In the following example, we will employ the ZyXEL two-factor authentication solution (ZyWALL OTP pack) to enhance password security for the IPSec VPN application provided by the ZW35.
In order to use this application, you are required to configure your ZyWALL and ASAS according to the following steps:
1. Install the ASAS authentication server on a computer. (Note: Please refer to the ASAS installation guide in Chapter 2 or the installation documentation in electronic format that comes with the ZyXEL OTP Pack installation CD.)
2. Create a user account on the ASAS server.
3. Import each token's database file from the ZyXEL OTP installation CD into the ASAS authentication server.
4. Assign the users to the OTP tokens through the administration interface of the ASAS server.
5. Configure the ASAS as a RADIUS server in the ZyWALL administration GUI under Security > Auth Server > RADIUS.
6. Hand the OTP tokens out to the users who will log in remotely to the ZyWALL.
Note: The ZyWALL OTP pack is a stand-alone product, which is not bundled with the ZyWALL series.
Network Topology

In this example, we evaluated the setup using the ZyWALL Starter Kit, which comes with only two ZyWALL OTP tokens. Their ESN numbers are 73010234 and 73010235. We will create a new user, Rex, who logs in to the ZyWALL with OTP.
ZyWALL 35 Configuration
STEP 1: Configure Network Settings on the ZyWALL 35
Launch a web browser and log in to the ZyWALL 35's web configurator. Configure the LAN and WAN interfaces according to your application scenario and the network topology you plan.

STEP 2: Configure the External Authentication Server
1) Click Security > Auth Server from the left panel and navigate to the RADIUS setting page.
2) Enter the ASAS Server IP address in the Server IP Address field and the Shared Secret in the Key field.

STEP 3: Configuring the IPSec VPN Gateway (Phase 1) on the ZyWALL 35
1) Navigate to Security > VPN and click Add in order to add a new IPSec VPN Gateway for the VPN client.
2) We will assign 0.0.0.0 as the Secure Gateway Address since we don't know the IP address of the remote client; 0.0.0.0 means that any IP address will be accepted.
3) Check the Enable Extended Authentication checkbox.

STEP 4: Configuring the IPSec VPN Connection (Phase 2) on the ZyWALL
1) Navigate to Security > VPN and click Add in order to create a new IPSec VPN Connection for the remote VPN client.
2) We will assign 0.0.0.0 as the Secure Gateway Address since we don't know the IP address of the remote client; 0.0.0.0 means that any IP address will be accepted.

ASAS Server Configuration
STEP 1: Create a User Account on ASAS
1) Log in to the ASAS server as an administrator and create a new user via Manage Users > Add User.
2) Fill in the user name in the Login ID field.
3) Click the Add button in order to complete the configuration in this step.

STEP 2: Assign a ZyWALL OTP Token to the New User
1) Navigate to Manage A-Keys > Assign A-Keys in order to assign the specific ZyWALL OTP token to the newly created user.
2) Pick an available ZyWALL OTP token from the right panel and click the Assign button to complete the authentication key assignment.

STEP 3: Verify that the A-Key is Properly Assigned to the User
1) Navigate to the Manage Users > Search Users page; leave the input fields empty and click the Get Results button in order to retrieve the user and A-Key binding list.
2) Ensure the ZyWALL OTP token is correctly assigned to the user account you created.

STEP 4: Update the OTP PIN
1) Navigate to Manage A-Keys > Search A-Keys; leave the ESN field empty and click the Search button in order to browse the entire ZyWALL OTP token list.
2) In the search result page, pick the ZyWALL OTP token whose PIN code you want to update.
3) Select PIN Set Mode from the OTP Mode dropdown list.
4) Enter the password in the OTP PIN text field (4 to 24 alphanumeric characters).
5) Re-enter the password in the Verify OTP PIN text field.

STEP 5: Configure the NAS Devices
1) Click Server Configuration > NAS Entries > Add NAS Entry in order to specify which device will be given access to the authentication server.
2) Give the ZyWALL a name, and specify the IP address of the ZyWALL and the shared secret.
3) Click the Add button in order to finish the NAS device configuration.

STEP 6: Restart the ASAS Service
Select Start > Programs > Authenex > ASAS Server > Restart Services to restart the ASAS server and apply the configuration.
STEP 7: Assign Resources to the User
1) Click Manage Users > Search Users; leave all fields empty and click the Get Results button to retrieve the user account list.
2) Click on the user account you created first; the Update User page will appear.
3) Add the ZyWALL device to the Resource(s) Allowed list.
4) Click the Update User button to complete the entire ASAS setup.

ZyWALL IPSec VPN Client Configuration
STEP 1: Configuring the VPN Gateway (Phase 1) on the Client
1) Launch the ZyWALL IPSec VPN Client, right-click on Configuration and select New Phase1.
2) Enter the name and the IP address of the Remote Gateway.
3) Enter the Pre-shared Key and ensure the value you just entered matches the one you entered on the ZyWALL in the Phase 1 configuration. In this example, we employ the Pre-shared Key 123456789.
4) Confirm that the encryption, authentication and key group match the settings on the ZyWALL.
5) Click the Advanced Settings... button and check the X-Auth checkbox to enable extended authentication on the VPN client. Ensure the Local and Remote IDs mirror the settings on the ZyWALL.

STEP 2: Configuring the VPN Tunnel (Phase 2) on the Client
1) Right-click on Gateway1 and select Add Phase 2 in order to create a new tunnel.
2) Fill in all the required fields on this page, including the Address type and all ESP fields. Ensure the encryption method, authentication method and mode match the settings on the ZyWALL.
3) Click Save & Apply in order to complete the setting.

Verify OTP via Login from the VPN Client
STEP 1: Establishing the IPSec VPN Tunnel
1) Launch the ZyWALL IPSec VPN client.
2) Right-click the VPN client icon in the system tray and select Connection Panel.
3) Click the Open button to start establishing the VPN tunnel.

STEP 2: User Authentication via OTP
1) Click on the Open button and the Authentication window pops up.
2) Enter the login name and password. The password here is the combination OTP PIN + OTP; we already set the OTP PIN to 1234 in STEP 4 (Update the OTP PIN) of the ASAS Server Configuration section.

Once the OTP works correctly, you will see the welcome message pop up as in the following screenshot.
3) Once the OTP works correctly, the IPSec VPN tunnel will be opened.
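The exchange that the steps above set up, as an added Python example (not ZyXEL's or Authenex's code): the ZyWALL acts as the RADIUS NAS and, after the X-Auth prompt on the VPN client, sends an Access-Request carrying the User-Name and a User-Password hidden with the shared secret (the Key from ZyWALL Step 2, which must equal the secret of the NAS entry from ASAS Step 5); a small stand-in for ASAS looks the NAS entry up by source IP, recovers the password, splits it into OTP PIN + OTP, checks both against the token bound to the user (ASAS Steps 2 and 4) and confirms the ZyWALL is in Resource(s) Allowed (Step 7) before answering Access-Accept or Access-Reject. The user Rex, PIN 1234 and ESN 73010234 come from the page; the IP addresses, shared secret, token seed, the three-code look-ahead window and the use of RFC 4226 HOTP as the code generator are assumptions (the A-Key's actual algorithm is not described here).

```python
import hashlib, hmac, ipaddress, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3        # RADIUS packet codes (RFC 2865)
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4            # RADIUS attribute types

def pap_transform(data: bytes, secret: bytes, req_auth: bytes, hide: bool) -> bytes:
    """RFC 2865 5.2 User-Password hiding (hide=True) or its inverse: XOR 16-byte blocks with MD5(secret + previous block)."""
    if hide:
        data += b"\x00" * (-len(data) % 16)      # pad the clear password to a multiple of 16 bytes
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hide else data[i:i + 16])
    return out if hide else out.rstrip(b"\x00")

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP, used only as a stand-in for the A-Key's own code generator (not described on the page)."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def build_access_request(ident: int, user: str, password: str, nas_ip: str, secret: bytes) -> bytes:
    """What the ZyWALL (the NAS) sends to ASAS after the X-Auth prompt on the VPN client."""
    req_auth = os.urandom(16)                    # fresh Request Authenticator per request
    attrs = b""
    for atype, value in ((USER_NAME, user.encode()),
                         (USER_PASSWORD, pap_transform(password.encode(), secret, req_auth, True)),
                         (NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)):
        attrs += bytes((atype, 2 + len(value))) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def parse_packet(pkt: bytes):
    """Returns (code, identifier, authenticator, {attribute type: raw value})."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:
        attrs[pkt[pos]] = pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]
    return code, ident, pkt[4:20], attrs

def response_is_authentic(resp: bytes, req_auth: bytes, secret: bytes) -> bool:
    """NAS-side check of the Response Authenticator before acting on an Accept or Reject."""
    return hmac.compare_digest(hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest(), resp[4:20])

class AsasLikeServer:
    """Stand-in for the ASAS side: NAS entries (Step 5), user/A-Key binding (Step 2), PINs (Step 4), resources (Step 7)."""
    def __init__(self, nas: dict, users: dict, tokens: dict):
        self.nas = nas          # source IP -> (NAS name, shared secret)
        self.users = users      # login ID -> {"esn": str, "resources": set of NAS names}
        self.tokens = tokens    # ESN -> {"pin": str, "seed": bytes, "counter": int}

    def handle(self, pkt: bytes, src_ip: str):
        """Returns the reply packet, or None when the request is silently discarded."""
        if src_ip not in self.nas:               # RFC 2865: secret is selected by source IP; unknown NAS gets no reply
            return None
        name, secret = self.nas[src_ip]
        code, ident, req_auth, attrs = parse_packet(pkt)
        if code != ACCESS_REQUEST or USER_NAME not in attrs or USER_PASSWORD not in attrs:
            return None
        user = attrs[USER_NAME].decode(errors="replace")
        pw = pap_transform(attrs[USER_PASSWORD], secret, req_auth, False).decode(errors="replace")
        head = struct.pack("!BBH", ACCESS_ACCEPT if self._verify(user, pw, name) else ACCESS_REJECT, ident, 20)
        return head + hashlib.md5(head + req_auth + secret).digest()       # Response Authenticator

    def _verify(self, user: str, pw: str, nas_name: str) -> bool:
        rec = self.users.get(user)
        if rec is None or nas_name not in rec["resources"]:
            return False                         # unknown user, or this ZyWALL not in Resource(s) Allowed
        tok = self.tokens.get(rec["esn"])
        if tok is None:
            return False                         # no A-Key assigned to the account
        pin, otp = pw[:len(tok["pin"])], pw[len(tok["pin"]):]      # password = OTP PIN + OTP
        if not hmac.compare_digest(pin.encode(), tok["pin"].encode()):
            return False
        for c in range(tok["counter"], tok["counter"] + 3):        # small look-ahead window (assumed)
            if hmac.compare_digest(otp.encode(), hotp(tok["seed"], c).encode()):
                tok["counter"] = c + 1           # consume the code so a replayed OTP is rejected
                return True
        return False

def demo() -> dict:
    secret, zw_ip, seed = b"zw35-shared-secret", "192.168.1.1", b"12345678901234567890"   # constructed
    srv = AsasLikeServer(nas={zw_ip: ("ZyWALL35", secret)},
                         users={"Rex": {"esn": "73010234", "resources": {"ZyWALL35"}}},
                         tokens={"73010234": {"pin": "1234", "seed": seed, "counter": 0}})
    shown = hotp(seed, 0)                        # the code the token displays right now
    cases = [("good", "1234" + shown, zw_ip),            # PIN + OTP -> Access-Accept (2)
             ("replay", "1234" + shown, zw_ip),          # same OTP again -> Access-Reject (3)
             ("wrong_pin", "9999" + hotp(seed, 1), zw_ip),
             ("unknown_nas", "1234" + hotp(seed, 1), "10.0.0.99")]   # no NAS entry -> no reply
    out = {}
    for label, password, src_ip in cases:
        pkt = build_access_request(1, "Rex", password, zw_ip, secret)
        resp = srv.handle(pkt, src_ip)
        if resp is not None:
            assert response_is_authentic(resp, pkt[4:20], secret)
        out[label] = None if resp is None else parse_packet(resp)[0]
    return out
```

Two behaviours in the model are worth keeping in mind when troubleshooting the real setup: a ZyWALL whose source IP has no NAS entry in ASAS gets no reply at all, so a missing Step 5 entry shows up on the ZyWALL as a RADIUS timeout rather than a rejected login, while a mismatched shared secret makes the password decrypt to garbage and the Response Authenticator fail to verify on the NAS side; and the server consumes every OTP it accepts, which is why the replayed code in the second case is rejected even though the PIN is right.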
