External Authentication with SafeNet iGate SSL VPN

Contact information
SecurEnvoy / www.securenvoy.com / 0845 2600010
1210 Parkview
Arlington Business Park
Theale
Reading
RG7 4TY
Phil Underwood /

Authenticating Users Using SecurAccess Server by SecurEnvoy

This document describes how to integrate iGate with SecurAccess, SecurEnvoy's two-factor authentication solution.

iGate provides clientless, secure remote access to both Web and client/server applications.

SecurAccess, on the other hand, provides strong two-factor authentication for remote access solutions (such as iGate) from any device, without the complication of deploying hardware tokens or smartcards.

Two-factor authentication is provided by the use of your PIN and your phone.

SecurAccess is designed to be easy to use and deploy, and to interoperate with existing infrastructure (such as LDAP or Active Directory).

SecurAccess consists of two core elements: a RADIUS server and an Authentication server. The Authentication server is directly integrated with LDAP or Active Directory in real time.

iGate can be configured to pass user authentication to an external directory (such as RADIUS), so it can be set up to pass authentication to the SecurAccess server, which is RADIUS based.

The iGate's Simple Web Administrator is used to set up external directories to perform user authentication. Please note that authorization is still done by the iGate itself: authentication is done by the SecurAccess server, but authorization is done by the iGate.

External authentication using SecurAccess involves three steps, followed by a test:

1  Define a password-protected site

2  Configure external authentication servers

3  Define group access rights for the protected site

4  Test the authentication to the Web Portal page

1. Defining a Password-Protected Site

External Authentication authenticates group(s) of users using their user name and password residing on an external directory or, in the case of SecurAccess, using their PIN and the passcode sent to their mobile phones as an SMS text.
You must therefore first define a password-protected site.

1  Log on to Simple UI by typing the IP address of the iGate's admin interface in the browser (https://iGate_Admin_IP).

2  Click Setup Appliance menu bar on the left frame.

3  Scroll down to Authentication Portal section to define an authentication portal using the following illustration as a guide.

4  Click Next to save your submitted changes in a temporary file and proceed further in the wizard, or click Apply menu bar on the left frame to apply the changes permanently.

5  Click Define Protected Resources menu bar on the left frame to define the internal server settings.

6  Select the Server Type from the Add Resource section.

7  Click Configure to configure the application using the following illustration as a guide.

8  When you are finished, click Submit.

9  Click Next to proceed further in the wizard or click Apply menu bar on the left frame to apply the changes permanently.

2. Configuring External Authentication Servers

Configuring the RADIUS Server (To be used with SecurAccess Server)

When a RADIUS (SecurAccess) server is used for user authentication, the iGate passes the user name and (PIN/Passcode) information to the RADIUS server. The RADIUS server then authenticates the user and returns the result to the iGate.

1  Click Configure User Authentication menu bar on the left frame to configure the External Authentication server.

2  In the Add Authentication Servers section, select RADIUS (and SecureID) from the Authentication Server Type drop-down list.

3  Click Configure to set the advanced settings. The Enter Radius Server details dialog box appears.

4  In the Server Name field, enter the name of your RADIUS (SecurAccess) server.

5  In the Server FQDN field, enter the fully-qualified domain name of the RADIUS (SecurAccess) server.

6  In the Server IP Address field, enter the IP address of your RADIUS server.

7  In the Server Port field, enter the number of the TCP port the iGate will use to communicate with the RADIUS (SecurAccess) server. SecurAccess can run on either port 1812 or port 1645.

8  In the Server Password field, enter the password that the client and the RADIUS (SecurAccess) server use to encrypt/decrypt data passing between the two. This must be the same password as the one set on the SecurAccess server.

9  In the User Group Attribute field, leave the default of ‘iGateGroup’.

10  Click Next to proceed further in the wizard or click Apply menu bar on the left frame to apply the changes permanently.

2.1 Advanced Radius Setup on the iGate

1.  Go to the Classic version of the iGate Admin interface:

https://iGate_Admin_IP/classic

2.  Open the Advanced\Client Auth tab.

3.  Set the connection time-out to 20.

4.  Submit and apply your changes.

3. Defining Group Access Rights for the Protected Site

You will now assign permissions to the external group(s) of users to make the protected site accessible to them from their Web Portal page.

1.  Click on Define Group Access Rights menu bar on the left frame.

2.  Go to Assign Resources and policies for Groups section. Select the Authentication server (the one you created earlier in this document) from the Select Authentication Server drop-down. For example, select RADIUS server ‘SecurEnvoy’.

3.  From the Select Group drop-down, select the Group you want to assign resources and policies to.

4.  Click Set Resource & Policy.

5.  The Set Resources and Policies dialog box appears.

6.  Select the check boxes under Resources and Policies to assign the respective resources and policies to the Group.

7.  Click Submit.

8.  Click Apply to apply your changes to the iGate.

To set up Radius on SecurEnvoy SecurAccess

Launch the local Security Server Administration

Select Radius

Enter NAS IP address

Enter “Radius Shared Secret”

Click Send

4. Testing the Authentication to the Web Portal Page

1  In your Web browser, enter the protected site’s web address (https://eudemo.safenet-inc.com, in this example).

2  Log in using your user name and PIN followed by the passcode sent to your mobile.

Note: The credentials you provide will now be checked with the ones residing on the SecurAccess Server/Active Directory that is accessed using information provided in the Simple UI.

When the user logs in, the system checks for the user and group information in the sequence in which the directories are listed. It processes the search in ascending order and continues until the information is found. If the information is not found in any directory, the authentication fails and the user cannot access the server. iGate always verifies the user credentials with the SecurAccess server.