0% found this document useful (0 votes)

85 views

RADIUS IntegrationGuide CA SiteMinder RevC

SiteMinder Radius

Uploaded by

deals4kb

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

85 views

RADIUS IntegrationGuide CA SiteMinder RevC

SiteMinder Radius

Uploaded by

deals4kb

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 25

SafeNet Authentication Service PCE/SPE

and SafeNet Trusted Access (STA)

INTEGRATION GUIDE: USING RADIUS PROTOCOL FOR CA
SITE MINDER
Document Information

Product Version 1.0

Document Part Number 007-012792-001

Release Date September 2019

Revision History

Revision Date Reason

C September 2019 Updating Changes

Trademarks, Copyrights, and Third-Party Software

© 2019 Gemalto. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of
Gemalto N.V. and/or its subsidiaries and are registered in certain countries. All other trademarks and
service marks, whether registered or not in specific countries, are the property of their respective owners.

Disclaimer
All information herein is either public information or is the property of and owned solely by Gemalto NV.
and/or its subsidiaries who shall have and keep the sole right to file patent applications or any other kind of
intellectual property protection in connection with such information.
Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise,
under any intellectual and/or industrial property rights of or concerning any of Gemalto’s information.
This document can be used for informational, non-commercial, internal and personal use only provided
that:
 The copyright notice below, the confidentiality and proprietary legend and this full warning notice
appear in all copies.
 This document shall not be posted on any network computer or broadcast in any media and no
modification of any part of this document shall be made.
Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities.
The information contained in this document is provided “AS IS” without any warranty of any kind. Unless
otherwise expressly agreed in writing, Gemalto makes no warranty as to the value or accuracy of
information contained herein.
The document could include technical inaccuracies or typographical errors. Changes are periodically
added to the information herein. Furthermore, Gemalto reserves the right to make any change or
improvement in the specifications data, information, and the like described herein, at any time.
Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein,
including all implied warranties of merchantability, fitness for a particular purpose, title and non-
infringement. In no event shall Gemalto be liable, whether in contract, tort or otherwise, for any indirect,
special or consequential damages or any damages whatsoever including but not limited to damages

SafeNet Authentication Service PCE/SPE and SafeNet Trusted Access(STA): Integration Guide 2
Using RADIUS Protocol for CA SiteMinder
007-012792-001, Rev. C, September 2019 Copyright © 2019 Gemalto
resulting from loss of use, data, profits, revenues, or customers, arising out of or in connection with the use
or performance of information contained in this document.
Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall
not incur, and disclaims, any liability in this respect. Even if each product is compliant with current security
standards in force on the date of their design, security mechanisms' resistance necessarily evolves
according to the state of the art in security and notably under the emergence of new attacks. Under no
circumstances, shall Gemalto be held liable for any third party actions and in particular in case of any
successful attack against systems or equipment incorporating Gemalto products. Gemalto disclaims any
liability with respect to security for direct, indirect, incidental or consequential damages that result from any
use of its products. It is further stressed that independent testing and verification by the person using the
product is particularly encouraged, especially in any application in which defective, incorrect or insecure
functioning could result in damage to persons or property, denial of service or loss of privacy.

SafeNet Authentication Service PCE/SPE and SafeNet Trusted Access(STA): Integration Guide 3
Using RADIUS Protocol for CA SiteMinder
007-012792-001, Rev. C, September 2019 Copyright © 2019 Gemalto
Contents

CONTENTS

PREFACE ............................................................................................................................. 6
Third-Party Software Acknowledgement............................................................................................................ 6
Description ......................................................................................................................................................... 6
Applicability ........................................................................................................................................................ 6
Environment ....................................................................................................................................................... 7
RADIUS Prerequisites........................................................................................................................................ 7
Audience ............................................................................................................................................................ 7
Support Contacts ............................................................................................................................................... 7
Customer Support Portal ................................................................................................................................ 7
Telephone Support ......................................................................................................................................... 8
Email Support ................................................................................................................................................. 8

CHAPTER 1: Authentication Flow ..................................................................................... 9

