Skip to main content

NetMotion Mobility XE VPN

This technical integration guide describes how to integrate a NetMotion Mobility Software and an Identity as a Service Authentication Service account. Although this document specifically covers the NetMotion Mobility Software, the information provided applies to all NetMotion appliances using the Device Manager software. The aim of this integration is to provide strong, second-factor authentication for your NetMotion Mobility Software solution using Identity as a Service.

note

This integration was tested using Identity as a Service version 5.12 and Netmotion version 11.31.9670. Some configuration steps may differ from the documentation provided or the steps in this integration guide may not be effective (due to Entrust not having tested and validated with the version you are using). For different versions, this integration guide may still offer a standard base to help fast-track SAML authentication setup for your application, but in the event there are issues, contact support@entrust.com for assistance.

Integration information

  • Partner name: NetMotion
  • Partner product: NetMotion Mobility XE
  • Product version: 11.31.9670
  • Product name: Mobility Client
  • Product version: 11.32.12223

Supported authentication methods

Authentication methodNotesSupported protocols
GridTwo-step authentication onlyEAP-GTC
TokenOne-step or two-step authentication.
Note: Challenge/response tokens unsupported with MSCHAPv2.		EAP-GTC or EAP-MSCHAPv2
Temporary Access CodeEAP-GTC
OTP (One Time Password) by SMS or TokenTwo-step authentication onlyEAP-GTC or EAP-MSCHAPv2
Knowledge-based authenticationThe RADIUS proxy only supports a single question and answer.
For CHAP and MS-CHAP, the answer must be an exact match.
Two-step authentication only		EAP-GTC
External (No Password)First-factorEAP-GTC
PasswordFirst-factorEAP-GTC
Soft Token pushTwo-step authentication onlyEAP-GTC
Mobile Smart Credential pushTwo-step authentication onlyEAP-GTC

Prerequisites

Complete the following steps before integrating your authentication system with Identity as a Service:

  1. Install and configure your first-factor authentication resource using the documentation provided by the vendor. The first-factor authentication resource can be a RADIUS server or an external authentication resource (a Local DB, LDAP-compliant directory or Windows domain controller through Kerberos).
  2. Install and configure the RADIUS appliance using the documentation provided by the vendor. The device must be able to route traffic before integrating with Identity as a Service.
  3. Install and configure Identity as a Service and an Identity as a Service Gateway (containing a RADIUS proxy agent). Take note of the shared secrets, IP addresses, and ports you use. You need this information to configure the RADIUS appliance and first-factor authentication resource.
  4. If you want to configure your RADIUS appliance and first-factor authentication resource to recognize Identity as a Service user groups, you must define the Identity as a Service user groups first.

Integrate Netmotion Mobility XE VPN

Complete the following to integrate NetMotion with IDaaS.

Step 1: Configure NetMotion Mobility XE VPN

The following procedure describes how to configure the NetMotion Mobility XE Authentication settings to use the Identity as a Service Authentication Service. This procedure assumes that you are familiar with the Mobility Console interface.

  1. Log in to the NetMotion Console. The NetMotion Dashboard page appears.
  2. Click Configure > Authentication Settings. The Authentication Settings page appears.
  3. In Global Authentication Settings, select Authentication > Mode and set Authentication Mode to User authentication only.
  4. In Global Authentication Settings, select Authentication > Protocol and set Authentication - Protocol to RADIUS – EAP (PEAP and EAP-TLS) for EAP GTC or MSCHAP-V2.
  5. Click Apply.
  6. Select Authentication > EAP-GTC > Auto-Response Mode and optionally enable Auto-response mode to use an identical prompt window for challenge authentication.
  7. In Global Authentication Settings, select Radius > Servers, click Add, and enter:
    • Host address: Identity as a Service account URL.
    • Port: Port number on which the RADIUS application listens.
    • Shared secret: RADIUS secret (enter twice).
    • Click OK.
  8. In Global Authentication Settings, select Radius > NAS ID and enter netmotion or the IP address of the NetMotion server as the NAS ID. Click Apply.
  9. Select Radius > Retransmit Interval and set Interval to 40000. Click Apply.

Step 2: Configure the NetMotion Mobility XE client settings

  1. Log in to the NetMotion Console. The Dashboard page appears.
  2. From the top menu, click Configure > Client Settings. The Client Settings page appears.
  3. In Global Client Settings, locate Logon, select Always Prompt for User Credentials, and check Always prompt when connecting. Click Apply.
  4. Select Connecting Dialog Delay and set Delay Time (seconds), for example 120. Click Apply.
  5. Select Connecting Dialog Duration and set Wait Time (seconds), for example 120. Click Apply.

