Mac OS X Server 10.3: Offering SecurID authentication with VPN Server

  • Last Modified: September 09, 2008
  • Article: HT3111
  • Old Article: 107699

Summary

Mac OS X Server VPN service can offer SecurID authentication, but it cannot be set up from within the Server Admin application. Learn how to set it up here.

Products Affected

Mac OS X Server 10.3

Apple VPN service is part of a normal, default Mac OS X Server 10.3 installation. You can use Server Admin to configure standard VPN services, but Server Admin does not have an interface for choosing your authentication method. If you need to designate an authentication scheme other than the default (RSA Security's SecurID, for example), you will need to change the VPN configuration manually.

Setting up for SecurID

To configure RSA Security's SecurID authentication, you must first copy the sdconf.rec file from your SecurID server to a new directory on your Mac OS X Server named /var/ace.

There are several ways you could do this. These steps illustrate one method:

  1. At your server, open the Terminal (/Applications/Utilities/).
  2. Type: sudo mkdir /var/ace
  3. Press Return.
  4. Enter your administrator password, and press Return.
  5. Click the Finder icon in the Dock.
  6. From the Go menu, choose Go to Folder.
  7. Type: /var/ace
  8. Click Go.
  9. Copy the sdconf.rec file from your SecurID server into the "ace" folder.
  10. You will see a dialog indicating that the "ace" folder cannot be modified. Click the Authenticate button to allow the copy.

Second, you configure the VPN service on your Mac OS X Server to enable EAP-SecurID authentication for the protocols you want to use it with. To use it with PPTP, execute these two commands in Terminal:

# sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-RSA"
# sudo serveradmin settings vpn:Servers:com.apple.ppp.pptp:PPP:AuthenticatorProtocol:_array_index:0 = "EAP"

To use it with L2TP, execute these two commands in Terminal:

# sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorEAPPlugins:_array_index:0 = "EAP-RSA"
# sudo serveradmin settings vpn:Servers:com.apple.ppp.l2tp:PPP:AuthenticatorProtocol:_array_index:0 = "EAP"

This is all that is required to configure SecurID. The rest of the Mac OS X Server VPN service configuration can be done in the Server Admin application.

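The procedure above (create /var/ace, copy sdconf.rec, then run the serveradmin assignments for each protocol) can also be scripted. What follows is an added example, not Apple's code and not part of the article: it stages sdconf.rec, applies the same two settings for whichever of pptp and l2tp you name, and then reads the configuration back with serveradmin settings vpn to confirm the values took effect, which is the check you want before relying on SecurID for VPN logins. Assumptions of the example: serveradmin is on root's PATH (override SERVERADMIN to test off the server), serveradmin settings accepts assignments on standard input, and the 0700/0600 permissions on /var/ace and sdconf.rec are an added hardening choice that the article does not specify.

```shell
#!/bin/sh
# Added example, not Apple's script: stage sdconf.rec into /var/ace and apply the
# EAP-RSA settings from this article for one or more VPN protocols, then read the
# settings back to confirm they took effect.
set -u

# Command used to talk to the VPN service; override (e.g. with a stub) when testing
# off the server. Assumption: serveradmin is on the PATH when run as root.
SERVERADMIN=${SERVERADMIN:-serveradmin}

# Create the ACE directory and copy sdconf.rec into it. Restricting the directory to
# 0700 and the file to 0600 is an added hardening choice (the article only says to
# create /var/ace and copy the file); no ordinary local user needs to read it.
stage_sdconf() {  # stage_sdconf /path/to/sdconf.rec [/var/ace]
  src=$1; dir=${2:-/var/ace}
  [ -f "$src" ] || { echo "stage_sdconf: $src not found" >&2; return 1; }
  mkdir -p "$dir" && chmod 700 "$dir" || return 1
  cp "$src" "$dir/sdconf.rec" && chmod 600 "$dir/sdconf.rec"
}

# Key prefix for a protocol; the article uses com.apple.ppp.pptp and com.apple.ppp.l2tp.
vpn_key_prefix() {
  case $1 in
    pptp|l2tp) echo "vpn:Servers:com.apple.ppp.$1:PPP" ;;
    *) echo "vpn_key_prefix: unknown protocol '$1'" >&2; return 1 ;;
  esac
}

# Print the two assignments the article applies per protocol, one per line, in the
# same "key = value" form the article has you type after "sudo serveradmin settings".
securid_settings() {
  p=$(vpn_key_prefix "$1") || return 1
  printf '%s:AuthenticatorEAPPlugins:_array_index:0 = "EAP-RSA"\n' "$p"
  printf '%s:AuthenticatorProtocol:_array_index:0 = "EAP"\n' "$p"
}

# Apply the assignments for every protocol named on the command line (run as root).
# Assumption: serveradmin settings accepts assignments on standard input.
apply_securid() {
  for proto in "$@"; do
    vpn_key_prefix "$proto" >/dev/null || return 1
    securid_settings "$proto" | "$SERVERADMIN" settings || return 1
  done
}

# Read a dump of "serveradmin settings vpn" from standard input and return 0 only
# if both assignments for the protocol are present exactly as the article specifies.
verify_securid() {  # "$SERVERADMIN" settings vpn | verify_securid pptp
  want=$(securid_settings "$1") || return 1
  have=$(cat)
  missing=0
  while read -r line; do
    case $have in
      *"$line"*) ;;
      *) echo "verify_securid: not set: $line" >&2; missing=1 ;;
    esac
  done <<EOF
$want
EOF
  return $missing
}

# Usage on the server: sudo SECURID_SETUP=1 sh securid_setup.sh /path/to/sdconf.rec pptp l2tp
if [ "${SECURID_SETUP:-0}" = 1 ]; then
  src=$1; shift
  stage_sdconf "$src" || exit 1
  apply_securid "$@" || exit 1
  for proto in "$@"; do
    "$SERVERADMIN" settings vpn | verify_securid "$proto" || exit 1
  done
fi
```

Without SECURID_SETUP=1 the file only defines the functions, so it can be sourced and verify_securid reused on its own against a saved serveradmin settings vpn dump, for example as a periodic check that nobody has switched the authenticator back to the default.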

Managing VPN service

A. Starting or stopping VPN service

To start or stop VPN service:

  1. Open Server Admin.
  2. In the Computers & Services list, click the disclosure triangle next to the target server.
  3. Select VPN from that server's list of services.
  4. Be sure at least one of the transport protocols is selected and configured.
  5. Click Start Service or Stop Service, as applicable.

B. Enabling and Configuring the L2TP Transport Protocol

Next, use Server Admin to enable the L2TP transport protocol. When enabling this protocol, you must also configure the connection settings. You must designate these items:

  • An IPSec shared secret (if you do not use a certificate authority's security certificate)
  • The IP address allocation range to be assigned to your clients
  • Group to be allowed VPN privileges (if desired)

To enable L2TP, follow these steps:

  1. In Server Admin, choose the VPN Service from the Computers & Services list.
  2. Click Settings.
  3. Click the General tab.
  4. Click the checkbox labeled L2TP.
  5. Enter the shared secret.
  6. Set the beginning IP address of the allocation range.
  7. Set the ending IP address of the allocation range.
  8. Enter the group that has access to VPN login.

Note: You can use the Users & Groups button to browse for a group. If you leave this blank, all workgroups will have access to VPN login.

C. Enabling and Configuring the PPTP Transport Protocol

Next, use Server Admin to enable the PPTP transport protocol. When enabling this protocol, you must also configure the connection settings. You should also designate these items:

  • An encryption key length (40-bit is optional, in addition to 128-bit)
  • The IP address allocation range to be assigned to your clients
  • Groups to be allowed VPN privileges (if desired)

Follow these steps to enable PPTP:

  1. In Server Admin, choose the VPN Service from the Computers & Services list.
  2. Click Settings.
  3. Click the General tab.
  4. Click the checkbox labeled PPTP.
  5. If desired, select "Allow 40-bit encryption keys" to allow such keys to be used in addition to 128-bit keys.
    Warning: Allowing 40-bit encryption is less secure, but it may be necessary for some VPN client applications.
  6. Set the beginning IP address of the allocation range.
  7. Set the ending IP address of the allocation range.
  8. Enter the group that has access to VPN login. You can use the Users & Groups button to browse for a group.
    Note: If you leave this blank, all workgroups will have access to VPN login.
  9. Click Save.

D. Configuring Additional Network Settings for VPN Clients

When a user connects to your server through VPN, that user is given an IP address from your allocated range. The user is also automatically given DNS addresses and search domains from the server's configuration. If you wish to provide clients with a different set of DNS addresses or search domains, you need to configure these settings here: the network mask, the DNS addresses, and the search domains.

To configure additional network settings:

  1. In Server Admin, choose the VPN Service from the Computers & Services list.
  2. Click Settings.
  3. Click the Client Information tab.
  4. Enter the network mask for your allocated IP address range.
  5. Enter the IP address of the DNS server.
  6. Enter any search domains, as needed.
  7. Click Save.

E. Configuring Network Routing Definitions

Network routing definitions let you specify routes that are installed on the client to control which traffic is sent through the VPN tunnel. For example, you may want traffic destined for your IP address range to be routed through the tunnel to your LAN, but all other traffic to go through the user's normal, unsecured Internet connection. This gives finer control over what goes through the VPN tunnel. These definitions are unordered; the network mask determines how specific a route is, and packets are routed using the most specific matching route.

To set routing definitions:

  1. In Server Admin, choose the VPN Service from the Computers & Services list.
  2. Click Settings.
  3. Click the Client Information tab.
  4. Click the Add button below the routing definition list.
  5. Enter the routing address.
  6. Enter the network mask for the route.
  7. Select the routing destination from the pop-up menu.

Note: Private means to route it through the VPN tunnel. Public means to use the normal interface with no tunnel.

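Worked example of the most-specific-route rule described above, added here and not part of Apple's article or the VPN client's code. It takes a constructed table of definitions in the form address, mask, destination (Private or Public, as in the pop-up menu) and reports which destination a given address gets, so you can check a planned set of definitions before handing them to clients. The table deliberately lists the least specific definition first to show that order does not matter. The example's own assumption: an address matching no definition is reported as "none", since the article does not say what the client does in that case.

```shell
#!/bin/sh
# Added example, not code from Apple's article or the VPN client: pick the routing
# definition that applies to a destination the way the article describes (definitions
# are unordered; the one with the most specific network mask wins).
set -u

# Dotted-quad IPv4 address -> integer.
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Number of one bits in a network mask; more bits means a more specific route.
mask_bits() {
  n=$(ip2int "$1"); bits=0; i=0
  while [ "$i" -lt 32 ]; do
    bits=$(( bits + (n & 1) )); n=$(( n >> 1 )); i=$(( i + 1 ))
  done
  echo "$bits"
}

# route_lookup DEST TABLE: TABLE holds one definition per line as
# "address mask destination", destination being Private (through the tunnel) or
# Public (normal interface, no tunnel). Prints the destination of the most specific
# matching definition, or "none" when nothing matches (assumption of this example;
# the article does not say what the client does then).
route_lookup() {
  dest=$(ip2int "$1"); best_bits=-1; best=none
  while read -r addr mask kind; do
    [ -n "$addr" ] || continue
    m=$(ip2int "$mask")
    if [ $(( dest & m )) -eq $(( $(ip2int "$addr") & m )) ]; then
      bits=$(mask_bits "$mask")
      if [ "$bits" -gt "$best_bits" ]; then best_bits=$bits; best=$kind; fi
    fi
  done <<EOF
$2
EOF
  echo "$best"
}

# Constructed sample table: the LAN goes through the tunnel, one subnet inside it is
# carved out as Public, and a catch-all definition sends everything else Public.
# Least specific first on purpose; the mask, not the order, decides.
ROUTES='0.0.0.0 0.0.0.0 Public
10.0.0.0 255.0.0.0 Private
10.1.2.0 255.255.255.0 Public'

# Usage: sh routes.sh 10.5.0.1 10.1.2.5 192.0.2.10
if [ $# -gt 0 ]; then
  for d in "$@"; do echo "$d -> $(route_lookup "$d" "$ROUTES")"; done
fi
```

With the constructed table, 10.5.0.1 is sent through the tunnel (Private), 10.1.2.5 falls in the carved-out /24 and goes Public even though it also matches the /8, and 192.0.2.10 only matches the catch-all and goes Public; drop the catch-all line and that last address matches nothing.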