11 April 2019 at 11:51 AM
Configuring Centrify Platform for RADIUS MFA with Symantec Validation and Identity Protection (VIP).
There are several prerequisites for setting this up in your environment; the parts below walk through them in order.
Part 1 – Install the Centrify Connector.
If you haven't already set up the Centrify Connector, see my colleague's article, which describes the process:
https://community.centrify.com/t5/TechBlog/How-To-Installing-the-Centrify-Connector/ba-p/27840
Part 2: Configure the Symantec VIP service.
You may already have access to a working instance of the Symantec VIP service. If so, review the steps here to make sure you have a test user to work with. If you do not have access to a working instance, you can register for a trial licence of the service on Symantec's website.
Once you register for the trial you will receive an email with setup instructions; follow them before continuing.
Part 3: Log into VIP Manager and download the required files.
From the Account tab, select "Download Files".
Select Enterprise Gateway, then the latest version (for example 9.8).
Download the Enterprise Gateway install files. The documentation is also available in this location.
Extract the zip file and run the setup program. Accept the defaults, entering a user to administer the gateway.
You will now be able to log into the Enterprise Gateway console at:
localhost:8232/vipegconsole/login.action
Part 4: Install a VIP Certificate.
The first task is to add a VIP Certificate, which the gateway uses to authenticate itself to the VIP cloud service.
From VIP Manager, Account tab, Manage VIP Certificates.
Request a VIP Certificate:
Follow the steps and enter a certificate name, e.g. Centrify.
Select PKCS#12 and set a password.
Download the certificate.
Go back to the VIP Enterprise Gateway and click "Add VIP Certificate".
Browse to the previously downloaded certificate, enter the password and set an alias.
The certificate will now be imported. Note that the PKCS#12 file contains the gateway's private key: protect the file and its password, and remove the file from the download location once the import has succeeded.
Part 5: Add a Trusted CA Certificate.
(Configuration steps for an enterprise CA are excluded from this tutorial.) For this lab guide, the trusted root CA certificate has been exported from the local CA and imported into the EGW. The steps below are provided as background.
Certificate Export Wizard:
On the Enterprise Gateway server, import the trusted root certificate as per the Symantec documentation.
With the trusted CA certificate imported on the server, add it in the Enterprise Gateway console under Trusted CA Certificates.
Select the certificate previously exported.
Save the changes.
Restart the Symantec VIP Enterprise Gateway for the changes to take effect.
Part 6: Configure the User Store.
From the VIP Enterprise Gateway, select User Store, Add User Store.
Notes:
The fields are self-explanatory; consult the Symantec documentation for further information. A user "vipuser" was created in CN=Users for the LDAP bind. Use a dedicated, read-only account with a strong password for this bind rather than an administrative account: the EGW only needs to look users up. If the user store connection uses LDAPS, the EGW validates the directory's certificate against the trusted CA certificate imported in Part 5.
Part 7. Add an SSL Certificate.
(As previously mentioned, certificate advice and discussion are excluded from this tutorial. For this lab guide, we created a self-signed SSL certificate in IIS Manager and are importing it into the VIP Enterprise Gateway. A self-signed certificate is acceptable in a lab; for production, use a certificate issued by a CA that your users' browsers already trust.)
Example:
From within the VIP Enterprise Gateway, select SSL Certificate, Add SSL Certificate:
Submit.
Part 8. Configure the Self Service Portal
Select to configure the Self Service Portal.
Select to use SSL and choose the CentrifySelfSigned certificate.
Start the service.
Note the URL for the Self Service Portal.
Log into the Self Service Portal. The expected behaviour is that a user from your Active Directory is redirected to the Symantec Self Service Portal to register a token.
User kev.smith logs into the local Self Service Portal.
kev.smith is then asked to select and register a Symantec credential.
Part 9: Configure the Symantec Enterprise Gateway as a RADIUS validation server.
In the Symantec Enterprise Gateway, go to Validation, RADIUS Validation Server, "Add Server".
Select Custom Configuration.
Add a server name, e.g. "Centrify".
Add a RADIUS shared secret, e.g. "Centrify". (A short, guessable secret is fine for this lab only. The RADIUS protocol hides the User-Password and authenticates replies using MD5 keyed by this secret, so in production use a long random secret, a different one for each RADIUS client, and allow RADIUS traffic only from the Centrify Connector's address.)
Enter a Remote Access Service name, e.g. "Centrify VIP".
Click Submit.
Under Status, turn on the RADIUS Validation Server.
The status should now show On.
Part 10: Configure Centrify for RADIUS support.
From the Centrify Admin Portal, go to Settings, Authentication, RADIUS Connections.
Provide a name, e.g. "Radius VIP".
Set the server hostname or IP address to the address of the Symantec Enterprise Gateway server.
Enter the shared secret, e.g. "Centrify" (it must match the secret entered on the Enterprise Gateway in Part 9 exactly).
User Identifier Attribute: change to "Custom" and enter "sAMAccountName". (This must match the user name attribute configured on the Symantec Enterprise Gateway user store, otherwise the EGW will not find the user it is asked to validate.)
Save.
Part 11. Enable connections to external RADIUS servers, then create an Authentication Profile.
First enable connections to external RADIUS servers in the Centrify Portal. (This is separate from the per-policy "Allow 3rd Party RADIUS Authentication" setting configured in the policy below; both are needed.)
Then go to Centrify Portal, Settings, Authentication, Authentication Profiles, "Add Profile".
Profile name: "MFA with Radius".
For initial testing, select "Password" and "3rd Party RADIUS Authentication" as the authentication mechanisms.
Create a Role:
Core Services, Roles, "Add Role".
Name = "Radius Test Users".
Members = select a group from AD or individual users for testing purposes. In this lab I am adding my test user kev.smith.
Create a New Policy:
Core Services, Policies, "Add Policy Set". Name = "Radius Test Policy".
Policy Assignment, Specified roles = "Radius Test Users". Keep the policy scoped to this test role and leave at least one administrative account outside it, so that a misconfigured or unreachable RADIUS server cannot lock every user, including you, out of the portal.
Under User Security Policies, RADIUS, set "Allow 3rd Party RADIUS Authentication" to "Yes".
Under Login Policies, Centrify Portal, set "Enable Authentication Policy Controls" to "Yes".
Set the Default Profile to "MFA with Radius".
Part 12: Test the RADIUS authentication.
From the Centrify Portal:
Enter your user details, e.g. "kev.smith".
From the drop-down of authentication options, select "MFA with Radius".
Open the Symantec VIP Access client.
Enter the OTP code.
You will now be authenticated via RADIUS.
Optionally, check the dashboard to review user logins.
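What happens on the wire during Part 12 is a plain RFC 2865 PAP exchange: the Centrify Connector sends an Access-Request carrying the sAMAccountName as User-Name and the OTP as a hidden User-Password, and the Enterprise Gateway answers with an Access-Accept or Access-Reject whose Response Authenticator is keyed with the shared secret from Parts 9 and 10. The following is an added example written for this page, not Centrify or Symantec code: it builds the request, plays the EGW side with a simulated validation server, and verifies the reply, so you can see why a mismatched shared secret fails closed rather than producing a reject. The shared secret "Centrify" and the user kev.smith are the lab values; the OTP value 493021, the NAS-Identifier and the table of currently valid OTPs are constructed for the example.

```python
"""RFC 2865 PAP exchange between a RADIUS client (standing in for the Centrify
Connector) and a simulated VIP Enterprise Gateway validation server.
Added example, not Centrify or Symantec code. The shared secret "Centrify" and
the user kev.smith come from the lab; the OTP, NAS-Identifier and the
valid-OTP table are constructed here."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE, ATTR_NAS_IDENTIFIER = 1, 2, 18, 32


def _attr(attr_type: int, value: bytes) -> bytes:
    # Attribute TLV: Type (1 octet), Length including the 2-octet header, Value.
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data: bytes) -> dict:
    attrs = {}
    while data:
        attr_type, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[2:length]
        data = data[length:]
    return attrs


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-octet multiple, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00")  # strip RFC padding (an OTP never ends in NUL)


def build_access_request(identifier: int, username: str, password: str, secret: bytes,
                         nas_id: bytes = b"Centrify VIP") -> tuple:
    """Return (packet, request_authenticator). The authenticator is fresh random per
    request: it keys the password hiding and ties the reply to this request."""
    authenticator = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator
    return header + attrs, authenticator


def build_response(code: int, identifier: int, request_auth: bytes, secret: bytes,
                   attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def verify_response(packet: bytes, identifier: int, request_auth: bytes, secret: bytes):
    """Return the reply code if the packet is well-formed and its authenticator matches
    our secret and outstanding request; None otherwise (wrong secret, stale ID, forgery)."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or ident != identifier:
        return None
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return code if hmac.compare_digest(expected, packet[4:20]) else None


def simulated_vip_gateway(packet: bytes, secret: bytes, valid_otps: dict):
    """Stand-in for the EGW RADIUS validation server: unhide User-Password and
    compare it with the OTP currently valid for that User-Name."""
    try:
        code, identifier, length = struct.unpack("!BBH", packet[:4])
        if code != ACCESS_REQUEST or length != len(packet) or length < 20:
            return None  # RFC 2865: silently discard malformed packets
        request_auth = packet[4:20]
        attrs = parse_attributes(packet[20:])
    except (ValueError, struct.error):
        return None
    user = attrs.get(ATTR_USER_NAME, b"").decode("utf-8", "replace")
    otp = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    if hmac.compare_digest(valid_otps.get(user, "").encode(), otp):
        return build_response(ACCESS_ACCEPT, identifier, request_auth, secret)
    return build_response(ACCESS_REJECT, identifier, request_auth, secret,
                          _attr(ATTR_REPLY_MESSAGE, b"Invalid credential"))


def authenticate(username: str, otp: str, client_secret: bytes, server_secret: bytes,
                 valid_otps: dict, identifier: int = 1) -> str:
    """Full round trip. 'unverified' means the reply failed the Response Authenticator
    check, which is how a shared-secret mismatch between Centrify and the EGW shows up."""
    request, request_auth = build_access_request(identifier, username, otp, client_secret)
    reply = simulated_vip_gateway(request, server_secret, valid_otps)
    if reply is None:
        return "discarded"
    code = verify_response(reply, identifier, request_auth, client_secret)
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "unverified")


VALID_OTPS = {"kev.smith": "493021"}  # constructed: what VIP would accept right now

if __name__ == "__main__":
    print(authenticate("kev.smith", "493021", b"Centrify", b"Centrify", VALID_OTPS))  # accept
    print(authenticate("kev.smith", "000000", b"Centrify", b"Centrify", VALID_OTPS))  # reject
    print(authenticate("kev.smith", "493021", b"Centrify", b"Centr1fy", VALID_OTPS))  # unverified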
End of Main Labs.
Notes: in this lab the authentication policy allowed users to log into the portal with RADIUS as the second factor. The same authentication profile, or new ones, can be applied anywhere in your Centrify estate that an authentication policy applies, so RADIUS-backed MFA can supplement other factors as required.
A few further examples:
Example 1: Windows desktop authentication with RADIUS
User chris.morgan enters his password.
The credentials are checked and the policy requires a second factor for this user.
He selects MFA with Radius, enters his OTP, and logs into his workstation.
Example 2: Protecting server authentication with RADIUS
Chris's policy requires MFA with Radius to authenticate to the Windows Server 2016 host.
Example 3: Privilege elevation requiring MFA with RADIUS
Chris is a standard user with no elevated rights. Creating users requires privilege elevation, so Chris chooses to run the application with privilege.
The options available to Chris are then presented. For example purposes, in addition to MFA with Radius, the options also include:
Security Questions
OATH OTP client, e.g. Google Authenticator
SMS
Voice
(Other options are also available, e.g. YubiKey.)
End of examples.