
Multi-Factor Authentication for Sophos Firewall SSL VPN

Overview

CyLock MFA enables strong Multi-Factor Authentication for any firewall-based SSL VPN user login. CyLock MFA integrates with the firewall through the CyLock MFA RADIUS proxy component, which is installed on a server within the organization’s local network.

The CyLock MFA RADIUS proxy component enables any firewall with RADIUS protocol support to carry out strong Multi-Factor Authentication (MFA) when users log in remotely to the network through SSL VPN.

Supported Devices:

Firewall Devices: Sophos XG-series, SG-series, UTM-series and Cyberoam-series firewalls, all of which support RADIUS authentication.

Architecture Overview

The CyLock MFA RADIUS proxy component needs to be installed within your network to enable MFA during the SSL VPN login process. The first factor (user login credentials) can be authenticated against an on-premise AD / LDAP server or against the CyLock MFA local store. A typical deployment architecture and process is shown below.

Figure 1: Deployment Architecture Block diagram of integrating Sophos Firewall with CyLock RADIUS Proxy

Note:

  1. CyLock MFA RADIUS Proxy communicates with CyLock MFA Auth Server on TCP port 443
  2. Any firewall configuration to restrict access to CyLock MFA Auth Server through destination IP address or IP address ranges is not recommended as the IP addresses may change to provide service high availability

Prerequisites

  1. Securing an application requires an active CyLock MFA account. (Refer to “Getting Started: Guide to CyLock MFA” to start using CyLock MFA to protect your applications.)
  2. Log in to the “CyLock MFA Portal”.
  3. Navigate to the Application menu in the left menu panel.
  4. Click the “Add Application” button to secure an application. Locate and select “SSL VPN” from the list of application names. Click the “+Secure” button to configure CyLock MFA for SSL VPN. Enter the details as requested and click the “Save” button. Before leaving the page, copy the Application Key and Application ID, which are required during CyLock MFA RADIUS Proxy component installation. See “Securing an Application” for more information about protecting applications in CyLock MFA.
  5. Node.js must be installed on the server where the CyLock MFA RADIUS Proxy component will be deployed.
  6. Download the CyLock MFA RADIUS Proxy component from https://downloads.cybernexa.com/downloads/CyLock_radius_proxy.zip .
  7. Follow the instructions in the “CyLock MFA RADIUS Proxy Installation” section to enable Multi-Factor Authentication (MFA) for SSL VPN user login.
  8. Verify that Microsoft AD / LDAP is installed and configured for authenticating the users’ first factor.
  9. Download the CyLock MFA Mobile App from the Play Store or the iOS App Store.
  10. Register the SSL VPN user using the CyLock MFA Mobile app.

CyLock MFA RADIUS Proxy Installation

The CyLock MFA RADIUS Proxy component receives incoming RADIUS requests from your firewall during SSL VPN login. The proxy component first performs the primary (first factor) authentication, either with your internal AD / LDAP server or with the CyLock MFA local store, and then contacts the CyLock MFA Auth Server for second factor authentication.

CyLock MFA RADIUS Proxy can be installed on a physical or virtual host within your network. We recommend a system with at least 4 vCPU, 200 MB disk space, and 4 GB RAM. CyLock MFA RADIUS Proxy supports the following operating systems:

  •   Windows Server 2008 or later (Server 2016+ recommended)
  •   CentOS 7 or later (CentOS 8+ recommended)
  •   Red Hat Enterprise Linux 7 or later (RHEL 8+ recommended)
  •   Ubuntu 16.04 or later (Ubuntu 18.04+ recommended)
  •   Debian 7 or later (Debian 9+ recommended)

Install Node.JS in the server where the CyLock MFA RADIUS Proxy component will be installed.

Download the CyLock MFA RADIUS Proxy component (refer to the Prerequisites section above). After downloading, copy or move the proxy component to the target server.

Configuring CyLock MFA RADIUS Proxy component

Go to the folder where the proxy component has been copied and extract CyLock_radius_proxy.zip. After extracting, follow the steps below to configure the component.

On a Windows or Linux machine, go to the folder where the proxy component was copied and extracted.

MFA Configuration:

Open the cyconfig.js file in the CyRadius folder with administrative privileges and edit the following properties (property name, then the value to enter):

  1. url: Auth URL (e.g. https://demoauth.cybernexa.com/api/v2/srv/). Contact the CyLock Support team to get the Auth Server URL.
  2. id_sp: Customer ID value. Refer to point #4 in the Prerequisites section.
  3. Authorization: API Key value. Refer to point #4 in the Prerequisites section.
  4. radius_secret: The encrypted RADIUS secret key. To obtain the encrypted secret key, refer to the ‘Key Encryption Process’ section.

Note: Do not modify the key in the key-value pair.

AD / LDAP Configuration:

To enable the RADIUS Proxy component to communicate with your MS AD / LDAP server or LDAP server, configure the adconfig.js file.

Open the adconfig.js file in the CyRadius folder with administrative privileges and edit the following properties (property name, then the value to enter):

  1. Open_ldap_server: Your OpenLDAP server URL (e.g. ldaps://ldap.cybernexa.com).
  2. domain: Your AD / LDAP domain name.
  3. url: For secured LDAP use ldaps://computername.domain.com; for normal LDAP use ldap://computername.domain.com.
  4. baseDN: AD / LDAP domain name.
  5. Password: The AD / LDAP server administrator user’s encrypted password. To obtain the encrypted AD / LDAP password, refer to the ‘Key Encryption Process’ section.

Note: Do not modify the key in the key-value pair.

Key Encryption Process:

Encrypting Radius Secret Key and AD / LDAP Password.


a. After unzipping the radius_proxy.zip file, go to the secure_cred directory and execute the secure_cred.js file using the command below:

     node secure_cred.js

  •  Enter Customer ID (ID_SP): Get the ID_SP key from the CyLock Portal. Refer to point #4 in the Prerequisites section.
  •  Enter Authorization Key: Get the API key from the CyLock Portal. Refer to point #4 in the Prerequisites section.
  •  Enter Radius Secret: This secret key is for communication between the firewall and the RADIUS Proxy server.
  •  Enter AD / LDAP Admin Secret: Enter your AD / LDAP admin password. Refer to Figure 2.

Figure 2 – RADIUS and LDAP Admin Secret key encryption

 Copy and paste the encrypted RADIUS secret into the radius_secret parameter in cyconfig.js.

 Copy and paste the encrypted AD / LDAP admin secret into the password parameter in adconfig.js.

Note: The RADIUS secret and the AD / LDAP password should always be stored in encrypted form.

Starting CyLock MFA RADIUS Proxy

Manual Start (Windows and Linux):

  1. Open terminal window
  2. Go to the folder where CyLock MFA RADIUS proxy component was copied
  3. Execute the command “node radius.js”

Auto Start (Linux):

To start the component automatically, create it as a service and run it.

To create the service file, follow the steps below:

  1. Open a terminal window
  2. Execute vi /etc/systemd/system/cylockradiusservice.service
  3. Copy and paste the contents below, from start of file to end of file, into the cylockradiusservice service file.

# ***** Start of the file *****

[Unit]
Description=cylockradiusservice
After=syslog.target
After=network.target

[Service]
# Replace with your system user name
User=cylock_iam
Type=simple
Restart=always
StandardOutput=syslog
StandardError=syslog

# Provide the directory of the CyLock MFA RADIUS proxy component
WorkingDirectory=/home/cylock_iam/package/

# Provide the path of the CyLock MFA RADIUS proxy component entry file (server.js);
# the manual-start step above runs radius.js, so use the entry file your package ships
ExecStart=/usr/bin/node /home/cylock_iam/package/server.js
SyslogIdentifier=cylockradiusservice

[Install]
WantedBy=multi-user.target

# ****** End of the file ******

  4. Save and exit the vi editor by entering the following command
     a. :wq!

  5. Enable the service by entering the following command
     a. systemctl enable cylockradiusservice.service

  6. Start the service by entering the following command
     a. systemctl start cylockradiusservice.service

Note: For Windows OS, create a service for the batch file (.bat) using the nssm.exe utility and start the service.

Configuring Firewall Settings

CyLock MFA integrates with your firewall device’s VPN via RADIUS to add Multi-Factor Authentication (MFA) to SSL VPN login. In this setup your firewall device acts as the RADIUS client and the CyLock MFA RADIUS Proxy component as the RADIUS server.

Configuring Sophos Firewall for RADIUS Authentication

  1. Log in to the Sophos admin portal (https://<your Sophos LAN address>:4444) with an administrative user.
  2. Navigate to Authentication (under CONFIGURE). Refer to Figure 3.

    Figure 3: Sophos Authentication settings console

  3. On the Servers tab click ADD
  4. Change Server type to RADIUS server and then enter your CyLock RADIUS Agent information, i.e. RADIUS server IP address, port number, time-out and shared secret, and then click Save. Refer to Figure 4.

    Figure 4 – Adding RADIUS Server to the firewall

  5. After filling in all information, click Test connection to test your configuration.

    Figure 5 – Testing the connection

    A pop-up will confirm that the RADIUS server connectivity test was successful, as shown in Figure 6.

    Figure 6 – RADIUS server connectivity test success message

  6. Go to the Services tab, navigate to VPN [IPsec/L2TP/PPTP] Authentication Methods and select the RADIUS-Agent item that was added before.

    Figure 7 – Adding Authentication method

    Figure 8: Selecting RADIUS Agent as Authentication method

  7. Click Apply. To enable RADIUS authentication on SSL VPN, go to the Services tab and navigate to SSL VPN authentication methods. Select the RADIUS-Agent item that was added before and click Apply.

    Figure 9: Enabling Radius authentication on SSL VPN

  8. Click Apply. The authentication type for SSL VPN will change to RADIUS. If you have added and configured SSL VPN (remote access) in the VPN section, users can connect via Sophos Connect or the Sophos SSL VPN client with MFA.
  9. Notice: VPN users must log in to the user portal once; the list of users will then appear in the Users tab.

    Notice: For users to log in to the Sophos user portal, go to the Services tab. In Firewall authentication methods, select the RADIUS-Agent that was added in the previous section and drag it up to the highest priority.

    Figure 10: Selecting RADIUS – Agent for login users in Sophos user portal

Installing Sophos SSL VPN Client in Windows

  1. Log in to the User Portal with the user credentials, as shown in Figure 11.

    Figure 11: Sophos User Portal

  2. The User Portal console opens, as shown in Figure 12. Click the ‘Download client and configuration for Windows’ option.

    Figure 12: Downloading VPN Client and Configuration for Windows

  3. The Sophos SSL VPN Client .exe file is downloaded. Run the .exe file to start the VPN Client Setup Wizard, as shown in Figure 13, and click Next.

    Figure 13: Running Sophos SSL VPN Client Setup wizard

    Click ‘I Agree’ for the License Agreement and continue the setup.

    Figure 14: Accepting the License Agreement

    The Sophos SSL VPN Client now starts installing, as shown in Figure 15.

    Figure 15: VPN Client getting installed

    Click ‘Install’ in the Windows Security pop-up.

    Figure 16: Clicking on Install in windows security pop up

    The Sophos SSL VPN Client is now successfully installed. Click Next.

    Figure 17: Sophos SSL VPN Client is successfully installed

    Click Finish to complete the setup.

    Figure 18: Finishing the VPN Client set up

Test Your Setup

Types of Authentication Options:

CyLock MFA allows the following authentication options to log in to SSL VPN. The mode is selected by appending a comma and the mode number to the password in the password field (mode, then what to enter):

  1. Default Mode: enter << Your password >> (carries out the default authentication)
  2. Online: enter << Your password >>,1 (Online MFA Push authentication)
  3. Online: enter << Your password >>,2 (Online MFA Push+PIN authentication)
  4. Online: enter << Your password >>,3 (Online MFA Push+Bio authentication)
  5. Offline (CR-OTP - Display): enter << Your password >>,4 (Offline MFA CR-OTP (Display) authentication)
  6. Offline (CR-OTP – Email): enter << Your password >>,5 (Offline MFA CR-OTP (Email) authentication)
  7. Offline (CR-OTP – SMS): enter << Your password >>,6 (Offline MFA CR-OTP (SMS) authentication)
  8. Offline (POTP - Email): enter << Your password >>,7 (Offline MFA POTP (Email) authentication)
  9. Offline (POTP – SMS): enter << Your password >>,8 (Offline MFA POTP (SMS) authentication)
  10. Offline (TOTP): enter << Your password >>,9 (Offline MFA TOTP authentication)
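As an added example (not CyLock’s own proxy code), the following Node.js function parses the password field according to the mode-suffix convention in the table above. The mode numbers and labels come from the table; the handling of passwords that themselves contain a comma, and of suffixes outside 1-9, is an assumption of this example.

```javascript
// Added example: split "<password>,<N>" into the password and the requested
// MFA mode. Mode numbers and labels are taken from the table on this page;
// the fallback rules below are assumptions of this example, not CyLock's.
const MODE_LABELS = {
  0: "Default mode",
  1: "Online MFA Push",
  2: "Online MFA Push+PIN",
  3: "Online MFA Push+Bio",
  4: "Offline MFA CR-OTP (Display)",
  5: "Offline MFA CR-OTP (Email)",
  6: "Offline MFA CR-OTP (SMS)",
  7: "Offline MFA POTP (Email)",
  8: "Offline MFA POTP (SMS)",
  9: "Offline MFA TOTP",
};

// Split only at the LAST comma so a password such as "a,b" stays usable.
// A suffix that is not a single digit 1-9 is kept as part of the password
// and the request falls back to the default mode.
function parsePasswordField(field) {
  const cut = field.lastIndexOf(",");
  if (cut > 0) {
    const suffix = field.slice(cut + 1);
    if (/^[1-9]$/.test(suffix)) {
      const mode = Number(suffix);
      return { password: field.slice(0, cut), mode, label: MODE_LABELS[mode] };
    }
  }
  return { password: field, mode: 0, label: MODE_LABELS[0] };
}

// Log-safe summary of a request: only the selected mode, never the password.
function describeRequest(field) {
  const { mode, label } = parsePasswordField(field);
  return `mode=${mode} (${label})`;
}
```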

Test Connection:

  •  Click Connect on the Sophos Connect client and enter your username and password.
  •  As the VPN configuration has already been associated, after the first factor is verified, 2FA will be triggered based on the preferred authentication mode.

    Figure 19 : Connecting to Sophos SSL VPN

    Figure 20 : SSL VPN User- Authentication

    Figure 21 : Entering the User credentials (1FA)

  •  Here the Push + PIN authentication mode is chosen as an example. You will get a push notification on your registered mobile as shown in Figure 22. Tap it and it will take you to the CyLock MFA App.

    Figure 22: Push notification received to the mobile

    Figure 23: PUSH+PIN Authentication triggered (2FA)

    Figure 24: Entering 6 digit PIN

    Once 2FA is verified the user can connect to Sophos SSL VPN successfully.

    Figure 25: User connected to Sophos SSL VPN successfully