
Apple Computer, Inc.

Apple VPN Service

RSA SecurID Ready Implementation Guide


Last Modified: September 10, 2008

Partner Information
    Partner Name:   Apple Computer, Inc.
    Web Site:       www.apple.com

Product Information
    Product Name:         Apple VPN Service
    Version & Platform:   Mac OS X Server 10.5
    Product Description:  Mac OS X Server provides a Virtual Private Network (VPN) service allowing users to access their corporate network over the Internet. The VPN service currently supports the L2TP/IPSec and PPTP protocols.

Product Category

Perimeter Defense

Solution Summary
Virtual private network (VPN) access enables your users to take advantage of network services while they're offsite, while preventing access by unauthorized individuals. Mac OS X Server 10.5 supports the standards-based L2TP/IPSec and PPTP tunneling protocols to provide encrypted VPN connections for Mac and Windows systems and for Apple's iPhone. These VPN services use secure authentication methods, including RSA SecurID authentication.

Partner Integration Overview


    Authentication Methods Supported:                    Native RSA SecurID Authentication
    List Library Version Used:                           5.0.3.2
    RSA Authentication Manager Replica Support:          Full Replica Support
    Secondary RADIUS Server Support:                     N/A
    RSA Authentication Agent Host Type for 6.1:          UNIX
    RSA Authentication Agent Host Type for 7.1:          Standard Agent
    RSA SecurID User Specification:                      All Users
    RSA SecurID Protection of Administrative Users:      No
    RSA Software Token and RSA SecurID 800 Automation:   No

Product Requirements

Partner Product Requirements: Apple VPN Service
    Version:   10.5.0 or greater

Operating System
    Platform:           Mac OS X
    Required Patches:   10.5.0 or greater

Additional Software Requirements
    Application:          Apple VPN Client
    Additional Patches:   10.5.0 or greater

Agent Host Configuration


Important: Agent Host and Authentication Agent are synonymous. Agent Host is a term used with the RSA Authentication Manager 6.x servers and below. RSA Authentication Manager 7.1 uses the term Authentication Agent.

Important: All Authentication Agent types for 7.1 should be set to Standard Agent.

To facilitate communication between the Apple VPN Service and the RSA Authentication Manager / RSA SecurID Appliance, an Agent Host record must be added to the RSA Authentication Manager database. The Agent Host record identifies the Apple VPN Service within its database and contains information about communication and encryption. To create the Agent Host record, you will need the following information.
    - Hostname
    - IP Addresses for all network interfaces

When adding the Agent Host Record, you should configure the Apple VPN Service as UNIX. This setting is used by the RSA Authentication Manager to determine how communication with the Apple VPN Server will occur.
Note: Hostnames within the RSA Authentication Manager / RSA SecurID Appliance must resolve to valid IP addresses on the local network.

Please refer to the appropriate RSA Security documentation for additional information about Creating, Modifying and Managing Agent Host records.

RSA SecurID files


RSA SecurID Authentication Files
    File          Location
    sdconf.rec    /var/ace/
    Node Secret   /var/ace/
    sdstatus.12   /var/ace/
    sdopts.rec    /var/ace/

Note: Go to the appendix of this document to get detailed information regarding these files.

Partner Product Configuration


Before You Begin
This section provides instructions for integrating the partner's product with RSA SecurID Authentication. This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has a working knowledge of all products involved and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components. All vendor products/components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.

Documenting the Solution


Apple VPN Service is part of a Mac OS X Server 10.5 installation. Server Admin may be used to configure standard VPN services, but Server Admin does not have an interface for choosing the RSA SecurID authentication method. To designate the RSA SecurID authentication, the VPN configuration must be done via the command line interface manually.

Enabling RSA SecurID in the Apple VPN Service


The Apple VPN Service is ready to use RSA SecurID authentication out of the box. In order to enable RSA SecurID support, some files must first be copied to the Mac OS X Server. After the files have been copied, the Apple VPN Service must be configured to use RSA SecurID. Here is a brief overview of the configuration steps required to activate RSA SecurID authentication:
    1. Prepare for RSA SecurID authentication by copying files from the RSA Authentication Manager Server.
    2. Select a VPN protocol, either L2TP or PPTP or both, and configure the Apple VPN Service accordingly.
    3. Start the Apple VPN Service (or restart it if the service was already running).

Preparing for RSA SecurID Authentication


In order to configure RSA SecurID authentication for the Apple VPN Service, first copy the sdconf.rec file from your RSA Authentication Manager Server to a new directory on your Mac OS X Server named /var/ace. There are several ways you could do this. These steps illustrate one method:
    1. At your server, open the Terminal (/Applications/Utilities/).
    2. Type: sudo mkdir /var/ace
    3. Press Return.
    4. Enter your administrator password, and press Return.
    5. Click the Finder icon in the Dock.
    6. From the Go menu, choose Go to Folder.
    7. Type: /var/ace
    8. Click Go.
    9. Copy the sdconf.rec file from your RSA Authentication Manager server into the "ace" folder.
    10. You will see a dialog indicating that the "ace" folder cannot be modified. Click the Authenticate button to allow the copy.

Now configure the VPN service on Mac OS X Server to enable RSA EAP-SecurID authentication for the desired protocols.

Configuring the Apple VPN Service


    1. Open Server Admin (/Applications/Server/Server Admin).
    2. Expand the server node for the desired host.
    3. Click on Settings > Access and configure the VPN access.

       Note: By default the Apple VPN Service is configured to allow all services access from all users and groups. In order for a user to be authorized to connect to the VPN after authentication they must be granted access. If the RSA user does not already exist on the Mac OS X Server, a user account must be created.

    4. Select the VPN service.

Configuring Apple VPN Service for L2TP


    1. Open a Terminal (/Applications/Utilities/Terminal) and execute the following commands to configure the VPN service to use RSA SecurID with L2TP:

           sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-RSA"
           sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:0 = "EAP"

    2. Return to Server Admin and click on Settings > L2TP.
    3. Check the box for Enable L2TP over IPsec.
    4. Enter an IP address range for the VPN Service to assign to clients.
    5. Configure a Shared Secret for IPsec Authentication.
    6. Click the button labeled Start VPN (or Stop VPN and then Start VPN to restart).

Configuring Apple VPN Service for PPTP


    1. Open a Terminal (/Applications/Utilities/Terminal) and execute the following commands to configure the VPN service to use RSA SecurID with PPTP:

           sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-RSA"
           sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_index:0 = "EAP"

    2. Return to Server Admin and click on Settings > PPTP.
    3. Check the box for Enable PPTP.
    4. Enter an IP address range for the VPN Service to assign to clients.
    5. Click the button labeled Start VPN (or Stop VPN and then Start VPN to restart).
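The server-side steps above (the sdconf.rec copy, the two serveradmin settings for each of L2TP and PPTP, and the restart) scripted end to end, as an added example that is not code from the RSA guide or from Apple. It assumes that `serveradmin settings` accepts `key = value` lines on standard input, Apple's documented import form, which is equivalent to the one-setting-per-command form shown in the steps; that sdconf.rec should not be readable by other local users, which is this example's own hardening and not something the guide requires; and SAMPLE_DUMP is a constructed settings dump whose EAP-KRB and MSCHAP2 values are illustrative defaults only.

```shell
#!/bin/sh
# Added example; not code from the RSA guide or from Apple. It scripts the
# guide's server-side steps for L2TP and PPTP: confirm sdconf.rec is in /var/ace,
# push the two serveradmin settings per protocol, verify them from the live
# settings dump, and restart the VPN service. Assumes Mac OS X Server 10.5 with
# serveradmin in PATH and an admin account that can sudo.

ACE_DIR=/var/ace
PROTOCOLS="l2tp pptp"

# Constructed sample of `serveradmin settings vpn` output, used for the
# self-check: L2TP already switched to EAP-RSA, PPTP still on other values
# (EAP-KRB / MSCHAP2 are illustrative, not captured from a real server).
SAMPLE_DUMP='vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-RSA"
vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:0 = "EAP"
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-KRB"
vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_index:0 = "MSCHAP2"'

# Emit the two assignments the guide makes for one protocol, in the
# "key = value" line form that `serveradmin settings` reads from stdin.
securid_settings_for() {
    proto="$1"
    printf 'vpn:Servers:com.apple.ppp.%s:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-RSA"\n' "$proto"
    printf 'vpn:Servers:com.apple.ppp.%s:PPP:AuthenticatorProtocol:_array_index:0 = "EAP"\n' "$proto"
}

# Return 0 only if a settings dump shows both keys for the protocol with the
# expected values; a missing key or a different plugin/protocol is a failure.
verify_securid_dump() {
    proto="$1"
    dump="$2"
    printf '%s\n' "$dump" | grep -Fqx "vpn:Servers:com.apple.ppp.$proto:PPP:AuthenticatorEAPPlugins:_array_index:0 = \"EAP-RSA\"" || return 1
    printf '%s\n' "$dump" | grep -Fqx "vpn:Servers:com.apple.ppp.$proto:PPP:AuthenticatorProtocol:_array_index:0 = \"EAP\"" || return 1
    return 0
}

# Confirm sdconf.rec was copied in and that "other" users have no access to it.
# The permission check is this example's hardening, not a guide requirement:
# sdconf.rec and the node secret are what let this host talk to the
# Authentication Manager, so they should not be exposed to every local account.
check_ace_dir() {
    dir="$1"
    [ -f "$dir/sdconf.rec" ] || { echo "missing $dir/sdconf.rec" >&2; return 1; }
    other=$(ls -ld "$dir/sdconf.rec" | cut -c8-10)   # rwx bits for "other"
    case "$other" in
        ---) return 0 ;;
        *) echo "$dir/sdconf.rec is accessible to others (mode bits $other)" >&2; return 1 ;;
    esac
}

# Live run: check the files, push the settings, re-read them, and restart only
# when every protocol verifies. Runs only with the "apply" argument so the
# functions can be sourced or tested without touching the server.
apply_securid() {
    check_ace_dir "$ACE_DIR" || return 1
    for proto in $PROTOCOLS; do
        securid_settings_for "$proto" | sudo serveradmin settings
    done
    live=$(sudo serveradmin settings vpn)
    for proto in $PROTOCOLS; do
        verify_securid_dump "$proto" "$live" || { echo "EAP-RSA not active for $proto" >&2; return 1; }
    done
    sudo serveradmin stop vpn
    sudo serveradmin start vpn
}

case "${1:-}" in
    apply) apply_securid ;;
esac
```

Run it on the server as `sh enable-securid.sh apply` after sdconf.rec is in place; without the argument it only defines the functions. The verification step matters because `serveradmin settings` does not fail loudly on a mistyped key, so re-reading the dump is the only confirmation that EAP-RSA is actually the first authenticator plugin for each protocol. The IP address range, the L2TP shared secret and the Start VPN step stay in Server Admin as the guide describes.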

Enabling RSA SecurID in the Apple VPN Client


The Apple VPN Client is installed by default during a normal installation of Mac OS X Client. Follow the instructions below to enable the Apple VPN Client to connect using RSA SecurID authentication. Here is a brief overview of the configuration steps required to activate RSA SecurID authentication:
    1. Add an interface for the RSA SecurID enabled Apple VPN.
    2. Select a VPN protocol, either L2TP or PPTP or both, and configure the Apple VPN Client accordingly.

Adding an Interface for RSA SecurID Apple VPN


    1. Open the Network Preferences (System Preferences > Network).
    2. Click on the + symbol to add a new interface.
    3. Select VPN from the drop-down menu on Interface.
    4. Select the type of VPN created at the server (either L2TP or PPTP) from the drop-down menu on VPN Type.
    5. Add a Service Name and click Create.

Configuring the Client for L2TP


    1. Select the L2TP interface created above and click Authentication Settings.
    2. Under User Authentication select the radio button for RSA SecurID.
    3. Enter the Shared Secret configured at the server.
    4. Click the button labeled OK.

Configuring the Client for PPTP


    1. Select the PPTP interface created above and click Authentication Settings.
    2. Under User Authentication select the radio button for RSA SecurID.
    3. Click OK.

Connecting to the Apple VPN Service


    1. Click on the picture of the RSA SecurID token.
    2. Select Connect next to the VPN Interface name created earlier in the Apple VPN Client section of the guide.
    3. Enter the SecurID User Name and PASSCODE.
    4. Click the button labeled OK.
    5. Establish a PIN for the user (when in New PIN mode).
    6. Click the button labeled OK.


Certification Checklist For RSA Authentication Manager v6.x


Date Tested: January 11, 2008

Certification Environment
    Product Name                 Version Information   Operating System
    RSA Authentication Manager   6.1.2                 Microsoft Windows 2003 Server
    Apple VPN Server             10.5.0                Mac OS X Server 10.5.0

Mandatory Functionality                     RSA Native Protocol   RADIUS Protocol
    New PIN Mode
        Force Authentication After New PIN                        N/A
        System Generated PIN                                      N/A
        User Defined (4-8 Alphanumeric)                           N/A
        User Defined (5-7 Numeric)                                N/A
        User Selectable                                           N/A
        Deny 4 and 8 Digit PIN                                    N/A
        Deny Alphanumeric PIN                                     N/A
    Passcode
        16 Digit Passcode                                         N/A
        4 Digit Password                                          N/A
    Next Tokencode Mode
        Next Tokencode Mode                                       N/A
    Load Balancing / Reliability Testing
        Failover (3-10 Replicas)                                  N/A
        Name Locking Enabled                                      N/A
        No RSA Authentication Manager                             N/A

Additional Functionality
    RSA Software Token Automation
        System Generated PIN                    N/A
        User Defined (8 Digit Numeric)          N/A
        User Selectable                         N/A
        Next Tokencode Mode                     N/A
    RSA SecurID 800 Token Automation
        System Generated PIN                    N/A
        User Defined (8 Digit Numeric)          N/A
        User Selectable                         N/A
        Next Tokencode Mode                     N/A
    Credential Functionality
        Determine Cached Credential State       N/A
        Set Credential                          N/A
        Retrieve Credential                     N/A

Legend: Pass / Fail / N/A = Non-Available Function


Certification Checklist For RSA Authentication Manager 7.x


Date Tested: September 06, 2008

Certification Environment
    Product Name                 Version Information   Operating System
    RSA Authentication Manager   7.1                   Microsoft Windows 2003 Server
    Apple VPN Service            10.5.4                Mac OS X Server 10.5.4

Mandatory Functionality                     RSA Native Protocol   RADIUS Protocol
    New PIN Mode
        Force Authentication After New PIN                        N/A
        System Generated PIN                                      N/A
        User Defined (4-8 Alphanumeric)                           N/A
        User Defined (5-7 Numeric)                                N/A
        Deny 4 and 8 Digit PIN                                    N/A
        Deny Alphanumeric PIN                                     N/A
        Deny Numeric PIN                                          N/A
        PIN Reuse                                                 N/A
    Passcode
        16 Digit Passcode                                         N/A
        4 Digit Fixed Passcode                                    N/A
    Next Tokencode Mode
        Next Tokencode Mode                                       N/A
    Load Balancing / Reliability Testing
        Failover (3-10 Replicas)                                  N/A
        No RSA Authentication Manager                             N/A

Additional Functionality
    RSA Software Token Automation
        System Generated PIN                    N/A
        User Defined (8 Digit Numeric)          N/A
        Next Tokencode Mode                     N/A
    RSA SecurID 800 Token Automation
        System Generated PIN                    N/A
        User Defined (8 Digit Numeric)          N/A
        Next Tokencode Mode                     N/A

Legend: Pass / Fail / N/A = Non-Available Function

