go through the list above in more detail in the sections below.
3.1 Legacy TFA authentication architecture
The diagram below describes at a high level the infrastructure of the legacy solution to be
replaced.
Access/VPN GW
Internet
Legacy
Authentication Server
Legacy
Token
Organization
End user device
The Legacy solution usually has an Access GW (e.g. Cisco ASA) or VPN (e.g. Open VPN) is
connected via RADIUS protocol to a Legacy Authentication Server. The Legacy Token is
either based on Hardware (as in the picture) or a software client (or combination) on the end
users computers or access equipment.

yubico
cococo
3.2 Yubico open source TFA authentication architecture
The diagram below describes the new Yubico open source based infrastructure replacing the
legacy.
Similarly to the Legacy solution usually an Access GW (e.g. Cisco ASA) or VPN (e.g. Open
VPN) is connected via RADIUS protocol to YubiRADIUS. The Legacy Token is either based
on Hardware (as in the picture) or a software client (or combination) on the end users
computers or access equipment.
3.3 Yubico Open Source Solution
The YubiKey is small USB connected OTP device that combined with the organizations
Active Directory (or LDAP) and the Yubico open source based YubiRADIUS server provides
simple and secure TFA access to applications.
3.3.1 YubiKey
The YubiKey USB connected OTP device is recognized as a USB keyboard so it works on all
computer platforms without any client software needed (Windows, Linux, Mac, iPad and
newer Android etc.).
With a simple touch on the YubiKey it automatically generates and enters a unique identity
and One-Time Password (OTP).
Combined with a PIN or password (from your LDAP or Active Directory database), the
YubiKey provides strong two-factor authentication. The YubiKey is manufactured in Sweden
with an auditable process for secrets.
3.3.2 YubiRADIUS
The Yubico YubiRADIUS Virtual Appliance is a FreeRADIUS based solution built on open
source components which provides an organization with Yubikey based two-factor
authentication for remote access where the password part can checked against the
organization’s own (existing) AD (Active Directory) or LDAP so that users only have to
remember their normal network password and the Yubikey part can be validated either using
YubiCloud – the Yubico Online Validation Service or an onsite Yubico Validation and Key
Management Server combination.

yubico
cococo
YK-KSM
Key Server
Management
Webmin
Organization’s
Active Directory
PAM (Pluggable Auth Mod)
Request ProxyServer
Cisco ASA
Or other Radius Equipment
RADIUS
Protocol
Free
Radius
YubiRADIUS - Virtual Appliance
PW via
LDAP
Int. OR Ext.
OpenLDAP
*(Optional Internal)
OTP/PW
Separator
OTP via
YubiCloud
OR Internal
YubiCloud
UID - YubiKey
Mapping &
Database
YK-VAL
Validation Server
Optional - YubiHSM
HSM (Hardware Security Module)
for Additional Key Protection
Deployment of Yubikeys can be as easy as sending out Yubikeys to users without prior
registration and the Yubikey to User binding will be handled automatically upon first use by
YubiRADIUS Virtual Appliance which also supports several other more traditional deployment
methods.
Deployment of Yubico YubiRADIUS Virtual Appliance solution itself requires no changes to
the organizations AD/LDAP schema which is an important factor for most organizations.
Further standard authentication interface with username and password is used also for the
Yubico two-factor authentication so there is no client side software to be installed.
Additionally the YubiRADIUS Virtual Appliance solution supports multiple domains in order to
also support more involved deployments such as used by a large organization or a Security
Service Provider. Each domain configuration works separately and has its own configuration
settings.
Finally in order to make it easy for customers to quickly deploy a solution Yubico provides a
ready to deploy “YubiRADIUS Virtual Appliance” OVF and VMware based image with all
needed components.

