RSA SecurID Ready Implementation Guide
Last Modified: April 25, 2005
Partner Information
Partner Name: Nortel Networks
Web Site: www.nortelnetworks.com

Product Information
Product Name: VPN Gateway 3050
Version & Platform: 5.0.3
Product Description: The Nortel Networks VPN Gateway 3050 is a remote access
security solution that extends the reach of enterprise applications
and resources to remote users. The gateway performs on-the-fly
content transformation to instantly convert most intranet resources
into externally-viewable, secure HTML pages and employs an
advanced network address and port translation (NAPT) utility to
build SSL-secured VPN tunnels for client/server communications.
Product Category: Perimeter Defense (VPN, Firewalls & Intrusion Detection)
Solution Summary
The Nortel Networks VPN Gateway 3050 is a remote access security solution that extends the reach of
enterprise applications and resources to remote employees, partners, and customers. By using the
native capability of widely deployed Web browsers, the SSL VPN Gateway offers a convenient clientless
alternative for securely provisioning resources for remote users, without the need to install and manage
client tunneling software on their PCs.
Due to the clientless nature of this solution, strong two-factor authentication is essential to ensure the
identity of users connecting to your enterprise from the Internet. For this reason, Nortel Networks VPN
Gateway 3050 provides support for the RSA Authentication Manager as a method of strong
authentication for users using RSA SecurID.
For enterprises maintaining IPsec VPN environments, the Nortel VPN Gateway 3050 provides a new
level of deployment flexibility and end-user support by incorporating IPsec VPN client termination to
remove the network administrator's challenge of managing multiple devices to deliver both types of
remote access service.
Partner Integration Overview
Authentication Methods Supported: Native RSA SecurID, RADIUS
List Library Version Used: 5.03
RSA Authentication Manager Name Locking *: Yes
RSA Authentication Manager Replica Support *: Full Replica Support
Secondary RADIUS Server Support: Yes
Location of Node Secret on Agent: Within RSA Server configuration
RSA Authentication Agent Host Type: Communication server
RSA SecurID User Specification: Designated users
RSA SecurID Protection of Administrative Users: No
RSA Software Token API Integration: No
Use of Cached Domain Credentials: No
* = Mandatory Function when using Native SecurID Protocols
Product Requirements
Partner Product Requirements: Nortel VPN Gateway 3050
Firmware Version: 5.0.3

Hardware Platform
Platform: VPN 3050, ASA 310, ASA 410, ASA 310 FIPS
Required Patches: N/A

Additional Software Requirements
Application: Internet Explorer 5.0, 5.5 and 6.0
Additional Patches:
Agent Host Configuration
To facilitate communication between the Nortel VPN Gateway and the RSA Authentication Manager /
RSA SecurID Appliance, an Agent Host record must be added to the RSA Authentication Manager
database. The Agent Host record identifies the Nortel VPN Gateway within its database and contains
information about communication and encryption.
To create the Agent Host record, you will need the following information.
• Hostname
• IP Addresses for all network interfaces
• RADIUS Secret (When using RADIUS Authentication Protocol)
When adding the Agent Host Record, you should configure the Nortel VPN Gateway as Communication
Server. This setting is used by the RSA Authentication Manager to determine how communication with
the Nortel VPN Gateway will occur.
Note: Hostnames within the RSA Authentication Manager / RSA SecurID
Appliance must resolve to valid IP addresses on the local network.
Please refer to the appropriate RSA Security documentation for additional information about Creating,
Modifying and Managing Agent Host records.
Additional Steps for RSA Authentication Manager RADIUS Profiles
Configure a RADIUS Profile in the RSA Authentication Manager
The following steps are for administrators configuring the Nortel VPN Gateway 3050 for RSA RADIUS
authentication to the RSA Authentication Manager. These steps are not necessary when using the
Native RSA SecurID authentication method.
When configuring RADIUS authentication directly to your RSA Authentication Manager, follow the steps
below to configure a RADIUS Profile and assign it to your users. This configuration is basic and only
details the minimum steps to get the VPN Gateway 3050 working with the RSA Authentication Manager
RADIUS listener. For additional information on RADIUS Profiles, refer to your RSA Authentication
Manager Administrative documentation.
1. Within the Profiles menu, select Add Profile.
2. Name your Profile to make it easily identifiable for future usage, e.g. “Nortel VPN Profile”.
3. From the left menu, select Vendor-Specific.
4. Enter a string value as follows: 1872 1 "RADIUS GROUP NAME"
5. Save and Apply your changes.
Note: The string “RADIUS GROUP NAME” refers to the User Group
Name configured within the VPN Gateway IOS. This string must match the
group to which the RSA SecurID Challenged users belong. This string must
be enclosed in double quotes and is case sensitive.
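An added example (not from the original guide, Nortel or RSA): it assumes the three fields of the profile string are a vendor ID, a vendor attribute type and a string value, carried in the standard RADIUS Vendor-Specific layout of RFC 2865, and checks a constructed attribute list for the exact, case-sensitive group name. The group name "SecurID-Users" and all function names are hypothetical.

```python
import shlex
import struct

VENDOR_SPECIFIC = 26  # RADIUS Vendor-Specific attribute type (RFC 2865, section 5.26)

def parse_profile_entry(entry):
    # Split a profile string such as: 1872 1 "Group Name" (field meaning is an assumption).
    parts = shlex.split(entry)
    if len(parts) != 3:
        raise ValueError('expected: <vendor-id> <vendor-type> "<value>"')
    return int(parts[0]), int(parts[1]), parts[2]

def encode_vsa(vendor_id, vendor_type, value):
    # Type 26 | length | 4-byte vendor id | vendor type | vendor length | value
    data = value.encode("ascii")
    body = struct.pack("!IBB", vendor_id, vendor_type, len(data) + 2) + data
    if len(body) + 2 > 255:
        raise ValueError("value too long for a single RADIUS attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body

def extract_vsa_values(attrs, vendor_id, vendor_type):
    # Walk a RADIUS attribute list; return values of matching vendor sub-attributes.
    found, i = [], 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute length")
        body = attrs[i + 2:i + alen]
        j = 4
        is_ours = (atype == VENDOR_SPECIFIC and len(body) >= 6
                   and struct.unpack("!I", body[:4])[0] == vendor_id)
        while is_ours and j + 2 <= len(body):
            vtype, vlen = body[j], body[j + 1]
            if vlen < 2 or j + vlen > len(body):
                raise ValueError("malformed vendor sub-attribute")
            if vtype == vendor_type:
                found.append(body[j + 2:j + vlen].decode("ascii"))
            j += vlen
        i += alen
    return found

def group_matches(attrs, entry, gateway_group):
    # Exact comparison: the group name is case sensitive.
    vendor_id, vendor_type, _ = parse_profile_entry(entry)
    return gateway_group in extract_vsa_values(attrs, vendor_id, vendor_type)

# Constructed sample: Reply-Message (type 18) followed by the group attribute.
ENTRY = '1872 1 "SecurID-Users"'
SAMPLE_ATTRS = b"\x12\x04OK" + encode_vsa(*parse_profile_entry(ENTRY))
```

A group name that differs only in case from the value in the profile does not match, which is the usual cause of a user authenticating successfully but landing in no group.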
Assign RADIUS Profile to your RSA SecurID Users
1. From the user administration screen, click the button labeled Assign Profile.
2. Select the RADIUS profile you configured in the last section.
3. You will now see the assigned profile listed in the user information screen.
4. Save changes to this user.