Overview

CyLock MFA enables strong Multi-Factor Authentication for any firewall based SSL VPN user login. CyLock MFA integrates with the firewall through CyLock MFA RADIUS proxy component installed in a server within the organization’s local network.

The CyLock MFA RADIUS proxy component enables any firewall with RADIUS protocol support to carry out a strong Multi-Factor Authentication (MFA) during remote login to remote network through SSL VPN.

Supported Devices:

Firewall Devices: Sonicwall NSa series, NSsp series, Nsv series, TZ series, SOHO series supports RADIUS authentication.

Architecture Overview

CyLock MFA RADIUS proxy component needs to be installed within your network to enable MFA during SSL VPN login process. First factors (user login credentials) can be authenticated with an on-premise AD / LDAP / LDAP or against CyLock MFA local store. A typical deployment architecture and process is shown below.

Figure 1 – Deployment Architecture Block diagram of integrating Sonicwall Firewall with CyLock RADIUS Proxy

Note:

CyLock MFA RADIUS Proxy communicates with CyLock MFA Auth Server on TCP port 443
Any firewall configuration to restrict access to CyLock MFA Auth Server through destination IP address or IP address ranges is not recommended as the IP addresses may change to provide service high availability

Prerequisites

Securing an application requires an active CyLock MFA account. (Refer “Getting Started: Guide to CyLock MFA”to start using CyLock MFA to protect your applications).
Login to “CyLock MFA Portal”
Navigate to Application menu in the left menu panel
Click “Add Application” button to secure an application. Locate and select “SSL VPN” from the list of application names. Click “+Secure” button to configure CyLock MFA for SSL VPN. Enter the details as requested and click “Save” button. Before leaving the page copy Application Key and Application ID, which are required during CyLock MFA RADIUS Proxy component installation. See “Securing an Application” for more information about protecting applications in CyLock MFA.
Node.JS to be installed in the server where the CyLock MFA RADIUS Proxy component will be deployed.
Download the CyLock MFA RADIUS Proxy component from the URL https://downloads.cybernexa.com/downloads/CyLock_radius_proxy.zip .
Follow the instructions in “CyLock MFA RADIUS Proxy Installation” section to enable Multi-Factor Authentication (MFA) for SSL VPN user login
Verify Microsoft AD / LDAP is installed and configured for authenticating first factors of users
Download CyLock MFA Mobile App from Play Store or iOS store
Register SSL VPN user using CyLock MFA Mobile app.

CyLock MFA RADIUS Proxy Installation

CyLock MFA RADIUS Proxy component will receive incoming RADIUS requests from your firewall during SSL VPN login. The proxy component will then perform the primary authentication (first factor authentication) either with your internal AD / LDAP Server / LDAP Server or CyLock MFA local store, and then contact CyLock MFA Auth Server for second factor authentication.

CyLock MFA RADIUS Proxy can be installed on a physical or virtual host within your network. We recommend a system with at least 4 vCPU, 200 MB disk space, and 4 GB RAM. CyLock MFA RADIUS Proxy supports the following operating systems:

Windows Server 2008 or later (Server 2016+ recommended)
CentOS 7 or later (CentOS 8+ recommended)
Red Hat Enterprise Linux 7 or later (RHEL 8+ recommended)
Ubuntu 16.04 or later (Ubuntu 18.04+ recommended)
Debian 7 or later (Debian 9+ recommended)

Install Node.JS in the server where the CyLock MFA RADIUS Proxy component will be installed.

Download the CyLock MFA RADIUS Proxy component. Refer Prerequisites section above. After downloading, copy/move the Proxy Component to the respective server.

Configuring CyLock MFA RADIUS Proxy component

Go to the folder where the Proxy component has been copied. Extract the CyLock_radius_proxy.zip. After extracting, follow the below steps to configure the component.

On Windows or Linux machine go to the respective folder where the proxy component was copied & extracted.

MFA Configuration:

Open the cyconfig.js file in CyRadius Folder with administrative privileges and edit the following properties:

#	Property Name (key)	Description (value)
1	url	Enter Auth URL (Ex - https://demoauth.cybernexa.com/api/v2/srv/)
2	id_sp	Customer ID value. Refer point #4 in Prerequisites section.
3	Authorization	API Key value. Refer point #4 in Prerequisites section.
4	radius_secret	Enter the encrypted RADIUS secret key. To obtain encrypted secret key please refer ‘Key Encryption Process’ section.

Note: Do not modify the key in the key-value pair.

AD / LDAP Configuration:

To enable RADIUS Proxy component, communicate with MS AD / LDAP server or LDAP server, configure the adconfig.js file.

Open the adconfig.js file in CyRadius Folder with administrative privileges and edit the following properties.

#	Property Name (key)	Description (value)
1	Open_ldap_server	Enter your open ldap server URL (ex: ldaps://ldap.cybernexa.com)
2	domain	Provide your AD / LDAP domain name.
3	url	For secured LDAP: ldaps://computername.domain.com or else simply use For normal LDAP: ldap://computername.domain.com
4	baseDN	AD / LDAP Domain name
5	Password	AD / LDAP server Administrator user’s encrypted password. To obtain the encrypted AD/LDAP Password please refer ‘Key encryption Process’ section.

Note: Do not modify the key in the key-value pair.

Key Encryption Process:

Encrypting Radius Secret Key and AD / LDAP Password.

a. After Unzip the radius_proxy.zip file. Go to the secure_cred directory and execute the "secure_cred.js" file using the command below

(i).node secure_cred.js

Enter Customer ID (ID_SP): Get the ID_SP Key from the CyLock Portal. Refer Point #4 in Prerequisites Section.
Enter Authorization Key: Get the API Key from the CyLock Portal. Refer Point #4 in Prerequisites Section.
Enter Radius Secret: This Secret key is for communication between Firewall and RADIUS Proxy server.
Enter AD / LDAP Admin Secret: Enter Your AD / LDAP Admin Password Refer Figure 2.