yubico
cococo
3.3.3 YubiCloud vs. On-board Validation Server
YubiRADIUS can be configured to validate YubiKeys either by using the YubiCloud (easiest
deployment) or using the built in internal Validation Server.
YK-KSM
Key Server
OTP via
YubiCloud
OR Internal
YubiCloud
YK-VAL
Validation Server
OTP validation through YubiCloud or On-board Validation Server

yubico
cococo
3.3.4 Supports both single domain as well as multi domain
YubiRADIUS can be used in a ISP setting for multiple organizations or in an organization that
has multiple domains with separate Ads or LDAPs per domain. The only difference between
single and multiple domains/organizations are that in a multiple domain/organization
deployment the user name must be followed with a fully qualified domain name.
Domain1
LDAP/AD
Server
RADIUS
Client
Domain2
LDAP/AD
Server
RADIUS
Client
RADIUS
LDAP
Yubico
YubiRADIUS
Virtual Appliance
YubiRADIUS
Virtual
Appliance
Admin UI based
on Webmin
YubiCloud
Online
Validation
Service
LDAP
RADIUS
Internet
Yubico Local
Validation
Server
OR
Yubico WebService API
YubiRADIUS Virtual
Appliance VM Image
YubiRADIUS supports multi domain deployment with seperate AD/LDAPs per domain
Single domain
 ID: Username
 PW: Password + OTP
Multi domain or Multi organization
 ID: Username@domain.orgainzation.com
 PW: Password + OTP

yubico
cococo
4 Prerequisites
The following are the prerequisites to deeply YubiRADIUS in order to replace a legacy
two-factor authentication solution.
4.1 Remote Access Product supporting RADIUS
The Access Product must support RADIUS protocol
4.2 Virtualization platform to host YubiRADIUS
You need a virtualization platform such as VMware Server/ESX or similar to host the
YubiRADIUS image. The image is available in two formats. Either VMware format or OVF
(Open Virtualization Format) supported by many vendors such as Red Hat, IBM, VMware and
others. Read more about the platforms below.
http://en.wikipedia.org/wiki/Open_Virtualization_Format
4.2.1 Image requirements
The following is the out of the box recommended image requirements
 1 Processor
 256 MB memory
 8 GB Disk
4.3 One or more YubiKey(s)
For more information regarding YubiKey, please visit the following link:
http://www.yubico.com/products/yubikey/
4.4 Active Directory or LDAP Directory server
Yubico YubiRADIUS virtual appliance (YVA) server supports username and password
authentication with external Active Directory/LDAP directory or internal LDAP using the built-
in OpenLDAP server.
In order to deploy and test YVA solution, either external (to the image) Active Directory/LDAP
or the on the image configurable OpenLDAP server must be used.

yubico
cococo
5 Planning and preparations
In order to replace a legacy TFA solution the following prerequisites, planning and preparations
must be taken into consideration.
In brief we will cover the following in this section.
1. Access GW supporting RADIUS
2. YubiCloud or Built in Database
3. Virtual Appliance Platform
4. Internet connection for downloading of
5. YubiRADIUS image
6. YubiKey Personalization (Programming) tool
7. Firewall planning and preparation
8. YubiRADIUS Failover – Multi Master YubiRADIUS
9. Master Slave considerations
10. Getting YubiKeys
5.1 Access GW supporting RADIUS
The first requirement is that the Access Gateway of any other Access equipment such as a
Firewall with VPN functionality or VPN Gateway has support for RADIUS and related
requirements listed below.
Please verify the following:
1. RADIUS protocol must be supported
2. RADIUS Authentication port must be set to UDP port 1812
3. Authentication method PAP (not CHAP nor CHAP2)
4. RADIUS Server IP or DNS name can be configured
5. RADIUS Shared Secret can be configured
5.2 YubiCloud vs. Built in validation Server
The YubiRADIUS virtual appliance can use either the built in Validation Server or the
YubiCloud.
In order to use the built in Validation server you will need an import file for the YubiKeys.
There are two ways to get this.
1. If you order at least 500 YubiKeys you can ask that Yubico program the YubiKeys in
such way that you will get an encrypted CD copy of the information (AES keys etc.)
needed to import on the Validation server.
2. You can alternatively reprogram any number of YubiKeys you get from Yubico store
using the Personalization (programming) tool. See below.
5.3 Virtual Appliance Platform
The YubiRADIUS virtual appliance is available as a VMware Player/Server format or as an
Open Virtualization Format (OVF) for infrastructure such as VMware ESX.

