McAfee Enterprise Authentication 1.0 Product Guide, Revision A
COPYRIGHT Copyright © 2014 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundscore, Foundstone, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure are trademarks or registered trademarks of McAfee, Inc.
Preface

This guide provides the information you need to work with your McAfee product.

Contents: About this guide; Find product documentation

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience.
Find product documentation

After a product is released, information about the product is entered into the McAfee online Knowledge Center.

Task
1 Go to the McAfee ServicePortal at http://support.mcafee.com and click Knowledge Center.
2 Enter a product name, select a version, then click Search to display a list of documents.
1 Introduction

Protect your enterprise network data and resources against unauthorized access by integrating McAfee Enterprise Authentication (Enterprise Authentication) directly with your on-premise or cloud-based environment.

Contents: About Enterprise Authentication; How authentication works

About Enterprise Authentication

Enterprise Authentication supports many strong authentication methods to ensure your network is protected.
How authentication works

• Remote Authentication Dial-In User Service (RADIUS)
• Security Assertion Markup Language (SAML)
• Hyper Text Transfer Protocol/Secure Sockets Layer (HTTP/HTTPS)
• Representational State Transfer (REST)

Depending on your configuration, various authentication methods are used to authenticate user identities. Once authenticated, the validated information is passed to the protected resources and users are permitted access.
Deployment

Before you deploy Enterprise Authentication on your network, consider your options and create your deployment plan.

Chapter 2 Deployment options
Chapter 3 Deployment scenarios
Chapter 4 Plan your deployment
2 Deployment options

Enterprise Authentication offers several options to meet your deployment needs.

Contents: Types of installations; Web-based interface; Tenancy and administrator roles

Types of installations

Enterprise Authentication offers two installation options.

Required installation
Install Enterprise Authentication on your dedicated standalone server to use as a secure central point for managing the software, storing data, and hosting the web-based interfaces.
• Failover — If one server fails, the other servers within the cluster automatically absorb the workload.
• High Availability — The ability for each server to absorb the workload.

Example: An Enterprise Authentication server receives an authentication request but is disconnected from the network for routine maintenance.
Tenancy and administrator roles

Multi-tenancy
Tenants represent businesses within an enterprise or companies that subscribe to cloud-based services through a Service Provider. In a multi-tenant architecture, all tenants share the Enterprise Authentication software, but each tenant manages its own data, which is isolated from all other tenants. Enterprise Authentication securely isolates tenant data using metadata that links each tenant to its own database.
• Manage tokens
• Manage PINs
3 Deployment scenarios

When creating your deployment plan, consider each Enterprise Authentication deployment scenario. You can implement Enterprise Authentication for various environment infrastructures, and these deployment scenarios vary depending on your network needs.
Considerations
• UDP ports configured on the Enterprise Authentication server and RADIUS client are identical.
• The shared secrets configured on the Enterprise Authentication server and RADIUS client are identical.
• All multi-factor authentication tokens have been uploaded using the administration interface.
• If using one-time password authentication, the RADIUS client must support RADIUS challenge-response.
Enterprise Authentication as the Identity Provider

How it works

Figure 3-2 Enterprise Authentication as the Identity Provider

1 Users request access to protected applications and are redirected to Enterprise Authentication (Identity Provider) for authentication.
2 At the logon screen, users are prompted to provide their identity credentials, such as a user name and password.
4 Plan your deployment

Before you install Enterprise Authentication, plan and prepare your network environment.

Contents: Requirements; Authentication methods; Deployment checklist

Requirements

To ensure that your deployment is successful, your environment must meet the minimum requirements.

Table 4-1 Requirements
Component         Requirement
Dedicated server  You must have administrator rights to the dedicated network server.
Table 4-1 Requirements (continued)
Component               Requirement
User data stores        These user data stores are supported:
                        • Active Directory (AD)
                        • Lightweight Directory Access Protocol (LDAP)
                        • Structured Query Language (SQL)
                        • Oracle
                        • MySQL
                        • Microsoft SQL Server
                        • PostgreSQL
Certifications support  Enterprise Authentication includes a certified RSA BSAFE CryptoJ 6.1.0.0.2 module and always starts in FIPS mode.
Authentication methods

Example: When using MFA to gain access to protected resources, users are authenticated using their password and one-time password. Enterprise Authentication grants access when the user successfully returns the generated one-time password.
• Identity theft — Since passwords are more prone to theft, certificates ensure that identity information is valid and secure.
• Unauthorized access — When certificates become compromised, they also become unusable.
• Password maintenance — Avoid requiring users to maintain long lists of complex passwords that are difficult to remember and easy to lose.
Deployment checklist

Table 4-3 Environment structure (continued)
Determine...                                                          Verified
That you have administrator rights on all servers you intend to use
If these minimum requirements are met:
  • Server-class operating system
  • Virtual infrastructure software
  • Hardware memory
  • Internet browser
  • Software
The location of your Enterprise Authentication license file

Table 4-4 Users
Determine...
Table 4-5 Resources (continued)
Determine...                                                          Verified
If you plan to send one-time passwords using the McAfee Message Gateway. If so, you must have a:
  • Valid McAfee Message Gateway account
  • License file that supports sending SMS
If you plan to send one-time passwords with an email address. If so, verify that you have an SMTP server that accepts and relays email messages from Enterprise Authentication.
Setup

Install Enterprise Authentication on your computer and complete the post-installation tasks.

Chapter 5 Installation
Chapter 6 Post-installation tasks
5 Installation

To complete the installation, download and install the Enterprise Authentication product files on your supported server-class operating system.

Contents: Download the product files; Install the product files

Download the product files

Download the Enterprise Authentication product files from the McAfee Downloads page.

Task
1 Log on to your operating system as the administrator.
2 Go to the McAfee Downloads page.
3 Enter your grant number, then click Go.
6 Post-installation tasks

To ensure your network is prepared for authentication, complete the post-installation tasks.

Contents: Set up clusters; Access the administration interface; Add tenants

Set up clusters

Install the Enterprise Authentication software on each additional server and configure the servers to share data.

Task
1 Install and start the Enterprise Authentication software on the seed servers.
2 Locate the C:/Program Files/McAfee/EA/config directory.
5 Verify the cluster setup.
  a On the administration interface, click the Cluster tab.
  b Move your cursor over the server and verify that the correct information appears.

Access the administration interface

Log on to the administration interface where you perform all configuration and management tasks.
Add tenants

To add tenants that are hosted on the same Enterprise Authentication server, use the administration interface.

Task
1 In the administration interface, click the Tenants tab.
2 Click Add Tenant.
3 On the Create tenant window, enter the tenant user name in the Name field.
4 Click Create.
Configuration and use

Use the Enterprise Authentication web-based components to configure your authentication options.

Chapter 7 Processing authentication requests with flows
Chapter 8 Assigning administrator permissions
Chapter 9 Assisting users with Web Manager
Chapter 10 Maintenance
7 Processing authentication requests with flows

When users request access to protected resources, Enterprise Authentication uses authentication flows to securely authenticate user identities.
Configure flows using the guided configuration tool

The response of each processed action determines whether the user is granted access to the protected resource. Both configuration options include these basic steps:
1 Designate an authentication method.
2 Configure the listener that handles incoming traffic for specific protocols.
3 Define where user information is stored, and how Enterprise Authentication can access it.
  e Click Add.
  f Check and resolve any possible condition conflicts.
7 Click Next.

Configure SAML Identity Provider flows using the guided configuration tool

Use the guided configuration tool to configure Enterprise Authentication as the Identity Provider.

Task
1 On the administration interface, click the Main tab, then click Start | Create New Authentication Flow.
Create custom authentication flows

To create custom authentication flows that meet your specific network needs, manually combine Enterprise Authentication actions and conditions.

Tasks
• Upload certificates on page 38
  To enable certificate-based authentication, upload certificate files to Enterprise Authentication.
• Import tokens on page 39
  To enable user token authentication, import tokens to Enterprise Authentication.
Import tokens

To enable user token authentication, import tokens to Enterprise Authentication.

Task
1 On the administration interface, click the Main tab, then select Import tokens.
2 Next to the File field, click Browse, navigate to the token file, then click Open.
3 Upload optional protected key files.
  a Next to the Key file field, click Browse.
  b Navigate to the key file, then click Open.
4 Click Upload.
Table 7-2 Tenant mapping configuration options
Option                   Task steps
Bind listener to tenant  1 From the Tenant drop-down list, select the tenant.
                         2 Click OK.
Bind IP to tenant        1 In the IP field, enter the IP address.
                         2 From the Tenant drop-down list, select the tenant.
                         3 Click Add.
                         4 Click OK.
Connect Enterprise Authentication to data sources

Connect Enterprise Authentication to the data sources where your user data is stored.

Tasks
• Add a connection to the SQL Server database on page 41
  To add a connection to your SQL Server database, set up the JDBC driver.
  c If the LDAP directory server uses an SSL connection, select the SSL enabled checkbox.
  d In the Port field, enter the LDAP directory server port.
  e In the Administrator DN field, enter the administrator distinguished name.
  f In the Administrator password field, enter the administrator password.
4 Click Verify connection.
5 If verification is successful, click Create.
6 Add conditions.
  a Click Add.
  b In the Attribute field, enter the attribute on which you want to build the condition.
  c Select one of these operators:
    • must
    • can not
  d Choose from one of these options:
    • Select exist.
    • In the contain field, enter the value.
    • In the match field, enter the value.
  e Click Add.
  f Check and resolve any possible condition conflicts.
7 Click Create.
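The condition model of step 6 (an attribute, a must/can not operator, and an exist/contain/match test) together with the conflict check of step 6f, as an added Python example that is not McAfee's code and not taken from the product. The exact semantics of exist (present and non-empty), contain (substring) and match (exact equality), and the attribute names in the constructed sample, are assumptions.

```python
# Added example (not McAfee's code): an evaluator for flow conditions of the shape
# described in step 6 (attribute, "must"/"can not", and one of exist / contain / match)
# plus a conflict check in the spirit of step 6f. Test semantics are assumptions:
# exist = present and non-empty, contain = substring, match = exact equality.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Condition:
    attribute: str
    operator: str                 # "must" or "can not"
    test: str                     # "exist", "contain" or "match"
    value: Optional[str] = None   # unused for "exist"

def _test_holds(cond: Condition, user: Dict[str, str]) -> bool:
    """Does the bare test (ignoring the operator) hold for this user record?"""
    raw = user.get(cond.attribute)
    if cond.test == "exist":
        return raw not in (None, "")
    if raw is None:
        return False              # contain/match on a missing attribute never holds
    if cond.test == "contain":
        return cond.value in raw
    if cond.test == "match":
        return raw == cond.value
    raise ValueError(f"unknown test {cond.test!r}")

def evaluate(conditions: List[Condition], user: Dict[str, str]) -> bool:
    """Grant only when every condition is satisfied; "can not" negates its test."""
    for cond in conditions:
        if cond.operator not in ("must", "can not"):
            raise ValueError(f"unknown operator {cond.operator!r}")
        if _test_holds(cond, user) != (cond.operator == "must"):
            return False
    return True

def find_conflicts(conditions: List[Condition]) -> List[Tuple[Condition, Condition]]:
    """Pairs no user can satisfy together: the same test under both operators, or
    two 'must match' tests on one attribute with different values."""
    conflicts = []
    for i, a in enumerate(conditions):
        for b in conditions[i + 1:]:
            if a.attribute != b.attribute:
                continue
            opposite = (a.test, a.value) == (b.test, b.value) and a.operator != b.operator
            two_values = (a.test == b.test == "match" and a.value != b.value
                          and a.operator == b.operator == "must")
            if opposite or two_values:
                conflicts.append((a, b))
    return conflicts

# Constructed sample: a VPN flow that requires group membership and a mobile number
# (for one-time passwords) and excludes contractors. Attribute names are illustrative.
VPN_CONDITIONS = [
    Condition("memberOf", "must", "contain", "CN=VPN-Users"),
    Condition("mobile", "must", "exist"),
    Condition("department", "can not", "match", "Contractors"),
]
SAMPLE_USER = {"memberOf": "CN=VPN-Users,OU=Groups,DC=example,DC=com",
               "mobile": "+15550100", "department": "Engineering"}
```

Running find_conflicts before saving a flow surfaces the pairs that step 6f asks you to resolve; evaluate shows how a user record would fare against the finished condition set.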
Table 7-5 Configurable action options (continued)
Task                           Steps
Add listeners to the action.   1 Next to the action, click +.
                               2 Click Add listener response handler.
                               3 Configure the available options, then click Add.
Remove actions from the flow.  1 Next to the action, click +.
                               2 Click Remove.
8 Assigning administrator permissions

Assign administrator permission sets to network users.

Contents: Assign system administrator permissions; Configure default tenant account settings; Assign tenant administrator permissions

Assign system administrator permissions

Assign additional system administrator role permissions to network users.

Task
1 On the administration interface, click the Tenants tab.
2 Next to the default_tenant account, click Edit.
Configure Pledge Profile Service settings

To enable users to use their Pledge software token, configure the Pledge Profile Service settings.

Task
1 Click the Tenants tab, then click Edit next to the default tenant account.
2 Select Pledge Profile Service.
3 Configure the available settings, then click Test Pledge Profile Service settings.
4 If the settings are correct, click Save.
See also
Add a connection to the LDAP directory on page 41
Add a connection to the Active Directory on page 42

Configure SMTP settings

To enable users to send one-time passwords by email, configure the SMTP settings.

Task
1 Click the Tenants tab, then click Edit next to the default tenant account.
2 Select SMTP.
9 Assisting users with Web Manager

To assist users with their authentication settings, user administrators use the Web Manager interface.

Contents: Log on to the Web Manager; Search for users and tokens; Update user telephone numbers; Reset user lockout; Assign and manage tokens; Generate user PINs

Log on to the Web Manager

To access the Enterprise Authentication user settings, log on to the Web Manager.
Update user telephone numbers

To ensure that one-time passwords are delivered to the correct devices, keep the user telephone number current.

Task
1 Double-click the user name.
2 Click the General tab.
3 In the Mobile field, delete the old telephone number, then enter the new one.
4 Click Save.

Reset user lockout

If users attempt to log on multiple times using an incorrect password, Web Manager locks out the user.
Enable the Pledge Profile Service

To enable users to use Pledge, configure the Pledge Profile Service settings.

Task
1 Double-click the user account.
2 Click the Manage tokens tab, then select Enroll pledge profile.
3 Configure the available settings.
4 Click Save.

Assign temporary one-time passwords

Assign users temporary one-time passwords if they forget or lose their hardware token device.

Task
1 Double-click the user account.
Generate user PINs

When enabled, generate PINs that are used for authentication.

Task
1 Double-click the user account.
2 Click the PIN Code tab.
3 Click Generate.
10 Maintenance

Maintain the Enterprise Authentication software.

Contents: Uninstall the software; Uninstall cluster installations

Uninstall the software

To remove the Enterprise Authentication features, uninstall the software from your computer.

Task
1 From the Start menu, select Control Panel | Programs and Features.
2 Select McAfee Enterprise Authentication, then click Uninstall/Change. The Uninstall McAfee Enterprise Authentication window appears.