SMS2 3 – Installing SMS2

This section of the documentation provides the steps to install SMS2 on to the same servers as the Radius Servers built for this set of articles.

Pre-Requisites

In order to install the SMS2 software the following prereqiusites must be met :-

• .NET Framework 4.0 is installed on the servers
• A Service Account has been created on the Domain
• A blank SQL Database and an SQL User configured to allow access to the blank database

Installing The Software

Once you have registered and downloaded the SMS2 software perform the following steps to install it :-

• Logon to the Server as an Administrative Account on the Domain
• Execute the SMS2 installation MSI package
• At the Welcome Screen click on Next to continue
• When prompted, select a Custom Install and then click on Next to continue
• Expand the components list and if not already selected, select all three options AuthEngine, CloudSMS, and OATHCalc under Services
• Under Clients select IAS Radius Client and then click on Next to continue
• If necessary, change the Installation Directory by clicking on theBrowse button and then click on Next to continue

Configuring The AuthEngine

As part of the software installation there is some minimal configuration required for the AuthEngine, CloudSMS, and OATHCalc components.  To configure the AuthEngine component perform the following steps :-

• When prompted to configure the AuthEngine, CloudSMS, and OATHCalc click on the AuthEngine button
• When prompted, paste in your license key and then click on the Check License button.
• Once the license has been verified click on OK to close the License Expiry dialog box and then click on Next to continue
• Under the Network Bindings section change the AuthEngine Address to the IP Address of your Server
• Under the Active Directory section change the AD/LDAP Server to the IP Address of your Domain Controller
• Set the AD/LDAP Query Account to the Service Account created on the Domain
• Set the AD/LDAP Password to the required password of the Service Account created on the Domain
• Under the Domain Options section change the Default Domain Name to the FQDN of the Domain
• Click on the Test AD/LDAP Config button and then click on OK to close the Test Results dialog box

o    If your AD/LDAP configuration is correct then you should see a message saying Test querying AD/LDAP server successful

o    If you do not see this message re-check your AD/LDAP configuration and try again

• Click on Next to continue and move on to the SQL Configuration
• When prompted, change the SQL Server Address to the IP Address of your SQL Server
• Change the SQL Username to the SQL User created to access the database
• Change the SQL Password to the Password set for the SQL User created to access the database
• Change the Database Name to the name of the Blank Database created
• Click on the Test Connection button and then click on OK to close theTest Results dialog box

o    If your SQL configuration is correct then you should see a message saying Test SQL connection successful

o    If you do not see this message re-check your SQL configuration and try again

• Click on Next to continue and move on to the Email Configuration
• When prompted, click on the Finish button to complete theAuthEngine configuration

Once you’ve completed the AuthEngine configuration you will return theWrightCCS Configuration Screen and the message next to theConfigure AuthEngine button will change to OK.

N.B. Email was not tested as part of this set of articles

Configuring CloudSMS

The next part is to configure CloudSMS by performing the following steps :-

• On the WrightCCS Configuration Screen click on the Configure CloudSMS button
• On the CloudSMS Module Parameters screen click on Finish

Once you’ve completed the CloudSMS configuration you will return the WrightCCS Configuration Screen and the message next to the Configure CloudSMS button will change to OK.

N.B. CloudSMS was not tested as part of this set of articles

Configuring OATHCalc

The next part is to configure OATHCalc by performing the following steps :-

• On the WrightCCS Configuration Screen click on the Configure OATHCalc button
• On the OATHCalc Configuration Screen click on Finish

Once you’ve completed the OATHCalc configuration you will return the WrightCCS Configuration Screen and the message next to the Configure OATHCalc button will change to OK.

Completing The Software

Once you have configured the AuthEngine, CloudSMS, and OATHCalc components and they are all listed as OK on the WrightCCS Configuration screen perform the following steps to complete the installation :-

• Click on Next
• At the Ready to install screen click on the Install button

SMS2 will now be installed

• Once the installation has completed click on the Finish button

SMS2 is now installed and to complete this section perform the steps in this article on the second RADIUS Server.

SMS2 2 – Preparing SQL And Creating The Database

Preparing SQL And Creating The Database

The section of the documentation provides the steps required to prepare SQL and create the SMS2 Database.

At the time of writing this article and the version of SMS2 installed, it was necessary to use an SQL Account rather than a Windows Account.

