
Licenses and Services

The TOE does not have general computing capabilities, other than the services required for the operation, administration, and support of the TOE. In the evaluated configuration, the TOE has only the following licenses installed: DNS, DHCP, Microsoft Management, DNS Cache Acceleration, and Query Redirection. It does not have the Multi-Grid Management license installed. For more information about licenses, see Managing Licenses.
The following services are disabled by default in the Common Criteria evaluated configuration and no claims are made regarding their function:

  • bloxTools
  • MGM (Multi-Grid Management)
  • HSM (Hardware Security Module) Signing
  • Support access
  • Remote console access

Installing additional licenses or enabling any of the listed services may result in a non-compliant system.

RADIUS or TACACS+ Authentication Through IPsec Tunnel

Starting with NIOS 8.5.2, you can route RADIUS or TACACS+ authentication traffic through an IPsec tunnel. This protects the authentication exchange between the appliance and the server, since neither RADIUS nor TACACS+ provides strong protection of its own on the wire. The host running the RADIUS or TACACS+ server must support IPsec, a host firewall, and NAT traversal (NAT-T). This section describes how to set up the server side of the tunnel using strongSwan as the IPsec VPN software. You must install strongSwan and then start its service. You can install strongSwan either from a source TAR file or from a binary RPM package; the two procedures differ only in the service name and the configuration file paths.

Configuring the Authentication Using a strongSwan TAR File

To configure the RADIUS or TACACS+ authentication, perform the following steps:

  1. Download the .tar.gz file of strongSwan version 5.5.2 or later and install it on the RADIUS or TACACS+ server.
    For example, if you download the strongswan-5.9.0.tar.gz file from the strongSwan - Download page, you must run the following commands to install strongSwan:
    tar -xzf strongswan-5.9.0.tar.gz
    cd strongswan-5.9.0
    ./configure
    make
    make install

  2. Start the strongSwan service using the following command to enable the IPsec service on the authentication server:
    ipsec start


    Note

    ipsec is the name of the strongSwan service that is installed from the source code.


  3. Configure the following server configuration files available in the specified paths:
    • /usr/local/etc/ipsec.conf
      Example:
      # Connection definition for the tunnel from the NIOS appliance.
      conn <connection name>
          # Authenticate the peer with the pre-shared key from ipsec.secrets.
          authby=secret
          # Install a trap policy at startup; the tunnel is negotiated on demand.
          auto=route
          keyingtries=1
          # Accept IKEv1 or IKEv2 from the peer.
          keyexchange=ike
          # Local address of the RADIUS or TACACS+ server.
          left=<server IP>
          # %any accepts any peer address; pin it to the appliance IP where possible.
          right=%any
          type=tunnel

    • /usr/local/etc/ipsec.secrets
      Example:
      # ipsec.secrets - strongSwan IPsec secrets file
      <server IP> : PSK "<server shared secret>"

  4. Add the iptables rules using the following commands to allow IKE (UDP 500), NAT-T (UDP 4500), and ESP through the firewall:
    iptables -I INPUT 1 -p udp --dport 500 -j ACCEPT
    iptables -I INPUT 1 -p udp --dport 4500 -j ACCEPT
    iptables -I INPUT 1 -p esp -j ACCEPT
    These rules accept IPsec traffic from any source; add -s <appliance IP> to each rule to restrict it to the NIOS appliance (or to its NAT address if the appliance is behind NAT).

Configuring the Authentication Using a strongSwan RPM File

To configure the RADIUS or TACACS+ authentication, perform the following steps:

  1. Download and install a binary RPM of strongSwan version 5.5.2 or later.
    For example, if you download the strongswan-5.8.2-5.fc32.x86_64.rpm file from the RPM repository, you must run the following command to install the .rpm package:
    rpm -ihv strongswan-5.8.2-5.fc32.x86_64.rpm

  2. Start the strongSwan service using the following command:
    strongswan start


    Note

    strongswan is the name of the strongSwan service that is installed from the binary RPM package.


  3. Configure the following server configuration files available in the specified paths. Their contents are the same as in the TAR-based procedure; only the directory differs:
    • /etc/strongswan/ipsec.conf
    • /etc/strongswan/ipsec.secrets

  4. Add the iptables rules using the following commands to allow IKE (UDP 500), NAT-T (UDP 4500), and ESP through the firewall:
    iptables -I INPUT 1 -p udp --dport 500 -j ACCEPT
    iptables -I INPUT 1 -p udp --dport 4500 -j ACCEPT
    iptables -I INPUT 1 -p esp -j ACCEPT
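The following script is an added example, not part of the Infoblox guide or of the strongSwan project, that carries both the TAR-based and the RPM-based procedures above through in one place: it generates a random PSK, renders ipsec.conf and ipsec.secrets with the directives the guide uses, writes the secrets file with owner-only permissions, and adds the three firewall rules so that re-running the script does not stack duplicates. The connection name nios-auth, the addresses 10.0.0.5 (server) and 203.0.113.10 (appliance), the pinned right= peer and the cipher proposals are assumptions; the proposals in particular must match what the NIOS appliance is configured to offer, and the page's right=%any is kept as a comment for the case where the appliance address is not fixed. CONF_DIR defaults to the source-install layout and can be set to /etc/strongswan for the RPM layout.

```shell
#!/bin/sh
# Added example (not from the Infoblox page or the strongSwan project).
# Hypothetical inputs: 10.0.0.5 = RADIUS/TACACS+ server, 203.0.113.10 = NIOS
# appliance. CONF_DIR defaults to the source-install path; use
# CONF_DIR=/etc/strongswan for the RPM layout.
set -u
CONF_DIR="${CONF_DIR:-/usr/local/etc}"

# 32 random bytes, base64 encoded (44 characters). With authby=secret the PSK
# is the only thing authenticating the peer, so do not pick it by hand.
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Connection definition. Compared with the guide's minimal example the peer is
# pinned (right=<appliance IP> rather than right=%any) and the IKE/ESP
# proposals are fixed with the strict '!' suffix; both are assumptions that
# must match the NIOS side.
render_ipsec_conf() {  # $1 = server IP, $2 = appliance IP
    cat <<EOF
conn nios-auth
    authby=secret
    auto=route
    keyingtries=1
    keyexchange=ike
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    left=$1
    right=$2
    type=tunnel
EOF
}

# Secret scoped to this exact pair of peers. A bare "<server IP> : PSK ..."
# selector hands the same PSK to any peer that connects to the server.
render_ipsec_secrets() {  # $1 = server IP, $2 = appliance IP, $3 = PSK
    printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"
}

# Append stdin to a file that ends up mode 0600 whether it is new (umask) or
# already existed (chmod). ipsec.secrets holds the PSK in clear text.
append_private() {  # $1 = path
    ( umask 077 && cat >> "$1" ) && chmod 600 "$1"
}

# 0 if the file is mode 0600, 1 otherwise (ls output is portable, stat is not).
is_mode_0600() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Insert an INPUT rule only if -C says it is not already there, so the script
# is safe to re-run. DRY_RUN=1 prints the insert command instead of running it.
ensure_input_rule() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables -I INPUT 1 %s\n' "$*"
        return 0
    fi
    iptables -C INPUT "$@" 2>/dev/null || iptables -I INPUT 1 "$@"
}

# IKE (udp/500), NAT-T (udp/4500) and ESP, accepted from the appliance only.
# If the appliance is behind NAT, $1 must be its NAT'd source address.
allow_ipsec_from() {  # $1 = appliance IP
    ensure_input_rule -s "$1" -p udp --dport 500 -j ACCEPT
    ensure_input_rule -s "$1" -p udp --dport 4500 -j ACCEPT
    ensure_input_rule -s "$1" -p esp -j ACCEPT
}

# Usage (as root): sh ipsec-setup.sh apply <server IP> <appliance IP>
if [ "${1:-}" = "apply" ]; then
    [ $# -eq 3 ] || { echo "usage: $0 apply <server IP> <appliance IP>" >&2; exit 2; }
    psk=$(gen_psk)
    render_ipsec_conf "$2" "$3" >> "$CONF_DIR/ipsec.conf"
    render_ipsec_secrets "$2" "$3" "$psk" | append_private "$CONF_DIR/ipsec.secrets"
    is_mode_0600 "$CONF_DIR/ipsec.secrets" || { echo "ipsec.secrets is not 0600" >&2; exit 1; }
    allow_ipsec_from "$3"
    echo "PSK to enter on the NIOS appliance: $psk"
fi
```

After running it, reload the secrets with ipsec rereadsecrets (or strongswan rereadsecrets for the RPM install) and confirm the negotiated SA with ipsec statusall once the appliance has sent an authentication request. If the appliance negotiates IKEv2 only, keyexchange=ikev2 is the tighter setting; the script keeps the guide's keyexchange=ike so it works with either version.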