BalaBit® Shell Control Box (SCB) is an activity monitoring solution that you install within your information
system platform. It records activities and audit trails, in real time or for later review, showing who did what,
where, when and how.
With SCB, you can control the access of internal or external IT service providers and record service provider
work sessions and review them as needed (audit sessions, incidents, etc.).
The HID Global solutions that work with SCB provide versatile, flexible, strong authentication that is scalable
and simple to manage.
There are two main HID Global solutions:
AAA Server for Remote Access - an authentication server that addresses the security risks associated with a
mobile workforce remotely accessing systems and data.
ActivID Appliance - an authentication server that supports multiple authentication methods suited to diverse
audiences across a variety of service channels (SAML, RADIUS, etc.), including user name and password,
mobile and PC soft tokens, one-time passwords, and transparent Web soft tokens.
1.1 Scope of Document
This document describes, step by step, how to configure the integration of the ActivID AAA authentication
server with the BalaBit Shell Control Box solution.
1.2 Prerequisites
ActivID AAA Server is up-to-date (version 6.7) with LDAP users and groups already configured.
BalaBit Shell Control Box is installed and configured (version SCB3.5.0 or more recent).
Page 4
ActivID AAA and BalaBit Shell Control Box | Integration Handbook
2.0 Shell Control Box Configuration
This chapter describes how to configure the BalaBit Shell Control Box (SCB) to work with ActivID AAA. When
a user signs into a BalaBit Shell Control Box appliance, the BalaBit appliance forwards the user’s credentials
to an authentication server to verify the user’s identity. You will need to create a new RADIUS server instance
for the ActivID AAA server, in order to validate the user’s one-time password generated by a token.
2.1 Procedure 1: Create New RADIUS Server Instance
When an external RADIUS server is used to authenticate BalaBit users, you must configure the RADIUS
server to recognize BalaBit as a client, and you must specify a shared secret that the RADIUS server uses to
authenticate client requests. To configure a connection to the RADIUS server on the BalaBit Shell Control Box
(SCB) appliance, perform the following steps.
1. On the main tab of the navigation pane, expand AAA, and then click Settings.
2. Set the Authentication Method field to RADIUS.
3. In the Address field, enter the IP address or the domain name of the RADIUS server.
4. In the Shared secret field, enter the password that SCB can use to access the server (must be the same
one as in the Shared Secret field in ActivID AAA).
5. To add more RADIUS servers, click + and repeat steps 2-4.
Note: If a server is unreachable, SCB will try to connect to the next server in the list in failover
fashion.
6. In the Server Address field, enter the IP address or hostname and port of the LDAP server.
7. To add multiple LDAP servers, click + and enter the Server Address of the next server.
8. In the Type field, select the LDAP server type. For example, select Active Directory to connect to
Microsoft Active Directory servers.
9. In the Base DN field, enter the DN to be used as the base of the queries (for example
DC=demodomain,DC=exampleinc).
10. In the Bind DN field, enter the DN that SCB should bind to before accessing the database (for example
CN=Administrator,CN=Users,DC=demodomain,DC=exampleinc).
11. In the Bind Password field, enter the password to use when binding to the LDAP server.
12. Click Commit.
15. If the test succeeds, you will see the following message. Click Ok.
2.2 Managing User Rights and User Groups
In SCB, user rights can be assigned to user groups. SCB has numerous user groups defined by default, but
custom user groups can be defined as well. Every group has a set of privileges: which pages of the SCB web
interface it can access and whether it can only view (read) or also modify (read & write/perform) those pages
or perform certain actions.
To modify the privileges of an existing group, complete the following steps:
1. On the main tab of the navigation pane, expand AAA, and then click Access Control.
This chapter describes how to configure the ActivID AAA Authentication Server.
3.1 Procedure 1: Configure the BALABIT Gate
A gate for the ActivID AAA Server is a group of Network Access Servers (NAS) that is used to simplify
administration. For configuration details, refer to ActivID AAA Server technical documentation.
1. In the tree in the left pane of the Administration Console, expand the Servers line.
2. Right-click on the server to which you want to add a gate, and then click New Gate.
3. Enter a Gate name (can be any string).
4. Select the RADIUS option.
5. Use the Authorized IP addresses and host names section to specify filter(s) for the gate.
6. Click Add, and then click OK.
7. The ActivID AAA Server uses the RADIUS shared secret to encrypt data between BalaBit SCB and the
AAA authentication server. Click Shared Secret, and then modify the appropriate shared secret for your
system.
8. Click OK.
3.2 Procedure 2: Assign Group(s) to the BALABIT Gate
Note that you must have user groups created already and the corresponding LDAP configured. For details,
refer to the ActivID AAA Administration Guide.
1. To assign groups to the BalaBit Gate, in the tree in the left pane, select the group that you want to assign
to the gate.
2. Use the Group / Gate Assignments section of the page to specify the gate(s) that the group's users use
to access a protected resource.
HID, the HID logo, ActivID, and/or other HID Global products or marks
referenced herein are either registered trademarks or trademarks of HID
Global Corporation in the United States and/or other countries.
The absence of a mark, product, service name or logo from this list does
not constitute a waiver of the HID Global trademark or other intellectual
property rights concerning that name or logo. The names of actual
companies, trademarks, trade names, service marks, images and/or
products mentioned herein are the trademarks of their respective owners.
Any rights not expressly granted herein are reserved.