HID Wallix and ActivID AAA User Manual

4TRESS AAA and Wallix® AdminBastion | Integration Handbook
Document Version 1.2 | Released | May 2013
External Release | © 2012
hidglobal.com

Table of Contents

1.0 Introduction
    1.1 Scope of Document
    1.2 Prerequisites
2.0 AdminBastion Configuration
    2.1 Procedure 1: Create New RADIUS Server Instance
    2.2 Procedure 2: Create Users
        2.2.1 Task 1: Import Users from an LDAP/LDAPS/AD Directory
        2.2.2 Task 2: Create Manual Users
3.0 AAA Configuration
    3.1 Procedure 1: Configure the WALLIX Gate
    3.2 Procedure 2: Assign Group(s) to the WALLIX Gate
4.0 Sample Authentication
Copyright
Trademarks
Revision History

© 2012-2013 HID Global Corporation/ASSA ABLOY AB. All rights reserved.

1.0 Introduction

WALLIX® AdminBastion (or WAB) is a solution that you can install in your Information System that provides information—in real or delayed time—on who did what, where, and how. With WAB, you can control the access of internal or external IT service providers. You can record service provider work sessions and review them as and when needed (audit sessions, incidents, etc.).
The HID Global solutions that work with WAB provide versatile, flexible, strong authentication that is scalable and simple to manage.
There are two main HID Global solutions:
AAA Server for Remote Access—Addresses the security risks associated with a mobile workforce remotely accessing systems and data.
Authentication Server (AS)—Offers support for multiple authentication methods that are useful for diverse audiences across a variety of service channels (SAML, RADIUS, etc.), including user name and password, mobile and PC soft tokens, one-time passwords, and transparent Web soft tokens.

1.1 Scope of Document

This document explains how to set up 4TRESS AAA authentication with the WALLIX AdminBastion solution.

1.2 Prerequisites

4TRESS AAA Server is up-to-date (version 6.7) with LDAP users and groups already configured.
WALLIX AdminBastion is installed and configured (version wab2-3.0.2.16 or more recent).

2.0 AdminBastion Configuration

This chapter describes how to manage WALLIX AdminBastion. When a user signs into a WALLIX AdminBastion appliance, the WALLIX appliance forwards the user’s credentials to an authentication server to verify the user’s identity. You will create a new RADIUS server instance so that the 4TRESS AAA server can validate the user’s one-time password generated by a token.

2.1 Procedure 1: Create New RADIUS Server Instance

When an external RADIUS server is used to authenticate WALLIX users, you must configure the RADIUS server to recognize the WALLIX as a client, and you must specify a shared secret for the RADIUS server to use to authenticate client requests. To configure a connection to the RADIUS server on the WALLIX AdminBastion appliance, perform the following steps.
1. On the main tab of the navigation pane, expand WAB Configuration, and then click External Authentication.
2. Specify the following:
   - Name/label of the authentication
   - IP address or server FQDN
   - RADIUS port
   - Pre-shared-key
3. Click Apply.

2.2 Procedure 2: Create Users

2.2.1 Task 1: Import Users from an LDAP/LDAPS/AD Directory

You can populate the WAB internal LDAP database by importing user data stored in a remote directory. For each directory, you must know:
The type of server, its address, and the connection port.
The organization unit.
The connection attribute, that is, the user data that will be used to create the WAB username.
The username and password if read access to the directory is restricted (mandatory for an Active Directory).
Note: The identifier used must have read permissions for the path where user data is stored.
If you are unfamiliar with the procedure required to import users, then please refer to WAB technical documentation for details. When you have finished importing user data stored in a remote directory, and the import has been successful, a new page opens containing a list of users extracted from the directory.

2.2.2 Task 2: Create Manual Users

From the page displayed that lists users, click the icon displayed to access the page to add a user.
1. The Add User form lists the following elements. Enter the appropriate information.
   - An identifier (username), the one used by a person to log onto the GUI and onto the proxies.
   - A full name (a name that makes it possible to identify to whom the username belongs).
   - An e-mail address.
   - A preferred language (used to select the language in which messages forwarded to the user by the proxies are displayed).
   - A source IP address (used to limit access to the proxies to this IP or FQDN address). This limitation does not affect access to the GUI.
   - The authentication server (specified previously in Procedure 1).
2. Click Apply.

3.0 AAA Configuration

This chapter describes how to configure the 4TRESS AAA Authentication Server.

3.1 Procedure 1: Configure the WALLIX Gate

A gate for the 4TRESS AAA Server is a group of Network Access Servers (NAS) that is used to simplify administration. For configuration details, refer to 4TRESS AAA Server technical documentation.
1. In the tree in the left pane of the Administration Console, expand the Servers line.
2. Right-click on the server to which you want to add a gate, and then click New Gate.
3. Enter a Gate name (can be any string).
4. Select the RADIUS option.
5. Use the Authorized IP addresses and host names section to specify filter(s) for the gate.
6. Click Add, and then click OK.
7. The 4TRESS AAA Server uses the RADIUS shared secret to encrypt data between WALLIX and the AAA authentication server. Click Shared Secret, and then modify the appropriate shared secret for your system.
8. Click OK.
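
The pre-shared key entered on the WAB in section 2.1 and the shared secret set on the gate in step 7 must match, because standard RADIUS (RFC 2865) uses that value both to hide the User-Password attribute that carries the one-time password and to authenticate the server's reply. The following is an added example, not taken from the HID Global or WALLIX documentation; the function names, user name, OTP and secret are constructed for illustration.

```python
import hashlib
import hmac
import struct

def _xor(block: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(block, pad))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: a mismatched secret yields garbage here, not an explicit error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def access_request(ident: int, user: bytes, otp: bytes, secret: bytes,
                   authenticator: bytes) -> bytes:
    """Build an Access-Request (code 1) with User-Name (1) and User-Password (2)."""
    hidden = hide_password(otp, secret, authenticator)
    attrs = bytes([1, 2 + len(user)]) + user + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def response_is_authentic(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Response Authenticator = MD5(code + id + length + request_auth + attrs + secret)."""
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

# Constructed sample values (not from the handbook).
SECRET = b"example-shared-secret"
REQ_AUTH = bytes(range(16))  # fixed for reproducibility; must be random per request
PACKET = access_request(7, b"jdoe", b"492817", SECRET, REQ_AUTH)
```

The only protection on the wire is MD5 keyed with the shared secret, so the value configured on both sides should be long and random, and the Authorized IP addresses filter on the gate should list only the WAB appliance.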

3.2 Procedure 2: Assign Group(s) to the WALLIX Gate

Remember that you must have user groups created already and the corresponding LDAP configured. For details, refer to the 4TRESS AAA Administration Guide.
1. To assign groups to the WALLIX Gate, in the tree in the left pane, select the group that you want to assign to the gate.
2. Use the Group / Gate Assignments section of the page to specify gate(s) for the group’s users to utilize in order to access a protected resource.
3. Click Add.
4. Select the Gate, the AZ profile, and the AC profile.
5. Click OK.

4.0 Sample Authentication

1. To access the WAB web interface, enter the following URL in your web browser:
https://wab_ip_access
2. Then log in using your username and the one-time password generated by your ActivID Token (the following illustration shows the use of a PC Token).

Copyright

© 2012-2013 HID Global Corporation/ASSA ABLOY AB. All rights reserved.

Trademarks

HID, the HID logo, ActivID, 4TRESS and/or other HID Global products or marks referenced herein are registered trademarks or trademarks of HID Global Corporation in the United States and/or other countries.
The absence of a mark, product, service name or logo from this list does not constitute a waiver of the HID Global trademark or other intellectual property rights concerning that name or logo. The names of actual companies, trademarks, trade names, service marks, images and/or products mentioned herein are the trademarks of their respective owners. Any rights not expressly granted herein are reserved.

Revision History

Date | Author | Description | Document Version
February 2012 | Eco-System Workgroup | Initial release | 1.1
May 2013 | Eco-System Workgroup | Updated copyright statement, rebranding to HID Global TP template | 1.2