Array Networks SSL VPN Integration
Last updated
Last updated
This guide explains the configuration of multi-factor authentication (MFA) for Array Networks Server and SSL VPN client with Mirket. Prior configuration and deployment of Array are required before setting up MFA with Mirket.
This integration was tested with Array Networks Server version AG.9.4.0.5 and Array SSL VPN client for Windows version 9.0.1.115
Before proceeding with these procedures, ensure the following:
You've completed the installation and configuration of the Mirket (go to Mirket Installation Steps).
End-users can access the Array.
Array offers various user authentication methods. This document focuses on RADIUS-based authentication.
Access the Array administrative interface.
Select the "Config" option for Mode.
Select Virtual Sites.
Click on Add. Then, enter the site name in the Site Name field.
Input an IP address to be used for the virtual site in the IP Address field. This IP address should belong to a subnet within the interface IP address utilized for SSLVPN requests. For instance, if the interface IP address is "x.x.x.1/24", the IP address range can be from "x.x.x.2" to "x.x.x.254".
If there's an existing SSL security certificate for VPN usage, import it. Otherwise, fill in all the fields in the SSL Certificate section.
Click on Save to confirm settings.
Select the virtual site you've created from the dropdown list in the left-hand menu.
Go to Site Configuration > AAA.
On the General tab, enable AAA by checking the Enable AAA checkbox.
Select the Server tab. Then click on RADIUS.
Enter a Server Name and Description in their fields. Then click on Add.
Double-click on the added RADIUS server.
Click on Add RADIUS Server in the RADIUS Server Configuration section.
Input the IP address of your installed Mirket (RADIUS server) in the Server IP field.
Input the port number for communication with the Mirket (Radius Server) in the Server Port field. The default Gateway ports are 1812 and 1645.
Fill in the Secret Password, Timeout, Redundancy, Order, and Retries fields. Keep the default value in the Accounting Port field.
Then click on Save to confirm settings.
Select the Method tab. Then click on Add Method.
Enter a Method Name and Method Description in their fields.
Choose the RADIUS server you created, from the Authentication dropdown list.
Click on Save to confirm settings.
Go to Access Methods > VPN. Then, select VPN Resource, from the Common Settings tab.
Click on Add. Then, enter a group name in the Group Name field.
In the Network-type VPN Resource Item list, input "0.0.0.0/0" in the Network Resource column. Click on Add.
Then click on Save to confirm settings.
Select the Netpools tab. Then click on Add Netpool.
Input the Netpool Name in the Netpool Name field.
Then click on Save.
Double-click on the netpool that you have previously created.
Input a First IP Address and Last IP Address in the Dynamic IP Address Range list. Then click on Add. Keep other settings at their default values.
Click on Back to top option and then select the SSL VPN tab. Check the Enable VPN checkbox.
Then click on Apply Changes to confirm settings.
Go to User Policies > Role.
Enter a descriptive name in the Role Name field.
Enter a priority value in the Priority field. For example input "1". Then click on Add.
Select the Role Qualification tab and click on Add.
Choose the created role from the Role Name dropdown list.
Enter a qualification name in the Qualification field.
Then click on Save to confirm settings.
Select the Role Resource tab and then select VPN.
Click on Add in the Netpool Resources section.
Choose the created Role from the Role Name dropdown list.
Choose the created Netpool from the Netpool Name dropdown list.
Then click on Save to confirm settings.
Click on Add in the VPN-Resource-Group Resource section.
Choose the created Role from the Role Name dropdown list.
Choose the created Group from the Group Name dropdown list.
Click on Save to confirm settings.
To enable Mirket to receive authentication requests from Array, follow these steps:
Define Array as a RADIUS client resource within Mirket.
Create an authentication policy for the Array RADIUS client resource or include it in an existing authentication policy.
Attach the Array resource to the Mirket Radius.
Before starting, ensure that you have installed Mirket Radius Gateway. To add a Radius Client to the Mirket Radius Gateway, follow these steps:
First, navigate to the directory C:\MirketRadius and open the config.json file.
Fill in the gateway and radiusClientList fields according to the provided specifications to ensure accurate and secure network configuration.
samName: Enter the SAM name of the gateway. In Mirket, user identification is done using the SAM (Security Account Manager) name. This is preferred over the standard username. This username is used for authentication and access controls. Please provide your domain name, such as 'mirket'.
authenticationPort: Enter the authentication port value you set for the gateway. The default value is 1812.
accountingPort: Enter the accounting port value you specified for the gateway. The default value is 1813.
gatewayIp: Enter the IP address of the server where the Mirket is installed.
ipAddress: Enter the IP address of your firewall.
secretKey: Enter your secret key. This secret key is used to link your radius client and radius server, so ensure they are identical.
Once you've made the necessary changes to the config.json file, save and close it. Note: You can add multiple RADIUS clients.
After completing the configuration, restart the 'Mirket Radius Gateway Service'.
To set up multifactor authentication, make sure you have at least one user group in Mirket.
If it is preferred to use a local user, first create a local group and then create a local user and make the user a member of the group.
If it is preferred to use LDAP users, the priority LDAP group is created by pulling users from Active Directory or OpenLDAP in Mirket.
Radius Rules define user access to resources and the authentication methods available (such as SMS, Approve / Deny, OTP etc.).
First, you should follow these steps:
Select Rules > Radius Rules.
Click on Add New.
Enter a rule name in the Name field.
Enter the rule description in the Description field.
Select the group to which the rule applies from the Group dropdown list.
Select the provider to which the rule applies from the Provider dropdown list.
Select the authorization profile to which the rule applies from the Authorization dropdown list.
Click on Save to confirm settings.
To validate the integration between Mirket MFA and your Array SSL VPN client, perform authentication using a mobile token on your mobile device. For RADIUS resources, available authentication methods include Approve/Deny authentication.
In this example, we illustrate the use of the approve/deny authentication method.
Launch the Array SSL VPN client.
Go to Profile > Create. Then enter a Profile Name in the Profile Name field.
Input 443 port number in the VPN Port field. Then click on OK to confirm settings.
Choose the profile you created and click on Connect.
Enter your Mirket username in the Username field.
Input your password in the Password field.
Click on OK. Then, select the 'Approve' option(found in the Mirket mobile app) immediately and make sure it doesn't time out.
Input the IP address you determined for the virtual site into the VPN Server field in the .
