Configuring Centrify Platform for Radius MFA support for Symantec Validation and Identity Protection (VIP).

 

There are several pre-requisites required to set this up in your environment.

 

1. Access to a working instance of the Symantec VIP service (VIP Authentication Service.
2. Access to a Centrify Environment, for this technical tutorial we will be primarily using Centrify Application Services.
3. Centrify Connector installed.
4. A Symantec VIP Enterprise Gateway setup to communicate from your network to the Symantec VIP service. In this guide, I set this up on a Windows 2012 server using Symantec VIP Enterprise Gateway 9.8.
5. Ensure you have the appropriate ports/firewalls configured for network communication to occur between the different components of this integration.

 

 

 

Part 1 – Install the Centrify Connector.

 

If you haven’t already setup the centrify connector, please see my colleagues article which describes this process:

https://community.centrify.com/t5/TechBlog/How-To-Installing-the-Centrify-Connector/ba-p/27840

 

 

 

 

 

 

Part 2:

Configure Symantec VIP service.

You may already have access to a working instance of the Symantec VIP service. If that is the case, you may want to review the steps here to ensure you have a test user to work with. If you do not have access to a working instance of Symantec VIP, you can register for a trial license of the service online at Symantec’s website.

 

Once you register for the trial you will get an email with the steps below. Follow the instructions below.

 

• Access VIP Manager (https://manager.vip.symantec.com/vipmgr)
• On the Sign in page, enter the email address and temporary password you were provided in your email.
• Change your password upon initial logon.
• Register your credential. In order to do this step, you need to download the “VIP Access” mobile application to your smartphone and register it with the user that you use to initially access the service.

• Once you have your username/password and VIP access credential, you will access the VIP Manager by logging in:
• Optional: Create an additional user with administrative rights to the VIP Manager portal.
• From the Accounts Tab, Select “Create VIP Administrators”

 

 

• This ensures a second account is available for accessing the VIP Manager.

 

 

 

 

Part 3:

1. Install VIP Enterprise Gateway:

 

Log into the VIP Manager to download the required files.

 

 

From the accounts Tab, Select “Download Files”

 

 

 

Select Enterprise Gateway then the latest version. Example 9.8

 

 

 

Download the Enterprise Gateway Install files. Also note the documentation is also contained in this location.

 

 

 

Extract the zip file and run the setup program. Accepts defaults, entering a user to administer the gateway.

 

 

 

 

 

You will now be able to log into the Enterprise Gateway

 

localhost:8232/vipegconsole/login.action

 

 

 

 

Part 4:

Install a VIP Certificate.

 

The first task required is to add a VIP Certificate.

 

 

 

From VIP Manager, Account Tab, Manage VIP Certificates

 

 

Request a VIP Certificate:

 

Follow the steps and enter a certificate name, eg Centrify.

 

 

 

Select PKCS#12 and set a password

 

 

 

Download the certificate

 

Go back to the VIP Enterprise Gateway.  Click on “Add VIP Certificate”

 

 

 

Browse to the previously download certificate, enter the password and set an alias.

 

 

 

The certificate will now be imported.

 

 

 

 

Part 5:

Add a Trusted CA Certificate. (Configuration steps for an enterprise CA are excluded from this tutorial. ) For this lab guide, the trusted root CA has been exported from the local CA and imported into the EGW. The steps below are provided as a background.

 

 

 

 

Certificate Export Wizard:

 

 

 

 

On the enterprise gateway server, import the trusted root certificate as per Symantec Documentation.

 

 

 

 

 

 

 

With the Trusted CA Certificate imported, in the Enterprise Gateway Console, Add the Trusted CA Certificate

 

 

 

 

Select the certificate previously exported

 

 

 

 

Save the changes

 

 

Restart the Symantec VIP Enterprise Gateway for the changes to take effect

 

 

 

Part 6:

 

Configure the User Store:

 

From the VIP Enterprise Gateway, Select User Store, Add User Store.

 

Notes:

The information below is self explanatory. Consult the Symantec documentation for further information. A user “vipuser” was created for the bind in CN=Users

 

 

 

Part 7. Add a SSL Certificate.