Step 3: Configure the server certificate

If you are using a server certificate for Identity as a Service, and the NetMotion client is set to validate server certificates, install the self-signed or CA certificate used to issue the SSL server certificate on the NetMotion client machine.

To configure the SSL certificate on the client machine:

  1. Export the SSL certificate from the gateway instance on your Identity as a Service account to the client machine. See the procedure to Export SSL certificate in Manage Gateway certificates for more information.
  2. Import the SSL certificate into the local Trusted Root CA store on the NetMotion client machine.

If you do not want to validate the certificate:

  1. On the client machine, open the NetMotion client. The NetMotion Mobility Client page appears.
  2. Click Configuration to open the General options page.
  3. Select the Server Certificates tab.
  4. Deselect Validate server certificate.
  5. Click OK to save the settings.

Step 4: Add NetMotion Mobility XE to Identity as a Service

note

If you enable Push Authentication Fallback, set the Client Network Failover timeout (a NetMotion Client setting under Timeout) to a value greater than the Push Authentication Fallback Timeout.

note

Entrust recommends that when multiple RADIUS applications are configured that each RADIUS application is given a unique shared secret.

Follow these steps to integrate a RADIUS client:

  1. Click > Security > Applications. The Applications page appears.

  2. Click Add. The Select an Application Template page appears.

  3. Do one of the following:

    • Select RADIUS and VPN Integrations from the search drop-down list and scroll to find the application you want to add to IDaaS.
    • In the Search bar, enter a search option to filter for the application you want to add to IDaaS.

  4. Click Netmotion. The Add Netmotion page appears.

  5. Optional: Edit the Application Name.

  6. Optional: Enter a Description for your application.

  7. Optional: Add a custom application logo:

    • Click next to Application Logo. The Upload Logo dialog box appears.
    • Click to select an image file to upload.
    • Browse to select your file and click Open. The Upload Logo dialog box displays your selected image.
    • If required, resize your image.
    • Click OK.

  8. Click Next. The Setup page appears.

  9. Click Add next to Hosts to add the host name of the VPN server. Enter the host name in the Host dialog box and click OK. Repeat to add more host names.

  10. In the Port field, enter the port on which the RADIUS agent accepts messages.

    tip

    Do not enter 8443 as the port number for this application. Port 8443 is used by the Entrust Identity Enterprise agent in your Gateway.

    attention

    The RADIUS agent uses the host name that sent a request and the port number that it received the request from to determine which RADIUS application made the request. Because of that:

    • Two RADIUS applications with the same port value cannot share any host names.
    • Two RADIUS applications that have one or more matching host names must have different port values.

  11. In the Shared Secret field, enter the shared secret that is used by your VPN server. This is the RADIUS secret shared between your VPN server and the RADIUS server. The shared secret value must match a shared secret in your RADIUS client.

  12. From the Select RADIUS Agent drop-down list, select the name of the Gateway containing the RADIUS agent to which this application will be assigned.

  13. Optional: From the Select RADIUS Attribute for IP Address drop-down list, select the RADIUS attribute that corresponds to your IP location.

  14. In the Challenge Response Queue Max Time field, set the number of seconds that the RADIUS agent waits for a response to first-factor authentication. The default value is 180 seconds.

  15. In the Challenge Response Queue Max Size field, set the maximum number of second-factor challenge requests allowed in the queue of your RADIUS application. The default value is 1000 requests (maximum 10,000).

  16. In the Request Cache Timeout field, set the number of seconds to cache requests. The default value is 10 seconds.

  17. From the Character Set drop-down list, select the character set used to decode and encode string values (including the user ID and password values) in RADIUS messages. The options are ISO-8859-1.

  18. Optional: Select Log RADIUS messages to enable RADIUS message logging. When enabled, messages for the RADIUS agent are logged to the same log file as the gateway logs.

  19. Optional: Enable Authentication Settings as needed.

  20. Select Enable Push Authentication Fallback if you want authentication to fall back to another authenticator in the event of a failure. If required, set the Push Authentication Fallback Timeout to the number of minutes before the push authentication times out.

  21. Select When authenticating the user will be asked to select their second-factor authenticator to prompt the user, after the first-factor challenge, to select their second-factor authenticator. The list of available second-factor authenticators is set by the resource rule.

    Supported strings matched to authentication types:

    • Grid: grid
    • Knowledge-based Authentication: kba
    • One-time password: email, sms, voice
    • Smart Credential Push: scpush
    • Temporary Access Code: tac
    • Token: token
    • Token push: push

  22. Select Indicate if requests must include the message-authenticator attribute for incoming messages to include the message-authenticator attribute for incoming messages.

  23. Select Indicate if requests must include the message-authenticator attribute for outgoing messages to include the message-authenticator attribute for outgoing messages.

