Configuring RADIUS for secure ID authentication in WebSphere DataPower

This article provides Remote Authentication Dial-In User Service (RADIUS) client setup and AAA configuration on WebSphere® DataPower, which authenticates users with RSA SecurID® key fob token codes through the WS-Trust protocol. The article describes how to configure the RADIUS integration in DataPower. Setup for the RSA SecurID and RADIUS servers with credential mapping is not provided in this article. This article assumes that RADIUS and SecurID have already been set up on the backend.

Will K. Liao (wkliao@us.ibm.com), Consultant/IT Specialist, IBM

Will Liao is a Consultant and IT Specialist with IBM Software Services for WebSphere. He works with clients to adopt and implement WebSphere DataPower infrastructure, administration, best practices, and surrounding technologies, which enable enterprises to run effectively and efficiently. Prior to that, he was a Software Engineer Project Coordinator with the IBM Globalization team, facilitating multiple IBM product localization projects worldwide.



10 July 2013

Introduction

If your organization uses RADIUS and SecurID to authenticate or authorize users who consume services externally, outside of your secured enterprise, this article will help you set up a Remote Authentication Dial-In User Service (RADIUS) client and AAA configuration in WebSphere DataPower (hereafter called DataPower). DataPower is positioned as the security gateway that authenticates users with RSA SecurID key fob token codes through the WS-Trust protocol. This article covers the following:

Note: The setup for the RSA SecurID and RADIUS servers with backend credential mapping is not provided in this article. This article assumes that RADIUS and SecurID have already been set up on the backend.

Figure 1 shows the high-level architecture of a WS-Trust client user authentication, which authenticates and authorizes users via RADIUS and SecurID through DataPower.

Figure 1. Architecture of WS-Trust authentication

DataPower provides security policy enforcement and transformation for XML and Web services, with RADIUS among the supported security protocols, alongside LDAP, Kerberos, Active Directory, and SAML queries.

Organizations may choose RADIUS and SecurID for its two-factor authentication token: time-synchronous generated token codes held only by the user who is authorized to access the services the organization exposes. The RSA SecurID hardware authenticator is used together with a username and a PIN, plus a 6-digit code that is regenerated every 60 seconds. Users need to provide this code to access authorized services from within an organization.

Requirements

At this time, this article does not provide a RADIUS and SecurID key fob token generator. Therefore, this article assumes that the RADIUS server and SecurID have already been set up for the backend policy enforcement point.

If a RADIUS and SecurID configuration is set up for your environment, you will need cURL installed and configured to run the end-to-end demonstration test.

Additional notes

  • While working with the SecurID and RADIUS team, keep in mind that authorization may be performed on either the RADIUS server or the DataPower appliance. Authorization configuration on the backend is not covered in this article.
  • The firewalls illustrated in Figure 1 presume that one IP address will be opened from the DataPower appliance (situated in the DMZ) to the RADIUS server (situated within the internal network). This may require approval from the infrastructure security and network team.
  • There are no best-practice notes for RADIUS in this document; RADIUS and SecurID teams may refer to the following Tech Note for best practices: RADIUS Protocol Security and Best Practices.

Setting up the RADIUS client

This section provides the RADIUS client configuration on DataPower.

RADIUS connection setup on DataPower

The RADIUS client configuration page on DataPower has the following fields:

  • NAS Identifier: Usually a fully qualified domain name; some RADIUS domains use it instead of an IP address to identify a RADIUS client. It is not needed for our purposes.
  • Number: The relative position of this RADIUS server in the list of all RADIUS servers known to the client. The lower the number (the closer to the top of the list), the more preferred the server.
  • Server Address: The IP address of the RADIUS server.
  • Server Port: The remote port on which the RADIUS server listens.
  • Secret: The shared secret (password) that the DataPower client uses to log in to the RADIUS server.
  1. RADIUS is configured only in the Default domain. Once you log into the web GUI, click Administration > Access > RADIUS Settings, as shown in Figure 2.
    Figure 2. Configuring the RADIUS settings
  2. Click the AAA/RBM Servers tab (Figure 3) to add the RADIUS servers that will be used.
    Figure 3. Adding the RADIUS servers
  3. Click Add to add the first server (the primary, if you have primary and secondary RADIUS servers set up), as shown in Figure 4.
    Figure 4. Adding the RADIUS server address/port/secret
  4. Locate the correct RADIUS server for the appliance being assigned and enter the parameters described above, as shown in Figure 5.
    Figure 5. RADIUS Server parameters entry
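To make clear what the Secret, Server Port and NAS Identifier fields feed into, here is an added example (not from the article or the DataPower product) of the RADIUS Access-Request and Access-Accept exchange as RFC 2865 defines it: the shared secret hides the User-Password attribute (the PIN plus token code) in the request and authenticates the server's reply. The secret, request authenticator and credentials used are constructed values.

```python
import hashlib
import hmac
import struct

# Packet codes and attribute types from RFC 2865. RADIUS authentication
# travels over UDP, default port 1812 (the Server Port field on DataPower).
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32

def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, then XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Server-side inverse; only a holder of the same secret recovers the passcode."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ m for h, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; the length includes the 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(secret, ident, authenticator, username, passcode, nas_id=None):
    """Access-Request as the client sends it. authenticator must be 16 random bytes
    per request (os.urandom(16)); passcode is the PIN followed by the token code."""
    attrs = attribute(ATTR_USER_NAME, username.encode())
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(secret, authenticator, passcode.encode()))
    if nas_id:  # the optional NAS Identifier field from the DataPower RADIUS settings
        attrs += attribute(ATTR_NAS_IDENTIFIER, nas_id.encode())
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(secret, code, ident, request_authenticator, attrs=b""):
    """MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865 section 3: ties the
    reply to this request and proves the sender knows the shared secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()

def accepted(secret: bytes, request_authenticator: bytes, response: bytes) -> bool:
    """True only for an Access-Accept whose authenticator verifies under the secret;
    anything else (Access-Reject, forged or mismatched reply) is treated as a failure."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(secret, code, ident, request_authenticator, response[20:length])
    return hmac.compare_digest(expected, response[4:20]) and code == ACCESS_ACCEPT
```

Both protections rest entirely on the secret, so it should be long, random and unique per RADIUS client. Because RADIUS runs over UDP, the firewall opening toward the server must allow UDP 1812, not only TCP.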

Assigning static routes for RADIUS connectivity

Figure 6 shows a sample Juniper Steel-Belted RADIUS server user console.

Figure 6. Steel-Belted RADIUS client application

Notice that an IP address is specified in the RADIUS client configuration. The RADIUS administrator may choose to enter all four Ethernet interfaces. However, if only one Ethernet interface is entered, then incoming authentication requests must come from the IP address registered on RADIUS. Because RADIUS requires that specific source IP address, you need to assign static routes on DataPower so that all outbound RADIUS traffic uses the IP address registered for RADIUS communication.

DataPower can use any of the four Ethernet interfaces that are enabled on the appliance (it chooses dynamically, by least weighted connection), and might send through one of the three interfaces that are not registered on the RADIUS server. This causes a connectivity failure. For example, if IP 192.168.1.52 was given to the RADIUS and SecurID team, then "eth4" (the interface assigned 192.168.1.52) needs static routes for the primary and secondary RADIUS servers, so that only eth4 communicates with the RADIUS servers.

If you do not put a static route in place, DataPower may choose one of the other Ethernet interfaces. That interface is not allowed to communicate with the RADIUS server, and RADIUS authentication on DataPower will fail. Static routes on the Ethernet interface used to communicate with the RADIUS server are set as follows:

  1. Navigate to the Ethernet Interface section of the appliance as shown in Figure 7. Select Network > Interface > Ethernet Interface, or type Ethernet Interface in the search field.
    Figure 7. Ethernet interface configuration
  2. Select the interface that will communicate with the RADIUS server. This is the interface whose IP address or host name was given to the RADIUS and SecurID team, who register it on RADIUS and SecurID. Click the Static Routes tab as shown in Figure 8.
    Figure 8. DataPower static routes on the Ethernet 4 interface
  3. Click Add. Enter the following parameters (see Figure 9):
    • Destination: IP address of the RADIUS server in /CIDR notation.
    • Gateway: Cross-reference the RADIUS server IP to its gateway IP in the table shown in Figure 8.
    • Metric: 0 (the preference value).
    Figure 9. DataPower static route entry for the RADIUS Server parameters
  4. Once the parameters have been entered, click Apply, apply the static route configuration, and then select Save Config.

Testing RADIUS

DataPower provides a test client to check your RADIUS connection. To test:

  1. Log into the appliance under the Default domain.
  2. Navigate to the RADIUS Settings again (Objects > Access Settings > RADIUS Settings, or type RADIUS in the search field). Click Test RADIUS on the right side of the RADIUS Settings page, as shown in Figure 10.
    Figure 10. DataPower test RADIUS link
  3. Once the Test RADIUS prompt opens, enter your user name and SecurID passcode (your PIN followed by the SecurID token code), as shown in Figure 11.
    Figure 11. DataPower Test Radius page
  4. Click the Test RADIUS button.
  5. Click Confirm as shown in Figure 12.
    Figure 12. DataPower confirm test Radius execution page
  6. You receive an "action completed successfully" prompt (Figure 13) if authentication succeeded. If not, proceed to the next section on troubleshooting.
    Figure 13. DataPower Test Radius action completed page

Troubleshooting RADIUS

There are a few things to consider when troubleshooting the RADIUS integration on DataPower. The following preliminary factors may cause your RADIUS connection to fail to authenticate your username:

  • SecurID: You may have forgotten to enter your PIN together with your SecurID code. Remember that you need to enter your PIN followed by the SecurID code from your key fob.
  • TCP Connection Test: Make sure that DataPower can reach the RADIUS server IP address and port (Control Panel > Troubleshooting panel icon > TCP Connection Test).
    Note: A Remote Host ping may not work, because the firewall rule may only open port 1812.
  • Static Route: You may need a static route in place if you have not yet pinned the correct Ethernet interface for communication with the specific RADIUS server.
  • Firewall: If you still cannot reach the IP address and port, check with the SecurID administrator or team whether they see authentication requests reaching their servers. If they see no traffic from any of the DataPower Ethernet interfaces, a firewall rule may need to be opened.

Configuring basic XML firewall with RADIUS AAA

After completing the RADIUS client setup, you can develop the service for applications that will authenticate SecurID users. To create a basic XML firewall with AAA authentication against a RADIUS service:

XML firewall configuration with RADIUS AAA

  1. Select Access Control (AAA) as shown in Figure 14 and click Next.
    Figure 14. DataPower XML Firewall Wizard
  2. Name the firewall service and click Next as shown in Figure 15.
    Figure 15. DataPower Create AAA Firewall Service page
  3. Select loopback-proxy as shown in Figure 16 and click Next.
    Figure 16. DataPower AAA firewall type
  4. To keep this example free of interface-binding problems, use the address 0.0.0.0 (any interface) for the Device Address, which is not advised for production, and choose a port that is open on the appliance. The example uses port "1234" as shown in Figure 17.
    Figure 17. DataPower AAA firewall front end and port assignment
  5. In the "Create an AAA Firewall Service" section, click the plus sign (+) Create a new AAA Policy icon as shown in Figure 18.
    Figure 18. DataPower AAA firewall policy
  6. Enter a name for the AAA Policy and click Create. The example uses RADIUS-Demo-AAA-Policy as shown in Figure 19.
    Figure 19. DataPower AAA firewall policy name assignment
  7. Select Password-carrying UsernameToken Element from WS-Security Header as shown in Figure 20 and click Next.
    Figure 20. DataPower AAA firewall access control policy identification method selection
  8. Select Use specified RADIUS Server as shown in Figure 21 and click Next.
    Figure 21. DataPower AAA firewall access control policy method selection
  9. Select Local Name of Request Element as shown in Figure 22 and click Next.
    Figure 22. DataPower AAA firewall access control policy resource identification method selection
  10. Select Allow Any Authenticated Client as shown in Figure 23 and click Next.
    Figure 23. DataPower AAA firewall access control policy to allow any authenticated client selection
  11. Keep the defaults on the last page, click Commit (Figure 24), and click Done on the page that follows.
    Figure 24. DataPower AAA firewall commit page
  12. Click Next on the AAA Information page as shown in Figure 25. Ensure that the AAA policy you just created is selected in the field. Click Commit and Done on the pages that follow.
    Figure 25. DataPower AAA firewall policy information page

    Note: Ensure that you select Save Config after you complete this step.

    Your completed XML firewall with RADIUS AAA authentication should look like Figure 26.

    Figure 26. DataPower XML firewall completed sample page

    The Processing Policy for the AAA Policy should look like Figure 27.

    Figure 27. DataPower XML firewall completed AAA processing policy page

Testing the SecurID key fob code

After creating the AAA XML firewall, you can conduct an authentication test:

  1. Figure 28 shows an RSA SecurID key fob with the secure token displayed.
    Figure 28. RSA SecurID key fob containing code to be authenticated
  2. Figure 29 shows a sample WS-Trust SOAP file in which you enter your username and password to authenticate against the service. Note that a username, and the PIN plus the SecurID token code shown on the key fob, were saved in the file.
    Figure 29. Sample WS-Trust XML file

    Create the aaa.xml file as shown in Listing 1.

    Listing 1. aaa.xml file to be used as the client-side authentication and executed by cURL
    <?xml version="1.0" encoding="UTF-8"?>
    <soapenv:Envelope xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                      xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
      <soapenv:Header>
        <wsse:Security>
          <wsse:UsernameToken>
            <!-- Username: your user name; Password: your PIN followed by the SecurID token code -->
            <wsse:Username></wsse:Username>
            <wsse:Password></wsse:Password>
          </wsse:UsernameToken>
        </wsse:Security>
      </soapenv:Header>
      <soapenv:Body>
        <msg>Authentication Passed</msg>
      </soapenv:Body>
    </soapenv:Envelope>
  3. Once you have saved the aaa.xml file, you are ready to run it against the DataPower service. Executing curl --data-binary @aaa.xml http://<IP_of_appliance>:1234 returns the full SOAP message on successful authentication, as shown in Figure 30.
    Figure 30. cURL execution sample
  4. If the authentication is successful, you can see the results of the completed transactions in the system logs in the DataPower WebGUI, as shown in Figure 31.
    Figure 31. DataPower log of completed transactions
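The same request as Listing 1, built at run time rather than saved to disk, as an added example that is not part of the article: the PIN and one-time token code are passed in when the script runs, so they are not left behind in aaa.xml, and the reply is checked for the <msg> body element that the loopback firewall returns only after the AAA step succeeds. The passcode shape (PIN followed by six digits) and the hypothetical authenticate() helper and its URL are assumptions, not something the article specifies.

```python
import re
import urllib.request
import xml.etree.ElementTree as ET

SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
ET.register_namespace("soapenv", SOAPENV)
ET.register_namespace("wsse", WSSE)


def looks_like_passcode(passcode: str) -> bool:
    """Assumed shape: a non-empty PIN immediately followed by the 6-digit key fob code."""
    return re.fullmatch(r".+\d{6}", passcode) is not None


def build_envelope(username: str, passcode: str, body_text: str = "Authentication Passed") -> bytes:
    """Same envelope as aaa.xml, but filled in at run time so the PIN and one-time
    code are never written to disk."""
    env = ET.Element(f"{{{SOAPENV}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAPENV}}}Header")
    token = ET.SubElement(ET.SubElement(header, f"{{{WSSE}}}Security"), f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    ET.SubElement(token, f"{{{WSSE}}}Password").text = passcode
    ET.SubElement(ET.SubElement(env, f"{{{SOAPENV}}}Body"), "msg").text = body_text
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def authentication_passed(response: bytes, expected: str = "Authentication Passed") -> bool:
    """The loopback AAA firewall echoes the request only when RADIUS accepted it;
    a rejection or SOAP fault does not carry the <msg> body element."""
    try:
        root = ET.fromstring(response)
    except ET.ParseError:
        return False
    msg = root.find(f"{{{SOAPENV}}}Body/msg")
    return msg is not None and msg.text == expected


def authenticate(url: str, username: str, passcode: str) -> bool:
    """POST the envelope to the firewall front side, e.g. http://<IP_of_appliance>:1234 (hypothetical)."""
    if not looks_like_passcode(passcode):
        raise ValueError("passcode must be the PIN followed by the 6-digit token code")
    req = urllib.request.Request(url, data=build_envelope(username, passcode),
                                 headers={"Content-Type": "text/xml"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return authentication_passed(resp.read())
```

Because the UsernameToken carries the PIN and token code in clear text, the front side of this firewall should be an HTTPS handler outside of the demonstration setup.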

Conclusion

In this article, you learned how to configure a RADIUS client on DataPower, test the connectivity for the RADIUS client, and configure a RADIUS AAA firewall gateway. The article also demonstrated a RADIUS authentication attempt using the SecurID key fob through the AAA firewall.

Acknowledgements

The author would like to thank Andrew Das for his guidance and support in ensuring the accuracy of the content in this article.
