ZyWALL OTPv2
Support Notes
Revision 1.00
September, 2010
Written by CSO


Summary of Contents for ZyXEL Communications ZYWALL OTPV2 - SUPPORT NOTE V1

  • Page 1 ZyWALL OTPv2 Support Notes Revision 1.00 September, 2010 Written by CSO...
  • Page 2: Table of Contents

    4. OTP Authentication to an OTP-protected Network via IPSec VPN Client over the ZyWALL USG ... 20
    4.1 ZyWALL USG Configurations ... 21
    4.2 SafeWord Server Configurations ... 24
    4.3 ZyWALL IPSec VPN Client Configurations ... 28
    4.4 Verify OTP via Login from the VPN Client ... 30
    All contents copyright (c) 2010 ZyXEL Communications Corporation.
  • Page 3: Introduction

    The illustration shows the concept of Two-Factor Authentication: user PIN and token code. The user PIN is what you know and the token code is what you have.
  • Page 4 Authentication server (AAA) – runs the authentication engine that verifies that the passcode supplied with an access request is correct for the token assigned to a specific user. It listens on port 5031 by default.
  • Page 5 SafeWord Administration Service. You can use this to import tokens (add token serial numbers to the SafeWord database) or to back up and restore token data. It also lets you view and manage all imported tokens.
  • Page 6 An agent can be installed only if its supporting (base) software components exist. Otherwise the agent will not appear for selection in the installation components window. For example, the RADIUS server agent can be installed only when IAS is installed.
  • Page 7: Server Installation

    Below is a flow chart-style snapshot of the installation process, with no agents selected for installation. Users can find more detailed information in chapter 2, "Installing and Activating SafeWord 2008", of the SafeWord 2008 Administration Guide on the SafeNet website.
  • Page 9 ... ADUC, and manually if you are not using ADUC. After logging into the SafeNet portal, users can click the "SafeWord Activation" link to perform on-line activation. Please refer to the following manual: http://www.aladdin.com/pdf/safeword/Safeword-Products-Activation.pdf
  • Page 10 ... Active Directory users. You may use the Token Assignment Wizard, or you can manually enter the token serial number in the serial number field. Users can find more detailed information in chapter 3, "Active Directory Management", of the SafeWord 2008 Administration Guide on the SafeNet website.
  • Page 11: Otp Authentication To An Otp-Protected Network Via Ssl Vpn Over Zywall Usg

    3. OTP Authentication to an OTP-protected Network via SSL VPN over ZyWALL USG. In the following example, we will employ Two-Factor Authentication (ZyXEL OTP pack) to enhance password security by using the SSL VPN application provided by the ZyWALL USG. In order to use this application, you are required to configure your ZyWALL USG and SafeWord according to the following steps:
  • Page 12: Zywall Usg Configurations

    Enter the authentication port of the RADIUS server (for example, Microsoft IAS); the default value is 1812. Enter the shared secret of the RADIUS server in the Key field. Select the Group Membership Attribute; the default value is 11.
  • Page 13 1) Go to CONFIGURATION > Object > SSL Application and click the "Add" button to create an SSL VPN application object. 2) For example, create a web application that lets you remotely access the FTP server via SSL VPN.
  • Page 14 Select the User/Group object to apply this policy to. Select the application object to apply this policy to. Select the address object to apply, if needed. Click the "OK" button to finish the configuration.
  • Page 15: Safeword Server Configurations

    Step 2. Create a RADIUS client. 1) Enter the name for the rule. 2) The Client address is the ZyWALL USG's WAN IP address. 3) Click the "Next" button for the next step.
  • Page 16 4) Enter the shared secret (the "Key" in the ZyWALL USG AAA Server setting). 5) Click the "Finish" button to finish the configuration. 6) The new OTP client has been created.
  • Page 17 4) Enter the serial number of the assigned token. If needed, enter the PIN code for it (this is used as the password when logging in to the ZyWALL USG). 5) After the configuration, you can click the "Tokens" link and check the token status.
  • Page 18 # Set this to 'on' to force SoftPin to precede the password. 2) Search for the string "Pin_Before_Password=off". 3) In the "Pin_Before_Password" line, change the value to 'on'. 4) Reload the SafeWord server.
  • Page 19: Verify Otp Via Login From The Remote Pc

    ... the password generated by the token. 2) Click the "SSL VPN" button to submit the login information. 3) Once the OTP works correctly, you will see the SSL application configured for the user.
  • Page 20: Otp Authentication To An Otp-Protected Network Via Ipsec Vpn Client Over The Zywall Usg

    4. OTP Authentication to an OTP-protected Network via IPSec VPN Client over the ZyWALL USG. In the following example, we will employ Two-Factor Authentication (ZyXEL OTP pack) to enhance password security by using the SSL VPN application provided by the ZyWALL USG.
  • Page 21: Zywall Usg Configurations

    Enter the authentication port of the RADIUS server (for example, Microsoft IAS); the default value is 1812. Enter the shared secret of the RADIUS server in the Key field. Select the Group Membership Attribute; the default value is 11.
  • Page 22 Step 4. Configure the IPSec VPN Gateway policy. 1) Go to CONFIGURATION > VPN > IPSec VPN and then navigate to the VPN Gateway page. 2) Enter the values for the VPN phase-1 configuration.
  • Page 23 Step 5. Configure the IPSec VPN Connection policy. 1) Go to CONFIGURATION > VPN > IPSec VPN and then navigate to the VPN Connection page. 2) Enter the values for the VPN phase-2 configuration.
  • Page 24: Safeword Server Configurations

    Step 2. Create a RADIUS client. 1) Enter the name for the rule. 2) The Client address is the ZyWALL USG's WAN IP address. 3) Click the "Next" button for the next step.
  • Page 25 4) Enter the shared secret (the "Key" in the ZyWALL USG AAA Server setting). 5) Click the "Finish" button to finish the configuration. 6) The new OTP client has been created.
  • Page 26 4) Enter the serial number of the assigned token. If needed, enter the PIN code for it (this is used as the password when logging in to the ZyWALL USG). 5) After the configuration, you can click the "Tokens" link and check the token status.
  • Page 27 # Set this to 'on' to force SoftPin to precede the password. 2) Search for the string "Pin_Before_Password=off". 3) In the "Pin_Before_Password" line, change the value to 'on'. 4) Reload the SafeWord server.
  • Page 28: Zywall Ipsec Vpn Client Configurations

    4.3 ZyWALL IPSec VPN Client Configurations. Step 1. Configure the IPSec VPN Phase 1 policy. 1) Enter the values for the VPN phase-1 configuration. 2) Click the "Advanced Setting" button and select the X-Auth Popup feature.
  • Page 29 1) Enter the values for the VPN phase-2 configuration. 2) Click the "Save & Apply" button to finish the configuration and save it. 3) You can trigger the IPSec VPN tunnel by clicking the "Open Tunnel" button.
  • Page 30: Verify Otp Via Login From The Vpn Client

    1) You have only 10 seconds to enter the authentication information into the X-Auth window. If you take longer, the tunnel will fail to establish. You can see the message on the VPN Console as in the picture below.
  • Page 31 You can see that the VPN connection status is Connected on the CONFIGURATION > VPN > IPSec VPN > VPN Connection page. You can also check the IPSec VPN SA on the MONITOR > VPN Monitor > IPSec page.
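As an added example (not code from the support note or from ZyXEL), the RADIUS exchange that the USG AAA Server and SafeWord RADIUS client settings above set up: the USG sends the user's passcode (SoftPIN followed by the token code when Pin_Before_Password=on) to the RADIUS server on port 1812 as a User-Password attribute hidden with the shared Key, and reads the Group Membership Attribute (type 11, Filter-Id) back from the Access-Accept. The hiding algorithm follows RFC 2865; the secret, user name, authenticator and group name are constructed values.

```python
import hashlib
import os
import struct

RADIUS_AUTH_PORT = 1812  # default authentication port given in the note
GROUP_ATTR = 11          # Group Membership Attribute default; type 11 is Filter-Id in RFC 2865

def passcode(pin, token_code, pin_before_password=True):
    """Passcode the user submits: with Pin_Before_Password=on the SoftPIN precedes the token code."""
    return pin + token_code if pin_before_password else token_code + pin

def hide_password(secret, authenticator, password):
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(shared secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16 if password else 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def unhide_password(secret, authenticator, hidden):
    """Inverse of hide_password, as the RADIUS server (e.g. IAS) recovers the passcode."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def access_request(secret, user, pw, ident=1, auth=None):
    """Access-Request (code 1): 4-byte header, 16-byte Request Authenticator, TLV attributes."""
    auth = auth or os.urandom(16)  # constructed authenticator when none is supplied
    attrs = b"\x01" + bytes([len(user) + 2]) + user.encode()           # User-Name (1)
    hidden = hide_password(secret, auth, pw.encode())
    attrs += b"\x02" + bytes([len(hidden) + 2]) + hidden                # User-Password (2)
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + auth + attrs

def group_from_accept(packet):
    """Group Membership Attribute value from an Access-Accept (code 2), or None."""
    if not packet or packet[0] != 2:
        return None
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if attr_type == GROUP_ATTR:
            return packet[pos + 2:pos + length].decode()
        pos += max(length, 2)  # a malformed zero length must not loop forever
    return None
```

The USG matches the returned Filter-Id value against the group name in its user/group objects, which is why the SSL VPN and IPSec policies above are bound to a User/Group object rather than to individual users.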