yubico
cococo
Select a Virtualization Platform, either:
1. Virtualization Platform supporting OVF image format or
2. VMware Server or VMware Player using native format
Once you selected a virtualization platform make sure it is prepared to have an image
uploaded to it.
5.4 Internet connection for downloading
An internet connection is needed to download Yubico open source YubiRADIUS image and
Yubico Personalization Tool. The latter not needed if YubiRADIUS is used with YubiCloud.
If your server environment does not allow direct downloading then download to a USB drive
and use that for transferring the image and applications.
5.4.1 YubiRADIUS image
Both the latest YubiRADIUS image in the selected format and the latest YubiRADIUS
Configuration Guide can be downloaded using the following link.
http://www.yubico.com/yubiradius
Downloading the image will require about 1 GB of disk space.
5.4.2 Personalization (Programming) tool
Personalization tool for programming YubiKeys for use of the internal database can be found
using the following link.
http://www.yubico.com/personalization-tool
Choose between the cross platform tool (Windows, Mac OSX or Linux) or the Multi-
configuration tool for Windows. Both can program multiple YubiKeys quickly. Download and
install the tool.
5.5 Firewall considerations
If your network is segmented please make sure that Your Firewall(s) allows for UDP traffic on
port 1812 (RADIUS Authentication) between any Access GW and YubiRADIUS appliance(s).
Furthermore if YubiCloud is used for validation of the YubiKeys using YubiCloud then
outbound port 443 (SSL) and port 80 needs to be open allowing YubiRADIUS server to
contact YubiCloud via the REST based Web services API.
Please note that YubiCloud supports automatic failover if you want to use the automatic
failover you must configure all five servers i.e. api.yubico.com, api2.yubico.com,
api3.yubico.com, api4.yubico.com, api5.yubico.com. The first api.yubico.com does not have a
number in order to be backwards compatible with older clients using only one server.
Firewall settings
1. Allow RADIUS Authentication protocol i.e. Open port 1812 UDP between any Access
GW and YubiRADIUS server(s)

yubico
cococo
2. Make sure AD or the LDAP server can be reached from YubiRADIUS server. Open
Port 389 for standard communication or Port 636 for (LDAPS protocol) to AD and
LDAP.
3. For use with YubiCloud – also allow port 80 and port 443 from YubiRADIUS to
api.yubico.com including api2, 3, 4 and 5 (for failover).
4. The same ports port 80 and port 443 are used in the Multi Master setting and
YubiRADIUS Master Slave setting as described below. If any of these are used make
sure your Firewall has these posts open between the YubiRADIUS servers.
5. For any trouble shooting SSH access on TCP Port 22 is needed
5.6 Failover – Multi Master planning
YubiRADIUS can be deployed in a Multi Master setting allowing up to Three YubiRADIUS
servers to synchronize data between the servers in order to work in a failover setting.
When used in this setting the different YubiRADIUS servers should preferably be hosted on
different virtual platform hosts.
YubiRADIUS
Instance 2
Optional Sync
YubiRADIUS
Instance 1
Drawing of two YubiRADIUS in Multi Master Configuration.
Please note that the VK-VAL database in synchronized between all YubiRADIUS Servers
(Multi Master). However for other databases i.e. YK-KSM, YK-MAP, YK-ROP and general
configuration only Master-Slave mode is supported. This means that you should plan which
server that should be the real master.
5.7 Master Slave Considerations
Multiple YubiRADIUS instances can be configured in a Master Slave configuration. This can
be useful if you use internal database in a setup with a large number of YubiRADIUS slaves
i.e. small offices/home offices having their own YubiRADIUS but where you would like to
minimize communication or when you don’t want the YubiKey database to be local at remote
locations.

yubico
cococo
Master Salve uses the master’s database for requests for authentication.
Internet
Local Office Sites
YubiRADIUS Network
Main Office YubiRADIUS (slaves)
YubiRADIUS
Instance 1
YubiRADIUS
Instance 2
Optional Sync
Failover
5.8 Getting YubiKeys
To test and deploy YubiRADIUS you will need some YubiKeys. You can purchase YubiKeys
from Yubico Web store https://store.yubico.com/ or from one of Yubico’s partners and
resellers (contact sales@yubico.com for Partners and Resellers).

