2. Server Installation
4.4 Verify OTP via Login from the VPN Client
All contents copyright (c) 2010 ZyXEL Communications Corporation.
ZyXEL– ZyWALL OTPv2 Support Notes
1. Introduction
One-Time Password (OTP) Authentication
One-Time Password (OTP) is a security technology that enables a server to authenticate
you based on a password that is unique every time you try to access a protected network.
Two-Factor Authentication
Two-factor authentication is an optimum security methodology, because it requires something you have
(your ZyWALL OTP Token) and something you know (your secure password or PIN). A two-factor system
is far more secure than using just a password, since many skilled hackers can quite easily access
password-only protected computers and networks. The illustration shows the concept of Two-Factor
authentication.
User PIN and Token code
User PIN is what you know and Token code is what you have.
ZyWALL OTP Product Components
ZyWALL OTP, which includes the ZyWALL OTP Token and SafeWord 2008, provides secure verification of
identity to remote Virtual Private Network (VPN) and Local Area Network (LAN) users.
SafeWord product installation always includes:
- SafeWord Core Server
- Management console (AD or SafeWord Management Console)
- Agents or SafeWord RADIUS Server
SafeWord Core Server
The SafeWord Core Server consists of 3 main components:
- Database server (MySQL) – installed by default. The SafeWord database serves as the repository for
token records independent of the management mode. It stores the Tokens' serial numbers and the Token
(seed) used to generate the OTP. The database server listens on port 5010 by default, and only the
Administration service and Authentication engines can query it directly.
- Administration server – runs administration services and performs tasks initiated by administrators
or users. It updates the SafeWord database and synchronizes SafeWord database data in configurations
with the MMC console and User Center. It also performs replication of changes between peers. It listens
on port 5040 by default.
- Authentication server (AAA) – runs the authentication engine that verifies that the passcode supplied
with an access request is correct for the token assigned to a specific user. It listens on port 5031
by default.
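The default ports above can be checked against the output of `netstat -ano` collected on the SafeWord server. The following is an added example, not part of the original notes or of SafeWord itself: it assumes a single-server installation, where the database port should only be reached from the local machine or from hosts you explicitly trust, and the function name `audit` and the sample output are constructed for illustration.

```python
import re

# Default SafeWord Core Server ports, as listed in the notes above.
SAFEWORD_PORTS = {5010: "database", 5040: "administration", 5031: "authentication"}
LOOPBACK = {"127.0.0.1", "[::1]"}

# Constructed sample of `netstat -ano` output; not captured from a real server.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:5010           0.0.0.0:0              LISTENING       2312
  TCP    0.0.0.0:5031           0.0.0.0:0              LISTENING       2480
  TCP    192.168.1.10:5010      192.168.1.77:49512     ESTABLISHED     2312
  TCP    127.0.0.1:5010         127.0.0.1:49301        ESTABLISHED     2312
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def audit(netstat_text, trusted_db_clients=frozenset()):
    """Return (listeners, findings) for the SafeWord ports in netstat -ano output."""
    listeners, findings = {}, []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, UDP rows, blank lines
        laddr, lport, raddr, _rport, state, pid = m.groups()
        lport = int(lport)
        if lport not in SAFEWORD_PORTS:
            continue
        role = SAFEWORD_PORTS[lport]
        if state == "LISTENING":
            listeners[role] = (laddr, int(pid))
            # Assumption: on a single server the database needs no remote clients.
            if role == "database" and laddr not in LOOPBACK:
                findings.append(f"database port {lport} listens on {laddr}; "
                                "restrict it with a host firewall rule")
        elif state == "ESTABLISHED" and role == "database":
            if raddr not in LOOPBACK and raddr not in trusted_db_clients:
                findings.append(f"unexpected database client {raddr}")
    for role in SAFEWORD_PORTS.values():
        if role not in listeners:
            findings.append(f"{role} service is not listening on its default port")
    return listeners, findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_NETSTAT)[1]:
        print("FINDING:", finding)
```

Pass the addresses of any peer SafeWord servers as `trusted_db_clients` so that legitimate replication or remote engines are not reported.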
Management Console (AD)
The Management console integrated with Microsoft AD is the interface used to directly update the
database via the SafeWord Administration Service.
You can use this to import Tokens (add token serial numbers to the SafeWord database) or back up and
restore Token data.
It also lets you view and manage all imported Tokens.
Agents or SafeWord RADIUS Server
The OTP RADIUS authentication server is a standard Microsoft RADIUS component based on Internet
Authentication Service (IAS). The agent contains a configuration file specifying where the SafeWord
server holds the user repository and the Authentication service.
An agent can be installed only if its supporting (base) software components exist. Otherwise the agent
will not appear for selection in the installation components window. For example, the RADIUS server agent
can be installed only when IAS is installed.
2. Server Installation
2.1 Pre-requisites
Before starting to install the SafeWord server, verify the following:
- Hardware requirements of the system
  - CPU – Pentium IV or AMD @ 1.8 GHz (min), 2 GHz (recommended)
  - RAM – 1 GB (min), 4 GB (recommended)
  - Disk space – 3 to 5 GB (min)
- Software requirements of the system
  - Server OS – 32 or 64 bit Windows Server 2003 or 2008
  - Desktop OS – 32 or 64 bit Windows XP (SP2) or Vista
  - Have a working Active Directory environment if you are installing SafeWord 2008 ESP for
    managing users.
  - Have the IAS Agent installed for RADIUS authentication.
2.2 Installation walk-through
We will briefly walk through the system installation process. For up-to-date user manuals, users can
check SafeNet’s website. The link is: http://www.aladdin.com/safeword/docs/2008.aspx
Step 1. Install SafeWord 2008 server
Below is a flow chart-type snapshot of the installation process, with no Agents selected for installation.
Users can find more detailed information in chapter 2 “Installing and Activating SafeWord 2008” of the
SafeWord 2008 Administration Guide on the SafeNet website.
Step 2. Activate SafeWord 2008 server
By default, SafeWord 2008 comes with a 30-day evaluation license. If you want to continue using it,
activation is required.
There are two methods of activating SafeWord 2008: using ADUC, or directly from Aladdin’s website if
not using ADUC. In either case, you must sign in and register on the Aladdin portal at
https://portal.aladdin.com before you can complete and submit an activation form. After activating, your
information will be verified, and the activation key and token records will be downloaded automatically for
ADUC, and manually if you are not using ADUC.
After logging into the SafeNet portal, users can click the “SafeWord Activation” link to perform on-line