Step by step guide to implement one-time password authentication with NCP Secure Enterprise VPN Server
Installation guide for securing authentication to your NCP Secure Enterprise VPN Server with Nordic Edge One Time Password Server, delivering strong authentication via SMS to your mobile phone.
1 Summary
This is the complete installation guide for securing the authentication to your NCP Secure Enterprise VPN Server
solution with Nordic Edge One Time Password Server, delivering two-factor authentication via SMS to your mobile
phone. You will be able to test the product with your existing NCP Secure Enterprise VPN Server solution and
your LDAP user database, without making any changes that affect existing users. The guide will also allow you to
make the complete installation efficiently, using a maximum of 1 hour. Nordic Edge provides several methods for
delivering one time passwords, like e-mail, tokens, mobile clients, Pledge, prefetch, Yubikey etc. - however in this
test we are only going to use SMS.
This is a step-by-step guide that covers the entire installation from A to Z. It is based on the scenario that you
are running your SSL-VPN solution against Active Directory, and that you install the One Time Password Server
on a Windows Server. The One Time Password Server is platform independent and works with all other LDAP user
databases, like eDirectory, Sun One, Open LDAP etc. If you are not running Active Directory or Windows and if you
have any questions regarding the slight differences in the installation process, you are most welcome to contact us
at [email protected] and we will take you through the entire process.
Table of Contents
1 Summary
1.1 Definitions
2 Prerequisites
2.1 Important information regarding communication
3 Getting started
3.1 Register and download the software
4 Installation
4.1 Start the installation
5 Configuring the One Time Password Server
5.1 Start the OTP Configurator
5.2 Configure the One Time Password Server
5.3 Configure RADIUS
5.4 Configure databases
5.5 Configure LDAP Host Settings
5.6 Configure the LDAP database settings
5.7 Configure search filter
5.8 Test LDAP Authentication
6 Configure the SSL-VPN client settings.
7 Configure Delivery Method
8 Restart the One Time Password Server as Windows Service
9 Add mobile phone number with Microsoft Management Console
10 Configuring NCP Secure Enterprise VPN Server
10.1 Add External Authentication
10.2 Configure Domain groups with RADIUS secret
10.3 NCP Secure Enterprise Client settings
10.4 Restart NCP Secure Enterprise VPN Server
11 Test the authentication
11.1 SSL VPN test
11.2 NCP Secure Enterprise Client
12 Purchase
13 Technical questions
1.1 Definitions
In this step-by-step guide the NCP Secure Enterprise VPN Server is referred to as "SSL-VPN Solution / Server".
2 Prerequisites
You will need a server, for example a VMware virtual machine, with Windows Server 2003 or higher installed with Ethernet in bridge mode. The server must have a static IP-address configured and must also be able to reach your DNS-servers, your SSL-VPN solution and Active Directory. Since the software is quite small (315 MB) and easy to remove, you can also use any existing server from your network. Should you wish to simply run a demonstration of what is described in this manual, NCP can provide you with a virtual machine image (VMware) configured to demonstrate the management and operational capabilities of the NCP Secure Enterprise VPN solution. Please contact NCP or Nordic Edge for further details of the NCP Secure Enterprise Server – Secure Enterprise Management Demonstration Virtual Machine.
2.1 Important information regarding communication
The One Time Password Server is software that can be installed on any existing server in your network or DMZ.
- The One Time Password Server must be able to communicate (outbound traffic) with your LDAP or JDBC user
database. The default ports for LDAP and Secure LDAP are TCP 389 / 636.
- The SSL-VPN solution must be able to communicate (outbound traffic) with the One Time Password Server via
RADIUS, UDP port 1812 or 1645.
- If you want to use the Nordic Edge SMS Gateway, the One Time Password Server must be able to
communicate (Outbound traffic) with otp.nordicedge.net and otp.nordicedge.se with HTTPS on TCP port 443.
In the following test-scenario you will need to communicate with RADIUS port 1812 or 1645 and use the
Nordic Edge SMS Gateway.
Note:
The NCP SSL-VPN Solution in the previous diagram consists of two components:
Specific settings in this guide:
NCP Secure Enterprise VPN Server: 192.168.233.100
Nordic Edge OTP Server: 192.168.233.103
3 Getting started
3.1 Register and download the software
Go to www.nordicedge.com and select "PRODUCTS", One Time Password Server and click "Download".
Enter your name and contact details to receive the software.
You will receive a link for downloading the software. A 30-day fully functional license will be sent via e-mail when you download the software. Download the 32- or 64-bit version depending on your platform.
4 Installation
4.1 Start the installation
Start the installation on the server where you want to install the One Time Password Server.
Please note that if you are installing on a Windows 2008 Server you need to right click on the otp3install.exe using
explorer and click on “Run as Administrator”.
Click Next.
Read the license agreement and select “I accept the terms of the License Agreement”. Click Next.
Click Next.
Click Next.
Choose the license.dat (License-file) that you received via e-mail and click Next.
Click Next.
Click Next.
Click Install.
Click Next.
Click Done.
OTP Server is now installed and running.
5 Configuring the One Time Password Server
5.1 Start the OTP Configurator
Start the OTP Configurator by clicking on “Configuration”.
5.2 Configure the One Time Password Server
On the Server page you can set the length of the one-time password and for how long it should be valid. Default
is 5 minutes. You can also set a default country prefix, which means you will not need to set it in the mobile
attribute.
For more information regarding the optional settings, please see One Time Password Server 3 – Administration
Manual.
For now, leave this page as default and go on to the next part – Configure RADIUS.
5.3 Configure RADIUS
Change to the RADIUS tab and configure the RADIUS port you want to use to communicate with NCP Secure
Enterprise VPN Server. In this example we are using RADIUS port 1812.
● Click Save Config.
5.4 Configure databases
In this setup we are going to use the Microsoft Active Directory LDAP database.
● Change to the Databases tab and click on the "LDAP Database" button.
5.5 Configure LDAP Host Settings
For this configuration we will use the Active Directory installed on the same server as the One Time
Password Server, so the host address is the loopback address (127.0.0.1).
We will use the standard LDAP port 389 to communicate with Active Directory.
Admin DN is the account the OTP Server binds with to search for user objects in the Active Directory database.
For now this user only needs read rights to the user object attributes, but be aware that later you might
want to use options like disabling accounts or the Pledge Enrollment concept from the Pledge Mobile
Client. In that case the Admin DN needs write rights to modify the disable-account attribute and to
store OATH keys in an optional user attribute.
● Configure your LDAP host settings and click Test. You should now get a message saying “LDAP
connection success”.
● Click OK and Save.
Next step is to configure the LDAP database settings.
5.6 Configure the LDAP database settings
The BASE DN is the search base from where OTPServer will start looking for user objects.
● Click on the button with three dots at the right side of the Base DN field to browse your LDAP
Database.
● Select an Organization Unit or Organization in Active Directory and click OK.
5.7 Configure search filter
Next step is to configure the search filter for One Time Password to search users via selected object classes and
attributes according to the Microsoft Active Directory schema.
● Click on the “Sample Button” and choose the filter template for MS Active Directory and click OK twice.
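The filter template itself is not reproduced in this guide. As an added example (Python, not Nordic Edge's code), the following shows what such a lookup looks like for the two attribute mappings section 10.3 names, with the VPN User ID escaped per RFC 4515 so that a user-supplied ID can only ever match an attribute value and never change the meaning of the filter, plus the Mobile attribute of section 9 normalised with the default country prefix mentioned in section 5.2. The object class / attribute pairs, the normalisation rules and the +46 default prefix are assumptions, not settings taken from the product.

```python
# User lookup for the OTP Server: an RFC 4515-escaped search filter (section 5.7) for the two
# attribute mappings section 10.3 names, and the Mobile attribute of section 9 normalised with
# a default country prefix as in section 5.2. Added example, not Nordic Edge code: the
# Configurator's own filter template is not reproduced here, and the object class / attribute
# pairs, the normalisation rules and the +46 default prefix are assumptions.

# RFC 4515 section 3: characters that must be escaped inside an assertion value
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Assumed templates; {uid} is replaced by the escaped VPN User ID
FILTER_TEMPLATES = {
    "active_directory": "(&(objectClass=user)(sAMAccountName={uid}))",
    "standard_ldap": "(&(objectClass=inetOrgPerson)(uid={uid}))",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so it can only ever match an attribute, never alter the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(directory_type: str, vpn_user_id: str) -> str:
    """Filter the OTP Server would run under the Base DN of section 5.6 to find the user object."""
    if not vpn_user_id.strip():
        raise ValueError("empty VPN User ID")
    return FILTER_TEMPLATES[directory_type].format(uid=escape_filter_value(vpn_user_id))


def normalise_mobile(raw: str, default_country_prefix: str = "+46") -> str:
    """Turn the Mobile attribute into an international number for the SMS gateway.

    Assumed rules: spaces, dashes and parentheses are ignored; '+CC...' is kept as is;
    '00CC...' becomes '+CC...'; a national number loses its trunk '0' and gets the prefix.
    """
    digits = "".join(ch for ch in raw if ch.isdigit())
    if not digits:
        raise ValueError("Mobile attribute contains no digits: %r" % raw)
    if raw.strip().startswith("+"):
        return "+" + digits
    if digits.startswith("00"):
        return "+" + digits[2:]
    return default_country_prefix + (digits[1:] if digits.startswith("0") else digits)
```

The escaping matters because the VPN User ID is typed by the person logging in: without it, whatever is entered becomes part of the LDAP query the OTP Server runs with the Admin DN's rights. The number normalisation is the reason the default country prefix exists: the SMS gateway needs one canonical international form regardless of how the Mobile attribute was typed into the MMC.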
5.8 Test LDAP Authentication
● Click on the Test LDAP Authentication button and type in the user ID of a user you know exists in the
directory.
● Type in the password
If configuration is correct you will see the following success message.
● Click on Save.
6 Configure the SSL-VPN client settings.
Since One Time Password Server is also a RADIUS-server, the NCP Secure Enterprise VPN Server is considered a
client to the One Time Password Server.
Next step is to configure the settings for this client.
● In the left pane click on "Clients" and then click on "New RADIUS Client".
● Type in a name and an IP address for your NCP Secure Enterprise VPN Server. In this guide 192.168.233.100.
● Type in a RADIUS shared secret. (Note this and use it in the VPN Server later.)
● Choose the Active Directory you configured earlier as User Database.
● Click Save.
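What the RADIUS client entry and shared secret above actually do on the wire, as an added example (Python, not NCP's or Nordic Edge's code): the VPN Server hides the user's password under the shared secret and a random Request Authenticator, the OTP Server checks the password against its user database, sends the one-time password by SMS and answers with an Access-Challenge, and the second Access-Request carries the OTP plus the server's State. Both sides run in one process here; the user database and the SMS outbox are constructed stand-ins, the secret is a placeholder, and the idea that the prompt of section 11.1 travels as a Reply-Message in an Access-Challenge is an assumption about the products, not something this guide states.

```python
# RADIUS PAP login followed by an OTP challenge: the exchange this guide sets up between the
# NCP VPN Server (RADIUS client, section 6) and the OTP Server (RADIUS server, 5.3 and 10).
# Added example, not NCP or Nordic Edge code; user database and SMS outbox are constructed
# stand-ins, and carrying the step-2 prompt as Access-Challenge + State is an assumption.
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11  # RFC 2865 codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24               # attribute types
SHARED_SECRET = b"constructed-radius-secret"  # set on the OTP Server (6), copied to SEM (10.2)
CHALLENGE_TEXT = b"Please enter your One Time Password"  # the configurable prompt of 11.1

def pap_xor(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool = False) -> bytes:
    """RFC 2865 5.2 User-Password hiding: XOR 16-byte blocks with MD5(secret + previous block)."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (data[i:i + 16] if decrypt else block)
    return out

def encode_attrs(attrs) -> bytes:
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build_packet(code: int, ident: int, authenticator: bytes, body: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def response_authenticator(code, ident, req_auth, body, secret) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()

def vpn_access_request(user: str, password: str, state=None):
    # What the VPN Server sends: fresh random Request Authenticator, hidden password, State on step 2
    req_auth, ident = secrets.token_bytes(16), secrets.randbelow(256)
    attrs = [(USER_NAME, user.encode()), (USER_PASSWORD, pap_xor(password.encode(), SHARED_SECRET, req_auth))]
    if state is not None:
        attrs.append((STATE, state))
    return build_packet(ACCESS_REQUEST, ident, req_auth, encode_attrs(attrs)), req_auth

def vpn_check_reply(reply: bytes, req_auth: bytes):
    # The VPN Server must verify the Response Authenticator before acting on an Accept
    code, ident, length = struct.unpack("!BBH", reply[:4])
    body = reply[20:length]
    if not hmac.compare_digest(reply[4:20], response_authenticator(code, ident, req_auth, body, SHARED_SECRET)):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    return code, dict(decode_attrs(body))

class OtpServer:
    """Step 1: LDAP password -> OTP by SMS + Access-Challenge. Step 2: OTP + State -> Accept/Reject."""
    def __init__(self, users, otp_length=6):  # otp_length mirrors the Server page setting of 5.2
        self.users, self.otp_length = users, otp_length  # constructed stand-in for the LDAP database
        self.pending, self.sms_outbox = {}, []           # State -> (user, otp); (mobile, text) to send

    def handle(self, packet: bytes) -> bytes:
        code, ident, length = struct.unpack("!BBH", packet[:4])
        req_auth, attrs = packet[4:20], dict(decode_attrs(packet[20:length]))
        user = attrs.get(USER_NAME, b"").decode(errors="replace")
        entered = pap_xor(attrs.get(USER_PASSWORD, b""), SHARED_SECRET, req_auth, decrypt=True).rstrip(b"\x00")
        if STATE not in attrs:  # step 1: verify the LDAP password, then deliver the OTP
            record = self.users.get(user)
            if not record or not hmac.compare_digest(record["password"].encode(), entered):
                return self._reply(ACCESS_REJECT, ident, req_auth, [])
            otp = "".join(secrets.choice("0123456789") for _ in range(self.otp_length))
            state = secrets.token_bytes(16)
            self.pending[state] = (user, otp)
            self.sms_outbox.append((record["mobile"], "Your one-time password: " + otp))
            return self._reply(ACCESS_CHALLENGE, ident, req_auth, [(REPLY_MESSAGE, CHALLENGE_TEXT), (STATE, state)])
        pending = self.pending.pop(attrs[STATE], None)  # pop: a State and its OTP are single use
        if pending and pending[0] == user and hmac.compare_digest(pending[1].encode(), entered):
            return self._reply(ACCESS_ACCEPT, ident, req_auth, [])
        return self._reply(ACCESS_REJECT, ident, req_auth, [])

    def _reply(self, code, ident, req_auth, attrs):
        body = encode_attrs(attrs)
        return build_packet(code, ident, response_authenticator(code, ident, req_auth, body, SHARED_SECRET), body)

def login(server: OtpServer, user: str, password: str, otp=None) -> int:
    # The two-step flow of section 11; otp=None means "type whatever the SMS says"
    pkt, req_auth = vpn_access_request(user, password)
    code, attrs = vpn_check_reply(server.handle(pkt), req_auth)
    if code != ACCESS_CHALLENGE:
        return code
    otp = server.sms_outbox[-1][1].split()[-1] if otp is None else otp
    pkt, req_auth = vpn_access_request(user, otp, state=attrs[STATE])
    return vpn_check_reply(server.handle(pkt), req_auth)[0]
```

Two points for the real deployment follow from the code. The VPN Server only learns that a reply is genuine by recomputing the Response Authenticator with the shared secret, and the password is hidden with nothing stronger than MD5 keyed by that same secret, which is why the secret from section 6 should be long and random and why section 2.1 keeps the RADIUS path inside your own network rather than across the Internet. The State attribute is removed on first use, so a one-time password that has been accepted once cannot be submitted a second time.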
7 Configure Delivery Method
The Delivery Methods category is meant for enabling and configuring one or more delivery methods
that can be used by the OTP Server to send one-time passwords.
One Time Password Server offers various methods like SMS, OATH Tokens, Instant Messaging, HTTP,
Yubikey.
In this example we will use SMS with the Nordic Edge SMS-service as the SMS-provider.
During the evaluation phase, customers may use our Nordic Edge SMS-service free of charge for
30 days from the activation of the Demo Account.
● In the left Pane, click “Delivery Methods” and then "Nordic Edge SMS".
● In the right pane enable Nordic Edge SMS Gateway.
● To Request a demo account click “Request a demo account”.
● Click “Yes”
You should now get a success message, and the Username and Password for the Nordic Edge SMS
gateway have been filled in automatically.
● Click OK and Save Config.
8 Restart the One Time Password Server
● In the server panel, click “Shutdown”.
● In Windows Control Panel, open Administrative Tools / Services.
● Find the NordicEdge OTPServer Service, right click on that service and click “Start”.
9 Add mobile phone number with Microsoft Management Console
Add a mobile phone number to your test user's mobile phone attribute by starting the Microsoft MMC, selecting the test
user and entering the mobile phone number into the Mobile attribute.
10 Configuring NCP Secure Enterprise VPN Server
The main steps to configure NCP Secure Enterprise VPN Server (SES) are:
- Add External Authentication with RADIUS
- Configure Domain groups with RADIUS secret
NOTE: The following instruction steps are illustrated with screenshots from the demonstration NCP Secure Enterprise Management (SEM) configuration. The SES-SEM Demonstration Virtual Machine (SES-SEM VM), a VMware virtual image with associated documentation, is available on request from NCP. These steps should be used as a guide to illustrate how an NCP VPN Server configuration can be modified to include Nordic Edge OTP services and, in particular, how items such as the RADIUS configuration, VPN Server configuration and NCP Secure Enterprise Client parameters are modified. Integration of the Nordic Edge OTP solution into an existing NCP Enterprise VPN environment would be performed by executing steps along the lines of what is described below.
10.1 Add External Authentication
In an NCP Secure Enterprise environment, external authentication can be defined at the top level of any organizational group – in the SES-SEM VM there is one organizational group “MyCompany” and the following steps add external authentication to that group.
● Start NCP Secure Management Console.
● Select the root of the hierarchy.
● Select MyCompany.
● Click on RADIUS and select Group Settings.
● Select the External Authentication tab.
● Enable "Do external authentication for VPN user".
● Select "OTP Server" as protocol.
● Enter the IP-address to Nordic Edge OTP Server. In this case 192.168.233.10.
● Enter the RADIUS port used by Nordic Edge OTP Server. Default 1812.
● Select Info tab.
● Enable "Entry inherited to subgroups".
10.2 Configure Domain groups with RADIUS secret
● Expand MyCompany and select VPN Server.
● Expand Server Configuration and select Secure Server Templates.
● Expand Domain Groups and select Default Group.
● Select RADIUS under Configuration tab.
● Enter the RADIUS shared secret from Nordic Edge OTP Server in the Password field.
● Save changes when asked.
10.3 NCP Secure Enterprise Client settings
The SES-SEM VM as distributed includes eight demonstration users: client[1-4]_psk and client[1-4]_cert. As a part of the “IPsec rollout scenario”, Client software is installed on each demonstration user’s computer and then configured using parameters distributed via the automated “inituser” process.
“client1_psk” is used below to illustrate OTP-based user authentication in this demonstration, and the following assumes that the user “client1_psk”, referred to in SEM and the Client parameters as the “VPN User ID”, has been inserted into the LDAP database for this purpose. Thus the “VPN User ID” must match the user ID in the user database used by the Nordic Edge OTP Server. Examples:
- inetOrgPerson matches the VPN User ID in standard LDAP solutions
- sAMAccountName matches the VPN User ID in Active Directory solutions
The parameters configured at the SEM are automatically transferred via the VPN tunnel to the Client computer; initially during the “inituser” process and later, as and when changes have been input using the SEM console. The Client parameters configured at the SEM can be displayed using the following steps.
● Expand MyCompany and select Clients with PSK.
● Expand Client Configuration and select Clients.
● Expand your client (client1_psk), Profiles and select the “VPN with PSK” profile – note: this is
the link profile that will be used at the Client to establish an IPsec tunnel to the VPN Server.
● Click on VPN Tunneling and note the VPN User ID. In this case client1_psk.
10.4 Restart NCP Secure Enterprise VPN Server
Restart NCP Secure Enterprise VPN Server.
● Expand MyCompany and select VPN Server.
● Expand Server Configuration and select Secure Server.
● Select VPNServer1 and right click and select Restart.
11 Test the authentication
In this guide we are using SSL VPN and the NCP Secure Enterprise Client.
11.1 SSL VPN test
● Using a web browser, browse to the URL for the NCP VPN Server, e.g. https://NCP-VPN-IPaddress:4433
● Login with the LDAP username and password
● Enter the one-time password received via SMS
Note: The text "Please enter your One Time Password" can be configured in the OTP Server.
You are now connected via SSL VPN.
11.2 NCP Secure Enterprise Client
Verify that the VPN tunneling settings are correct in your NCP Secure Enterprise Client (steps 1 to 4
below):
● Cancel the Profile display.
● Click Connect.
● Enter the LDAP username and password.
● Enter the one-time password received via SMS.
You are now connected with the NCP Secure Enterprise Client.