yubico
cococo
6 YubiRADIUS Setup and Configuration
The Setup and configuration is handled in a separate document using the following link.
http://www.yubico.com/yubiradius
Scroll down to the configuration guide.
6.1 Process overview
If possible, for companies with multiple Access GWs, use a spare or commission one of the
GWs to be the initial GW for the switchover. Then follow the steps below.
At a high level the following needs to be done:
 Identify the Virtual Appliance Platform infrastructure to use
 Load the YubiRADIUS image
 Check Firewall settings to allow Radius port 1812, 389 for AD/LDAP
 communication and Web services port 80/443 if YubiCloud shall be
 used
 Importing YubiKeys for use of internal validation server or point to
 YubiCloud
 Import users from AD or LDAP
 Set up Failover and potential Slaves
 Set up Access GW or other equipment (called RADIUS Clients) to use
 RADIUS protocol port UDP 1812 to communicate with YubiRADIUS
 Create the RADIUS clients for the domain(s) in YubiRADIUS
 Follow the configuration guide for details

yubico
cococo
7 YubiKey Deployment
Once the YubiRADIUS system has been set up there are only a few things left to do. Some
will depend on whether you used YubiCloud or the On-board Validation Server.
7.1 Deployment for YubiCloud vs. On-board Val. Server
YubiCloud is the simplest way to deploy keys but even using the Built-in Validation server
deployment is also quite easy.
When using YubiCloud you can use standard Yubikeys directly from the Store. In some
situations you can even ask your users to buy their YubiKeys online so that you don’t have to
keep any inventory of YubiKeys and the first time the users use their YubiKey it will be tied to
them in the system.
When using the on-board Validation server you will need to import the corresponding
YubiKeys AES keys before the YubiKeys can be used with the system.
7.2 Auto-deployment
YubiRADIUS supports Auto-deployment which is the absolutely easiest way to deploy keys.
Using the Auto-Deployment feature you don’t have to worry about any manual steps in
assigning a YubiKey to a user. Instead the user is automatically assigning the YubiKey to
his/her user id at first use. No administrator or helpdesk person needed to be involved in the
process (unless you want them to).
YubiRADIUS auto deployment feature will automatically tie a YubiKey to valid user the first
time the key is used and the user name and password portion is successfully authenticated
by AD or LDAP.
7.3 Helpdesk Considerations
Order some extra YubiKeys to have on hand in the help desk for people that call in to the
Helpdesk function and have forgotten their YubiKeys at home.
7.4 Programming considerations
When programming YubiKeys for using the internal you have several options. Most
convenient is to ask Yubico to program the YubiKeys to work with your own Validations
Server.
Second best thing is to order Standard YubiKeys and reprogram them when they arrive. Go to
http://www.yubico.com/personalization-tool
For more information on how to program see info using the link.

yubico
cococo
8 Summary
It is very straightforward to replace your Legacy Two-Factor Authentication (TFA) with the
YubiKey/YubRADIUS solution.
8.1 Benefits when switching to YubiRADIUS
Compared to many other Legacy Solutions you will benefit the following way when using
YubiRADIUS.
The following features help in the switchover from legacy solutions:
1. Users may use their regular Active Directory (or LDAP) Username and Password –
no need for a different or temporary password
2. Import of users based on Active Directory Group belonging or OUs – Making it
possible to gradually switch users to the new solution.
3. Import YubiKeys without initial binding to users (see Auto Deployment)
4. Auto-deployment – YubiKey is assigned at first login (binding at first use)
8.2 Summary of the steps involved in the switch
At a high level the following needs to be done:
 Load the YubiRADIUS on the Virtualization Platform infrastructure
 Firewall to allow Radius, AD/LDAP and Web services (if YubiCloud)
 Import YubiKeys if internal validation server is used (not YubiCloud)
 Import users from AD or LDAP
 Set up Failover and Slaves
 Create the RADIUS clients for the domain(s) in YubiRADIUS
 Test functionality with built in RadTest RADDIUS client
 Configure Access GW for RADIUS and YubiRADIUS
This process only takes a few hours of time to complete after which you will be ready to start
using the Yubico solution.
8.3 Auto-Deployment
Using the Auto-Deployment feature you don’t have to worry about any manual steps in
assigning a YubiKey to a user. Instead the user is automatically assigning the YubiKey to
his/her user id at first use. No administrator or helpdesk needed to be involved in the process
(unless you want them to).

How to-replace-legacy-tfa-infrastructure-with-yubi radius-v3

Recomendados

Recomendados

Más contenido relacionado

Más de Hai Nguyen

Más de Hai Nguyen (20)

Último

Último (20)

How to-replace-legacy-tfa-infrastructure-with-yubi radius-v3