Overview
CyLock MFA enables strong Multi-Factor Authentication for any firewall based SSL VPN user login. CyLock MFA integrates with the firewall through CyLock MFA RADIUS proxy component installed in a server within the organization’s local network.
The CyLock MFA RADIUS proxy component enables any firewall with RADIUS protocol support to carry out a strong Multi-Factor Authentication (MFA) during remote login to remote network through SSL VPN.
Supported Devices:
Firewall Devices: Checkpoint 1500 Series, 3000 Series, 5000 Series, 6000 Series, 7000 Series, 8000 Series, 23000 Series supports RADIUS authentication.
Architecture Overview
CyLock MFA RADIUS proxy component needs to be installed within your network to enable MFA during SSL VPN login process. First factors (user login credentials) can be authenticated with an on-premise AD / LDAP / LDAP or against CyLock MFA local store. A typical deployment architecture and process is shown below.
Figure 1 – Deployment Architecture Block diagram of integrating Fortinet Firewall with CyLock RADIUS Proxy
Note:
- CyLock MFA RADIUS Proxy communicates with CyLock MFA Auth Server on TCP port 443
- Any firewall configuration to restrict access to CyLock MFA Auth Server through destination IP address or IP address ranges is not recommended as the IP addresses may change to provide service high availability
Prerequisites
- Securing an application requires an active CyLock MFA account. (Refer “Getting Started: Guide to CyLock MFA” to start using CyLock MFA to protect your applications).
- Login to “CyLock MFA Portal”
- Navigate to Application menu in the left menu panel
- Click “Add Application” button to secure an application. Locate and select “SSL VPN” from the list of application names. Click “+Secure” button to configure CyLock MFA for SSL VPN. Enter the details as requested and click “Save” button. Before leaving the page copy Application Key and Application ID, which are required during CyLock MFA RADIUS Proxy component installation. See “Securing an Application” for more information about protecting applications in CyLock MFA.
- Node.JS to be installed in the server where the CyLock MFA RADIUS Proxy component will be deployed.
- Download the CyLock MFA RADIUS Proxy component from the URL
https://downloads.cybernexa.com/downloads/CyLock_radius_proxy.zip
.
- Follow the instructions in “CyLock MFA RADIUS Proxy Installation” section to enable Multi-Factor Authentication (MFA) for SSL VPN user login
- Verify Microsoft AD / LDAP / LDAP is installed and configured for authenticating first factors of users.
- Download CyLock MFA Mobile App from Play Store or iOS store
- Register SSL VPN user using CyLock MFA Mobile app.
CyLock MFA RADIUS Proxy Installation
CyLock MFA RADIUS Proxy component will receive incoming RADIUS requests from your firewall during SSL VPN login. The proxy component will then perform the primary authentication (first factor authentication) either with your internal AD / LDAP / LDAP server or CyLock MFA local store, and then contact CyLock MFA Auth server for second factor authentication.
CyLock MFA RADIUS Proxy can be installed on a physical or virtual host within your network. We recommend a system with at least 4 vCPU, 200 MB disk space, and 4 GB RAM. Proxy supports the following operating systems:
- Windows Server 2008 or later (Server 2016+ recommended)
- CentOS 7 or later (CentOS 8+ recommended)
- Red Hat Enterprise Linux 7 or later (RHEL 8+ recommended)
- Ubuntu 18.04 or later (Ubuntu 20.04+ recommended)
- Debian 7 or later (Debian 9+ recommended)
Install Node.JS in the server where the CyLock MFA RADIUS Proxy component will be installed.
Download the CyLock MFA RADIUS Proxy component. Refer Prerequisites section above. After downloading, copy/move the Proxy Component to the respective server.
Configuring CyLock MFA RADIUS Proxy component
Go to the folder where the Proxy component has been copied. Extract the CyLock_radius_proxy.zip. After extracting, follow the below steps to configure the component.
