Example: using SecurID authentication with the Stonesoft VPN Client

This example shows a general overview of using SecurID authentication for the Stonesoft VPN Client.

For more information about using SecurID authentication, see RSA’s documentation at https://www.rsa.com.

Company C is about to introduce remote Stonesoft VPN Client access to their network. The administrators decide to add one-time passwords from SecurID cards, using their existing RSA Authentication Manager server, which already shares the user information with the company’s LDAP server.

Figure: Company C's authentication scheme



The administrators:
  1. Create an Agent Host record for the Firewall in the RSA Authentication Manager server.
  2. Configure a mobile VPN in the Management Client with the default Hybrid Authentication selected as the authentication method for connecting clients.
    • Hybrid authentication is available for the Stonesoft VPN Client. Hybrid authentication requires the VPN Gateway (the firewall) to authenticate users using a certificate. The users must provide the correct User Name/Password combination (validated by the RSA Authentication Manager server in this case).
  3. Create a RADIUS Authentication Server element.
  4. Create a custom Authentication Method element for the server and name it “SecurID”.
  5. Add the “SecurID” Authentication Method in the correct User and User Group elements (stored on the existing external LDAP server).
  6. Add IPv4 Access rules with both an authentication and a VPN requirement defined as shown here:
    Table 1. Example Access rule for SecurID authentication
    • Source: The virtual IP address range used on the virtual adapters of the Stonesoft VPN Client.
    • Destination: IP addresses of network services that require authentication.
    • Authentication: Some User or User Group elements. Require authentication with “SecurID” Authentication Method.
    • Action: “Use VPN” with the “Enforce” option.
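
The following is an added example, not part of the original documentation or the product's own code: a simplified Python model of the Table 1 rule that can be used to reason about which connections it admits. The address ranges, group name, and the "no-match" and "discard" outcomes are assumptions of this sketch, not values or semantics stated on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample values (assumptions, not from the page).
VIRTUAL_POOL = ipaddress.ip_network("10.99.0.0/24")   # VPN Client virtual adapters
PROTECTED = [ipaddress.ip_network("192.0.2.16/28")]   # services requiring authentication
ALLOWED_GROUPS = {"vpn-users"}                        # hypothetical User Group element
REQUIRED_METHOD = "SecurID"                           # Authentication Method from step 4


@dataclass
class Connection:
    src: str
    dst: str
    via_vpn: bool                                     # arrived through the mobile VPN tunnel
    user_groups: frozenset = frozenset()
    auth_method: Optional[str] = None                 # method the user authenticated with


def evaluate(conn: Connection) -> str:
    """Return 'allow', 'discard' or 'no-match' for the modeled Table 1 rule."""
    src = ipaddress.ip_address(conn.src)
    dst = ipaddress.ip_address(conn.dst)

    # Source and Destination cells: both must match, or the rule is skipped.
    if src not in VIRTUAL_POOL or not any(dst in net for net in PROTECTED):
        return "no-match"

    # Authentication cell: user must belong to a listed group AND have
    # authenticated with the SecurID method, not any other method.
    if not (ALLOWED_GROUPS & conn.user_groups):
        return "no-match"
    if conn.auth_method != REQUIRED_METHOD:
        return "no-match"

    # Action cell: "Use VPN" with "Enforce". Modeled here (assumption) as
    # discarding matching traffic that did not arrive through the VPN.
    if not conn.via_vpn:
        return "discard"
    return "allow"
```

Running connections with a spoofed virtual-range source outside the tunnel, or a user authenticated with a different method, through `evaluate` shows why the rule needs both the authentication and the VPN requirement rather than either one alone.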