PhenixID

Step by Step – Clavister group membership

Summary

This document guides you through the steps to secure authentication to your Clavister Security Gateway VPN, using group membership to control access to resources on the network.
PhenixID Server delivers the two-factor authentication; after a successful login, the user's group membership is verified and sent to the Clavister Security Gateway.

System Requirements

  • PhenixID Server installed and configured as a RADIUS server
  • RADIUS module version 1.5 or later must be used (com.phenixidentity~phenix-radius~1.5.0)
  • The scenario uses RADIUS, so you need to know the RADIUS port and shared secret configured on the application being secured with PhenixID Server two-factor authentication.

Instruction

Overview

This document guides you through the configuration steps needed to use group membership to allow access to different network resources through Clavister Security Gateway.
PhenixID Server sends the group membership over RADIUS, and it must use the Clavister-User-Group vendor-specific attribute in this communication.
The Clavister Vendor ID is 5089 and Clavister-User-Group is defined as vendor-type 1.

Login to PhenixID Administration Portal

We will use one of the scenarios included in the administration portal.
Open a browser and go to https://PhenixidServerIP:8443/config/.
Log in with e.g. the default administrator user phenixid and its default password password.

Configure PhenixID Server as a RADIUS server and 2FA

This is explained in another Step-by-Step document; please read through it and then return to this document to continue the setup of Clavister Security Gateway.

The step-by-step document to configure PhenixID server to act as a RADIUS server:
http://support.phenixid.se/sbs/radiusserverwith2fa/

The Clavister Security Gateway requires RADIUS vendor-specific attribute 5089 in the communication to verify the group membership of the user logging in.
So after following the above step-by-step, we will add configuration for this to the file <PhenixID Server installation directory>/config/phenix-store.json.
Please make sure you have a backup copy of this file before proceeding.

We will add the configuration using the PhenixID Configuration Manager.
So please log in to https://PhenixidServerIP:8443/config/ and go to the tab Configuration (this tab needs to be enabled in boot.json; see http://document.phenixid.net/m/52601/l/513298-enable-configuration-tab-in-phenixid-configuration-manager).
Go to Authentication – Radius and press + beside config.
Add vs_attributes as Key and 5089:1:filtered_groups as Value, then press Stage changes.

[Screenshot: Configuration_Manager1]

Should now look like this:
[Screenshot: Configuration_Manager2]

We need to retrieve the group membership from the user account.
So add the attribute memberOf to the list of attributes on your pipe for OTP validation (the one containing OTPValidationValve) by going to Pipes and pressing edit on the LDAPSearchValve:
[Screenshot: Configuration_Manager4]
If there is a line 8 like in the screenshot above, please remove it (and the comma on line 7), then add memberOf to attributes.
Should now look like this:
[Screenshot: Configuration_Manager5] [Screenshot: Configuration_Manager6]

The next step is to add the valve that puts the filtered group value into the communication with the Clavister Security Gateway.
So in the pipe that has your OTPValidationValve, press edit (pencil) on valves and add the following valve directly after the OTPValidationValve:

{
  "name" : "LDAPGroupFiltering",
  "config" : {
    "connection_ref" : "b1690cae-760e-4e43-92f3-a6b0d3e8d885",
    "separator" : ",",
    "samaccountname_attribute" : "",
    "response_attribute_name" : "filtered_groups",
    "group_attribute" : "memberOf",
    "send_clean_group_dn" : "false",
    "groups_to_add" : "VpnGroup"
  }
}

Make sure to change "connection_ref" according to your configuration, and list your groups in "groups_to_add" separated by commas (,).
Should look like this:
[Screenshot: Configuration_Manager9]
[Screenshot: Configuration_Manager10]

When done, press Stage changes and then Commit changes.
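Added example (not PhenixID or Clavister code) showing what the configuration above produces on the wire: the filtered_groups value built from the user's memberOf entries, encoded as RADIUS Vendor-Specific attribute 5089:1 (Clavister-User-Group) per RFC 2865, plus a decoder you can run over a captured Access-Accept to confirm what the gateway receives. It assumes the valve matches each memberOf DN on its CN against groups_to_add and sends only the CN; that matching rule is an assumption, not documented here.

```python
import struct

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute type
CLAVISTER_VENDOR_ID = 5089    # Clavister Vendor ID (from this guide)
CLAVISTER_USER_GROUP = 1      # Clavister-User-Group vendor-type (from this guide)


def filter_groups(member_of, groups_to_add, separator=","):
    """Build the filtered_groups value for the user.
    Assumption: each memberOf DN is matched on its CN against the comma-separated
    groups_to_add list and only the CN is sent (send_clean_group_dn is "false")."""
    wanted = {g.strip() for g in groups_to_add.split(",") if g.strip()}
    matched = []
    for dn in member_of:
        rdn = dn.split(",", 1)[0]                      # first RDN, e.g. CN=VpnGroup
        cn = rdn.split("=", 1)[1] if "=" in rdn else rdn
        if cn in wanted and cn not in matched:
            matched.append(cn)
    return separator.join(matched)


def encode_clavister_user_group(value):
    """Encode value as VSA 5089:1 with the RFC 2865 layout:
    Type=26 | Length | Vendor-Id (4) | Vendor-Type | Vendor-Length | String."""
    data = value.encode("utf-8")
    if len(data) > 247:   # 255 max attr length - 2 header - 4 vendor id - 2 vendor header
        raise ValueError("Clavister-User-Group value does not fit in one attribute")
    vendor_part = bytes([CLAVISTER_USER_GROUP, 2 + len(data)]) + data
    body = struct.pack("!I", CLAVISTER_VENDOR_ID) + vendor_part
    return bytes([RADIUS_VENDOR_SPECIFIC, 2 + len(body)]) + body


def decode_vsa(attr):
    """Parse one Vendor-Specific attribute; returns (vendor_id, vendor_type, text).
    Both length fields are checked so a truncated or malformed attribute is rejected."""
    if len(attr) < 8 or attr[0] != RADIUS_VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    vendor_type, vendor_len = attr[6], attr[7]
    if vendor_len != len(attr) - 6:
        raise ValueError("vendor length does not match attribute length")
    return vendor_id, vendor_type, attr[8:].decode("utf-8")


if __name__ == "__main__":
    # Constructed sample memberOf values for a test user (not from the guide)
    member_of = ["CN=VpnGroup,OU=Groups,DC=example,DC=com",
                 "CN=Domain Users,CN=Users,DC=example,DC=com"]
    groups = filter_groups(member_of, "VpnGroup")
    print(decode_vsa(encode_clavister_user_group(groups)))   # (5089, 1, 'VpnGroup')
```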

Configure Clavister Security Gateway to use PhenixID Server for two-factor authentication

Please use the Clavister Security Gateway documentation for the configuration of the VPN and access to resources.
The RADIUS configuration against PhenixID Server should look like this:
[Screenshot: Device_Clavister_cOS_Core_11_00_12]
Change port and secret accordingly.

The groups should be added to the respective resource like this:
[Screenshot: Device_Clavister_cOS_Core_11_00_14]


DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se