On Windows or Linux machine go to the respective folder where the proxy component was copied & extracted.
MFA Configuration:
Open the cyconfig.js file in CyRadius Folder with administrative privileges and change the following properties:
| # |
Property Name (key) |
Description (value) |
| 1 |
url |
Enter Auth URL (Ex - https://demoauth.cybernexa.com/api/v2/srv/)
Contact the CyLock Support Team to get the Auth Server URL.
|
| 2 |
id_sp |
Customer ID value. Refer point #4 in Prerequisites section. |
| 3 |
Authorization |
API Key value. Refer point #4 in Prerequisites section. |
| 4 |
radius_secret |
Enter the encrypted RADIUS secret key. To obtain encrypted secret key please refer ‘Key Encryption Process’ section.
|
Note: Do not modify the key in the key-value pair.
AD / LDAP Configuration:
To enable RADIUS Proxy component, communicate with MS AD / LDAP server or LDAP server, configure the adconfig.js file.
Open the adconfig.js file in CyRadius Folder with administrative privileges and change the below properties.
| # |
Property Name (key) |
Description (value) |
| 1 |
Open_ldap_server |
Enter your open ldap server URL (ex: ldaps://ldap.cybernexa.com)
|
| 2 |
domain |
Provide your AD / LDAP domain name. |
| 3 |
url |
For secured LDAP:
ldaps://computername.domain.com or else simply use
For normal LDAP:
ldap://computername.domain.com
|
| 4 |
baseDN |
AD / LDAP Domain name |
| 5 |
Password |
AD / LDAP server Administrator user’s encrypted password. To obtain the encrypted AD/LDAP Password please refer ‘Key encryption Process’ section. |
Note: Do not modify the key in the key-value pair.
Key Encryption Process:
Encrypting RADIUS Secret Key and AD / LDAP Password.
a. After Unzip the radius_proxy.zip file. Go to the secure_cred directory and execute the "secure_cred.js" file using the command below
(i).node secure_cred.js
- Enter Customer ID (ID_SP): Get the ID_SP Key from the CyLock Portal. Refer Point #4 in Prerequisites Section.
- Enter Authorization Key: Get the API Key from the CyLock Portal. Refer Point #4 in Prerequisites Section.
- Enter Radius Secret: This Secret key is for communication between Firewall and RADIUS Proxy server.
- Enter AD / LDAP Admin Secret: Enter Your AD / LDAP Admin Password Refer Figure 2.
Figure 2 – RADIUS and LDAP Admin Secret key encryption
You can copy and paste the Encrypted RADIUS Secret in cyconfig.js on radius_secret parameter.
You can copy and paste the Encrypted AD / LDAP Admin Secret in adconfig.js on password parameter.
Note:The RADIUS Secret and AD / LDAP Password should always be encrypted.
Starting CyLock MFA RADIUS Proxy
Manual Start (Windows and Linux):
- Open terminal window
- Go to the folder where CyLock MFA RADIUS proxy component was copied
- Execute the command “node radius.js”
Auto Start (Linux):
To start the component automatically create and run as service
For creating service file follow the below steps:
- Open terminal window
- Execute
vi/etc/systemd/system/cylockradiusservice.service
- a.Copy paste the below contents from start of the file to end of the file in radius service file.
//*****Start of the file*****
[Unit]
Description=cylockradiusservice
After=syslog.target
After=network.target[Service]
User=cylock_iam
//Replace with your system user name
Type=simple
[Service]
Restart=always
StandardOutput=syslog
StandardError=syslog
//Provide the path of the CyLock MFA RADIUS proxy component (server.js)
WorkingDirectory=/home/cylock_iam/package/
//Provide the path of the CyLock MFA RADIUS proxy component (server.js)
ExecStart=/usr/bin/node /home/cylock_iam/package/server.js
SyslogIdentifier=cylockradiusservice
[Install]
1.WantedBy=multi-user.target
//******End of the file******
- 3.Save and exit vi editor by entering the following command
a.:wq!
