Two factor authentication using RSA Radius and SecurID for SonicWall GVC and NetExtender Clients

Description

This article explains how to use RSA RADIUS with RSA Authentication Manager to directly authenticate SonicWall SSLVPN NetExtender and GVC users attempting to access network resources through the SonicWall firewall.

The RSA RADIUS Server receives user access requests from the RADIUS client and forwards them to Authentication Manager for validation.
The RADIUS Client is the SonicWall device at the network perimeter that enforces access control for users attempting to access network resources.

NOTE: Two factor authentication is accomplished here by combining the PASSCODE and the PIN code.
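
The Access-Request that the RADIUS client sends and the RADIUS server decodes, as an added example (not part of the original article, and not SonicWall or RSA code). It assumes PAP as defined in RFC 2865; the shared secret, username and PASSCODE are constructed sample values, and the function names are illustrative.

```python
# Added example: PAP User-Password handling per RFC 2865; all values are constructed.
import hashlib
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD = 1, 2  # attribute types from RFC 2865

def _xor_blocks(data: bytes, secret: bytes, authenticator: bytes, hide: bool) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(b ^ k for b, k in zip(block, key))
        prev = result if hide else block  # chaining always uses the ciphertext
        out += result
    return out

def hide_password(passcode: bytes, secret: bytes, authenticator: bytes) -> bytes:
    if not 1 <= len(passcode) <= 128:
        raise ValueError("User-Password must be 1 to 128 bytes")
    padded = passcode + b"\x00" * (-len(passcode) % 16)
    return _xor_blocks(padded, secret, authenticator, hide=True)

def build_access_request(user: bytes, passcode: bytes, secret: bytes, ident: int = 1) -> bytes:
    """What the RADIUS client (the firewall) sends to the RADIUS server."""
    authenticator = os.urandom(16)
    attrs = b""
    for attr_type, value in ((USER_NAME, user),
                             (USER_PASSWORD, hide_password(passcode, secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_access_request(packet: bytes, secret: bytes) -> tuple:
    """What the RADIUS server recovers before validating the PASSCODE."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    authenticator, pos, fields = packet[4:20], 20, {}
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        fields[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    clear = _xor_blocks(fields[USER_PASSWORD], secret, authenticator, hide=False)
    return fields[USER_NAME], clear.rstrip(b"\x00")
```

If the shared secret on the firewall differs from the one in the RADIUS server's client entry, the server recovers a garbled PASSCODE and rejects a correct login, so check the secret first when every attempt fails.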

[Figure: Example of Deployment]

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.


SonicWall Radius configuration steps

  1. Under Device | Users | Settings | User Authentication method, select RADIUS + Local Users as the authentication method.

  2. Configure the RADIUS Server settings and add the RADIUS server.

  3. Keep all the other settings at their defaults and click Apply.


Add the SonicWall firewall as a RADIUS Client for RSA

  1. Add a RADIUS client in the RSA Security Console.
  2. Click RADIUS | RADIUS Clients | Add New and configure the settings.

  3. The SonicWall firewall RADIUS client needs to be associated with an agent.
  4. If you have not associated this client with an agent, the client cannot support RSA SecurID authentication.

  5. Assign a SecurID Token to the VPN user.

Configure the SonicWall clients

  1. Configure the SonicWall NetExtender client.
  2. Configure the SSLVPN Services Group under Device | Users | Local Users & Groups | SSLVPN Services.

  3. Add the All RADIUS Users Group as a member of this group and click OK.


Configure the NetExtender client 

  1. On the SonicWall NetExtender window, set the parameters for the server and domain.
  2. Enter the Username and the PASSCODE (+PIN) and click Connect.

Configure the SonicWall GVC Client

  1. When a remote VPN client user tries to access the private protected LAN through an SA requiring RADIUS/XAUTH, the VPN client automatically prompts the user for a User Name and Password.
  2. Since we are using RSA SecurID, enter the corresponding username and PASSCODE (+PIN) into the VPN client XAUTH username/password prompt.

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

SonicWall Radius configuration steps

  1. Under Manage | Users | Settings | User Authentication Settings, select RADIUS as the authentication method.

  2. Configure the RADIUS Server settings and add the RADIUS server.

  3. Keep all the other settings at their defaults and click Apply.

Add the SonicWall firewall as a RADIUS Client for RSA

  1. Add a RADIUS client in the RSA Security Console.
  2. Click RADIUS | RADIUS Clients | Add New and configure the settings.

  3. The SonicWall firewall RADIUS client needs to be associated with an agent.
  4. If you have not associated this client with an agent, the client cannot support RSA SecurID authentication.

  5. Assign a SecurID Token to the VPN user.


Configure the SonicWall clients

  1. Configure the SonicWall NetExtender client.
  2. Configure the SSLVPN Services Group under Manage | Users | Local Users & Groups | SSLVPN Services.

  3. Add the All RADIUS Users Group as a member of this group and click OK.

  4. On the SonicWall NetExtender window, set the parameters for the server and domain.
  5. Enter the Username and the PASSCODE (+PIN) and click Connect.


Configure the SonicWall GVC Client

  1. When a remote VPN client user tries to access the private protected LAN through an SA requiring RADIUS/XAUTH, the VPN client automatically prompts the user for a User Name and Password.
  2. Since we are using RSA SecurID, enter the corresponding username and PASSCODE (+PIN) into the VPN client XAUTH username/password prompt.

Resolution for SonicOS 6.2 and Below

The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer, we suggest upgrading to the latest general release of SonicOS 6.5 firmware.



SonicWall Radius configuration steps

  1. Under Users | Settings | User Login Settings, select RADIUS as the authentication method.

  2. Configure the RADIUS server settings.

  3. Keep all the other settings at their defaults and click Apply.

Add the SonicWall firewall as a RADIUS Client for RSA

  1. Add a RADIUS client in the RSA Security Console.
  2. Click RADIUS | RADIUS Clients | Add New and configure the settings.

  3. The SonicWall firewall RADIUS client needs to be associated with an agent.
  4. If you have not associated this client with an agent, the client cannot support RSA SecurID authentication.

  5. Assign a SecurID Token to the VPN user.

Configure the SonicWall clients

  1. Configure the SonicWall NetExtender client.
  2. Configure the SSLVPN Services Group under Users | Local Groups | SSLVPN Services.

  3. Add the All RADIUS Users Group as a member of this group and click OK.

  4. On the SonicWall NetExtender window, set the parameters for the server and domain.
  5. Enter the Username and the PASSCODE (+PIN) and click Connect.

Configure the SonicWall GVC Client

  1. When a remote VPN client user tries to access the private protected LAN through an SA requiring RADIUS/XAUTH, the VPN client automatically prompts the user for a User Name and Password.
  2. Since we are using RSA SecurID, enter the corresponding username and PASSCODE (+PIN) into the VPN client XAUTH username/password prompt.