CHAPTER 2: SAS/STA Setup ......................................................................................... 10

Creating Users Stores ...................................................................................................................................... 10
Assigning an Authenticator .............................................................................................................................. 11
Adding CA SiteMinder as an Authentication Node .......................................................................................... 11

CHAPTER 3: Configuring CA SiteMinder Setup.............................................................. 13

Create an Authentication Scheme ................................................................................................................... 13
Configure a RADIUS-protected Realm ............................................................................................................ 16
Create a Domain Policy ................................................................................................................................... 20

CHAPTER 4: Running the Solution ................................................................................. 25

Using SAS/STA OTP ....................................................................................................................................... 25

SafeNet Authentication Service PCE/SPE and SafeNet Trusted Access(STA): Integration Guide 5
Using RADIUS Protocol for CA SiteMinder
007-012792-001, Rev. C, September 2019 Copyright © 2019 Gemalto
Preface

PREFACE

Third-Party Software Acknowledgement

This document is intended to help users of Gemalto products when working with third-party software, such
as CA SiteMinder.
Material from third-party software is being used solely for the purpose of making instructions clear. Screen
images and content obtained from third-party software will be acknowledged as such.
This document contains the following chapters:
 "Authentication Flow" on page 9
 "SAS/STA Setup" on page 10
 “Configuring CA SiteMinder Setup” on page 13
 “Running the Solution” on page 25

Description
SafeNet Authentication Service (SAS (PCE/SPE)) and SafeNet Trusted Access (STA) delivers a fully
automated, versatile, and strong authentication-as-a-service solution.
With no infrastructure required, SAS (PCE/SPE) and STA provides smooth management processes and
highly flexible security policies, token choice, and integration APIs.
The CA SiteMinder solution is a web access management system that provides secure single sign-on and
flexible access management to applications and web services either on-premises, in the cloud, from a
mobile device, or at a partner’s site.
This document describes how to:
 Deploy multi-factor authentication (MFA) options in CA SiteMinder using SafeNet one-time password
(OTP) authenticators managed by SAS (PCE/SPE) and STA.
 Configure CA SiteMinder to work with SAS (PCE/SPE) and STA in RADIUS mode.
It is assumed that the CA SiteMinder environment is already configured and working with static passwords
prior to implementing the multi-factor authentication using SAS (PCE/SPE) and STA.
CA SiteMinder can be configured to support multi-factor authentication in several modes. The RADIUS
protocol will be used for the purpose of working with SAS (PCE/SPE) and STA.

Applicability
The information in this document applies to:

SafeNet Authentication Service PCE/SPE and SafeNet Trusted Access(STA): Integration Guide 6
Using RADIUS Protocol for CA SiteMinder
007-012792-001, Rev. C, September 2019 Copyright © 2019 Gemalto
Preface

 SafeNet Trusted Access (STA)—SafeNet’s cloud-based authentication and access management

service
 SafeNet Authentication Service – Service Provider Edition (SAS-SPE)—A server version that is
used by service providers to deploy instances of SafeNet Authentication Service
 SafeNet Authentication Service – Private Cloud Edition (SAS-PCE)—A server version that is used
to deploy the solution on-premises in the organization

Environment
The integration environment that is used in this document is based on the following software versions:
 SafeNet Authentication Service – Private Cloud Edition (SAS-PCE)—only when using this version.
 CA SiteMinder—Version 12.5.1

RADIUS Prerequisites
To enable SAS (PCE/SPE) and STA to receive RADIUS requests from CA SiteMinder, ensure the
following:
 End users can authenticate from the CA SiteMinder with a static password before configuring the CA
SiteMinder to use RADIUS authentication.
 Ports 1812/1813 are open to and from the CA SiteMinder.
 A shared secret key has been selected. A shared secret key provides an added layer of security by
supplying an indirect reference to a shared secret key. It is used by a mutual agreement between the
RADIUS server and RADIUS client for encryption, decryption, and digital signatures.

Audience
This document is targeted to system administrators who are familiar with CA SiteMinder, and are
interested in adding multi-factor authentication capabilities using SAS (PCE/SPE) and STA.

