Two Factor Authentication in SonicOS
Notes, Cautions, and Warnings

NOTE: A NOTE indicates important information that helps you make better use of your system.

CAUTION: A CAUTION indicates potential damage to hardware or loss of data if instructions are not followed.

WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

© 2014 Dell Inc.


Trademarks: Dell™, the DELL logo, SonicWALL™, and all other SonicWALL product and service names and
slogans are trademarks of Dell Inc.

Other product and company names mentioned herein may be trademarks and/or registered trademarks of
their respective companies and are the sole property of their respective manufacturers.

2014 – 02 P/N 232-002403-00 Rev A


Two Factor Authentication in SonicOS

Document Scope
This document describes how to configure Two Factor Authentication on a Dell SonicWALL
network security appliance running SonicOS 5.9 or SonicOS 6.2.
This document contains the following sections:
• “Feature Overview”
• “Configuring Two Factor Authentication in SonicOS”

Feature Overview
This section provides an introduction to Two Factor Authentication in SonicOS. This section
contains the following subsections:
• “What is Two Factor Authentication?”
• “How does Two Factor Authentication Work?”
• “Benefits”
• “Supported Platforms”

What is Two Factor Authentication?

Two Factor Authentication is a process involving two stages to verify the identity of an
administrator or user who is attempting to log directly into SonicOS.
In SonicOS, two factor authentication includes:
• Client Certificate Check—which requires the use of a Common Access Card (CAC) and
a card reader to authenticate the user’s identity. The certificate stored on the card is
presented to the firewall when the HTTPS management session is established. A CAC is
a United States Department of Defense smart card used by personnel who require highly
secure access over the Internet.
• User Login Authentication—which displays a standard login screen where the user
enters their username and password.


How does Two Factor Authentication Work?
Two Factor Authentication requires a user to log in using two steps. First, the user must be
verified by a Client Certificate Check which requires the user to use a Common Access Card
(CAC) in a card reader. Second, the user must log in by typing their username and password
at the login prompt.
The Dell SonicWALL security appliance can be managed using HTTP or HTTPS in a Web
browser. In SonicOS, HTTP management is disabled by default, and HTTPS is the preferred
method for logging into the SonicOS management interface. You must use HTTPS to use the
Client Certificate Check option, because the client certificate is exchanged during the
TLS handshake of the management session.

Note CACs work with Microsoft Internet Explorer, but may not work with other browsers.

Note Using a CAC requires an external card reader that is connected on a USB port.

Note You must have administrator privileges to set up Two Factor Authentication on a Dell
SonicWALL network security appliance.

Benefits
Two Factor Authentication provides increased security by requiring two different methods of
authentication before a user can log into the Dell SonicWALL network security appliance.

Supported Platforms
Two Factor Authentication is supported on Dell SonicWALL network security appliances
running SonicOS 5.9 or SonicOS 6.2.

Configuring Two Factor Authentication in SonicOS
To configure Two Factor Authentication in SonicOS:

Step 1 Go to the System > Administration page.

Step 2 Scroll down to the Web Management Settings panel.

Step 3 Type the port number that you want into the HTTPS Port box.
The default port for HTTPS management is 443. Changing it reduces the appliance's exposure
to scans and login attempts aimed at the default port, but it is not an authentication
control; the client certificate and username/password checks remain the actual safeguards.
Step 4 Select the Enable Client Certificate Check box. 
The Enable Client Certificate Check box allows you to enable or disable client certificate
checking and CAC support on the firewall.
Step 5 From the Client Certificate Issuer drop-down list, select the Certification Authority
(CA) that issued the client certificates on your users' CACs.
The Client Certificate Issuer drop-down menu lists the CA certificates known to the firewall.
If the CA you need is not in the list, import its certificate (see System > Certificates) and
it will appear in the list. Selecting the wrong issuer causes every client certificate check
to fail.
Step 6 To enable or disable OCSP checking for the client certificate, select the Enable OCSP
Checking box.
The Enable OCSP Checking box allows you to enable or disable the Online Certificate Status
Protocol (OCSP) verification for the client certificate to verify that the certificate is still valid and
has not been revoked.
Step 7 In the OCSP Responder URL field, enter the URL of the server that will verify the status of the
certificate. The URL should point to the Common Gateway Interface (CGI) on the server side,
which processes the OCSP verification. For example: http://10.103.63.251/ocsp
The firewall itself, not the browser, must be able to reach this URL; if it cannot, the check
fails and users are locked out until OCSP checking is disabled.


When you use the Client Certificate Check with a CAC, the card's middleware makes the
client certificate on the card available to the browser. When you begin a management session
through HTTPS, the browser displays a certificate selection window asking you to confirm
which certificate to present.

Step 8 Click OK.


Step 9 At the prompt, enter your personal identification number (PIN), which protects the information
stored on the CAC.

Note Entering the wrong PIN causes the login to fail. When the retry count reaches the card's
limit (3 attempts), the CAC locks, and no further login attempts with that card are possible
until it is unlocked.

After you confirm the certificate, the firewall checks the Client Certificate Issuer to verify that
the certificate is valid and has been signed by the CA. If it is verified, the user login page is
displayed.


Step 10 Enter your user name and password in the Username and Password fields respectively.
A window is displayed informing you that access to the firewall and your privileged services
has been granted.


If the firewall cannot confirm that the certificate is signed by the selected CA, the HTTPS
connection is not completed and the browser displays a standard connection failed message,
such as:
.....cannot display web page!
If OCSP is enabled, the browser performs an OCSP verification and displays the following
message while it is checking.
Client Certificate OCSP Checking.....
If the OCSP verification succeeds, the login page is displayed. If the OCSP verification fails,
the following message is displayed:
OCSP Checking fail! Please contact system administrator!
When using the client certificate feature, these situations can lock the user out of the firewall:
• The Enable Client Certificate Check option is selected, but no certificate has been
imported.
• The Enable Client Certificate Check option is selected and a certificate is installed on the
browser, but either no Client Certificate Issuer is selected or the wrong Client Certificate
Issuer is selected.
• The Enable OCSP Checking option is selected, but either the OCSP server is not available
or a network problem is preventing the firewall from accessing the OCSP server.

To restore access to a user who is locked out, use the following commands from the SonicOS
command line interface (reached through the console port or SSH, which are not subject to the
web client certificate check):
• web-management client-cert disable
• web-management ocsp disable
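The issuer and OCSP checks described above, and the lockout conditions, can be rehearsed without a firewall or a CAC. The following shell script is an added example, not part of the Dell document or of SonicOS: it builds a throwaway CA with the openssl command-line tool, issues a valid, a revoked, an unlisted and a wrongly-issued certificate, answers OCSP requests from a local index file standing in for the OCSP Responder URL, and decides for each certificate what the firewall would do before showing the login page. All names, serial numbers and dates are made up; the index file uses OpenSSL's own `ca` database format.

```bash
#!/usr/bin/env bash
# Added example, not from the SonicOS document: a throwaway PKI that rehearses,
# offline and with the openssl command-line tool only, the two checks the
# firewall applies to a CAC certificate before it shows the login page:
#   1. Client Certificate Issuer  - was the certificate signed by the selected CA?
#   2. OCSP Checking              - does the CA's responder say it is not revoked?
# Every name, serial number and date below is made up for the demonstration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CA="$WORK/ca.crt"         # the CA you would select as Client Certificate Issuer
INDEX="$WORK/index.txt"   # the responder's certificate database

issue_cert() {  # issue_cert <name> <issuer-cert> <issuer-key> <serial>
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$2" -CAkey "$3" -set_serial "$4" \
    -sha256 -days 30 -out "$WORK/$1.crt" >/dev/null 2>&1
}

serial_of() {  # hex serial exactly as an OpenSSL index file records it
  openssl x509 -in "$WORK/$1.crt" -noout -serial | cut -d= -f2
}

make_pki() {
  # Minimal config so openssl req does not depend on a system openssl.cnf.
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\n' > "$WORK/req.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign,digitalSignature\n' >> "$WORK/req.cnf"
  for name in ca other; do   # "other" is an unrelated CA (the wrong-issuer case)
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 -days 30 \
      -subj "/CN=$name" -keyout "$WORK/$name.key" -out "$WORK/$name.crt" >/dev/null 2>&1
  done
  issue_cert alice   "$CA" "$WORK/ca.key" 0x1001                 # valid, recorded as V
  issue_cert bob     "$CA" "$WORK/ca.key" 0x1002                 # revoked, recorded as R
  issue_cert carol   "$CA" "$WORK/ca.key" 0x1003                 # issued but absent from the index
  issue_cert mallory "$WORK/other.crt" "$WORK/other.key" 0x2001  # signed by the wrong CA
  # openssl "ca" database columns: status, expiry, revocation time, serial, file, subject
  {
    printf 'V\t991231235959Z\t\t%s\tunknown\t/CN=alice\n' "$(serial_of alice)"
    printf 'R\t991231235959Z\t240101000000Z\t%s\tunknown\t/CN=bob\n' "$(serial_of bob)"
  } > "$INDEX"
  printf 'unique_subject = no\n' > "$INDEX.attr"
}

issuer_check() {  # <cert> -> trusted | not-trusted
  if openssl verify -CAfile "$CA" "$1" >/dev/null 2>&1; then echo trusted; else echo not-trusted; fi
}

ocsp_check() {  # <cert> [index] -> good | revoked | unknown | ocsp-error
  local idx="${2:-$INDEX}" req="$WORK/req.der" resp="$WORK/resp.der" out
  # Client side: the request the firewall would POST to the OCSP Responder URL.
  openssl ocsp -issuer "$CA" -cert "$1" -no_nonce -reqout "$req" >/dev/null 2>&1
  # Responder side: answer from the database, signing as the CA (no network involved).
  if ! openssl ocsp -index "$idx" -CA "$CA" -rsigner "$CA" -rkey "$WORK/ca.key" \
       -reqin "$req" -respout "$resp" >/dev/null 2>&1; then
    echo ocsp-error; return 0   # the "OCSP server is not available" lockout case
  fi
  # Client side again: check the response signature, then read the status word.
  out="$(openssl ocsp -issuer "$CA" -cert "$1" -no_nonce -respin "$resp" -CAfile "$CA" 2>&1 || true)"
  case "$out" in
    *"Response verify OK"*) printf '%s\n' "$out" | awk '!done && /: (good|revoked|unknown)$/ { print $NF; done=1 }' ;;
    *) echo ocsp-error ;;
  esac
}

client_cert_check() {  # <cert> [index] -> the firewall's decision for this certificate
  [ "$(issuer_check "$1")" = trusted ] || { echo reject-issuer; return 0; }
  case "$(ocsp_check "$1" "${2:-$INDEX}")" in
    good)    echo accept ;;           # the username/password page is shown next
    revoked) echo reject-revoked ;;
    unknown) echo reject-unknown ;;
    *)       echo reject-ocsp-error ;;
  esac
}

make_pki
for who in alice bob carol mallory; do
  printf '%-8s %s\n' "$who" "$(client_cert_check "$WORK/$who.crt")"
done
printf '%-8s %s\n' "alice" "$(client_cert_check "$WORK/alice.crt" "$WORK/missing-index")"  # responder down
```

Run it as-is; it prints one line per certificate (accept, reject-revoked, reject-unknown, reject-issuer) and a final line showing reject-ocsp-error when the responder cannot be reached, which is the condition that locks administrators out and that `web-management ocsp disable` clears. Note that a certificate the CA issued but never recorded in its database (carol) comes back "unknown", not "good", so a responder database that lags behind issuance locks users out just as a revoked card does.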

Note You must have administrator privileges to use the Command Line Interface (CLI) for
SonicOS.

For more information on Certificates, refer to the System > Certificates chapter of any of the
following documents:
• SonicOS 5.9 Administrator’s Guide
• SonicOS 6.2 Administrator’s Guide

The System > Certificates chapter includes information about:
• Importing Certificates
• Deleting Certificates
• Generating a Certificate Signing Request

The Generating a Certificate Signing Request section includes information about how the
RSA algorithm is used with certificates in SonicOS.
