Stormshield (NetASQ)

 

This procedure describes how to integrate the inWebo multi-factor authentication service with "Stormshield" Radius authentication.

General Principles

The InWebo strong authentication service supports many built-in interfaces such as Radius, SAML 2.0, Web Services API, Google Apps and many more. When working with a network device (firewall, reverse proxy, …), the preferred method is RADIUS. This is the method explained in the rest of this document.

Architecture is described below:

Users can download and manage InWebo tokens by themselves. In order to get the whole system up and running, your company system administrator only has to:

  1. Configure Stormshield authentication portal with Radius (5 min)

  2. Create an InWebo account (2 min)

  3. Download, install and activate one of InWebo tokens (4 min)

  4. Configure the Radius connector in the InWebo account (2 min)

  5. Perform a test authentication (1 min)

Basically, the whole system can be up and running in 15 minutes.

Configure authentication portal on Stormshield

In this example, we will take for granted that you already have a Stormshield firewall up and running.

If so, you will need to:

  1. Create Radius Servers objects

  2. Configure VPN SSL

  3. Configure Users and Groups to use Radius Authentication

Connect to your Stormshield Administration interface. Go to “Objects”, select “Network Objects”, click “+Add”, and create 2 new objects called radius-a.myinwebo.com and radius-b.myinwebo.com:

inWebo Radius server addresses:

(See https://inwebo.atlassian.net/wiki/spaces/DOCS/pages/2216886275/RADIUS+integration+and+redundancy for additional details and configuration)

Then, go to VPN / SSL VPN. In “General”, enable SSL VPN.

In this section, configure Web Servers, Application Servers and User profiles according to your needs.

Then, go to Users / Authentication. In “General”, enable Captive Portal. In “Available Methods”, add a RADIUS authentication method:

This authentication method needs to be configured with the 2 Radius server objects you created earlier. At this stage, choose the Radius secret that will be shared with the InWebo servers (this string is used to protect the Radius requests).

Click “Apply” when you're done.

Then, go to Users / Users and choose “Add Group”. Give it the name “inwebo-users” and insert the users you want.

Click “Apply”.

Then, go to Users / Access Privileges. In “Detailed Access”, add a policy for the group “inwebo-users” to access SSL VPN with RADIUS authentication:

Click “Apply”.

Configure InWebo Radius connector

Connect to your "myinWebo" administration console.

Once connected, choose the “Secure Sites” tab in your Administration console, select “Add a connector of type…”, and choose “Radius Push”:

The popup below will appear. Enter the public IP addresses of your Stormshield servers, along with the Radius secret you defined earlier:

Your InWebo account is now fully configured.

Test Authentication

Launch your Stormshield client (or SSL portal), enter your login and one random character in the password field, then connect.

Your user will receive a notification on their valid mobile or PC token.
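To show what the shared Radius secret actually does in the request sent during this test, here is an added example (not inWebo or Stormshield code) that builds an Access-Request as defined in RFC 2865, with the Message-Authenticator attribute from RFC 2869. The secret hides only the User-Password attribute and keys the integrity check; User-Name travels in clear. The user name, the secret and the presence of a Message-Authenticator are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import struct

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    size = max(16, (len(password) + 15) // 16 * 16)
    padded, out, prev = password.ljust(size, b"\x00"), b"", authenticator
    for i in range(0, size, 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Server side: the same keystream chain, possible only with the secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def _attr(code, value):
    return bytes([code, len(value) + 2]) + value

def build_access_request(user, password, secret, ident, authenticator=None):
    """Access-Request with User-Name, User-Password, Message-Authenticator."""
    authenticator = authenticator or os.urandom(16)
    attrs = _attr(1, user) + _attr(2, hide_password(password, secret, authenticator))
    attrs += _attr(80, b"\x00" * 16)  # zeroed while the HMAC is computed
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac

def verify_message_authenticator(packet, secret):
    """Assumes Message-Authenticator is the last attribute, as built above."""
    zeroed = packet[:-16] + b"\x00" * 16
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(packet[-16:], expected)

if __name__ == "__main__":
    secret = b"constructed-example-secret"  # constructed value, not a real secret
    pkt = build_access_request(b"alice", b"x", secret, ident=1)  # one-character password
    print(pkt.hex())
    print("User-Name readable on the wire:", b"alice" in pkt)
    print("integrity check passes:", verify_message_authenticator(pkt, secret))
```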