Authentication Workshop
Authentication V1.0
Blue Coat ® and the Blue Coat logo are trademarks of Blue Coat Systems, Inc., and may be registered
in certain jurisdictions. All other product or service names are the property of their respective owners.
Authentication, Authorization, Accounting
Authentication
Authorization
• Device administrators
– Two profiles available today:
• Read only
• Read/write
– Reporting
– Exceptions tuning
Authentication Modes
HTTP RFC
• Two HTTP challenges (challenge modes) are available:
– 401 Unauthorized with a WWW-Authenticate header: the origin server (or a proxy acting as one) asks for authentication on a resource
– 407 Proxy Authentication Required with a Proxy-Authenticate header: the proxy itself asks for authentication
Blue Coat Terminology
Proxy Authentication
Server Authentication
• 401 Unauthorized
– The request requires user authentication; the response MUST include a WWW-Authenticate header field (RFC 2616)
– Used for web server (origin) authentication
– The user agent caches the credentials separately per resource (protection space), not once for the proxy
• In this mode the proxy cannot challenge as a proxy
– The user agent does not know a proxy is in the path, so HTTP 407 challenges are ignored; the proxy has to challenge as if it were the origin server
• Cache authentication information: surrogate
– A surrogate credential (client IP address or cookie) avoids challenging the user agent again for every resource
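The decision described above, as an added example (not ProxySG code): an explicit proxy challenges with 407/Proxy-Authenticate, a proxy that must behave like the origin challenges with 401/WWW-Authenticate, and a valid surrogate credential (here a MAC-protected cookie) is accepted without a new challenge. Basic is used only because it is the simplest scheme to show; the cookie name, the key and the credential table are constructed for the example.

```python
"""Challenge and surrogate decision of an authenticating proxy, simulated."""
import base64
import hashlib
import hmac
import secrets

SURROGATE_COOKIE = "BCSI-EXAMPLE"          # hypothetical cookie name
_SURROGATE_KEY = secrets.token_bytes(32)   # per-process key for the cookie MAC
CREDENTIALS = {"alice": "s3cret"}          # constructed user database


def basic_header(user: str, password: str) -> str:
    """Value a user agent sends in (Proxy-)Authorization for Basic."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def _surrogate_for(user: str) -> str:
    mac = hmac.new(_SURROGATE_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{mac}"


def _user_from_surrogate(value: str):
    """Return the user named by a surrogate cookie, or None if the MAC is wrong."""
    user, _, mac = value.rpartition(".")
    expected = hmac.new(_SURROGATE_KEY, user.encode(), hashlib.sha256).hexdigest()
    return user if user and hmac.compare_digest(mac, expected) else None


def _check_basic(header_value):
    """Verify a Basic credential; None on absent, malformed or wrong credentials."""
    if not header_value or not header_value.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header_value[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    stored = CREDENTIALS.get(user)
    if stored is not None and hmac.compare_digest(password.encode(), stored.encode()):
        return user
    return None


def handle_request(headers: dict, transparent: bool = False):
    """Return (status, response_headers, authenticated_user).

    transparent=False: explicit proxy, challenges with 407 / Proxy-Authenticate.
    transparent=True : the proxy intercepts and must challenge like an origin
                       server, 401 / WWW-Authenticate (a 407 would be ignored).
    """
    # 1. A valid surrogate cookie: accept without challenging again.
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == SURROGATE_COOKIE:
            user = _user_from_surrogate(value)
            if user:
                return 200, {}, user
    # 2. Credentials must arrive in the header matching the challenge type.
    cred_header = "Authorization" if transparent else "Proxy-Authorization"
    user = _check_basic(headers.get(cred_header))
    if user:
        set_cookie = f"{SURROGATE_COOKIE}={_surrogate_for(user)}; HttpOnly"
        return 200, {"Set-Cookie": set_cookie}, user
    # 3. Otherwise challenge.
    if transparent:
        return 401, {"WWW-Authenticate": 'Basic realm="proxy"'}, None
    return 407, {"Proxy-Authenticate": 'Basic realm="proxy"'}, None
```

Note the last step of the flow: an explicit proxy ignores an Authorization header, because that header is addressed to the origin server, which is exactly why the challenge type and the deployment mode have to match.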
Surrogate
Authentication modes best practice
• Modes using a cookie surrogate: origin-cookie, origin-cookie-redirect, form-cookie, form-cookie-redirect
How to set up?
Specific modes
Downgrade rules
The tricky part: origin-cookie-redirect
How to set up?
Virtual URL
Origin Cookie Redirect: phase 1
Origin Cookie Redirect: phase 2 (on a different domain)
Origin Cookie Redirect: phase 3 (on the same domain)
Origin Redirect for explicit proxy
• Why?
– Certificate realm (needs an origin-style challenge over HTTPS)
– SiteMinder
– Secure credential transport (HTTPS virtual URL)
• Why not?
– Does not work with the CONNECT method (explicit HTTPS requests)
– Does not work with applets, bots, non-browser apps …
– Does not work, or only partially, with the POST method
– The virtual URL must be excluded from the browser's proxy configuration
Authentication Cache
• Configuration screenshot
• Three caches:
– credential
– surrogate
– authorization
Credential cache
Surrogate Cache
Authorization Cache
Form-specific information
Authentication Realms
IWA
IWA
• Stands for Integrated Windows Authentication
• Leverages the existing Microsoft SSO features
• Three challenge types are available: Basic, NTLM, Negotiate (Kerberos)
• Basic is the fallback for non-Windows clients (the password is only base64-encoded, so it is clear text unless the connection is HTTPS)
• ProxySG is not part of the Windows architecture!
• An agent is used to relay the authentication challenges:
– BCAAA: Blue Coat Authentication and Authorization Agent
– Can be installed on a Windows machine or on Solaris (SGOS 4.x)
– Using an agent follows Microsoft's advice:
Microsoft SSPI:
“The Microsoft® Security Support Provider Interface (SSPI) is the well-defined common API for obtaining
integrated security services for authentication, message integrity, message privacy, and security quality of
service for any distributed application protocol. Application protocol designers can take advantage of this
interface to obtain different security services without modification to the protocol itself.”
“Microsoft encourages all Win32 application developers to use the integrated security features of SSPI for
secure distributed application development.”
Microsoft White Paper, The Security Support Provider Interface.
IWA: NTLM
• No specific user rights are required for the account running the agent process
• NTLM is a per-session (per-connection) authentication mechanism
• No credential cache is possible: the proxy never sees the password, only the challenge/response messages
• NTLM is a three-way exchange (Type 1 negotiate, Type 2 challenge, Type 3 authenticate), so use a surrogate to avoid repeating it
• General architecture (diagram): request without authentication, then authentication challenge, then the NTLM exchange relayed through BCAAA
IWA : Kerberos
IWA troubleshooting
• Good luck …
• Try browsing via VPM
• Check the user rights of the BCAAA service (see documentation)
• When using transparent authentication modes (for NTLM, or by default with Kerberos):
– By default the web browser only answers SSO challenges for intranet URLs
– Intranet URLs are:
• Non-FQDN URLs (e.g. http://intranet)
• IP addresses
• URLs in the Local intranet zone of the IE options
– This behaviour can be changed for IE in the Internet Options security tab
– In Firefox it is changed in about:config (network.automatic-ntlm-auth.trusted-uris and network.negotiate-auth.trusted-uris)
• Advanced logs for BCAAA:
– [Debug] DebugLevel=0xffffffff
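When IWA misbehaves, the first thing to establish is what the user agent actually sent back after the challenge: nothing (the URL was not treated as intranet), an NTLM message (and which of the three), or a Kerberos/SPNEGO token inside Negotiate. The helper below is an added example for that triage, not Blue Coat tooling: the NTLM message type sits at offset 8 of the blob that starts with the "NTLMSSP" signature and a NUL byte, and a GSS-API/SPNEGO token starts with the ASN.1 application tag 0x60. The sample tokens are constructed, not captured from a real exchange.

```python
"""Classify the token in an IWA authentication header (Proxy-Authorization,
Authorization, Proxy-Authenticate or WWW-Authenticate)."""
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPES = {
    1: "NTLM Type 1 (Negotiate)",
    2: "NTLM Type 2 (Challenge)",
    3: "NTLM Type 3 (Authenticate)",
}
SPNEGO_OID = b"\x06\x06\x2b\x06\x01\x05\x05\x02"  # OID 1.3.6.1.5.5.2 (SPNEGO)


def ntlm_token_b64(msg_type: int) -> str:
    """Constructed minimal NTLM blob: signature, message type, flags, zeroed rest."""
    blob = NTLM_SIGNATURE + struct.pack("<II", msg_type, 0xE2088297) + b"\x00" * 16
    return base64.b64encode(blob).decode()


# Constructed GSS-API InitialContextToken header: tag 0x60, length, SPNEGO OID.
SAMPLE_SPNEGO_B64 = base64.b64encode(b"\x60\x08" + SPNEGO_OID).decode()


def classify_token(header_value: str) -> str:
    """Describe the scheme and token of one authentication header value."""
    scheme, _, token = header_value.strip().partition(" ")
    scheme = scheme.lower()
    token = token.strip()
    if scheme == "basic":
        return "Basic (clear-text fallback, credentials exposed to the proxy)"
    if not token:
        # A bare "NTLM" / "Negotiate" is the server's initial challenge; from a
        # client it means the browser did not engage SSO at all.
        return f"{scheme}: bare challenge, no token"
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return f"{scheme}: token is not valid base64"
    if raw.startswith(NTLM_SIGNATURE) and len(raw) >= 12:
        (msg_type,) = struct.unpack_from("<I", raw, 8)
        kind = NTLM_TYPES.get(msg_type, f"NTLM unknown message type {msg_type}")
        if scheme == "negotiate":
            return kind + " inside Negotiate (no Kerberos ticket was used)"
        return kind
    if scheme == "negotiate" and raw[:1] == b"\x60":
        return "SPNEGO/Kerberos InitialContextToken"
    if scheme == "negotiate" and raw[:1] == b"\xa1":
        return "SPNEGO NegTokenResp (server-side reply)"
    return f"{scheme}: unrecognised token"
```

NTLM arriving inside Negotiate is the classic symptom of a missing or wrong SPN: the client wanted Kerberos, could not get a ticket and fell back, which still works but costs the three-way exchange on every new connection.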
IWA : NTLM & Kerberos caveats
Authentication Realms
Windows SSO
Windows SSO
Windows SSO : version’s specific
Windows SSO: How it Works
Domain Controller Querying
Domain Controller Querying II
Client Querying
Client Querying II
Authorization
Gotcha’s
Authentication Realms
LDAP
LDAP
LDAP SGOS 4
LDAP SGOS 5
How to set up?
• In Authentication / LDAP Realm:
– LDAP version
– LDAP server type (AD, Novell, Sun, other)
– Server IP address
– LDAP base DN
– LDAP search user (the bind account used for lookups)
– LDAP user attribute (e.g. sAMAccountName for AD, uid for most other directories)
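The user attribute and the name typed by the user both end up inside an LDAP search filter, and the filter metacharacters `*`, `(`, `)`, `\` and NUL must be escaped per RFC 4515 or a user name such as `*)(uid=*` turns the lookup into a wildcard match. The following is an added example of building that filter safely; it is not ProxySG code. The attribute-name check and the optional objectClass clause are my additions for illustration.

```python
"""Build the LDAP user-lookup filter with RFC 4515 escaping."""
import re

_FILTER_ESCAPES = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}
# Attribute names come from configuration, not from the user, but they are
# still validated so that a typo cannot change the filter's structure.
_ATTRIBUTE_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_ldap_filter_value(value: str) -> str:
    """Escape an assertion value; non-ASCII is emitted as hex-escaped UTF-8."""
    out = []
    for ch in value:
        if ch in _FILTER_ESCAPES:
            out.append(_FILTER_ESCAPES[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            out.extend(r"\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def is_valid_attribute_name(name: str) -> bool:
    return bool(_ATTRIBUTE_NAME.match(name))


def user_search_filter(user_attribute: str, username: str, object_class=None) -> str:
    """Filter that matches exactly one user, e.g. (sAMAccountName=alice)."""
    if not is_valid_attribute_name(user_attribute):
        raise ValueError(f"bad attribute name: {user_attribute!r}")
    user_clause = f"({user_attribute}={escape_ldap_filter_value(username)})"
    if object_class is None:
        return user_clause
    return f"(&(objectClass={escape_ldap_filter_value(object_class)}){user_clause})"
```

A lookup that returns more than one entry for a supposedly unique attribute should be treated as a failed authentication, not resolved by taking the first result.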
Known LDAP limitations
Authentication Realms
Novell SSO
Novell SSO
Novell SSO: eDirectory Login
Novell SSO: Realm
• Authentication:
– BCAAA makes LDAP queries to the eDirectory server to map client IP addresses to user FDNs (eDirectory fully distinguished names)
– When a user makes a request to the SG, the SG queries BCAAA for the user identity corresponding to the client IP address
• Authorization:
– The Novell SSO realm uses BCAAA to query the eDirectory server via LDAP
– An LDAP realm is referenced by the Novell SSO realm for the eDirectory LDAP configuration
– Authorization can be performed against the eDirectory server or against a separate authorization server
Novell SSO: BCAAA
Novell SSO: BCAAA Details
Novell SSO: Server Relationships
• Diagram: Users → ProxySG → BCAAA → eDirectory server; the LDAP realm is used for the search and monitor queries
Novell SSO: LDAP Realms Relationship
How to set up?
Authentication Realms
Radius
Radius
• Rarely used
• No specific configuration
• Mainly used for administrator authentication
• Can support OTP (One Time Password)
– Secure Computing SafeWord, RSA SecurID
– Only HTTP is supported
– Use form authentication modes (the browser would otherwise resend a cached one-time password that is no longer valid)
• No native group support
– Use the vendor-specific attribute Blue-Coat-Group instead
– Blue Coat Vendor-Id: 14501, vendor type: 1
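Because RADIUS has no native group attribute, the group name travels in a Vendor-Specific Attribute (RFC 2865 type 26) with the Blue Coat Vendor-Id 14501 and vendor type 1. The encoder and decoder below are an added example of that wire format, not Blue Coat code; the layout follows RFC 2865 section 5.26 (vendor-type and vendor-length sub-format). The attribute list in the test is constructed, not captured.

```python
"""Encode and decode the Blue-Coat-Group RADIUS vendor-specific attribute."""
import struct

ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
BLUE_COAT_VENDOR_ID = 14501
BLUE_COAT_GROUP_TYPE = 1


def encode_blue_coat_group(group: str) -> bytes:
    """Type(26) Length Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) value."""
    value = group.encode("utf-8")
    # The attribute length field is one byte: 2 + 4 + 2 + len(value) <= 255.
    if not value or len(value) > 247:
        raise ValueError("group name must be 1..247 bytes")
    vendor_part = struct.pack("!IBB", BLUE_COAT_VENDOR_ID, BLUE_COAT_GROUP_TYPE,
                              2 + len(value)) + value
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(vendor_part)) + vendor_part


def encode_string_attribute(attr_type: int, text: str) -> bytes:
    """Plain Type Length Value attribute, e.g. User-Name."""
    value = text.encode("utf-8")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def iter_attributes(data: bytes):
    """Yield (type, value) from a RADIUS attribute list; stop at a bad length."""
    pos = 0
    while pos + 2 <= len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            break  # malformed or truncated attribute: do not guess
        yield attr_type, data[pos + 2:pos + length]
        pos += length


def blue_coat_groups(attributes: bytes) -> list:
    """Return every group name carried in Blue-Coat-Group VSAs, in order."""
    groups = []
    for attr_type, value in iter_attributes(attributes):
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor_id, vtype, vlen = struct.unpack_from("!IBB", value, 0)
        if vendor_id != BLUE_COAT_VENDOR_ID or vtype != BLUE_COAT_GROUP_TYPE:
            continue  # another vendor's VSA, or another Blue Coat sub-attribute
        if vlen < 2 or 4 + vlen > len(value):
            continue  # inconsistent vendor-length
        groups.append(value[6:4 + vlen].decode("utf-8", errors="replace"))
    return groups
```

The attribute is only as trustworthy as the RADIUS shared secret and the Response Authenticator that protect the Access-Accept; a forged reply carrying Blue-Coat-Group would grant group membership, so the secret must be strong and the server reachable only from the proxy.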
Authentication Realms
Local Authentication
Local Authentication
Local User List
How to set up
• Local user list
• Credentials cache
• Virtual URL (VU)
Authentication Realms
Certificate
Certificate Realm
Revocation List
Setup Certificate Realms
• How to set up:
– Origin-style challenge
– HTTPS virtual URL if a redirect mode is used
– HTTPS service with the verify-client attribute (the client certificate is requested in the TLS handshake)
– Create/install a server certificate
– Attach the correct server certificate to the service
– Create a Certificate realm
– Install the PKI root CA (used to validate the client certificates)
– Use an authorization realm if needed
Authentication Realms
Policy Substitution
Policy Substitution
• Four mechanisms to obtain the user name without challenging the client:
– NetBIOS
– RDNS (reverse DNS of the client IP)
– Header (a request header, e.g. inserted by an upstream proxy)
– Ident
How to set up?
• In Authentication / Policy Substitution Realm:
– Specify the policy substitution CPL code
• Diagram (chained proxies): Users → Level-1 ProxySG → WAN → Level-2 ProxySG → Internet. The level-1 proxy challenges the user for the username; the level-2 proxy obtains the username through a substitution realm and performs authorization.
Sequence realm
Sequence mechanisms
How to set up?
• Specify the realm list, in order:
– IWA first
– then LDAP
– then local
• Tolerate errors
Authentication Realms
Guest users
Guest users
• Useful to handle:
– Guest users
– Non-domain users
– Wi-Fi subnets
– Authentication server errors
• A user can be assigned as a guest
• A guest user can be assigned to a group
• The guest user name is customizable
– Ex: guest_$(c-ip)
How to set up?
• Create a VPM authentication layer
• Specify:
– Username
– Realm
Authentication Realms
Tolerate errors
Errors Handling
• SGOS 4:
– Any authentication or authorization error: deny
• SGOS 5:
– Deny by default
– Tolerated errors can be specified separately for:
• Authentication errors
• Authorization errors
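The sequence realm (IWA, then LDAP, then local) and the error-handling rules above combine into a small decision table, which this added example works through; it illustrates the semantics described on these slides, not Blue Coat's implementation. Each realm can accept, definitively reject, or fail with an error (agent down, server unreachable). Deny stays the default on error, and "tolerate errors" only changes the outcome when no realm could give an answer. Realms and group lookups are simulated with constructed tables.

```python
"""Sequence realm evaluation with tolerated authentication/authorization errors."""
from enum import Enum


class Outcome(Enum):
    OK = "ok"
    REJECT = "reject"   # realm reached, credentials not accepted
    ERROR = "error"     # realm could not answer


def make_realm(table: dict, down: bool = False):
    """Constructed realm backed by a user/password table, optionally unreachable."""
    def check(user, password):
        if down:
            return Outcome.ERROR
        return Outcome.OK if table.get(user) == password else Outcome.REJECT
    return check


def authenticate_sequence(realms, user, password, tolerate_authn_errors=False):
    """realms: ordered list of (name, check). First accepting realm wins."""
    rejected, errored = [], []
    for name, check in realms:
        outcome = check(user, password)
        if outcome is Outcome.OK:
            return {"decision": "allow", "realm": name, "errors": errored}
        (rejected if outcome is Outcome.REJECT else errored).append(name)
    if rejected:
        # A realm gave a definite answer: tolerating errors never overrides a reject.
        return {"decision": "deny", "realm": None,
                "reason": "rejected by " + ",".join(rejected), "errors": errored}
    if tolerate_authn_errors:
        # Every realm errored and errors are tolerated: the transaction proceeds
        # unauthenticated (this is where a guest user would be assigned).
        return {"decision": "allow", "realm": None,
                "reason": "authentication error tolerated, user unauthenticated",
                "errors": errored}
    return {"decision": "deny", "realm": None,
            "reason": "authentication error", "errors": errored}


def make_group_lookup(table: dict, down: bool = False):
    """Constructed authorization server: raises ConnectionError when down."""
    def lookup(user):
        if down:
            raise ConnectionError("authorization server unreachable")
        return table.get(user, [])
    return lookup


def authorize(user, group_lookup, tolerate_authz_errors=False):
    """Resolve groups; on error deny, unless authorization errors are tolerated."""
    try:
        groups = list(group_lookup(user))
    except ConnectionError:
        if tolerate_authz_errors:
            return {"decision": "allow", "groups": [],
                    "reason": "authorization error tolerated"}
        return {"decision": "deny", "groups": None, "reason": "authorization error"}
    return {"decision": "allow", "groups": groups}
```

Tolerating authorization errors is not free: the user proceeds with an empty group list, so policy rules that grant access by group fail closed, while rules that deny by group silently stop matching. Review the policy with that failure mode in mind before enabling it.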