UAG 2010 and Safeword 2008 (SafeNet) Implementation

  • Question

  • Hello,

    I have to integrate Safeword 2008 (SafeNet) into a UAG 2010 system. The installation of Safeword wasn't very difficult, but the implementation in UAG 2010 is still a problem.

    I have a UAG instance and a domain controller in this network. On the domain controller I installed the Safeword application. Additionally, I installed the NPS service on the domain controller. I don't know the next step to connect the NPS service (RADIUS) to the UAG. Is there somebody who has this configuration up and running?

    Regards,
    freddie

    Wednesday, October 13, 2010 8:44 AM

All replies

  • Hi Amig@. The way to add a RADIUS server for authentication is the same as the one used to add an Active Directory authentication server. Open the UAG management console, go to Admin, Authentication and Authorization Servers, Add, and then select RADIUS from the combo box. Specify the IP address, port and all that stuff and it is done. Then, in the properties of the trunk, go to the Authentication tab and select the repository added in the previous step.

    Hope it helps


    // Raúl - I love this game
    Wednesday, October 13, 2010 9:27 AM
  • Hi Guys,

    Just want to note that the two-factor authentication on the UAG appliance is now working fine (Freddie's UAG appliance).

    We had to create the UAG as a RADIUS client in the NPS server MMC with the same secret keys as in UAG. After that we set up the SafeWord RADIUS server as an authentication server in UAG and configured the trunk to use the SafeWord server.

    Now we have the scenario that a user has to log in with AD username and password plus SafeWord OTP token passkey before he can access the UAG portal.

    Is it possible to use 2 different authentication mechanisms in 1 UAG trunk? Example: To access the UAG portal, a user has to log in just with his AD username and password. In the UAG portal, different kinds of applications are published, such as SharePoint websites, RDP for terminal server access and RDP for admins to manage some servers remotely. Now I'd like to secure the RDP applications for administrators with a second authentication like the SafeWord OTP tokens. All other applications should work without OTP keys, just with the SSO Kerberos ticket. Is that possible?

    I think we have to work here with 2 separate trunks, but public IPv4 addresses are precious ;)

    Thanks in advance

    Regards

    Alex

    Thursday, October 14, 2010 7:16 AM
  • Hi Amigo. What you mention is feasible. The initial login form will be the same for everybody. Let's say, Active Directory user/password. Then, if an application must be re-authenticated against a different directory, configure the Authorization tab of the published application as follows:

    AD users are allowed to View (only View)

    Other_Repository users are allowed to View and Execute

    When a user authenticated against Active Directory clicks the application, he will be requested to insert credentials of Other_Repository.

    Hope it helps


    // Raúl - I love this game
    • Marked as answer by Erez Benari Monday, October 25, 2010 9:29 PM
    Thursday, October 14, 2010 2:17 PM
  • Hi there,

    We are running UAG and Safeword in the background. Safeword Server has IAS installed and configured. UAG has Safeword Server configured correctly. When we try to log on to UAG, access is denied and logging says incorrect login. As soon as we turn off 2-factor we can log in again.

    Has anyone done this before? Which version of Safeword are you running? Is there a third line to enter the OTP passcode? Did you install any software on the UAG?

    Thanks for any help,

    Marcus

    Sunday, May 27, 2012 12:03 PM
  • Hi Marcus,

    If I remember correctly, we ended up customizing the logon page of the UAG portal. Please bear in mind that there are some customization guidelines for the UAG (see these links: http://technet.microsoft.com/en-us/library/ee861168.aspx and http://blogs.technet.com/b/edgeaccessblog/archive/2009/11/26/customizing-the-portal.aspx).

    We've added a textbox on the logon page for the OTP token and passed the values from this textbox via GET/POST method to the SafeWord Authentication Engine (there's a particular web service in SafeWord to which you can send these authentication credentials). And that was basically it, at least I can't remember anything else right now we had to do to get this running :)

    Cheers

    Alex

    Thursday, June 7, 2012 6:39 AM