Ange Olivier Ambemou

Protect Stormshield VPN with RSA MFA

Blog post created by Ange Olivier Ambemou (Employee) on Oct 22, 2020

Stormshield Network Security is a strong UTM that helps customers protect their infrastructures. The firewall offers IPsec and SSL VPN for end users.

In this blog I show you how to integrate Stormshield with the Identity Router (IDR) to protect user remote access.

Let's go

Stormshield supports RADIUS for integration with Authentication Manager (AM) or the Identity Router (IDR).

Stormshield configuration

At the Stormshield level, configure the RADIUS server (your IDR or AM) and the shared secret.

Define RADIUS in the authentication policy.

IDR configuration

In CAS I define my RADIUS client.

And ask the cloud to validate only the policy. Because of a timeout issue at the Stormshield level, I can only use the Authenticate Tokencode from the RSA SecurID Authenticate app.

For security purposes, require a PIN or device biometrics to view the Authenticate Tokencode; this is set at the CAS level.

After this, push your policies and you are ready to authenticate.

At the password prompt, unlock your RSA SecurID Authenticate app and enter the Tokencode to access the VPN.

Caution

1 - In the integration with Authentication Manager, Stormshield does not support PIN creation; use the Self-Service Console to set the initial PIN, or another protected resource (for example, a laptop with the RSA Agent for Windows).

2 - If you want to use a VPN client, it is better to use the OpenVPN client instead of the Stormshield VPN client: the Stormshield VPN client sends the same authentication request twice, which looks like a replay attack on the AM/IDR side.

3 - Timeout issue: at the time of writing, there is no way to modify the Stormshield RADIUS timeout in the UI or the CLI.
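As an added illustration of the RADIUS exchange behind this setup and of caution 2 above (example code written for this page, not Stormshield's or RSA's): it builds an Access-Request that carries the Tokencode in the User-Password attribute, hidden with the shared secret as RFC 2865 specifies, and shows how the server side can tell a repeated request from a fresh login. The client address, the sample secret, the 30-second window and the assumption that the repeated request reuses the same Identifier and Request Authenticator are mine, not the page's.

```python
import hashlib
import os
import struct


def hide_user_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_user_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side of the same scheme; the chain uses the received (hidden) blocks."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, user: bytes, tokencode: bytes,
                         secret: bytes, req_auth: bytes = b"") -> bytes:
    """Access-Request (Code 1) with User-Name (1) and hidden User-Password (2).
    The Tokencode travels in User-Password, as in the Stormshield setup above."""
    req_auth = req_auth or os.urandom(16)  # 16-byte random Request Authenticator
    hidden = hide_user_password(tokencode, secret, req_auth)
    attrs = struct.pack("!BB", 1, 2 + len(user)) + user
    attrs += struct.pack("!BB", 2, 2 + len(hidden)) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs


class DuplicateDetector:
    """Server-side view (assumed): the same (client, Identifier, Request Authenticator)
    seen again inside the window is a retransmission or replay, not a new login."""

    def __init__(self, window: float = 30.0):
        self.window, self.seen = window, {}

    def check(self, client: str, packet: bytes, now: float) -> str:
        key = (client, packet[1], packet[4:20])  # Identifier, Request Authenticator
        last = self.seen.get(key)
        self.seen[key] = now
        if last is not None and now - last <= self.window:
            return "duplicate"
        return "new"
```

A second identical Access-Request within the window is what the AM/IDR side has to treat with suspicion, which is why the OpenVPN client is the safer choice here.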