Support Contacts
If you encounter a problem while installing, registering, or operating this product, refer to the
documentation. If you cannot resolve the issue, contact your supplier or Gemalto Customer Support.
Gemalto Customer Support operates 24 hours a day, 7 days a week. Your level of access to this service is
governed by the support plan arrangements made between Gemalto and your organization. Please consult
this support plan for further information about your entitlements, including the hours when telephone
support is available to you.

Customer Support Portal

The Customer Support Portal, at https://supportportal.gemalto.com, is a where you can find solutions for
most common problems. The Customer Support Portal is a comprehensive, fully searchable database of

SafeNet Authentication Service PCE/SPE and SafeNet Trusted Access(STA): Integration Guide 7
Using RADIUS Protocol for CA SiteMinder
007-012792-001, Rev. C, September 2019 Copyright © 2019 Gemalto
Preface

support resources, including software and firmware downloads, release notes listing known problems and
workarounds, a knowledge base, FAQs, product documentation, technical notes, and more. You can also
use the portal to create and manage support cases.

NOTE: You require an account to access the Customer Support Portal. To create a
new account, go to the portal and click on the REGISTER link.

Telephone Support
If you have an urgent problem, or cannot access the Customer Support Portal, you can contact Gemalto
Customer Support by telephone at +1 410-931-7520. Additional local telephone support numbers are listed
on the support portal.

Email Support
You can also contact technical support by email at technical.support@gemalto.com.

SafeNet Authentication Service PCE/SPE and SafeNet Trusted Access(STA): Integration Guide 8
Using RADIUS Protocol for CA SiteMinder
007-012792-001, Rev. C, September 2019 Copyright © 2019 Gemalto
CHAPTER 1: Authentication Flow

CHAPTER 1: Authentication Flow

SAS (PCE/SPE) and STA communicates with a large number of VPN and access-gateway solutions using
the RADIUS protocol.
The image below describes the data flow of a multi-factor authentication transaction for CA SiteMinder.

Tokens & Users 1 2

RADIUS Protocol
RADIUS Protocol

4 3

1. A user attempts to log on to CA SiteMinder using an OTP authenticator.

2. CA SiteMinder sends a RADIUS request with the user’s credentials to SAS (PCE/SPE) or STA for
validation.
3. The SAS (PCE/SPE) or STA authentication reply is sent back to the CA SiteMinder.
4. The user is granted or denied access to the CA SiteMinder based on the OTP value calculation results
from SAS (PCE/SPE) or STA.
For SafeNet Trusted Access (STA), a RADIUS agent is already configured and can be used without any
additional agent installation or configuration requirements.
For SafeNet Authentication Service (PCE/SPE), a RADIUS agent (SafeNet Agent for Microsoft IAS or
NPS, and FreeRADIUS) needs to be configured in the customer’s environment.
For more information on how to install and configure the SafeNet Agent for Microsoft IAS, Microsoft NPS,
and FreeRADIUS, refer to the Agent Documentation.

SafeNet Authentication Service PCE/SPE and SafeNet Trusted Access(STA): Integration Guide 9
Using RADIUS Protocol for CA SiteMinder
007-012792-001, Rev. C, September 2019 Copyright © 2019 Gemalto
CHAPTER 2: SAS/STA Setup

CHAPTER 2: SAS/STA Setup

The deployment of multi-factor authentication using SAS (PCE/SPE) and STA with CA SiteMinder using
RADIUS protocol requires the following:
 “Creating Users Stores”, page 10
 “Assigning an Authenticator”, page 11
 “Adding CA SiteMinder as an Authentication Node”, page 11

Creating Users Stores

Before SAS (PCE/SPE) and STA can authenticate any user in your organization, you need to create a user
store in SAS (PCE/SPE) and STA that reflects the users that would need to use multi-factor authentication.
User records are created in the SAS (PCE/SPE) and STA user store using one of the following methods:
 Manually, one user at a time, using the Create User shortcut
 Manually, by importing one or more user records via a flat file
 Automatically, by synchronizing with your Active Directory / LDAP server using the SafeNet
Synchronization Agent
For additional details on importing users to SAS (PCE/SPE) and STA, refer to “Creating Users” in the
“SafeNet Authentication Service Subscriber Account Operator Guide” available here.
All SAS (PCE/SPE) and STA documentation can be found on the SafeNet Knowledge Base site.