Figure 2 – RADIUS and LDAP Admin Secret key encryption

You can copy and paste the Encrypted RADIUS Secret in cyconfig.js on radius_secret parameter.

You can copy and paste the Encrypted AD / LDAP Admin Secret in adconfig.js on password parameter.

Note:The RADIUS secret and AD / LDAP Passwords should always be encrypted.

Starting CyLock MFA RADIUS Proxy

Manual Start (Windows and Linux):

Open terminal window
Go to the folder where CyLock MFA RADIUS proxy component was copied
Execute the command “node radius.js”

Auto Start (Linux):

To start the component automatically create and run as service

For creating service file follow the below steps:

Open terminal window
Execute vi/etc/systemd/system/cylockradiusservice.service
Copy and paste the below contents from start of the file to end of the file in cylock radius service file.

//*****Start of the file*****

[Unit]
Description=cylockradiusservice
After=syslog.target
After=network.target[Service]
User=cylock_iam
//Replace with your system user name
Type=simple

[Service]
Restart=always
StandardOutput=syslog
StandardError=syslog

//Provide the path of the CyLock MFA RADIUS proxy component (server.js)
WorkingDirectory=/home/cylock_iam/package/

//Provide the path of the CyLock MFA RADIUS proxy component (server.js)
ExecStart=/usr/bin/node /home/cylock_iam/package/server.js
SyslogIdentifier=cylockradiusservice

[Install]

1.WantedBy=multi-user.target

//******End of the file******

4.Save and exit vi editor by entering the following command

a.:wq!

5.Enable the service by entering the following command

a.systemctl enable cylockradiusservice.service

6.Start the service by entering the following command.

a.systemctl start cylockradiusservice.service

Note:For Windows OS, create a service for the batch file (.bat) using nssm.exe utility and start the service.

Configuring Firewall Settings

CyLock MFA integrates with your firewall device based VPN via RADIUS to add Multi-Factor Authentication (MFA) to SSL VPN login. In this context your firewall device will act as RADIUS client and the CyLock MFA RADIUS Proxy component as the RADIUS server.

Configuring SonicWall Firewall for RADIUS Authentication

Login to the SonicWall management GUI by typing the default IP address for a SonicWall appliance in address bar in the browser.
Navigate to Device | Users | Settings.
In User Authentication method select Radius + Local Users
Click on the Configure button against Configure RADIUS. Refer Figure 3.
Figure 3 – SonicWall Management interface - Adding Radius server
Enter the IP address of the RADIUS Server, Port number and the Shared Secret for the RADIUS server and then click on Save. Refer Figure 4.
Note:The Shared Secret has to be identical to the one entered in the RADIUS Client in IAS.

Figure 4 – Entering Radius Server ip, port number and secret key
Go to Radius Users and choose the “Default user group to which all Radius users belong” and then Click Save.
Figure 5 – Choosing default user group to which all RADIUS users belong

In this example, the local users belong to SSLVPN Service user group, and they will be asked to do CyLock MFA in RADIUS when a VPN SSL connection is required.
Click on theTest tab.Type in the user name and enter password and test the authentication.

Test Your Setup

Types of Authentication Options:

CyLock MFA allows the following Authentication options to login SSL VPN.

#	Mode	Process Steps
1	Default Mode	In password field enter << Your password >> (for carrying out the default authentication)
2	Online	In password field enter << Your password >>,1 (for carrying Online MFA Push authentication)
3	Online	In password field enter << Your password >>,2 (for carrying Online MFA Push+PIN authentication)
4	Online	In password field enter << Your password >>,3 (for carrying Online MFA Push+Bio authentication)
5	Offline (CR-OTP - Display)	In password field enter << Your password >>,4 (for carrying Offline MFA CR-OTP (Display) authentication)
6	Offline (CR-OTP – Email)	In password field enter << Your password >>,5 (for carrying out Offline MFA CR-OTP (Email) authentication)
7	Offline (CR-OTP – SMS)	In password field enter << Your password >>,6 (for carrying Offline MFA CR-OTP (SMS) authentication)
8	Offline (POTP - Email)	In password field enter << Your password >>,7 (for carrying out Offline MFA POTP (Email) authentication)
9	Offline (POTP – SMS)	In password field enter << Your password >>,8 (for carrying Offline MFA POTP (SMS) authentication)
10	Offline (TOTP)	In password field enter << Your password >>,9 (for carrying Offline MFA TOTP authentication)

Initiate a connection from SonicWALL Net Extender SSL VPN client.
When prompted for username and password, enter the username and the password set for that user along with server ip and Click Connect. Refer Figure 6.

Figure 6 – Connecting to Sonicwall VPN using NetExtender VPN client

On successful 1FA, using a push notiﬁcation or any preferred authentication mode (2FA) User can do authentication using CyLock MFA App for gaining access to VPN.
Here Push + PIN authentication mode is chosen for example. You will get a Push notification to your registered mobile as shown in the Figure 7. Click on it, it will take you to CyLock MFA App.

Figure 7: Push notification received in mobile

Authentication screen looks as in Figure 8.Click on Enter PIN.
Enter 6 digit PIN that you have set during device registration.

Figure 8: PUSH+PIN Authentication triggered (2FA)

Figure 9: Entering 6 digit PIN

Once 2FA is verified user can connect to SonicWall SSL VPN Successfully.

Figure 10: User connected to VPN Successfully

Multi-Factor Authentication for SonicWall Firewall SSL VPN

Contents