Configuring SQL For Mixed Mode Authentication

The first step is to configure SQL for Mixed Mode Authentication by performing the following steps :-

• Logon to the SQL Server as an Administrative Account on the Domain
• Open the SQL Server Management Studio and connect to theDatabase Engine as an Administrative Account
• Right Click on the Server Name and select Properties
• Click on the Security branch
• Under the Server authentication section select SQL Server and Windows Authentication mode
• Click on OK to close the Server Properties
• Restart the SQL Server Service to apply the change

Creating The Database

The next step is to create a new blank database for the SMS2 installation by performing the following steps :-

• Right Click on the Databases branch in the Left Hand Pane and select New Database
• When prompted, enter the Database name required

E.G. SMS2_DB

• Set any other options you require and then click on OK to create the database

Creating The SQL Logon For SMS2

The last step is to create a new SQL Logon for the SMS2 implementation by performing the following steps :-

• In the SQL Server Management Console expand the Security branch in the Left Hand Pane
• Right Click on the Logins option and select New Login
• When prompted, enter the Login name required

E.G. sql_sms2user

• Set the Default database to the SMS2 Database
• Click on the User Mapping option in the Left Hand Pane
• Locate the SMS2 Database and grant the new user db_owner Role Membership
• Click on OK to create the new user

SMS2 1 – Building The Radius Servers

This section of the documentation provides the steps required to build and configure the two Radius Servers used for this article.

The Radius Servers used for this environment were built using the Network Policy Server Role available as part of a Windows 2008 R2 Standard Edition Server installation.

The following subsections provide the steps which were performed on both Radius Servers used in this set of articles.

Installing The Network Policy and Access Services Role

The first step is to install the Network Policy and Access Control Role by performing the following steps :-

• Logon to the server as an Administrative Account in the Domain
• Open the Server Manager and then click on Roles in the Left Hand Pane
• Click on the Add Roles button on the Right Hand Side
• When prompted, select the Network Policy and Access Services Role and then click on Next to continue
• When prompted, select the Network Policy Server Role Service only and then click on Next to continue
• When prompted, click on Install to install the new Role
• Once completed, click on Finish and then close the Server Manager console

Configuring The Network Policy Server

The next step is to configure the Network Policy by performing the following steps :-

• Open the Network Policy Server console
• Expand the Policies branch in the Left Hand Pane
• Click on the Network Policies section and then Double Click on theConnections to other access servers policy
• Change the Access Permission to Grant access. Grant access if the connection request matches this policy
• Click on Apply and then OK to enable the policy

Configuring The Radius Clients

The next step is to configure the two Citrix NetScalers in the HA Pair as Radius Clients by performing the following steps :-

• Expand the RADIUS Clients and Servers branch in the Left Hand Pane
• Right Click on the RADIUS Clients section and select New
• When prompted, provide a Friendly Name for the Radius Client

E.G. NSVPX01

• Configure the Address (IP or DNS) option as the NetScaler NSIP IP Address
• Set a Manual Shared Secret and confirm this in the Confirm shared secret option
• Click on OK to add the new Radius Client.

Perform the steps above to add the second Citrix NetScaler as a Radius Client remembering to use it’s NSIP IP Address.

In order to build the second Radius Server in the solution perform the steps above in all three subsections.

SMS2 – Introduction

SMS2 is a free product which uses the Google Authenticator to provide Two Factor Authentication and is predominately aimed at Citrix NetScalers.

The following pages provide the steps required to implement a Fault Tolerant Two Factor Authentication solution for a HA Pair of Citrix NetScalers and can be broken down in to the following sections which are explained further in the subsequent pages of this article :-

1. Building The Radius Servers
2. Preparing SQL And Creating The Database
3. Installing SMS2
4. Configuring Citrix NetScaler Radius Load Balancing
5. Creating A Test User

Test Environment

The test environment for this article consisted of the following :-

• W2K8DOM01 – Domain Controller
• W2K8SQL01 – SQL Server
• W2K8RAD01 – Radius Server
• W2K8RAD02 – Radius Server
• NSVPX01 – Citrix NetScaler (HA Pair Primary)
• NSVPX02 – Citrix NetScaler (HA Pair Secondary)
• W2K8Domain.Local – Windows 2012 Active Directory Domain

The Windows Servers used in this article were all built with the GUI installed and patched to the latest levels at the time of writing this article.

Disabling Radius Challenge / Response

This article provides the steps required to disable Radius Challenge / Response on the WrightCCS SMS2 software.

The latest version of the SMS2 software available at the time of writing this was Version 20130515 which appears to be configured to perform Challenge / Response as defailt.

To disable this and allow users to enter their PIN and Token Codes together perform the following steps :-

• Logon to the SMS2 server as an Administrative account
• Navigate to the SMS2 Settings C:\Program Files\WrightCCS\Settings folder in Windows Explorer
• Edit the settings file Configuration.xml 
• Search the file for the line below:-

<AuthEngineChallengeResponse>True</AuthEngineChallengeResponse>

• Modify the line above and change it from False to True as shown below :-

<AuthEngineChallengeResponse>False</AuthEngineChallengeResponse>

• Save and Exit the file
• Restart the Wright AuthEngine Service

SMS2 – Building A Fault Tolerant Environment

• SMS2 – Introduction
• SMS2 1 – Building The Radius Servers
• SMS2 2 – Preparing SQL And Creating The Database
• SMS2 3 – Installing SMS2
• SMS2 4 – Configuring Citrix NetScaler Radius Load Balancing

SMS2 Technical Documentation

• SMS2 – Building A Fault Tolerant Environment
• SMS2 – Disabling Radius Challenge / Response