SafeNet Authentication Service PCE/SPE and SafeNet Trusted Access(STA): Integration Guide 10
Using RADIUS Protocol for CA SiteMinder
007-012792-001, Rev. C, September 2019 Copyright © 2019 Gemalto
CHAPTER 2: SAS/STA Setup

Assigning an Authenticator
SAS (PCE/SPE) and STA supports a number of authentication methods that can be used as a second
authentication factor for users who are authenticating through CA SiteMinder.
The following authenticators are supported:
 eToken PASS
 RB-1 Keypad Token
 KT-4 Token
 SMS Token
 MobilePASS

Authenticators can be assigned to users in two ways:

 Manual provisioning—Assign an authenticator to users one at a time.
 Provisioning rules—The administrator can set provisioning rules in SAS (PCE/SPE) and STA so that
the rules will be triggered when group memberships and other user attributes change. An authenticator
will be assigned automatically to the user.
Refer to “Provisioning Rules” in the “SafeNet Authentication Service Subscriber Account Operator Guide”
(available here) to learn how to provision the different authentication methods to the users in the SAS
(PCE/SPE) and STA user store.

Adding CA SiteMinder as an Authentication Node

Add a RADIUS entry in the SAS (PCE/SPE) and STA) Auth Nodes module to prepare it to receive
RADIUS authentication requests from CA SiteMinder. You will need the IP address of CA SiteMinder and
the shared secret to be used by both SAS/STA and CA SiteMinder.
1. Log in to the SAS (PCE/SPE) or STA console with an Operator account, click the COMMS tab and
then select Auth Nodes.
2. In the Auth Nodes module, click the Auth Nodes link.

NOTE: Before adding SAS (PCE/SPE) or STA as a RADIUS server in

CA SiteMinder, check its IP address (Primary RADIUS Server IP). The
IP address will then be added to CA SiteMinder as a RADIUS server at
a later stage.

SafeNet Authentication Service PCE/SPE and SafeNet Trusted Access(STA): Integration Guide 11
Using RADIUS Protocol for CA SiteMinder
007-012792-001, Rev. C, September 2019 Copyright © 2019 Gemalto
CHAPTER 2: SAS/STA Setup

3. Under Auth Nodes, click Add.

4. Under Add Auth Nodes, complete the following fields, and then click Save:
Auth Node Name Enter a name for the Auth node.
Host Name Enter the name of the host that will authenticate with SAS
(PCE/SPE) or STA.
Low IP Address In Range Enter the IP address of the host or the lowest IP address in a range
of addresses that will authenticate with SAS (PCE/SPE) or STA (in
this case, a range of IP addresses is being used).
High IP Address In Range Enter the highest IP address in a range of IP addresses that will
authenticate with SAS (PCE/SPE) or STA (in this case, a range of IP
addresses is being used).
Configure FreeRADIUS Select this option.
Synchronization
Shared Secret Enter the shared secret key.
Confirm Shared Secret Re-enter the shared secret key.

The authentication node is added to the system.

SafeNet Authentication Service PCE/SPE and SafeNet Trusted Access(STA): Integration Guide 12
Using RADIUS Protocol for CA SiteMinder
007-012792-001, Rev. C, September 2019 Copyright © 2019 Gemalto
CHAPTER 3: Configuring CA SiteMinder Setup

CHAPTER 3: Configuring CA SiteMinder

Setup

To configure RADIUS authentication on a CA SiteMinder Policy Server:

1. Create an Authentication Scheme
2. Create a RADIUS-protected Realm
3. Create a Domain Policy

Create an Authentication Scheme

In this section, the Authentication Scheme creation will be shown, where SAS (PCE/SPE) and STA
RADIUS is configured on the CA SiteMinder Policy Server.
1. Log in to the SiteMinder Administrative UI.