Configuring Centrify Platform for Radius MFA Using Symantec Validation and Identity Protection

11 April,19 at 11:51 AM

Configuring Centrify Platform for RADIUS MFA support with Symantec Validation and Identity Protection (VIP).

There are several prerequisites required to set this up in your environment.

  1. Access to a working instance of the Symantec VIP service (VIP Authentication Service).
  2. Access to a Centrify environment; this technical tutorial primarily uses Centrify Application Services.
  3. Centrify Connector installed.
  4. A Symantec VIP Enterprise Gateway set up to communicate from your network to the Symantec VIP service. In this guide, I set this up on a Windows 2012 server using Symantec VIP Enterprise Gateway 9.8.
  5. Ensure the appropriate ports and firewall rules are configured so that the different components of this integration can communicate with each other.

Part 1: Install the Centrify Connector.

If you haven’t already set up the Centrify Connector, please see my colleague’s article which describes this process:

https://community.centrify.com/t5/TechBlog/How-To-Installing-the-Centrify-Connector/ba-p/27840

Part 2: Configure the Symantec VIP service.

You may already have access to a working instance of the Symantec VIP service. If that is the case, you may want to review the steps here to ensure you have a test user to work with. If you do not have access to a working instance of Symantec VIP, you can register for a trial license of the service online at Symantec’s website.

Once you register for the trial you will get an email with the steps below. Follow these instructions:

  • Access VIP Manager (https://manager.vip.symantec.com/vipmgr).
  • On the sign-in page, enter the email address and temporary password you were provided in your email.
  • Change your password upon initial logon.
  • Register your credential. To do this, download the “VIP Access” mobile application to your smartphone and register it with the user that you use to initially access the service.
  • Once you have your username/password and VIP Access credential, log in to the VIP Manager.
  • Optional: Create an additional user with administrative rights to the VIP Manager portal. From the Accounts tab, select “Create VIP Administrators”. This ensures a second account is available for accessing the VIP Manager.

Part 3: Install VIP Enterprise Gateway.

Log in to the VIP Manager to download the required files.

From the Accounts tab, select “Download Files”.

Select Enterprise Gateway, then the latest version (for example, 9.8).

Download the Enterprise Gateway install files. Note that the documentation is also contained in this location.

Extract the zip file and run the setup program. Accept the defaults, entering a user to administer the gateway.

You will now be able to log in to the Enterprise Gateway console:

localhost:8232/vipegconsole/login.action

Part 4: Install a VIP Certificate.

The first task required is to add a VIP Certificate.

From VIP Manager, Account tab, Manage VIP Certificates, request a VIP Certificate.

Follow the steps and enter a certificate name, e.g. Centrify.

Select PKCS#12 and set a password.

Download the certificate.

Go back to the VIP Enterprise Gateway and click on “Add VIP Certificate”.

Browse to the previously downloaded certificate, enter the password and set an alias.

The certificate will now be imported.

Part 5: Add a Trusted CA Certificate.

(Configuration steps for an enterprise CA are excluded from this tutorial.) For this lab guide, the trusted root CA certificate has been exported from the local CA and imported into the Enterprise Gateway (EGW). The steps below are provided as background.

Export the trusted root CA certificate using the Certificate Export Wizard.

On the Enterprise Gateway server, import the trusted root certificate as per the Symantec documentation.

With the trusted CA certificate imported, in the Enterprise Gateway console, select Add Trusted CA Certificate.

Select the certificate previously exported.

Save the changes.

Restart the Symantec VIP Enterprise Gateway for the changes to take effect.

Part 6: Configure the User Store.

From the VIP Enterprise Gateway, select User Store, Add User Store.

Notes: The fields are self-explanatory; consult the Symantec documentation for further information. A user “vipuser” was created in CN=Users for the LDAP bind.

Part 7: Add an SSL Certificate.

(As previously mentioned, certificate advice and discussion are excluded from this tutorial. For this lab guide, we have created a self-signed SSL certificate from IIS Manager and are importing this certificate into the VIP Enterprise Gateway.)

From within the VIP Enterprise Gateway, select SSL Certificate, Add SSL Certificate, then Submit.

Part 8: Configure the Self Service Portal.

Select to configure the Self Service Portal.

Select to use SSL and select the CentrifySelfSigned certificate.

Start the service.

Note the URL for the Self Service Portal.

Log in to the Self Service Portal. The expected behaviour is that a user within your Active Directory will be redirected to the Symantec Self Service Portal to register a token.

User Kev.Smith logs in to the local Self Service Portal and is then asked to select and register the Symantec credential.

Part 9: Configure the Symantec Enterprise Gateway as a RADIUS validation server.

Access the Symantec Enterprise Gateway, Validation, RADIUS Validation Server, “Add Server”.

Select Custom Configuration.

Add Server Name, e.g. “Centrify”.

Add RADIUS Shared Secret, e.g. “Centrify”.

Enter Remote Access Service Name, e.g. “Centrify VIP”.

Click Submit.

Under Status, select to turn on the RADIUS Validation Server. The status should now show On.

Part 10: Configure Centrify for RADIUS support.

From the Centrify Portal, Settings, Authentication, RADIUS Connections.

Provide a Name, e.g. “Radius VIP”.

Set the server hostname or IP address to the address of the Symantec Enterprise Gateway server.

Enter the shared secret, e.g. “Centrify”.

User Identifier Attribute: change to “custom” and “sAMAccountName” (this is to match the attribute set on the Symantec Enterprise Gateway).

Save.
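The RADIUS exchange that Parts 9 and 10 set up between Centrify (the RADIUS client) and the Enterprise Gateway (the validation server) can be exercised without the portal. The Python script below is an added example and is not Centrify or Symantec code: it builds an RFC 2865 Access-Request with the User-Password hidden under the shared secret, parses the reply, and verifies the Response Authenticator so that an Access-Accept produced with a different secret (or forged by a third party) is rejected. The simulate_gateway function is a constructed stand-in for the Enterprise Gateway so the script runs offline; the user name, password and the shared secret “Centrify” are sample values, and send_access_request assumes the gateway listens on UDP port 1812 on whichever host you pass.

```python
"""Added example (not Centrify or Symantec code): RFC 2865 Access-Request/Accept round trip."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32
SHARED_SECRET = b"Centrify"  # sample value, the same secret entered in Parts 9 and 10


def _attr(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value; Length covers the header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def obfuscate_password(password, secret, authenticator):
    """RFC 2865 5.2: NUL-pad to a 16-byte multiple, XOR each block with an MD5 chain."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def deobfuscate_password(hidden, secret, authenticator):
    """Server-side inverse; the chain is keyed on the received cipher blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ m for c, m in zip(block, mask)), block
    return out.rstrip(b"\x00")


def build_access_request(username, password, secret, identifier=1, nas_id=b"centrify-connector"):
    """Return (packet, request_authenticator); keep the authenticator to check the reply."""
    authenticator = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, obfuscate_password(password, secret, authenticator))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def parse_attributes(payload):
    """Walk the TLV list; a bad length aborts instead of looping forever."""
    attrs, pos = {}, 0
    while pos + 2 <= len(payload):
        attr_type, length = struct.unpack("!BB", payload[pos:pos + 2])
        if length < 2 or pos + length > len(payload):
            raise ValueError("malformed attribute")
        attrs[attr_type] = payload[pos + 2:pos + length]
        pos += length
    return attrs


def build_response(code, request, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs


def verify_response(response, request_authenticator, secret):
    """Client side: recompute the Response Authenticator with our own secret and request authenticator."""
    if len(response) < 20:
        return False
    head, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(head + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def simulate_gateway(request, secret, valid_user, valid_password):
    """Constructed stand-in for the VIP Enterprise Gateway RADIUS validation server (PAP check only)."""
    if request[0] != ACCESS_REQUEST:
        return build_response(ACCESS_REJECT, request, secret)
    attrs = parse_attributes(request[20:])
    password = deobfuscate_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request[4:20])
    ok = attrs.get(ATTR_USER_NAME) == valid_user and password == valid_password
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)


def radius_roundtrip(username, password, secret, gateway_password):
    """Offline client/server exchange: returns (response code, reply authentic?)."""
    request, authenticator = build_access_request(username, password, secret)
    response = simulate_gateway(request, secret, username, gateway_password)
    return response[0], verify_response(response, authenticator, secret)


def send_access_request(host, secret, username, password, port=1812, timeout=5.0):
    """Send one request to a live server (assumption: UDP 1812); None on timeout or identifier mismatch."""
    request, authenticator = build_access_request(username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    if len(data) < 20 or data[1] != request[1]:
        return None
    return data[0], verify_response(data, authenticator, secret)


if __name__ == "__main__":
    print(radius_roundtrip(b"kev.smith", b"Sample-Passw0rd", SHARED_SECRET, b"Sample-Passw0rd"))
```

Two points the script makes that the portal screens hide: the shared secret is the only thing protecting the PAP password on the wire and the only thing authenticating the Access-Accept, so a secret as short as the lab’s “Centrify” should be replaced by a long random one in production; and a client that does not recompute the Response Authenticator (verify_response) would accept any Access-Accept that happens to carry the right identifier, which is why the check is part of the client and not an optional extra.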

 

Part 11: Enable connections to external RADIUS servers.

Part 11: Create an Authentication Profile.

Centrify Portal, Settings, Authentication, Authentication Profiles, “Add Profile”.

Profile Name: “MFA with Radius”.

For initial testing select “Password” and “3rd Party Radius Authentication”.

Create a Role:

Core Services, Roles, “Add Role”.

Name = “Radius Test Users”.

Member = select a group from AD or individual users for testing purposes. In this lab I am adding my test user Kev.Smith.

Create a New Policy:

Core Services, Policies, “Add Policy Set”, Name = “Radius Test Policy”.

Policy Assignment, Specified roles = “Radius Test Users”.

Under User Security Policies, RADIUS, set “Allow 3rd Party RADIUS Authentication” to “Yes”.

Under Login Policies, Centrify Portal, “Enable Authentication Policy Controls”, set the Default profile to “MFA with Radius”.

Part 12: Test the RADIUS authentication.

From the Centrify Portal, enter your user details, e.g. “kev.smith”.

From the drop-down authentication options, select “MFA with Radius”.

Open the Symantec VIP Access client and enter the OTP code.

You will now be authenticated via RADIUS.

Optionally, check the dashboard to review user logins.

End of Main Labs

Notes: In this lab example the authentication policy was enabled to allow users to log in to the portal using RADIUS. This authentication policy, or new authentication policies, can be created across your Centrify estate. Authentication policies using RADIUS can be enacted across your Centrify environment to supplement existing authentication as required.

A few further examples:

Example 1: Windows Desktop Authentication with RADIUS

User Chris.Morgan enters his password. The user’s credentials are checked and the policy requires this user to use a second factor for authentication. MFA with Radius is selected and allows Chris to log in to his workstation.

Example 2: Protecting Server Authentication with RADIUS

User Chris’s policy requires MFA with Radius to authenticate to the Windows Server 2016 server.

Example 3: Privilege Elevation requiring MFA with Radius

Chris is a standard user with no rights. In order to create users, privilege elevation is required. Chris selects to run this application with privilege.

The options available to Chris are then presented. For example purposes, in addition to MFA with Radius, the options also include:

  • Security Questions
  • OATH OTP Client, e.g. Google Authenticator
  • Email
  • SMS
  • Voice

(Other options are also available, e.g. YubiKey.)

End of examples.