RSA SecurID Ready Implementation Guide
Last Modified: April 06, 2006

Partner Information

Product Information
Partner Name: Nortel Networks
Web Site: www.nortelnetworks.com
Product Name: VPN Gateway 3050
Version & Platform: 5.1.6.3
Product Description: The Nortel Networks VPN Gateway 3050 is a remote access security solution that extends the reach of enterprise applications and resources to remote users.
Product Category:

Solution Summary

The Nortel Networks VPN Gateway 3050 is a remote access security solution that extends the reach of enterprise applications and resources to remote employees, partners, and customers. By using the native capability of widely deployed Web browsers, the SSL VPN Gateway offers a convenient clientless alternative for securely provisioning resources for remote users, without the need to install and manage client tunneling software on their PCs.

Product Requirements

Partner Product Requirements: Nortel VPN Gateway 3050
Firmware Version: 5.1.6.3

Hardware Platform
Platform: VPN 3050, ASA 310, ASA 410, ASA 310 FIPS
Required Patches: N/A

Additional Software Requirements
Application: Internet Explorer
Additional Patches: 5.0, 5.5 and 6.

Agent Host Configuration

To facilitate communication between the Nortel VPN Gateway and the RSA Authentication Manager / RSA SecurID Appliance, an Agent Host record must be added to the RSA Authentication Manager database and the RADIUS server database if using RADIUS. The Agent Host record identifies the Nortel VPN Gateway within its database and contains information about communication and encryption. To create the Agent Host record, you will need the following information.

Partner Authentication Agent Configuration

Before You Begin

This section provides instructions for integrating the partner's product with RSA SecurID Authentication. This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved and the ability to perform the tasks outlined in this section.

Creating and Configuring a SecurID User Group

1. From the admin console, expand VPN Gateways > Group Settings > Groups.
2. Click on the button Add New Group.
3. Fill out the form with the desired group name, user type and description.
4. Click Update and then Apply to add the new group to the configuration.
5. From the Groups menu on the administration console, select Access List.

Configuring the RSA SecurID Authentication Servers

1. From the admin console, expand VPN Gateways > Authentication > Auth Servers.
2. Enter information for the Auth Server such as Name and Display Name. The Authentication Mechanism will be RSA.
3. Then click continue to complete additional RSA SecurID authentication options.
4. For RSA Server Name select the name of the RSA Authentication Manager you configured in the first section of this guide.

Creating and Configuring a RADIUS User Group

1. From the admin console, expand VPN Gateways > Group Settings > Groups.
2. Click on the button Add New Group. Fill out the form with the desired group name, user type and description.
3. Click Update and then Apply to add the new group to the configuration.
4. From the Groups menu on the administration console, select Access List.

Configuring the RADIUS Authentication Servers

1. From the admin console, expand VPN Gateways > Authentication > Auth Servers.
2. Enter information for the Auth Server such as Name and Display Name. The Authentication Mechanism will be RADIUS.
3. Then click continue to complete additional authentication options.
4. Enter 1872 as Vendor Id.
5. Enter 1 as Vendor type.
6. Leave timeout as default of 10 seconds.
7. Session Timeout can be left in default state of disabled.

Testing the configuration

1. Open a web browser and point to the portal address.
2. For user credentials enter a SecurID username and Passcode.
3. From the Login Service list select your RSA SecurID or RSA RADIUS challenge group.
4. Click Login to authenticate and enter the Portal Server.

Note: The user name does not need to exist on the VPN Gateway 3050 in order to be authenticated. The VPN Gateway 3050 will pass off authentication to the RSA Authentication Manager as a trusted authentication source.

Certification Checklist

Date Tested: January 23, 2006

Certification Environment

Product Name | Version Information | Operating System
RSA Authentication Manager | 6.1 |
VPN Gateway 3050 | 5.1.6. |

Known Issues

PIN Rejection: When a PIN is rejected by the Authentication Manager Server, the client prompts the user to try a different PIN, but the program flow is not intuitive.

1. The user first authenticates using either Token or Password. The user is next prompted to create a new PIN.
2. The user must re-enter the new PIN to validate input from the previous step.
3. If rejected, the client displays the question to the user with an empty text box for input.
4. The client will accept any input by the user and then prompt for a new PASSCODE to restart the authentication process.
5. The user then inputs a valid PASSCODE.

Appendix

Delete Node Secret

To remove the Node Secret from the Nortel VPN Gateway 3050, navigate to SSL-VPN > Administration > RSA Servers and click on the button labeled Remove Node Secret.