HID BalaBit and ActivID AAA User Manual

The Trusted Source for
Secure Identity
Solutions
ActivID® AAA and
BalaBit® Shell Control Box
Integration Handbook
Product Version 6.7 | Document Version 1.2 | Release | April 14, 2014
ActivID AAA and BalaBit Shell Control Box | Integration Handbook
External Use | July 30, 2014 | © 2014 HID Global Corporation/ASSA ABLOY AB. All rights reserved.
Table of Contents
1.0 Introduction (page 3)
1.1 Scope of Document (page 3)
1.2 Prerequisites (page 3)
2.0 Shell Control Box Configuration (page 4)
2.1 Procedure 1: Create New RADIUS Server Instance (page 4)
2.2 Managing User Rights and User Groups (page 6)
3.0 AAA Configuration (page 8)
3.1 Procedure 1: Configure the BALABIT Gate (page 8)
3.2 Procedure 2: Assign Group(s) to the BALABIT Gate (page 9)
4.0 Sample Authentication (page 11)
1.0 Introduction
BalaBit® Shell Control Box (or SCB) is an activity monitoring solution that you install within your information system platform. It provides activity records and audit trails, in real time or after the fact, of who did what, where, when and how.
With SCB, you can control the access of internal or external IT service providers and record service provider work sessions and review them as needed (audit sessions, incidents, etc.).
The HID Global solutions that work with SCB provide versatile, flexible, strong authentication that is scalable and simple to manage.
There are two main HID Global solutions:
- AAA Server for Remote Access: an authentication server that addresses the security risks associated with a mobile workforce remotely accessing systems and data.
- ActivID Appliance: an authentication server that offers support for multiple authentication methods that are useful for diverse audiences across a variety of service channels (SAML, RADIUS, etc.), including user name and password, mobile and PC soft tokens, one-time passwords, and transparent Web soft tokens.
1.1 Scope of Document
This document describes, step by step, how to configure the integration of the ActivID AAA authentication server with the BALABIT Shell Control Box solution.
1.2 Prerequisites
- ActivID AAA Server is up to date (version 6.7), with LDAP users and groups already configured.
- BalaBit Shell Control Box is installed and configured (version SCB3.5.0 or more recent).
2.0 Shell Control Box Configuration
This chapter describes how to configure the BalaBit Shell Control Box (SCB) to work with ActivID AAA. When a user signs into a BalaBit Shell Control Box appliance, the BalaBit appliance forwards the user's credentials to an authentication server to verify the user's identity. You will need to create a new RADIUS server instance for the ActivID AAA server, in order to validate the user's one-time password generated by a token.
2.1 Procedure 1: Create New RADIUS Server Instance
When an external RADIUS server is used to authenticate BALABIT users, you must configure the RADIUS server to recognize the BalaBit SCB as a client, and you must specify a shared secret that the RADIUS server uses to authenticate client requests. To configure a connection to the RADIUS server on the BalaBit Shell Control Box (SCB) appliance, perform the following steps.
1. On the main tab of the navigation pane, expand AAA, and then click Settings.
2. Set the Authentication Method field to RADIUS.
3. In the Address field, enter the IP address or the domain name of the RADIUS server.
4. In the Shared secret field, enter the shared secret that SCB uses to authenticate to the server (it must be the same value as the Shared Secret field in ActivID AAA).
5. To add more RADIUS servers, click + and repeat steps 2-4.
Note: If a server is unreachable, SCB will try to connect to the next server in the list in failover fashion.
6. In the Server Address field, enter the IP address or hostname and port of the LDAP server.
7. To add multiple LDAP servers, click + and enter the Server Address of the next server.
8. In the Type field, select the LDAP server type. For example, select Active Directory to connect to Microsoft Active Directory servers.
9. In the Base DN Field, enter the name of the DN to be used as the base of the queries (for example DC=demodomain,DC=exampleinc).
10. In the Bind DN field, enter the DN that SCB should bind to before querying the directory (for example: CN=Administrator,CN=Users,DC=demodomain,DC=exampleinc).
11. In the Bind Password field, enter the password to use when binding to the LDAP server.
12. Click Commit.
13. Wait for the configuration to apply.
14. Click Test to validate the LDAP connection.
15. If the test succeeds, a confirmation message is displayed. Click Ok.
2.2 Managing User Rights and User Groups
In SCB, user rights can be assigned to user groups. SCB has numerous user groups defined by default, but custom user groups can be defined as well. Every group has a set of privileges: which pages of the SCB web interface it can access and whether it can only view (read) or also modify (read & write/perform) those pages or perform certain actions.
To modify the privileges of an existing group, complete the following steps:
1. On the main tab of the navigation pane, expand AAA, and then click Access Control.
2. Click + to add a new LDAP Group.
3. Enter the name of your LDAP Group (as named in the LDAP directory; it must match your ActivID AAA LDAP configuration).
4. Select the privileges to which the group will have access and click Commit.
3.0 AAA Configuration
This chapter describes how to configure the ActivID AAA Authentication Server.
3.1 Procedure 1: Configure the BALABIT Gate
A gate for the ActivID AAA Server is a group of Network Access Servers (NAS) that is used to simplify administration. For configuration details, refer to ActivID AAA Server technical documentation.
1. In the tree in the left pane of the Administration Console, expand the Servers line.
2. Right-click on the server to which you want to add a gate, and then click New Gate.
3. Enter a Gate name (can be any string).
4. Select the RADIUS option.
5. Use the Authorized IP addresses and host names section to specify filter(s) for the gate.
6. Click Add, and then click OK.
7. The ActivID AAA Server uses the RADIUS shared secret to encrypt data between BalaBit SCB and the AAA authentication server. Click Shared Secret, and then enter the shared secret for your system (the same value that was entered on the SCB).
8. Click OK.
3.2 Procedure 2: Assign Group(s) to the BALABIT Gate
Note that the user groups must already exist and the corresponding LDAP directory must be configured. For details, refer to the ActivID AAA Administration Guide.
1. To assign groups to the BalaBit Gate, in the tree in the left pane, select the group that you want to assign to the gate.
2. Use the Group / Gate Assignments section of the page to specify the gate(s) for the group’s users to utilize in order to access a protected resource.
3. Click Add.
4. Select the Gate, the AZ profile, and the AC profile and then click OK.
4.0 Sample Authentication
1. To access the SCB web interface, enter the following URL in your web browser:
https://SCB_ip_access
2. Then log on using your user name and the One-Time Password generated by your ActivID Token (the example uses a PC Token).
Contacts: Americas +1 510.574.0100 | US Federal +1 571.522.1000 | Europe +33 (0) 1.42.04.84.00 | Asia Pacific +61 (0) 2.6208.4888
Web: http://www.hidglobal.com/identity-assurance
Corporate Headquarters: 611 Center Ridge Drive, Austin, TX 78753 | www.hidglobal.com | +1 949.732.2000
Copyright
© 2014 HID Global. All rights reserved.
Trademarks
HID, the HID logo, ActivID, and/or other HID Global products or marks referenced herein are either registered trademarks or trademarks of HID Global Corporation in the United States and/or other countries.
The absence of a mark, product, service name or logo from this list does not constitute a waiver of the HID Global trademark or other intellectual property rights concerning that name or logo. The names of actual companies, trademarks, trade names, service marks, images and/or products mentioned herein are the trademarks of their respective owners. Any rights not expressly granted herein are reserved.