- 4.Enable the service by entering the following command
a.systemctl enable cylockradiusservice.service
- 5.Start the service by entering the following command.
a.systemctl start cylockradiusservice.service
Note:For Windows OS, create a service for the batch file (.bat) using nssm.exe utility and start the service.
Configuring Firewall Settings
CyLock MFA integrates with your firewall device based VPN via RADIUS to add Multi-Factor Authentication (MFA) to SSL VPN logins. In this context your firewall device will act as RADIUS client and the CyLock MFA RADIUS Proxy component as the RADIUS server.
Configuring Checkpoint Firewall for RADIUS Authentication
1.Open the Checkpoint SmartConsole application in your Laptop/Desktop.
Figure 3: Starting the Checkpoint Smart Console Application
Figure 4: Connecting to the server
2.Give your admin username, password and click on Login. Refer Figure 5.
Figure 5: Login to Checkpoint Smart Console
Checkpoint SmartConsole page will open as shown in the Figure 6.
Figure 6: Checkpoint Smart Console page
3. Click on New > More > Server > RADIUS.
Figure 7: Adding RADIUS to the checkpoint firewall
‘New RADIUS’ window will open to enter the RADIUS Server details as shown in the Figure 8.
Figure 8: Window to enter RADIUS Server details
4.Enter the IP address or Host name of the RADIUS Server and the Shared Secret for the RADIUS server. Click OK.
Figure 9: Entering IP address, Secret key of the RADIUS Server
5.Click on ‘Publish’ at the top of the console screen and click on Publish button to make these changes available to all. Refer Figure 10.
Figure 10: Publish to make the changes available to all
Test the Set-Up
Types of Authentication Options:
CyLock MFA allows the following authentication options to login SSL VPN.
| # |
Mode |
Process Steps |
| 1 |
Default Mode |
In password field enter << Your password >> (for carrying out the default authentication) |
| 2 |
Online |
In password field enter << Your password >>,1 (for carrying Online MFA Push authentication) |
| 3 |
Online |
In password field enter << Your password >>,2 (for carrying Online MFA Push+PIN authentication) |
| 4 |
Online |
In password field enter << Your password >>,3 (for carrying Online MFA Push+Bio authentication) |
| 5 |
Offline (CR-OTP - Display) |
In password field enter << Your password >>,4 (for carrying Offline MFA CR-OTP (Display) authentication) |
| 6 |
Offline (CR-OTP – Email) |
In password field enter << Your password >>,5 (for carrying out Offline MFA CR-OTP (Email) authentication) |
| 7 |
Offline (CR-OTP – SMS) |
In password field enter << Your password >>,6 (for carrying Offline MFA CR-OTP (SMS) authentication) |
| 8 |
Offline (POTP - Email) |
In password field enter << Your password >>,7 (for carrying out Offline MFA POTP (Email) authentication) |
| 9 |
Offline (POTP – SMS) |
In password field enter << Your password >>,8 (for carrying Offline MFA POTP (SMS) authentication) |
| 10 |
Offline (TOTP) |
In password field enter << Your password >>,9 (for carrying Offline MFA TOTP authentication) |
Test the connection:
On successful 1FA, using a push notification or any preferred authentication mode (2FA) User can do 2FA using CyLock App for gaining access to VPN.
Here Push + PIN authentication mode is chosen for example.
You will get a Push notification to your registered mobile as shown in the Figure 12. Click on it, it will take you to CyLock MFA App.
Figure 12: Received Push notification in mobile
Authentication screen looks as in Figure 13. Click on Enter PIN.
Enter 6 digit PIN that you have set during device registration
.png)
Figure 13: Push notification triggered (2FA)
Figure 14: Entering 6 digit PIN
Once 2FA is verified, the VPN Connection will be established successfully as shown in Figure 15.
Figure 15: Successfully connected to VPN
Figure 16: Checking VPN Status