(As previously mentioned, Certificate advice and discussion are excluded from this tutorial. For this lab guide, we have created a self signed SSL certificate from IIS Manager and are importing this certificate into the VIP Enterprise Gateway. )

 

Example:

 

 

From within the VIP Enterprise Gateway, select SSL Certificate, add SSL Certificate:

 

 

 

 Submit

 

 

Part 8. Configure the Self Service Portal

 

 

 

 

Select to configure the Self Service Portal.

 

 

Select to use SSL and select the CentrifySelfSigned Certificate

 

 

Start the Service

 

 

Note the URL for the Self Service Portal.

 

Login to the Self Service Portal. The expected behaviour, a user within your active directory will be redirected to the Symantec Self Service Portal for registering a token.

 

 

 

 

 

 

User Kev.smith logs into the local Self Service Portal.

 

 

Kev.Smith is then asked to select and register the Symantec Credential.

 

 

 

 

Part 9:

 

Configure the Symantec Enterprise Gateway as a RADIUS validation server.

 

Access the Symantec Enterprise Gateway, Validation, RADIUS Validation Server “Add Server”

 

 

 

 

Select Custom Configuration

 

Add Server Name eg “Centrify”

Add RADIUS Shared Secret eg “Centrify”

Enter Remote Access Service Name eg “Centrify VIP”

Click Submit.

 

 

 

 

 

Under Status, select to turn on the Radius Validation Server

 

 

 

The Status should now show on:

 

 

 

 

 

 

 

 

 

 

 

Part 10:

 

Configure Centrify for Radius Support.

 

From the Centrify Portal, Settings, Authentication, Radius Connections.

 

Provide a Name eg “Radius VIP”

Set the Server hostname or IP address to the address of the Symantec Enterprise Gateway Server.

Enter the shared secret eg “Centrify”

User Identifier Attribute, change to “custom” and “sAMAccountName” (This is to match the attributes set on the Symantec Enterprise Gateway.

Save

 

 

Part 11. Enable Connections to external RADIUS servers

 

 

 

Part 11. Create an Authentication Profile

 

Centrify Portal, Settings, Authentication, Authentication Profiles, “Add Profile”

 

 

Profile Name “MFA with Radius”

For initial Testing select “Password” and “3^rd Party Radius Authentication”

 

 

Create a Role.

Core Services, Roles “Add Role”

Name = “Radius Test Users”

Member = Select a group from AD or individual users for testing purposes. In this lab I am adding my test user Kev.Smith

 

 

 

Create a New Policy:

Core Services, Policies, “Add Policy Set” Name = “Radius Test Policy”

Policy Assignment, Specified roles = “Radius Test Users”

 

 

Under User Security Policies, Radius, set “Allow 3^rd Party RADIUS Authentication “ to “Yes”

 

 

 

Under Login Policies, Centrify Portal, “Enable Authentication Policy Controls”

Set the Default profile to “MFA with Radius”

 

 

 

Part 12: Test the Radius Authentication.

 

From the Centrify Portal.

Enter your user details “kev.smith”

 

 

From the drop down authentication options, select “MFA with Radius”

Open the Symantec VIP Access Client

Enter the OTP code

 

 

You will now be authenticated via Radius.

Optionally, check the dashboard for review of user logins.

 

 

End of Main Labs:

 

Notes. In this lab example the authentication policy was enabled to allow users to log into the portal using Radius. This authentication policy or new authentication policies can be created across your Centrify estate. Authentication policies using Radius can be enacted across your Centrify environment to supplement as required.

 

A few further examples:

 

Windows Desktop Authentication with Radius

 

 

User Chris.Morgan enters password

 

 

 

 

The users credentials are checked and the policy requires this user to use a second factor for authentication.

 

 

MFA with Radius is selected and allows Chris to log into his workstation.

 

 

Example 2:

Protecting Server Authentication with Radius:

 

 

User Chris policy requires MFA with Radius to authenticate to the 2016 windows server

 

 

Example 3:

Privilege Elevation requiring MFA with Radius

 

Chris is a standard user with no rights. In order to Create users, privilege elevation is required. Chris selects to run this application with privilege

 

 

 

 

The options available to Chris are then presented, for example purposes, in addition to MFA with Radius,  options also include

Security Questions

OATH OTP Client, eg Google Authenticator

Email

SMS

Voice

(Other options are also available, eg Yubikey)

 

 

 

End Of examples.