Post on 29-Jul-2020
ZyWALL OTPv2
Support Notes
Revision 2.10
December, 2011
Written by CSO
ZyXEL – ZyWALL OTPv2 Support Notes
All contents copyright © 2011 ZyXEL Communications Corporation.
2
Table of Contents
1. Introduction 4
2. Server Installation 8
2.1 Pre-requisites 8
2.2 Installation on Windows Server 2003 Enterprise Service Pack 1 8
2.3 Installation on Windows Server 2008 R2 24
2.4 Activate the SafeWord Server and Import the physical tokens 37
2.5 Import the software tokens to your server 43
3. OTP Authentication to an OTP-protected Network via SSL VPN over ZyWALL USG 45
3.1.1 ZyWALL USG Configuration for External User 46
3.1.2 ZyWALL USG Configuration for External Group User 50
3.2.1 SafeWord Server Configuration for External User 54
3.2.2 SafeWord Server Configuration for External Group User 59
3.3.1 Verify OTP Ext-user via Login from the Remote 66
3.3.2 Verify OTP Ext-group-user via Login from the Remote PC 67
4. OTP Authentication to an OTP-protected Network via IPSec VPN Client over the ZyWALL USG 68
4.1.1 ZyWALL USG Configuration for External User 69
4.1.2 ZyWALL USG Configuration for External Group User 72
4.2.1 SafeWord Server Configurations for External User 76
4.2.2 SafeWord Server Configurations for External Group User 81
4.3 ZyWALL IPSec VPN Client Configuration 88
4.4 Verify OTP via Login from the VPN Client 90
5. Mobile OTP Authentication to an OTP-protected Network 92
5.1 Create the Software Token on your Windows computer 92
5.2 Create the Software Token on your iPhone, iPad or Mac OS 97
5.3 Create the Software Token on your Android OS 103
6. Advanced Scenario 109
6.1 A Lab of the "Guest for OTP" 109
6.2.1 Transfer license to new server (SafeWord license backup) 116
6.2.2 Transfer license to new server (AD backup) 119
7. OTP Troubleshooting 121
1. Introduction
This support note is a step-by-step guide covering OTP deployment from installation of the AD
components and the SafeWord server to assigning tokens to users, including use with the SSL VPN and
IPsec VPN functions on the ZyWALL USG. If you simply wish to enable user login to the SSL VPN via an
OTP code, you can skip to chapter 3 and follow the step-by-step guide there.
One-Time Password (OTP) Authentication
One-Time Password (OTP) is an optimum security technology that enables a server to authenticate users
based on a password that is unique every time they try to access a protected network.
Two-Factor Authentication
Two-factor authentication is an optimum security methodology, because it requires something a user has
(a ZyWALL OTP Token) and something a user knows (a secure password or PIN). A two-factor system is
far more secure than using just a password, since many skilled hackers can quite easily access
password-only protected computers and networks. The illustration shows the concept of Two-Factor
authentication.
User PIN and Token code
User PIN is what a user knows and Token code is what a user has.
ZyWALL OTP Product Components
ZyWALL OTP, which includes the ZyWALL OTP Token and SafeWord 2008, provides secure verification of
identity to remote Virtual Private Network (VPN) and Local Area Network (LAN) users.
SafeWord 2008 installation includes:
- SafeWord Core Server
Database server
Administration server
Authentication engine
- Management console (integrated in Windows Server AD)
- RADIUS Agents (IAS clients)
SafeWord Core Server
The SafeWord Core Server consists of 3 main components:
- Database server (MySQL) – installed by default. The SafeWord database serves as the repository for
token records independent of the management mode. It stores the Token serial numbers and Token
seeds used to generate OTP. The database server listens on port 5010 by default and only the
Administration service and Authentication engines can query it directly.
- Administration server – runs administration services and performs tasks initiated by administrators
or users. Updates the SafeWord database and synchronizes SafeWord database data in configurations
with MMC console and User Center. Also performs replication of changes between peers. It listens on
port 5040 by default.
- Authentication engine (AAA) – runs the authentication engine that verifies that the passcode supplied
with an access request is correct for the token assigned to the specific user. It listens on port 5031 by
default.
Management Console (AD)
The Management console integrated in Microsoft AD is the interface used to directly update the database
via the SafeWord Administration Service.
You can use this to import Tokens (add Token serial numbers to SafeWord database) or backup and
restore Token data.
It also lets you view and manage all imported Tokens.
RADIUS Agent
The OTP RADIUS agent contains a configuration file specifying where the SafeWord server holds the user
repository and the Authentication service. It verifies that the passcode supplied with an access request is
correct for the token assigned to the specific user.
An agent can be installed only if its supporting (base) software components exist. Otherwise the agent
will not appear for selection in the installation components window. For example, the RADIUS server
agent can only be installed when IAS has already been set up.
2. Server Installation
2.1 Pre-requisites
Before starting to install the SafeWord server, verify the following:
- Hardware requirements of the system
CPU – Pentium IV or AMD @ 1.8 GHz (min), 2 GHz (recommended)
RAM – 1 GB (min), 4 GB (recommended)
Disk space – 3 to 5 GB (min)
- Software requirements of the system
Server OS – 32- or 64-bit Windows Server 2003/2008 or Windows Server 2008 R2
A working Active Directory environment
An IAS server installed for RADIUS authentication
2.2 Installation on Windows Server 2003 Enterprise Service Pack 1
Step 1. Prepare the Active Directory
- Click on Start > Manage Your Server to open the installation wizard. Click “Add or remove a role” to
configure it.
- Select to install the Domain Controller (Active Directory).
- Fill in the full DNS name for the new domain.
- Click Next to continue the installation process. When the process is done, Active Directory will be
installed and ready.
Step 2. Prepare the IAS Server
- Click Start > Control Panel > Add or Remove Programs > Windows Components Wizard > Networking
Services > Internet Authentication Service to install the component.
- After the installation, you can execute it through Start > Administrative Tools > IAS.
Step 3. Check pre-requisites before installation
Network prerequisites:
- 32 or 64-bit Windows Server 2003 with Service Pack 1.
Note: Windows 2008 Core is not supported. Windows 2003/2008 Small Business Server is not supported.
- Active Directory populated with users.
Note: A Domain Controller is required for use with Active Directory.
- Internet access (to receive important product updates not included on your installation CD.)
Component prerequisites:
- Active Directory Users and Computers Management Console
.Net Framework 2.0 or greater installed
This component is only available when the installation machine is part of a domain.
MMC 3.0 or greater installed (for Server 2003, user can download it from http://support.microsoft.com/kb/907265)
Note: Port 5040 must be open between the remote ADUC server and the server running the Admin Service. You may customize
this port.
- IAS/NPS Agent
IAS must be functioning and configured for RADIUS authentication (policies, secret keys, firewall ports, and user
permissions must be set correctly, and users must be able to successfully authenticate to IAS) before installing this
Agent.
Port 1812 must be open in any firewalls between the RADIUS clients and the IAS Server.
Step 4. Install SafeWord 2008 server
In this section, we will walk through the system installation process. For the up to date user manuals,
please check SafeNet’s website. The link is: http://www.aladdin.com/safeword/docs/2008.aspx
Below is a flow chart-type snapshot of the installation process and the step-by-step installation. You can
check chapter 2 of “Installing and Activating SafeWord 2008” of SafeWord 2008 Administration Guide on the
SafeNet website for more detailed information.
1) Insert the CD and select to Install SafeWord 2008.
2) Enter your product serial number (located on your product package and/or on the Activation
Certificate, it is in the format NSXX-XXXX-XXXX-XXXX), then click OK.
3) If there is a new version available, the software will download it automatically during the installation
process.
4) Review the License Agreement, then click Yes to accept it.
5) When the Choose Destination Location window appears, accept the default installation location (or
browse to select another), then click Next. If you choose to install in a location different than the
default location, you must ensure that the following permissions are set:
■ Administrators – full control
■ Authentication users – read and execute
■ CREATOR OWNER – full control (subfolders and files only)
■ Server Operators – modify
■ SYSTEM – full control
6) The Select Components window for the specific version of SafeWord you selected will appear.
In the ZyXEL pack, you need to select the following components:
■ SafeWord Server
■ Management Snap-in for Active Directory
■ IAS-NPS (RADIUS) Agent
Note: Only components that can be installed on your system will be displayed. If any of the above components doesn’t display, please check
the pre-requisites.
7) Make your selections, and then click Next.
8) Make any needed changes in the Select Program Folder window, then click Next.
9) Review the information in the Start Copying Files window, then click Next.
10) Select the preferred user management. Here leave the default setting “I will manage users in Active
Directory”, then click Next.
11) The Server Components window will appear with the default ports through which SafeWord
components will communicate. Accept the default port settings or specify your own port settings. You
will also be personalizing your SafeWord installation by defining a unique Encryption Key and Signing
Key on the Database Security pane. Each key must be 16 characters in length, and must remain the
same for the life of the installation. Click Next when all needed changes have been made.
Tip: A small exclamation point displayed next to a Port field indicates that port is already in use by another process, and you must select a
different port.
12) When the Host Address window appears, enter the Fully Qualified Domain Name to which this
machine belongs, and then click Next. If you do not know the domain, click Query to obtain it from
your DNS Server.
13) If your SafeWord Server is not being installed on a Domain Controller, you will be prompted to
provide the administrator’s credentials for the machine on which the SafeWord Server is to be
installed, then click Next.
14) If you selected the IAS Agent for installation on Server 2003, you will be prompted to restart the IAS
service by clicking Yes. If installing on Server 2008, the Restart window will not appear, and you may
skip to “Finishing the installation”.
15) During installation, windows will appear and disappear, and the installation will take several
minutes to complete. The InstallShield Wizard Complete window will appear when the installation is
finished.
16) After the software installation is complete, go to Services and start the SafeWord User Center service.
17) You can verify the server status to make sure the installation is correct. Click Start > Aladdin >
SafeWord > Configuration > Server Configuration to enable the Utility.
18) Status of all the server components should be “Active” for a successful installation.
Step 5. Activate SafeWord 2008 server
The Activation Certificate that came with your software contains the SafeWord 2008 Serial number and
Token Group ID that allow you to download the activation key and token data records, and are in the
following formats:
■ SafeWord Software Serial Number—The serial number is a 16-digit alphanumeric code in the form of
this example:
NSxx-xxxx-xxxx-xxxx. You will need the serial number to obtain your product activation key.
■ Token Group ID—Your Token Group ID is a 16-digit alphanumeric code in the form of this example:
TKxx-xxxx-xxxx-xxxx.
Registering on the portal:
There are two methods of activating SafeWord 2008: using ADUC, or directly from Aladdin’s Website if
not using ADUC. In either case, you must sign in and register on the Aladdin portal at
https://portal.aladdin.com, before you can complete and submit an activation form. After activating, your
information will be verified, and the activation key and token records will be downloaded automatically
for ADUC, and manually if you are not using ADUC.
Activation using ADUC:
1) In ADUC, click on the SafeWord folder. The first time you right-click on the SafeWord folder, you will
be prompted to enter and re-enter (to verify) an Administrator password. This Administrator
password is not your Windows Administrator password. If you have (or plan to have) multiple
management consoles, you must use the same Administrator password for all installations.
2) Click OK when done.
3) Right-click on the SafeWord folder and select Activate Product.
4) Log into the portal using the credentials received in your mail when you registered.
5) Enter the Software Serial Number and the Token Group ID(s) (if you are importing token records) for
the product you are activating. E.g.: Activation Software Serial Number example:
NSXX-XXXX-XXXX-XXXX, Token Group ID example: TKXX-XXXX-XXXX-XXXX.
6) Complete the activation form, then click Submit.
7) The SafeWord Activation window will appear showing the license activation and token import
progress. Upon completion, the activation file key.html will be downloaded to
<Install_Dir>\Aladdin\SafeWord\ImportData. This is the key to activate your software and your token
data records. You should back up these files in case you need to reactivate the product or re-import
token records later. The Administration Server and Authentication Engine services will restart.
8) When the activation and authentication process is complete, click OK.
9) The Activations Complete window will display important download and installation information. To
manually save the files from this window, right click on each file name, and then select the Save Target
As option.
10) You should verify that the key.activated.html file is located on the SafeWord server by browsing to
<Install_Dir>\SERVERS\AdminServer\activation.
11) If you are also importing token records, ensure that the token(s) were successfully imported into the
SafeWord database by opening ADUC and then expanding the SafeWord Node. The Tokens sub-folder
will display the imported tokens.
12) If the key.activated.html file exists, the activation is complete. If the file does not exist, please refer to
the manual activation process.
Activating manually via Website:
If you don’t use ADUC to activate SafeWord server, you might need to activate it manually. For off-line
activation, two files are provided to the customer upon purchase of tokens:
■ Server license - a software activation file (key.html) that includes an activation key. This key should be
entered in place of the software serial ID.
■ An import file containing the serial numbers of the tokens bought by the customer (import*.dat).
1) If you are simply obtaining the latest activation package (key.html file + import*.dat), please jump to
step 11 and continue. If you want to download the activation package for your customers to use, please
create the RCR.txt file first by following the steps described below.
a. On the SafeWord installation server, select Start > Programs > Aladdin > SafeWord > Active
Directory Users and Computers.
b. Right-click the SafeWord folder in the left directory tree and select Support.
c. Click the Save button to automatically save the RCR.txt file to a temporary directory.
2) Log into the Portal (http://partner.safenet-inc.com) using the user name and password you received
during registration.
Note: You may be required to create a login at your first visit to the activation site.
3) Click the SafeWord Activation link on the left pane of the window. The SafeWord Activations page will
appear.
4) Enter your SafeWord Software Serial Number in the SafeWord Software Serial Number field.
For example: NSXX-XXXX-XXXX-XXXX.
5) Click the Continue button. The SafeWord Activation page will appear.
6) Click the Browse button and retrieve the RCR.txt file you saved earlier in this process. The file name
will be displayed in the Support Data File field.
7) Enter the product Token Group ID in the Token Group ID field.
8) Scroll down to the bottom of the page and click Submit.
9) You can now download the files that contain the key to activate your software and your token data
records. You should back up these files in case you need to reactivate the product or re-import token
records later.
10) Right click on each link and select the Save Target As option. Save the files on to the SafeWord Server
and unzip them.
11) Rename the license file to key.html. (For example, change the name from NSxx-xxxx-xxxx-xxxx.html
to key.html)
12) Save the key.html file to the following directory:
<Install_Dir>\SafeWord\SERVERS\AdminServer\activation.
Important: Ensure the file name is key.html. Using any variation (key.htm or key.html.html, for instance)
will cause the activation to fail.
13) Restart the SafeWord Administration Server and Authentication Engine by browsing to Start >
Programs > Administrative Tools > Services, right click on SafeWord Administration Server and select
Restart (repeat for the Authentication Engine).
14) To verify the activation, browse to <Install_Dir>\SERVERS\AdminServer\activation. A successfully
processed license file will be renamed to key.activated.html.
15) After successful activation, the support expiration date will display a value of the valid expiration
date.
16) Import the token by clicking the Import Tokens button.
17) Select the importAlpine.dat file which was in the downloaded zip file.
18) When the process is done, you will see the corresponding tokens have been added into the Tokens
folder.
The SafeWord activation is complete.
For more information, you can click the “SafeWord Activation” link to perform on-line activation. Please
refer to the following manual: http://www.aladdin.com/pdf/safeword/Safeword-Products-Activation.pdf
2.3 Installation on Windows Server 2008 R2
Step 1. Prepare the Active Directory
1) Click Start > Administrative Tools > Server Manager to open the installation wizard.
2) Click Roles > Add Roles to configure Server components.
3) Select to install the Active Directory Domain Server.
4) Windows Server 2008 R2 already includes a .NET Framework version greater than 2.0, so you do not
need to install it separately.
5) After the installation is ready, click the hyperlink to run the Active Directory Domain Services
installation wizard.
6) The wizard page will appear for the installation.
7) Select to create a new domain if installing on a new AD server.
8) Fill in the full DNS name for the new domain.
9) Select “Windows Server 2008 R2” as the functional level.
10) The “DNS server” option is not mandatory for SafeWord server installation.
11) Fill in the password for the Administrator account; a strong password is required.
12) Click Next to continue the installation process. After the process is done, the Active Directory will be
installed and ready.
13) You have to restart the computer for Active Directory Domain Services to take effect.
Step 2. Prepare the NPS Server
1) Click Start > Administrative Tools > Server Manager to open the installation wizard.
2) Click Roles > Add Roles to configure Server components.
3) Select Network Policy and Access Services and go into the detailed settings.
4) Select to install the Network Policy Server.
5) After the installation is complete, the results will be displayed on the page.
6) You can execute it on Start > Administrative Tools > Network Policy Server.
Step 3. Check pre-requisites before installing
1) Network pre-requisites:
■ 32 or 64-bit Windows Server 2008 or Windows Server 2008 R2.
Note: Windows 2008 Core is not supported. Windows 2003/2008 Small Business Server is not supported.
■ Active Directory populated with users.
Note: A Domain Controller is required for use with Active Directory.
■ Internet access (to receive important product updates not on your installation CD.)
2) Component pre-requisites:
Active Directory Users and Computers Management Console
■ .NET Framework 2.0 or greater installed
■ This component is only available when the installation machine is part of a domain.
■ MMC 3.0 or greater installed
Note: Port 5040 must be open between the remote ADUC server and the server running the Admin Service. You may customize
this port.
3) NPS Agent
■ NPS must be functioning and configured for RADIUS authentication (policies, secret keys, firewall ports, and
user permissions must be set correctly, and users must be able to successfully authenticate to NPS) before
installing this Agent.
■ Port 1812 must be open in any firewalls between the RADIUS clients and the NPS Server.
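The prerequisite list above is the same one given for Windows Server 2003 in Step 3 of section 2.2, with NPS in place of IAS. The following PowerShell script is an added example, not part of this ZyXEL note and not a SafeNet tool, that checks those prerequisites on the machine that will host SafeWord before you run the installer. It assumes PowerShell 2.0 or later is available (built into 2008 R2, a separate download on 2003), that the RADIUS service registers the Windows service name IAS on both versions (the NPS service keeps that name), that the MMC 3.0 update on 2003 is listed as hotfix KB907265 (the article the note links to), and that the SafeWord component ports are still at their defaults (5010, 5031, 5040). The firewall query uses netsh advfirewall, which only exists on 2008 and later.

```powershell
# Pre-installation prerequisite check for a SafeWord 2008 host.
# Added example; not from the ZyXEL support note or the SafeNet installer.
# Run from an elevated PowerShell prompt on the future SafeWord server.

function New-Check([string]$name, [bool]$ok, [string]$detail) {
    New-Object PSObject -Property @{ Check = $name; Pass = $ok; Detail = $detail }
}
$results = @()

# 1. Domain membership: the ADUC snap-in only appears on a domain member.
$cs = Get-WmiObject Win32_ComputerSystem
$results += New-Check "Domain member" $cs.PartOfDomain "domain: $($cs.Domain)"

# 2. .NET Framework 2.0 or greater. The v2.0.50727 key is also present when
#    3.0/3.5 is installed; a v4 Full install is accepted as well.
$ndp  = "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP"
$net2 = (Get-ItemProperty "$ndp\v2.0.50727" -ErrorAction SilentlyContinue).Install -eq 1
$net4 = (Get-ItemProperty "$ndp\v4\Full"    -ErrorAction SilentlyContinue).Install -eq 1
$results += New-Check ".NET Framework 2.0+" ($net2 -or $net4) "v2.0: $net2  v4: $net4"

# 3. MMC 3.0 or greater: built into Windows Server 2008/2008 R2 (NT 6.x);
#    on 2003 it ships as update KB907265 (assumption: listed as a hotfix).
$os = Get-WmiObject Win32_OperatingSystem
if ([version]$os.Version -ge [version]"6.0") {
    $results += New-Check "MMC 3.0+" $true "built into $($os.Caption)"
} else {
    $kb = Get-WmiObject Win32_QuickFixEngineering | Where-Object { $_.HotFixID -eq "KB907265" }
    $results += New-Check "MMC 3.0+" (@($kb).Count -gt 0) "KB907265 present: $(@($kb).Count -gt 0)"
}

# 4. IAS (2003) / NPS (2008) must be installed and running, otherwise the
#    RADIUS agent is not offered in the installer's component list.
$ias = Get-Service -Name IAS -ErrorAction SilentlyContinue
if ($ias) { $results += New-Check "IAS/NPS service" ($ias.Status -eq "Running") "status: $($ias.Status)" }
else      { $results += New-Check "IAS/NPS service" $false "service IAS not installed" }

# 5. Port usage. RADIUS should already be listening on UDP 1812; the
#    SafeWord default ports must NOT be in use yet, or the installer will
#    flag them with an exclamation mark and you will have to pick others.
$netstat = netstat -ano
$radius  = $netstat | Select-String "^\s*UDP\s+\S+:1812\s"
$results += New-Check "RADIUS listening on UDP 1812" (@($radius).Count -gt 0) "$(@($radius).Count) listener(s)"
foreach ($port in 5010, 5031, 5040) {
    $inUse = $netstat | Select-String "^\s*TCP\s+\S+:$port\s+\S+\s+LISTENING"
    $results += New-Check "TCP $port free for SafeWord" (@($inUse).Count -eq 0) $(if ($inUse) { "already in use" } else { "free" })
}

# 6. Firewall: list rules that open 1812 (RADIUS clients) or 5040 (remote
#    ADUC consoles). Informational only; netsh advfirewall needs 2008+.
if ([version]$os.Version -ge [version]"6.0") {
    $rules = netsh advfirewall firewall show rule name=all | Select-String "LocalPort:\s+(1812|5040)\b"
    $results += New-Check "Firewall rules for 1812/5040" (@($rules).Count -gt 0) "$(@($rules).Count) matching rule line(s)"
}

$results | Format-Table Check, Pass, Detail -AutoSize
if ($results | Where-Object { -not $_.Pass }) { Write-Warning "One or more prerequisites are not met." }
```

A failed "TCP ... free" line before installation is exactly the case the installer's exclamation-mark tip refers to: note which process holds the port (netstat -ano shows its PID) and choose another port in the Server Components window, remembering that the remote ADUC firewall note then applies to the port you chose rather than 5040.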
Step 4. Install SafeWord 2008 server
In this section, we will walk through the system installation process. For the up to date user manuals, you
can check SafeNet’s website. The link is: http://www.aladdin.com/safeword/docs/2008.aspx
Below is a flow chart-type snapshot of the installation process and the step-by-step installation. You can
check chapter 2 of “Installing and Activating SafeWord 2008” of SafeWord 2008 Administration Guide on the
SafeNet website for more detailed information.
1) Insert the CD and select to Install SafeWord 2008.
2) Enter your product serial number (located on your product package and/or on the Activation
Certificate, it is in the format NSXX-XXXX-XXXX-XXXX), then click OK.
3) If there is a new version available, the software will download it automatically during the installation
process.
4) Review the License Agreement, then click Yes to accept it.
5) When the Choose Destination Location window appears, accept the default installation location (or
browse to select another), then click Next. If you choose to install in a location different than the
default location, you must ensure that the following permissions are set:
■ Administrators – full control
■ Authentication users – read and execute
■ CREATOR OWNER – full control (subfolders and files only)
■ Server Operators – modify
■ SYSTEM – full control
6) The Select Components window for the specific version of SafeWord you selected appears.
In the ZyXEL pack, you need to select the components as below:
■ SafeWord Server
■ Management Snap-in for Active Directory
■ IAS-NPS (RADIUS) Agent
Note: Only components that can be installed on your system will be displayed. If any of the above components doesn’t display, please
check the prerequisites.
7) Make your selections, then click Next.
8) Make any needed changes in the Select Program Folder window, then click Next.
9) Review the information in the Start Copying Files window, then click Next.
10) Select preferred user management. Here, leave the default setting “I will manage users in Active
Directory”, then click Next.
11) The Server Components window will appear with the default ports over which SafeWord
components will communicate. Accept the default port settings or specify your own port settings. You
will also be personalizing your SafeWord installation by defining a unique Encryption Key and Signing
Key on the Database Security pane. Each key must be 16 characters in length, and must remain the
same for the life of the installation. Click Next when all needed changes have been made.
Tip: A small exclamation point displayed next to a Port field indicates that port is already in use by another process, and you must
select a different port.
12) When the Host Address window appears, enter the Fully Qualified Domain Name to which this
machine belongs, and then click Next. If you do not know the domain, click Query to obtain it from
your DNS Server.
13) If your SafeWord Server is not being installed on a Domain Controller, you will be prompted to
provide the administrator’s credentials for the machine on which the SafeWord Server is to be
installed, then click Next.
14) During installation, windows will appear and disappear, and installation will take several minutes to
complete. The InstallShield Wizard Complete window appears when the installation is finished.
15) After the software installation is complete, go to Start > Administrative Tools > Services and start
the SafeWord User Center service.
16) You can verify the server status to make sure the installation is correct. Click Start > Aladdin >
SafeWord > Configuration > Server Configuration to enable the Utility.
17) Status of all the server components should be “Active” for a successful installation.
2.4 Activate the SafeWord server and Import the physical tokens
The Activation Certificate that came with your software contains the SafeWord 2008 Serial number and
Token Group ID that allow you to download the activation key and token data records, and are in the
following formats:
1) SafeWord Software Serial Number—The serial number is a 16-digit alphanumeric code in the form of
this example:
NSxx-xxxx-xxxx-xxxx. You will need the serial number to obtain your product activation key.
2) Token Group ID—Your Token Group ID is a 16-digit alphanumeric code in the form of this example:
TKxx-xxxx-xxxx-xxxx.
Registering on the portal:
There are two methods of activating SafeWord 2008: using ADUC, or directly from Aladdin’s Website if
not using ADUC. In either case, you must sign in and register on the Aladdin portal at
https://portal.aladdin.com , before you can complete and submit an activation form. After activating,
your information will be verified, and the activation key and token records will be downloaded
automatically for ADUC, and manually if you are not using ADUC.
Activation using ADUC:
1) In ADUC, click on the SafeWord folder. The first time you right-click on the SafeWord folder, you will
be prompted to enter and re-enter (to verify) an Administrator password. This Administrator
password is not your Windows Administrator password. If you have (or plan to have) multiple
management consoles, you must use the same Administrator password for all installations.
2) Click OK when done.
3) Right-click on the SafeWord folder and select Activate Product.
4) Log into the portal using the credentials received in your mail when you registered.
5) Enter the Software Serial Number and the Token Group ID(s) (if you are importing token records) for
the product you are activating. E.g.: Activation Software Serial Number example:
NSXX-XXXX-XXXX-XXXX, Token Group ID example: TKXX-XXXX-XXXX-XXXX.
6) Complete the activation form, then click Submit.
7) The SafeWord Activation window will appear showing the license activation and token import
progress. Upon completion, the activation file key.html will be downloaded to
<Install_Dir>\Aladdin\SafeWord\ImportData. This is the key to activate your software and your
token data records. You should back up these files in case you need to reactivate the product or
re-import token records later. The Administration Server and Authentication Engine services will
restart.
8) When the activation and authentication process is complete, click OK.
9) The Activations Complete window will display important download and installation information. To
manually save the files from this window, right click on each file name, and then select the Save
Target As option.
10) You should verify that the key.activated.html file is located on the SafeWord server by browsing to
<Install_Dir>\SERVERS\AdminServer\activation.
11) If you are also importing token records, ensure that the token(s) were successfully imported into
the SafeWord database by opening ADUC and then expanding the SafeWord Node. The Tokens
sub-folder will display with the imported tokens.
12) If the key.activated.html file exists, the activation is complete. If the file does not exist, please refer to
the manual activation process.
Activating manually via Website:
If you don’t use ADUC to activate the SafeWord server, you might need to activate it manually. For off-line
activation, two files are provided to the customer upon purchase of tokens:
■ Server license - a software activation file (key.html) that includes an activation key. This key should
be entered in place of the software serial ID.
■ An import file containing the serial numbers of the tokens bought by the customer (Import*.dat).
1) If you are simply obtaining the latest activation package (key.html file + import*.dat), skip to
step 11 and continue. If you want to download the activation package for your customers to use, please
create the RCR.txt file first by following the steps described below.
a. On the SafeWord installation server, select Start > Programs > Aladdin > SafeWord > Active
Directory Users and Computers.
b. Right-click the SafeWord folder in the left directory tree and select Support.
c. Click the Save button to automatically save the RCR.txt file to a temporary directory.
2) Log into the Portal (http://partner.safenet-inc.com) using the user name and password you received
during registration.
Note: You may be required to create a login on your first visit to the activation site.
3) Click the SafeWord Activation link on the left pane of the window. The SafeWord Activations page
appears.
4) Enter your product’s SafeWord Software Serial Number in the SafeWord Software Serial Number field.
For example: NSXX-XXXX-XXXX-XXXX.
5) Click the Continue button. The SafeWord Activation page appears.
6) Click the Browse button and retrieve the RCR.txt file you saved earlier in this process. The file name
displays in the Support Data File field.
7) Enter the product Token Group ID in the Token Group ID field.
8) Scroll down to the bottom of the page and click Submit.
9) You can now download the files that contain the key to activate your software and your token data
records. You should back up these files in case you need to reactivate the product or re-import token
records later.
10) Right click on each link and select the Save Target As option. Save the files onto the SafeWord Server
and unzip them.
11) Rename the license file to key.html. (For example, change the name from NSxx-xxxx-xxxx-xxxx.html
to key.html)
12) Save the key.html file to the following directory: <Install_Dir>\SafeWord\SERVERS\AdminServer\activation.
Important: Ensure the file name is exactly key.html. Using any variation (key.htm or key.html.html, for instance) will cause the
activation to fail.
13) Restart the SafeWord Administration Server and Authentication Engine by browsing to Start >
Programs > Administrative Tools > Services, right click on SafeWord Administration Server and
select Restart (repeat for the Authentication Engine).
14) To verify the activation, browse to <Install_Dir>\SERVERS\AdminServer\activation. A successfully
processed license file will be renamed to key.activated.html.
15) After a successful activation, the support expiration date field will show the valid expiration
date.
16) Import the tokens by clicking the Import Tokens button.
17) Select the importAlpine.dat file which was in the downloaded zip file.
18) When the process is done, you will see the corresponding tokens are already in the Tokens folder.
The SafeWord activation is complete.
For more information, you can click the “SafeWord Activation” link to perform on-line activation. Please
refer to the following manual: http://www.aladdin.com/pdf/safeword/Safeword-Products-Activation.pdf
2.5 Importing software tokens into your server
If your license is for the mobile soft token, you have to activate the token license by e-mail.
You have to provide the information below to SafeWord’s support:
a) SafeWord 2008 Software Serial number
b) MobilePASS serial number (S/N)
c) Units
d) Seed
e) Authorization code (A.C.)
Send the e-mail to the support address: support@safenet-inc.com
After you send that information to SafeWord’s support, they will reply with your “Activation code”.
Step 1. Start > All Programs > Aladdin > SafeWord > Active Directory Users and Computers.
Click the SafeWord folder in the left pane, then click MobilePASS.
Select the Software Token, and click the Configure Licensing button.
Step 2. Enter the information of the Software Token license
a. Serial Number(S/N)
b. Units
c. Seed
d. Authorization Code(A.C)
e. Activation Code (the support team will respond with the activation code after you send your
license information)
Enter all the above information, then press the Generate and Import button. The system will automatically
import the software token into your server.
After you import the software token, you can check it in the Tokens folder.
3. OTP Authentication to an OTP-protected Network via SSL VPN over
ZyWALL USG
In the following example, we will employ Two Factor Authentication (ZyXEL OTP pack) to enhance
password security of the SSL VPN application provided by ZyWALL USG.
In order to use this application, you are required to configure your ZyWALL USG and SafeWord according
to the following steps:
1) Install the SafeWord server software on a computer.
(Note: Please refer to the SafeWord installation guide in Chapter 2. For more details, please check the
SafeNet website for the installation documentation.)
2) Create the user accounts on the ZyWALL USG and in the SafeWord server.
3) Import the tokens’ import file (Import*.dat) into the SafeWord server.
4) Assign the users to the OTP tokens (on the SafeWord server).
5) Configure the SafeWord installation as a RADIUS server in the ZyWALL USG Object > AAA Server
screens.
6) Distribute the OTP tokens to the (local or remote) users who will remotely log into the ZyWALL USG.
Note: ZyWALL OTP is a stand-alone product, which is not included in the ZyWALL USG package.
Network Topology
In this example, we will have one token and we will create user “OTP” who will log into ZyWALL USG with
OTP.
3.1.1 ZyWALL USG Configurations for Ext-user
Step 1. Create a user account on ZyWALL USG.
1) Go to CONFIGURATION > Object > User/Group and click the “Add” button to create a new user
account.
2) Enter the user’s name, description and select the user type “ext-user” on the User configuration
page.
3) Click the OK button to finish the configuration on this page.
Step 2. Configure the AAA Server.
1) Go to CONFIGURATION > Object > AAA Server and then navigate to the RADIUS page.
2) Configure the SafeWord server as:
Enter the IP address of the SafeWord server in the Server Address field.
Enter the authentication port of the RADIUS server (for example Microsoft IAS); the default value is 1812.
Enter the RADIUS server’s shared secret in the Key field.
Select the Group Membership Attribute; the default value is 11.
Step 3. Configure the Authentication Method.
1) Go to CONFIGURATION > Object > Auth. Method and click the “Edit” button to modify the default
authentication method.
2) In the edit page, click “Add” to add “group radius” to the method list.
Step 4. Create the SSL Application(s) according to your needs.
1) Go to CONFIGURATION > Object > SSL Application and click the “Add” button to create an SSL VPN
application object.
2) For example, create a web application to remotely access the FTP server via SSL VPN.
Step 5. Create the SSL VPN access policy.
1) Go to CONFIGURATION > VPN > SSL VPN and click the “Add” button to create an SSL VPN access
policy.
2) Configure the access policy as below:
a. Enter the policy name and description.
b. Select the User/Group object to apply this policy to.
c. Select the application object this policy applies to.
d. Select the address object to be used if needed.
e. Click the “OK” button to finish the configuration.
3.1.2 ZyWALL USG Configurations for Ext-group-user
Configuring the User on ZyWALL USG
Step 1. Create a user group account on ZyWALL USG.
1) Go to CONFIGURATION > Object > User/Group and click the “Add” button to create a new user
group account.
2) Enter the user group’s name and description and select the user type “ext-group-user” on the User
configuration page, then enter the Group Identifier (the Group Identifier must match the attribute
value configured on the RADIUS server).
3) Click the OK button to finish the configuration on this page.
Step 2. Configure the AAA Server.
1) Go to CONFIGURATION > Object > AAA Server and then navigate to the RADIUS page.
2) Configure the SafeWord server as:
Enter the IP address of the SafeWord server in the Server Address field.
Enter the authentication port of the RADIUS server (for example Microsoft IAS); the default value is 1812.
Enter the RADIUS server’s shared secret in the Key field.
Set the Group Membership Attribute to Class (25).
Step 3. Configure the Authentication Method.
1) Go to CONFIGURATION > Object > Auth. Method and click the “Edit” button to modify the default
authentication method.
2) In the edit page, click “Add” to add “group radius” to the method list.
Step 4. Create the SSL Application(s) according to your needs.
1) Go to CONFIGURATION > Object > SSL Application and click the “Add” button to create an SSL VPN
application object.
2) For example, create a web application to remotely access the sslotp server via SSL VPN.
Step 5. Create the SSL VPN access policy.
1) Go to CONFIGURATION > VPN > SSL VPN and click the “Add” button to create an SSL VPN access
policy.
2) Configure the access policy as below:
a. Enter the policy name and description.
b. Select the User/Group object to apply this policy to.
c. Select the application object this policy applies to.
d. Select the address object to be used if needed.
e. Click the “OK” button to finish the configuration.
3.2.1 SafeWord Server Configurations for Ext-user
Step 1. Create a RADIUS client.
1) Take Microsoft IAS as an example.
2) Right click the RADIUS Client folder and click New > RADIUS Client to add a new setting.
Step 2. Configure the RADIUS client.
1) Enter the name for the rule.
2) The Client address is the ZyWALL USG’s interface IP address used to access the IAS.
3) Click the “Next” button for the next step.
4) Enter the shared secret; this is the “Key” in the ZyWALL USG AAA Server setting.
5) Click the “Finish” button to finish the configuration.
6) The new OTP client has been created.
Step 3. Assign the token to a User.
1) Open the ADUC (Active Directory Users and Computers).
2) Click the “Users” folder to list all users and groups in the RADIUS server.
3) Right click the OTP user, and then click “Properties”. Go to the “SafeWord” tab.
4) Enter the serial number of the assigned token. If needed, enter the PIN code for it. (This one is
used as the Password when logging into the ZyWALL USG.)
(If no PIN code is set, only the OTP code is entered when you log in.)
5) After the configuration, you can click the “Tokens” link and check the token status.
Step 4. Enable Remote Access.
1) To allow the user to log in via SSL VPN, you have to enable the Remote Access Permission for this
user.
2) Right click the OTP user, and then click the “Properties”. Go to the “Dial-in” tab and choose “Allow
access”.
Step 5. Change the sequence of entering OTP and PIN for authentication.
By default, SafeNet’s password entry sequence is OTP + PIN. You should change this sequence
to match ZyWALL USG’s behavior (PIN + OTP). Here are the instructions for this step.
1) Go to the C:\Program files\Aladdin\SafeWord\Servers\Shared\ folder and open the file SCCservers.ini
(use Notepad for editing).
2) Search for the string: “# Set this to ‘on’ to force SoftPin to precede the password”
3) At the line “Pin_Before_Password=off”, change the value to ‘on’.
4) Reboot the SafeWord server and check that the SafeWord services have started.
3.2.2 SafeWord Server Configuration for Ext-group-user
Step 1. Create a Group.
1) Open the ADUC (Active Directory Users and Computers).
2) Click the “Users” folder to list all users and groups in the RADIUS server.
3) Right click the Users folder and click New > Group to add a new setting.
4) Right click the otpusers group and click Properties > Members to add new users to this group.
Step 2. Assign the token to a User.
1) Right click the aman user, and then click “Properties”. Go to the “SafeWord” tab.
2) Enter the serial number of the assigned token. If needed, enter the PIN code for it. (This one is used
as the Password when logging into the ZyWALL USG.)
3) After the configuration, you can click the “Tokens” link and check the token status.
Step 3. Enable Remote Access.
1) To allow the user to log in via SSL VPN, you have to enable the Remote Access Permission for this
user.
2) Right click the OTP user, and then click “Properties”. Go to the “Dial-in” tab and choose “Allow
access”.
3) Change the sequence of entering OTP and PIN for authentication.
By default, SafeNet’s password entry sequence is OTP + PIN. You should change this
sequence to match ZyWALL USG’s behavior (PIN + OTP). Here are the instructions for this step.
a. Go to the C:\Program files\Aladdin\SafeWord\Servers\Shared\ folder and open the file
SCCservers.ini (use Notepad for editing).
b. Search for the string: “# Set this to ‘on’ to force SoftPin to precede the password”
c. At the line “Pin_Before_Password=off”, change the value to ‘on’.
d. Reload the SafeWord server.
4) Reboot the SafeWord server and check that the SafeWord services have started.
Step 4. Create a RADIUS client.
1) Take Microsoft IAS as an example.
2) Right click the RADIUS Client folder and click New > RADIUS Client to add a new setting.
3) Enter the name for the rule.
4) The Client address is the ZyWALL USG’s interface IP address used to access the IAS.
5) Enter the shared secret; this is the “Key” in the ZyWALL USG AAA Server setting.
6) Click the “OK” button to finish the configuration.
Step 6. Set the connection request policy on RADIUS Server.
1) Select the connection request policy and double click the Use Windows authentication for all users
to edit the attribute’s value.
2) Select the “Settings” page and click the Standard option to add the attribute value.
3) Click the Add button, select the Class option and type the attribute value. (The value must match
the Group Identifier when adding the user into the USG.)
Step 7. Require Authentication Group Policy
1) Start > Programs > Secure Computing > SafeWord > Configuration > IAS Agent Configuration.
2) Click the “Groups…” button.
3) Enable the otpusers group and click “OK” to finish the configuration on this page.
3.3.1 Verify OTP Ext-user via Login from the Remote PC
Step 1. Log into the device.
1) Enter the user name, password (PIN code), and the One-Time Password generated by the token.
2) Click the “SSL VPN” button to submit login information.
3) Once the OTP works correctly, you will see the SSL application that has been configured for the
user to use.
3.3.2 Verify OTP Ext-group-user via Login from a Remote PC
Step 1. Log into the device.
1) Enter the user name, password (PIN code), and the One-Time Password generated by the token.
2) Click the “SSL VPN” button to submit login information.
3) Once the OTP works correctly, you will see the SSL application that has been configured for the
user to use.
4. OTP Authentication to an OTP-protected Network via IPsec VPN
Client over the ZyWALL USG
In the following example, we will employ Two-factor Authentication (ZyXEL OTP pack) to enhance
password security by using the SSL VPN application provided by ZyWALL USG.
In order to use this application, you are required to configure your ZyWALL USG and SafeWord according
to the following steps:
1. Install the SafeWord server software on a computer.
(Note: Please refer to the SafeWord installation guide in Chapter 2. For more details, please check the
SafeNet website for the installation documentation.)
2. Create the user accounts on the ZyWALL USG and in the SafeWord server.
3. Import the tokens’ import file (Import*.dat) into the SafeWord server.
4. Assign the users to the OTP tokens (on the SafeWord server).
5. Configure SafeWord as a RADIUS server in the ZyWALL USG Object > AAA Server screens.
6. Distribute the OTP tokens to the (local or remote) users who will remotely log into the ZyWALL USG.
Note: ZyWALL OTP is a stand-alone product, which is not included in the ZyWALL USG package.
Network Topology
In this example, we will have one token and we will create user “OTP” who will be the authenticator to
establish the IPsec VPN tunnel to ZyWALL USG.
4.1.1 ZyWALL USG Configurations for Ext-user
Step 1. Create a user account on ZyWALL USG.
1) Go to CONFIGURATION > Object > User/Group and click the “Add” button to create a new user
account.
2) Enter the user’s name, description and select the user type “ext-user” on the User configuration
page.
3) Click the OK button to finish the configuration on this page.
Step 2. Configure the AAA Server.
1) Go to CONFIGURATION > Object > AAA Server and then navigate to the RADIUS page.
2) Configure the SafeWord server as:
Enter the IP address of the SafeWord server in the Server Address field.
Enter the authentication port of the RADIUS server, such as Microsoft IAS; the default value is
1812.
Enter the RADIUS server’s shared secret in the Key field.
Select the Group Membership Attribute; the default value is 11.
Step 3. Configure the Authentication Method.
1) Go to CONFIGURATION > Object > Auth. Method and click the “Edit” button to modify the default
authentication method.
2) In the edit page, click “Add” to add the “group radius” into the method list.
Step 4. Configure the IPsec VPN Gateway policy.
1) Go to CONFIGURATION > VPN > IPsec VPN and then navigate to the VPN Gateway page.
2) Enter the values for VPN phase-1 configuration.
3) Enable Extended Authentication and choose the “Server Mode” method.
Step 5. Configure the IPsec VPN Connection policy.
1) Go to CONFIGURATION > VPN > IPsec VPN and then navigate to the VPN Connection page.
2) Enter the values for VPN phase-2 configuration.
4.1.2 ZyWALL USG Configurations for Ext-group-user
Step 1. Create a user group account on ZyWALL USG.
1) Go to CONFIGURATION > Object > User/Group and click the “Add” button to create a new user
group account.
2) Enter the user group’s name and description and select the user type “ext-group-user” on the User
configuration page, then enter the Group Identifier (the Group Identifier must match the attribute
value configured on the RADIUS server).
3) Click the OK button to finish the configuration on this page.
Step 2. Configure the AAA Server.
1) Go to CONFIGURATION > Object > AAA Server and then navigate to the RADIUS page.
2) Configure the SafeWord server as:
Enter the IP address of the SafeWord server in the Server Address field.
Enter the authentication port of the RADIUS server (for example Microsoft IAS); the default value is
1812.
Enter the RADIUS server’s shared secret in the Key field.
Set the Group Membership Attribute to Class (25).
Step 3. Configure the Authentication Method.
1) Go to CONFIGURATION > Object > Auth. Method and click the “Edit” button to modify the default
authentication method.
2) In the edit page, click “Add” to add the “group radius” into method list.
Step 4. Configure VPN on ZyWALL.
1) Go to CONFIGURATION >VPN >VPN Gateway and click the “Add” button to create a new VPN
Gateway.
2) Enter the Pre-Shared Key.
3) Select the type of encryption and authentication in the “Proposal” section.
4) Go to CONFIGURATION >VPN >VPN Connection and click the “Add” button to create a new VPN
Connection Tunnel.
5) Select the type of encryption and authentication in the “Proposal” section.
4.2.1 SafeWord Server Configuration for Ext-user
Step 1. Create a RADIUS client.
1) Take Microsoft IAS as an example.
2) Right click the RADIUS Client folder and click New > RADIUS Client to add a new setting.
Step 2. Configure the RADIUS client.
1) Enter the name for the rule.
2) The Client address is the ZyWALL USG’s interface IP address used to access the IAS.
3) Click the “Next” button for the next step.
4) Enter the shared secret; this is the “Key” in the ZyWALL USG AAA Server setting.
5) Click the “Finish” button to finish the configuration.
6) The new OTP client has been created.
Step 3. Assign the token to a User.
1) Open the ADUC console (Active Directory Users and Computers).
2) Click the “Users” folder to list all users and groups in the RADIUS server.
3) Right click the OTP user, and then click “Properties”. Go to the “SafeWord” tab.
4) Enter the serial number of the assigned token. If needed, enter the PIN code for it (this one is used
as the Password when logging into the ZyWALL USG).
5) After the configuration, you can click the “Tokens” link and check the token status.
Step 4. Enable Remote Access.
1) To allow the user to log in via SSL VPN, you have to enable the Remote Access Permission for this
user.
2) Right click the OTP user, and then click “Properties”. Go to the “Dial-in” tab and choose “Allow
access”.
Step 5. Change the sequence of entering OTP and PIN for authentication
By default, SafeNet’s password entry sequence is OTP + PIN. You should change this sequence
to match ZyWALL USG’s behavior (PIN + OTP). Here are the instructions for this step.
1) Go to the C:\Program files\Aladdin\SafeWord\Servers\Shared\ folder and open the file SCCservers.ini
(use Notepad for editing).
2) Search for the string: “# Set this to 'on' to force SoftPin to precede the password”
3) At the line “Pin_Before_Password=off”, change the value to ‘on’.
4) Reload the SafeWord server and check that the SafeWord services have started.
4.2.2 SafeWord Server Configuration for Ext-group-user
Step 1. Create a Group.
1) Open the ADUC console (Active Directory Users and Computers).
2) Right click the Users folder and click New > Group to add a new setting.
3) Right click the otpusers group and click Properties > Members to add new users to this group.
Step 2. Assign the token to a User.
1) Open the ADUC console (Active Directory Users and Computers).
2) Click the “Users” folder to list all users and groups in the RADIUS server.
3) Right click the OTP user, and then click “Properties”. Go to the “SafeWord” tab.
4) Enter the serial number of the assigned token. If needed, enter the PIN code for it. (This one is
used as the Password when logging into the ZyWALL USG.)
5) After the configuration, you can click the “Tokens” link and check the token status.
Step 3. Enable Remote Access.
1) To allow the user to log in via SSL VPN, you have to enable the Remote Access Permission for this
user.
2) Right click the OTP user, and then click the “Properties”. Go to the “Dial-in” tab and choose “Allow
access”.
Step 4. Change the sequence of entering OTP and PIN for authentication.
By default, SafeNet’s password entry sequence is OTP + PIN. You should change this sequence to
match ZyWALL USG’s behavior (PIN + OTP). Here are the instructions for this step.
1) Go to the C:\Program files\Aladdin\SafeWord\Servers\Shared\ folder and open the file
SCCservers.ini (use Notepad for editing).
2) Search for the string: “# Set this to 'on' to force SoftPin to precede the password”
3) At the line “Pin_Before_Password=off”, change the value to ‘on’.
4) Reload the SafeWord server and check that the SafeWord services have started.
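The SCCservers.ini change in Step 4 above (the same edit appears in 3.2.1, 3.2.2 and 4.2.1), as an added example that is not SafeNet's or ZyXEL's code: it checks and rewrites the Pin_Before_Password key in the file's text without touching the surrounding comment, and models why the order matters when the USG submits PIN + OTP as the password. The INI section name, the sample lines and the PIN/OTP splitting model are assumptions of this example, not taken from the support note.

```python
"""Added example, not SafeNet's or ZyXEL's code.

Assumptions (not from the support note): SCCservers.ini is a plain key=value file
whose comment lines start with '#', and the authentication engine cuts the PIN off
the submitted password from whichever end Pin_Before_Password selects.
"""
import re

KEY = "Pin_Before_Password"
# Groups: leading whitespace, "key = " part, value, trailing text (a stray space is
# preserved so the rewrite changes nothing but the value).
_KEY_RE = re.compile(rf"^(\s*){KEY}(\s*=\s*)(\S*)(.*)$", re.IGNORECASE)

# Constructed fragment in the shape of the lines the note tells you to search for;
# the section name is invented for the sample.
SAMPLE_INI = """[AuthenticationEngine]
# Set this to 'on' to force SoftPin to precede the password
Pin_Before_Password=off
Some_Other_Setting=1
"""


def pin_before_password(ini_text):
    """Return the effective value ('on'/'off', lower-cased) or None if the key is absent."""
    value = None
    for line in ini_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # the explanatory comment is not the setting itself
        m = _KEY_RE.match(line)
        if m:
            value = m.group(3).lower()  # last occurrence wins, as most INI readers do
    return value


def set_pin_before_password(ini_text, value="on"):
    """Rewrite the key in place, keeping every other line (comments included).
    Idempotent: applying it to already-fixed text returns identical text.
    Appends the key if the file does not contain it at all."""
    out, found = [], False
    for line in ini_text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            line = f"{m.group(1)}{KEY}{m.group(2)}{value}{m.group(4)}"
            found = True
        out.append(line)
    if not found:
        out.append(f"{KEY}={value}")
    return "\n".join(out) + "\n"


def split_credential(password_field, pin_length, pin_first):
    """Assumed model of how the engine separates PIN and OTP from the Password field.
    pin_first=True corresponds to Pin_Before_Password=on (PIN + OTP, what the USG sends);
    pin_first=False corresponds to the default (OTP + PIN)."""
    if pin_first:
        return password_field[:pin_length], password_field[pin_length:]
    return password_field[-pin_length:], password_field[:-pin_length]


def login_would_succeed(pin, otp, pin_first):
    """The USG always submits PIN + OTP; the login only works if the engine parses
    it in that order. Returns True when the parsed pair equals the real (pin, otp)."""
    submitted = pin + otp
    return split_credential(submitted, len(pin), pin_first) == (pin, otp)


if __name__ == "__main__":
    print("current setting:", pin_before_password(SAMPLE_INI))
    fixed = set_pin_before_password(SAMPLE_INI)
    print("after fix:", pin_before_password(fixed))
    print("PIN+OTP accepted with default order:", login_would_succeed("1234", "567890", False))
    print("PIN+OTP accepted with Pin_Before_Password=on:", login_would_succeed("1234", "567890", True))
```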
Step 5. Create a RADIUS client.
1) Take Microsoft IAS as an example.
2) Right click the RADIUS Client folder and click New > RADIUS Client to add a new setting.
3) Enter the name for the rule.
4) The Client address is the ZyWALL USG’s interface IP address used to access the IAS.
5) Enter the shared secret; this is the “Key” in the ZyWALL USG AAA Server setting.
6) Click the “OK” button to finish the configuration.
Step 6. Set the connection request policy on the RADIUS server.
1) Select the connection request policy and double click the Use Windows authentication for all users
entry to edit the attribute’s value.
2) Select the “Settings” page and click the Standard option to add the attribute value.
3) Click the Add button, select the Class option and type the attribute value. (The value must
match the Group Identifier entered when adding the user group on the USG.)
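What the USG side has to do with the reply IAS returns, given the Class attribute configured in Step 6 above and the Group Membership Attribute chosen in 4.1.2 Step 2 (11 is the default, Class is 25), as an added example that is not ZyXEL's or SafeNet's code. Packet layout follows RFC 2865; the shared secret, request authenticator, identifier and group value are constructed for the sample.

```python
"""Added example, not ZyXEL's or SafeNet's code.

The shared secret (the AAA Server 'Key') is what lets the USG check that an
Access-Accept really came from the configured RADIUS server, and the Group
Membership Attribute (11 = Filter-Id, 25 = Class) carries the value matched
against the ext-group-user object's Group Identifier. RFC 2865 layout.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_FILTER_ID = 11   # USG default Group Membership Attribute
ATTR_CLASS = 25       # the value this note sets for ext-group-user


def build_reply(code, ident, request_auth, attrs, secret):
    """Build a RADIUS reply with a valid Response Authenticator (RFC 2865 section 3):
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_attrs(body):
    """Walk the attribute TLVs, refusing any length that would overrun the buffer."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("bad attribute length %d at offset %d" % (length, i))
        attrs.append((t, body[i + 2:i + length]))
        i += length
    return attrs


def reply_is_authentic(packet, request_auth, secret):
    """True only if the Response Authenticator was computed with our shared secret
    over exactly these bytes; a wrong Key or a modified packet both fail here."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def group_values(packet, request_auth, secret, group_attr):
    """Return (accepted, [values of group_attr]) for an authentic reply.
    Raises ValueError on a forged or mis-keyed reply: such a reply must never be
    allowed to grant access, so it is not silently treated as a reject."""
    if not reply_is_authentic(packet, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: wrong Key or forged reply")
    values = [v.decode("ascii", "replace")
              for t, v in parse_attrs(packet[20:]) if t == group_attr]
    return packet[0] == ACCESS_ACCEPT, values


def ext_group_user_matches(packet, request_auth, secret, group_attr, group_identifier):
    """The decision for an ext-group-user object: the reply must be authentic, be an
    Access-Accept, and carry the object's Group Identifier in the chosen attribute."""
    accepted, values = group_values(packet, request_auth, secret, group_attr)
    return accepted and group_identifier in values


if __name__ == "__main__":
    # Constructed sample values: a real request authenticator is 16 random bytes.
    req_auth = bytes(range(16))
    secret = b"constructed-shared-secret"
    reply = build_reply(ACCESS_ACCEPT, 7, req_auth, [(ATTR_CLASS, b"otpusers")], secret)
    print("Class (25) match:", ext_group_user_matches(reply, req_auth, secret, ATTR_CLASS, "otpusers"))
    print("Filter-Id (11) match:", ext_group_user_matches(reply, req_auth, secret, ATTR_FILTER_ID, "otpusers"))
```

The second print is the failure mode the note warns about: if the USG is left at the default attribute (11) while IAS returns the group in Class (25), the user authenticates but never matches the ext-group-user object.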
Step 7. Require Authentication Group Policy.
1) Go to Start > Programs > Secure Computing > SafeWord > Configuration > IAS Agent Configuration.
2) Click the “Groups…” button.
3) Enable the otpusers group and click “OK”.
4.3 ZyWALL IPsec VPN Client Configuration
Step 1. Configure the IPsec VPN Phase1 policy.
1) Enter the values for VPN phase-1 configuration.
2) Click the “Advanced Settings” button and select the X-Auth Popup feature.
Step 2. Configure the IPsec VPN Phase2 policy.
1) Enter the values for VPN phase-2 configuration.
2) Click the “Save & Apply” button to finish the configuration and save it.
3) You can trigger the IPsec VPN tunnel by clicking the “Open Tunnel” button.
4.4 Verify OTP via Login from the VPN Client
Step 1. Trigger the IPsec VPN tunnel.
1) Click the “Open Tunnel” button on IPsec VPN client (The VPN tunnel must be triggered from the
Client side because it is a dynamic tunnel).
2) During Phase-1 authentication, the authentication window will pop up for the X-Auth
login.
3) Enter the user name into the “Login” field and PIN code + OTP in the “Password” field.
Step 2. Establish the IPsec VPN tunnel.
1) There is only a 10-second window to enter the authentication information into the X-Auth window. If
you take longer than that, the tunnel will fail to establish. You can see the message flow on the VPN
Console as in the picture below.
2) If the VPN tunnel is established successfully, you will see the following message exchange on your
VPN Console.
Step 3. Check the VPN tunnel status.
You can see that the VPN connection status is Connected on the CONFIGURATION > VPN > IPsec VPN > VPN
Connection page. You can also check the IPsec VPN SA on the MONITOR > VPN Monitor > IPsec page.
5. Mobile OTP Authentication to an OTP-protected Network
5.1 Create the Software Token on your Windows computer
Step 1. Download the SafeNet MobilePASS from the link below to your computer.
http://www.safenet-inc.com/support-downloads/mobilepass-download-page/
1) After downloading the file, open the application and click the Activate Now button.
2) After clicking the Activate Now button, the soft token activation string will appear.
3) Open Active Directory Users and Computers and select the user who is to use OTP authentication.
4) Right-click the user name and select Properties.
5) Select the SafeWord tab.
Step 2. Create the Software token for this user.
1) Press the Wizard button to create the software token.
2) Enter the Activation Code from the SafeNet MobilePASS.
3) After the configuration, you can click the “Tokens” link and check the token status.
4) Enter the PIN code for this user and configure it in SafeNet MobilePASS.
5) After entering the PIN Code, you will be requested to re-enter the PIN code for verification.
(The PIN code on the server and the PIN code on the mobile device are different kinds of PIN; the mobile PIN makes the mobile token more secure.)
6) After completing the step below, you can test that the MobilePASS in your SafeWord server is working.
Once you have confirmed this step, the mobile token on your mobile device is ready for use.
To get a one-time password, you first have to enter the mobile PIN code that you configured.
This is a safety precaution in case your mobile device is stolen.
5.2 Create the Software Token on your iPhone, iPad or Mac OS
Step 1. Download the SafeNet MobilePASS from iTunes (search for the keyword “safenet”).
You can find the application when you search for “Safe MobilePass” in iTunes.
1) After downloading the file, open the application and click the Activate Now button.
2) After clicking the Activate Now button, a soft token activation code will appear.
3) Open Active Directory Users and Computers and select the user who is to use OTP authentication.
4) Right-click the user name and select Properties.
5) Select the SafeWord tab.
Step 2. Create the Software token for this user.
1) Press the Wizard button to create the software token.
2) Enter the Activation Code from the SafeNet MobilePASS.
3) After the configuration, you can click the “Tokens” link and check the token status.
4) Enter the PIN code for this user and configure it in SafeNet MobilePASS.
5) After entering the PIN code, you will be requested to re-enter the PIN code for verification.
(The PIN code on the server and the PIN code on the mobile device are different kinds of PIN; the mobile PIN makes the mobile token more secure.)
6) After finishing the step below, you can test that the MobilePASS in your SafeWord server is working.
Once you have confirmed the last step, the mobile token on your mobile device is ready for use.
To get a one-time password, you first have to enter the mobile PIN code that you configured.
This is a safety precaution in case your mobile device is stolen.
5.3 Create a Software Token on your Android OS
Step 1. Download the SafeNet MobilePASS from Android Market (search for the keyword “safenet”).
1) After downloading the file, open the application and click the Activate Now button.
2) After clicking the Activate Now button, the soft token activation code will appear.
3) Open Active Directory Users and Computers and select the user who is to use OTP authentication.
4) Right-click the user name and select Properties.
5) Select the SafeWord tab.
Step 2. Create the Software token for this user.
1) Press the Wizard button to create the software token.
2) Enter the Activation Code from the SafeNet MobilePASS.
3) After the configuration, you can click the “Tokens” link and check the token status.
4) Enter the PIN code for this user and configure it in SafeNet MobilePASS.
5) After entering the PIN code, you will be requested to re-enter the PIN code for verification.
(The PIN code on the server and the PIN code on the mobile device are different kinds of PIN; the mobile PIN makes the mobile token more secure.)
6) After finishing the step below, you can test that the MobilePASS in your SafeWord server is working.
Once you have confirmed the last step, the mobile token on your mobile device is ready for use.
To get a one-time password, you first have to enter the mobile PIN code that you configured.
This is a safety precaution in case your mobile device is stolen.
6. Advanced Scenario
6.1 A Lab of the “Guest for OTP”
Guests regularly come to visit our company.
We want guests to use OTP to access the internet, while preventing them from using the same password to access the internet on their next visit.
Step 1. Add the guest accounts to your AD.
1) Add the accounts of guests in ADUC.
Step 2. Assign the token to users.
1) Right-click on guest > Properties > SafeWord.
2) Enter the serial number of the assigned token and enter the PIN code for it.
3) Enable remote access.
Right-click on guest > Properties > Dial-in.
Select the Allow access option under Network Access Permission.
4) Add all of the guest accounts into a group.
Step 3. Set up the RADIUS server.
1) Create a RADIUS client.
Right-click the RADIUS Client folder and click New > RADIUS Client to add a new entry.
2) Set the connection request policy on the RADIUS server.
Select the connection request policy and double-click “Use Windows authentication for all users” to edit the attribute value.
3) Select the “Settings” page and click the Standard option to add the attribute value.
4) Click the Add button, select the Class option and type the attribute value. (The value must match the Group Identifier used when adding the user on the USG.)
5) Set the authentication group policy.
Go to Start > Programs > Secure Computing > Configuration > IAS Agent Configuration.
Click the “Groups…” button, enable the guest group, then click “OK”.
Step 4. Set the user policy on the USG.
1) Add a user/group object for guests (the Group Identifier must match the attribute value configured on the RADIUS server).
2) Configure the AAA server.
Configuration > Object > AAA Server > RADIUS
Enter the RADIUS server’s IP address and authentication key.
Set the Group Membership Attribute to Class(25).
3) Configure the Auth. Method.
Configuration > Object > Auth. Method
Select group radius as the first authentication method.
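As an added illustration of what the Class(25) group-membership setting means (this is not ZyXEL's or SafeWord's code), the USG takes the Class attribute out of the RADIUS Access-Accept and compares it with the Group Identifier of the guest group object; the shared secret, Request Authenticator and Group Identifier below are constructed sample values, and the Response Authenticator check follows RFC 2865.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not from the support notes).
SHARED_SECRET = b"usg-radius-key"   # the authentication key entered on the USG AAA Server page
REQUEST_AUTH = bytes(range(16))     # 16-byte Request Authenticator the USG sent in Access-Request
GROUP_IDENTIFIER = "otp-guests"     # Group Identifier of the guest group object on the USG
ATTR_CLASS = 25                     # RADIUS attribute type "Class" (RFC 2865)


def parse_attributes(body):
    """Split the RADIUS attribute area into (type, value) pairs, rejecting malformed TLVs."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return attrs


def response_authenticator(code, ident, length, body, request_auth, secret):
    """RFC 2865: MD5(Code + Identifier + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + request_auth + body + secret).digest()


def build_access_accept(ident, attrs, request_auth, secret):
    """Build an Access-Accept (code 2) the way the RADIUS server would send it."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    length = 20 + len(body)
    auth = response_authenticator(2, ident, length, body, request_auth, secret)
    return struct.pack("!BBH", 2, ident, length) + auth + body


def accept_grants_group(packet, request_auth, secret, group_identifier):
    """USG side: verify the authenticator first, then look for a Class attribute
    whose value equals the configured Group Identifier."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != 2 or length != len(packet):
        return False
    body = packet[20:]
    expected = response_authenticator(code, ident, length, body, request_auth, secret)
    if not hmac.compare_digest(packet[4:20], expected):
        return False          # wrong secret or tampered reply: do not trust its attributes
    classes = [v for t, v in parse_attributes(body) if t == ATTR_CLASS]
    return group_identifier.encode() in classes
```

A reply whose Class value does not equal the Group Identifier, or whose authenticator was computed with a different key, grants nothing, which is why the two values must match exactly on both sides.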
Step 5. Set up the SSL VPN and assign the OTP users.
1) Add the user object to SSL VPN to allow the guests to access the internet.
2) A guest cannot log in again without a new one-time password.
6.2.1 Transfer of license to a new server (SafeWord license backup)
Backing up the registration information is very important. It simplifies transferring the tokens from a crashed server to a new server.
1) Open ADUC > right-click on SafeWord > Activate product.
2) Enter your registration information (the e-mail address and the password).
3) Enter the token group ID.
4) After you submit your serial number and the token group ID, the registration information will be
installed into your server.
5) After completion, right-click on the web link and click “Open in new window” to save the file.
6) Save the file.
You can install a new server using these files.
6.2.2 Import the token license into a new server
After you back up your license, you can follow the steps below to finish importing the
token license into your new server.
1) First, install the SafeWord 2008 Server on your new server.
When the installation is complete, you can find the SafeWord options in Active Directory Users and Computers (ADUC), but there will be no physical token numbers in the Tokens folder.
2) You now have to import the tokens into SafeWord.
Start > Programs > Aladdin > SafeWord > Active Directory Users and Computers > SafeWord > Tokens
Click the “Import tokens” button and select the “import*.dat” file.
3) After the process is done, you will see the corresponding tokens in the Tokens folder.
All of the users and tokens will be automatically synchronized.
7. OTP Troubleshooting
This chapter lists guidelines for troubleshooting at the different stages:
(1) Installation: If the installation fails, please check:
Does the target system meet all prerequisites/requirements?
Check the install.log file, which can be found in:
(32-bit OS) Program Files\Aladdin\SafeWord\Installs
(64-bit OS) Program Files(x86)\Aladdin\SafeWord\Installs
(2) Activation:
If manual activation fails, please confirm that only the file named key.html is being used.
Try restarting the Administrator server, the Authentication engine and ADUC.
If the server still does not work, please contact ZyXEL support with the activation key and the error message.
(3) Token import failure: If all or some imported records are rejected:
Check whether the authenticators had been imported previously (use the Event Viewer in ADUC and filter by event type).
(4) Server update: If the auto updater fails with the error message “Error verifying signature: Class not registered”:
Run the existing Auto Updater (which will fail).
Go to Program Files\Aladdin\SafeWord\Patches and launch setup_aua.exe (this manually patches AUA to the newest version).
(5) Authentication:
If authentication fails:
Verify that the token password was entered correctly.
Check that the token has been imported.
Verify that the token serial number matches the serial number of the token assigned in the user record.
Verify that the user entered their user name correctly at login.
Confirm that the IP address of the SafeWord server is entered correctly in the Authentication Settings field of the Administration window.
If authentication is successful but access is denied:
Check the user’s access privileges.
Check the user status (account expired, locked, etc.).
Is the user role correct?
Does the user’s role point to the correct ACL?
Does the ACL entry restrict access to the requested resource?
(6) Server status:
How to determine if a port is active?
On Windows, use the “netstat -an” command, then search the output manually for the active ports.
Server(s) not responding:
Use the configuration utility to check the server status as shown below, then restart the server(s).
(7) Re-sync the token:
How to re-sync the token?
After assigning the token to a user, you can enter the token-generated password in the Passcode field and then press the Test button. If the result is “Failed”, you must re-synchronize your token.
1) Click the Re-sync button and enter the passcode in the first passcode field.
2) Re-generate the passcode immediately and enter the new passcode in the second passcode field.
3) Then click the Re-sync button; the token and the Authentication Server will be synchronized.
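To show what the Test button and the two-passcode re-sync do on the server side (and why the guest in section 6.1 cannot reuse a spent one-time password), here is an added example that is not SafeWord's code: the notes do not describe SafeWord's token algorithm, so an RFC 4226 HOTP event-based token stands in, and the seed (the RFC 4226 test-vector secret) and the window sizes are assumptions.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not from the support notes). SafeWord's own token
# algorithm is not described there, so RFC 4226 HOTP stands in for an event-based token.
TOKEN_SEED = b"12345678901234567890"   # RFC 4226 Appendix D test-vector secret, used as the seed
LOOK_AHEAD = 3                          # counters the server tolerates on a normal Test/login
RESYNC_WINDOW = 100                     # counters searched when the admin presses Re-sync


def hotp(seed, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, 6 digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenRecord:
    """Server-side user record: the counter the server believes the token is at."""

    def __init__(self, seed, counter=0):
        self.seed, self.counter = seed, counter

    def verify(self, passcode):
        """The Test button (and a login): accept only a code at or a few steps ahead of the
        stored counter, then move past it so the same passcode is never accepted again."""
        for c in range(self.counter, self.counter + LOOK_AHEAD + 1):
            if hmac.compare_digest(hotp(self.seed, c), passcode):
                self.counter = c + 1
                return True
        return False            # "Failed": token drifted too far ahead, or wrong token

    def resync(self, first, second):
        """The Re-sync button: two consecutive passcodes pin down the token's counter."""
        for c in range(self.counter, self.counter + RESYNC_WINDOW):
            if (hmac.compare_digest(hotp(self.seed, c), first)
                    and hmac.compare_digest(hotp(self.seed, c + 1), second)):
                self.counter = c + 2
                return True
        return False            # no consecutive pair matched: wrong token or wrong seed
```

A single code is accepted only within the small look-ahead, which is what produces “Failed” after the token has been pressed many times without logging in; the second, consecutive code is what lets the server jump to the right counter safely.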