Partner Information

Product Information
Partner Name: Apple Computer, Inc.
Web Site: www.apple.com
Product Name: Apple VPN Service
Version & Platform: Mac OS X Server 10.5
Product Description: Mac OS X Server provides a Virtual Private Network (VPN) service allowing users to access their corporate network over the Internet. The VPN service currently supports the L2TP/IPSec and PPTP protocols.
Product Category
Perimeter Defense
Solution Summary
Virtual private network (VPN) access enables your users to take advantage of network services while they're offsite and simultaneously prevents access by unauthorized individuals. Mac OS X Server 10.5 supports the standards-based L2TP/IPSec and PPTP tunneling protocols to provide encrypted VPN connections for Mac and Windows systems and even Apple's iPhone. These VPN services use secure authentication methods, including RSA SecurID authentication.
Product Requirements
Partner Product Requirements: Apple VPN Service
Version: 10.5.0 or greater
Operating System
Platform: Mac OS X
Required Patches: 10.5.0 or greater
To facilitate communication between the Apple VPN Service and the RSA Authentication Manager / RSA SecurID Appliance, an Agent Host record must be added to the RSA Authentication Manager database. The Agent Host record identifies the Apple VPN Service within its database and contains information about communication and encryption. To create the Agent Host record, you will need the following information.
Hostname
IP addresses for all network interfaces
When adding the Agent Host Record, you should configure the Apple VPN Service as UNIX. This setting is used by the RSA Authentication Manager to determine how communication with the Apple VPN Server will occur.
Note: Hostnames within the RSA Authentication Manager / RSA SecurID Appliance must resolve to valid IP addresses on the local network.
Please refer to the appropriate RSA Security documentation for additional information about Creating, Modifying and Managing Agent Host records.
Note: Go to the appendix of this document to get detailed information regarding these files.
Now configure the VPN service on Mac OS X Server to enable RSA EAP-SecurID authentication for the desired protocols.
Note: By default the Apple VPN Service is configured to allow all services access from all users and groups. In order for a user to be authorized to connect to the VPN after authentication, they must be granted access. If the RSA user does not already exist on the Mac OS X Server, a user account must be created.
4. Select the VPN service.
    # sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-RSA"
    # sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:0 = "EAP"
2. Return to Server Admin and click Settings > L2TP.
3. Check the box for Enable L2TP over IPsec.
4. Enter an IP address range for the VPN service to assign to clients.
5. Configure a shared secret for IPsec authentication.
6. Click the button labeled Start VPN (or Stop VPN and Start VPN to restart).
    # sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-RSA"
    # sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_index:0 = "EAP"
2. Return to Server Admin and click Settings > PPTP.
3. Check the box for Enable PPTP.
4. Enter an IP address range for the VPN service to assign to clients.
5. Click the button labeled Start VPN (or Stop VPN and Start VPN to restart).
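A post-configuration audit, added here as an example and not taken from the Apple or RSA documentation: it parses the `key = value` lines that `serveradmin settings vpn` prints and reports any enabled protocol that is not yet authenticating through the EAP-RSA plugin. The `enabled` key name and the sample settings text are assumptions; on a real server the audit would be fed `sudo serveradmin settings vpn`.

```shell
#!/bin/sh
# Audit Mac OS X Server VPN settings for RSA EAP-SecurID enforcement.
# Added example, not from the Apple or RSA guide. It assumes the
# "key = value" line format printed by `serveradmin settings vpn`;
# SETTINGS is a constructed sample in which PPTP was left on MSCHAP2.
SETTINGS='vpn:Servers:com.apple.ppp.l2tp:enabled = yes
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:0 = "EAP"
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-RSA"
vpn:Servers:com.apple.ppp.pptp:enabled = yes
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2"'

# value_of TEXT KEY: print the value of KEY (quotes stripped), or nothing.
value_of() {
    printf '%s\n' "$1" | sed -n "s/^$2 = //p" | tr -d '"'
}

# auth_mode TEXT PROTO: "eap-rsa" when PROTO (l2tp|pptp) authenticates via
# EAP with the EAP-RSA plugin; otherwise the configured protocol name
# (e.g. MSCHAP2) or "unset".
auth_mode() {
    base="vpn:Servers:com.apple.ppp.$2:PPP"
    proto=$(value_of "$1" "$base:AuthenticatorProtocol:_array_index:0")
    plugin=$(value_of "$1" "$base:AuthenticatorEAPPlugins:_array_index:0")
    if [ "$proto" = "EAP" ] && [ "$plugin" = "EAP-RSA" ]; then
        echo "eap-rsa"
    elif [ -n "$proto" ]; then
        echo "$proto"
    else
        echo "unset"
    fi
}

# audit_vpn TEXT: return 0 if every enabled protocol uses EAP-RSA; otherwise
# name the offenders on stderr and return 1.
audit_vpn() {
    rc=0
    for p in l2tp pptp; do
        [ "$(value_of "$1" "vpn:Servers:com.apple.ppp.$p:enabled")" = "yes" ] || continue
        mode=$(auth_mode "$1" "$p")
        if [ "$mode" != "eap-rsa" ]; then
            echo "$p: authentication is $mode, not EAP-RSA" >&2
            rc=1
        fi
    done
    return $rc
}

# On a real server: audit_vpn "$(sudo serveradmin settings vpn)"
audit_vpn "$SETTINGS" && echo "VPN authentication OK" || echo "fix before starting VPN"
```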
2. Under User Authentication, select the radio button for RSA SecurID.
3. Enter the Shared Secret configured at the server.
4. Click the button labeled OK.
2. Under User Authentication, select the radio button for RSA SecurID.
3. Click OK.
3.
4. Click the button labeled OK.
5. Establish a PIN for the user (when in New PIN mode).
6.
Operating System: Microsoft Windows 2003 Server; Mac OS X Server 10.5.0

RADIUS Protocol (recorded result: N/A for every item)
Force Authentication After New PIN
System Generated PIN
User Defined (4-8 Alphanumeric)
User Defined (5-7 Numeric)
User Selectable
Deny 4 and 8 Digit PIN
Deny Alphanumeric PIN
16 Digit Passcode
4 Digit Password
Next Tokencode Mode
Failover
Name Locking Enabled
No RSA Authentication Manager

Additional Functionality (recorded result: N/A for every item)
RSA Software Token Automation: System Generated PIN; User Defined (8 Digit Numeric); User Selectable; Next Tokencode Mode
RSA SecurID 800 Token Automation: System Generated PIN; User Defined (8 Digit Numeric); User Selectable; Next Tokencode Mode
Credential Functionality: Determine Cached Credential State; Set Credential; Retrieve Credential

BSD (same items as above)

= Pass
Operating System: Microsoft Windows 2003 Server; Mac OS X Server 10.5.4

RADIUS Protocol (recorded result: N/A for every item)
Force Authentication After New PIN
System Generated PIN
User Defined (4-8 Alphanumeric)
User Defined (5-7 Numeric)
Deny 4 and 8 Digit PIN
Deny Alphanumeric PIN
Deny Numeric PIN
PIN Reuse
16 Digit Passcode
4 Digit Fixed Passcode
Next Tokencode Mode
Failover
No RSA Authentication Manager

Additional Functionality
RSA Software Token Automation: System Generated PIN; User Defined (8 Digit Numeric); Next Tokencode Mode
RSA SecurID 800 Token Automation: System Generated PIN; User Defined (8 Digit Numeric); Next Tokencode Mode

BSD (same items as above)

= Pass