  24. Select Remove domain from user ID for incoming requests to remove the domain value from the user ID during authentication when the user ID provided by the RADIUS client is in the format domain\username and the user ID in IDaaS is in the format username.

  25. Select Indicate if Active Directory password authentication requests are handled by the same Gateway Instance that initiated the request to require that Active Directory password authentication and change requests initiated as part of the RADIUS authentication are handled by any Gateway Instance in the same Gateway cluster that initiated it. If disabled, the request is handled by any Gateway Instance.

  26. Select Enable one-step multi-factor authentication to allow the user to enter their user ID and then their password and token response in the password field. When enabled, second-factor authenticators available in the resource rule are limited to token and temporary access code.

  27. Enter the One-step multi-factor authentication security token length (length of the token or temporary access code response).

  28. Optional: Add Response Attributes to return to the RADIUS application after successful authentication. Use this setting to configure RADIUS attributes to return information such as the user's group information to the VPN server.

    When adding response attributes, you can optionally add group filters. For example, users may belong to CANADA, US, UK, FRANCE. To return FilterID as NA or EUROPE, configure filters such as:

    • Match CANADA, replace NA
    • Match US, replace NA
    • Match UK, replace EUROPE
    • Match FRANCE, replace EUROPE

    Set the Response Attributes as follows:

    • Click Add. The Add a Response Attribute dialog box appears.
    • Select the RADIUS Attribute ID from the drop-down list (depends on your VPN vendor).
    • Select the Value Type from the drop-down list.
    • To return a static value specified in the RADIUS attribute definition, select Static, enter a Value, and click Add.
    • To return the user’s group membership, select Group and optionally:
      1. Click Add to add filters.
      2. Enter the Match and the Replace attribute filters.
      3. Click Add to add more attribute filters.
      4. Drag and drop multiple filters in order of preference.
      5. Select Stop after matching filter to return only one value.
      6. For Multiple Values Per Attribute, enter the Value Separator and click Add.
    note

    If a user belongs to more than one group, you can either add a separate attribute to your RADIUS response for each group or combine all of the groups into a single attribute. For example, if the user belongs to G1,G2,G3 then you would:

    • Return a RADIUS response with three attributes, OR
    • Return a RADIUS response with one attribute and a value like G1,G2,G3 where the comma is defined in the Value Separator setting, or a value like G1 G2 G3 where the Value Separator is defined as a space.

    Attention: The default group separator is a space. If you have group names that are separated by a space, use another separator, such as a comma.

  29. Optional: Configure the EAP Settings to set up the application to use the EAP RADIUS authentication protocol.

    • Select EAP Enabled to allow the RADIUS application to accept EAP messages.
    • When enabled, authentication messages with EAP content are treated as EAP requests. The application can accept only EAP authentication requests.
    • When disabled, incoming authentication requests are processed as standard RADIUS authentication requests (even if the request includes EAP content). The application can accept only standard RADIUS authentication requests.
    • Select the EAP Protocol from the drop-down list. Options: PEAPv1 with GTC.
    • Select Return MPPE Keys to include the MPPE (Microsoft Point-to-Point Encryption) recv and send keys in the Access-Accept message returned during successful EAP authentication (enabled by default).
    • Select Use PEAPv1 label when calculating MPPE Keys to use the PEAPv1 label when calculating the recv and send keys.
    • Leave Minimum TLS Version, Maximum TLS Version, and Allow Weak Ciphers at default settings unless required for older VPN servers.

  30. Configure the Deprecated Settings only if your RADIUS application is connected to a Gateway version older than 3.0. Select No first-factor as the Authentication Type for compatibility with gateways configured before release 3.1.

    note

    MSCHAPv2 authentication is not supported when No first-factor authentication is configured for the RADIUS application.

  31. Click Submit.

Step 5: Add a resource rule

See Create resource rules.

Step 6: Test the integration

note

You can test the NetMotion integration using single-factor authentication with AD password and Token response or using two-factor authentication. Before testing the integration, select the Auto-response option in your NetMotion server settings.

Test single-factor authentication with AD password and Token response

  1. Press Control+Alt+Delete, and log in to the Windows computer using your regular domain credentials.
  2. Enter your domain user name and Identity as a Service token response.
  3. When prompted for the Mobility Login credentials:
    • For User name, enter the Identity as a Service user name with domain name.
    • For Password, enter the token response from one of the tokens registered to the Identity as a Service user.
  4. Click OK.
note

Ensure that you have selected Auto-response as described in Step 1: Configure NetMotion Mobility XE VPN.

Test two-factor authentication

  1. Press Control+Alt+Delete, and log in to the Windows computer using your regular domain credentials.
  2. Enter the Identity as a Service user name and password.
  3. Click OK.
  4. Enter a response to the next challenge that is presented (for example, a grid response).
  5. Click OK.