This product used to be called NetMotion Mobility; however, since version 12.70 it has changed from NetMotion to Absolute and from Mobility to Secure Access.
Apologies if you find me referring to it by the old name; the change happened recently, so it is very easy to say the wrong product name.
This guide will show you how to set up this service using either device authentication certificates or user authentication certificates; obviously, for privacy and security reasons, certain names and connection screenshots have been changed.
The fundamentals and workflow are exactly the same. Before we begin, remember that Absolute is a VPN solution that creates a private tunnel from the device to your corporate network; the end result is that your laptop appears to be on your own internal network.
Absolute can be installed as a single server instance, which you should not deploy if you wish to have more than 50 connections active at once; it is fine for a proof of concept or a demo.
The components of this software are as follows:
Absolute Warehouse Server (x2)
Absolute Publisher Server
Absolute Reputation Server
Absolute Secure Access Server (x4)
NPS server (x2)
Overview Diagram : High Level
Device v User Authentication
Let's also be clear on device authentication versus user authentication. If you opt for device authentication, the VPN will use the certificate issued to the laptop, which means you will be able to remote control the laptop with or without a user logged into it; this is also known as unattended mode.
However, if you opt for user authentication, the user needs their own unique certificate in order to log into the VPN. Unlike device authentication, the laptop will not be available when an active user is not signed in and working; when the user logs off, either all traffic is blocked or all traffic is disconnected, depending on your options.
You will also need, as part of the setup process, a RADIUS server; the newer term for this kind of server in Windows is a Network Policy Server, or NPS.
For the sake of resiliency, it is not recommended to build a single server here: if that server is unavailable then your VPN will be useless, as without a successful authentication to this server you will not be able to connect.
This guide will only focus on the "distributed deployment", not the easier one-size-fits-all "small deployment server".
Setup : Absolute Warehouse Server
This is required for all the other services to work, so from the options only select "Warehouse", as you can see here:
Once the core components are installed you will then set up the warehouse service.
If you have more than one warehouse server, in v12.70 and above both databases are active; there is no longer a passive database.
Setup : New Warehouse
If this is the first warehouse then you need to select the top option, as you will be creating the first server for the first time:
Then you will need to select the IP of the server. This is not the localhost one, so please do not select 127.0.0.1 or ::1; select the actual name of the server, which should be there:
You then need a data port, configuration port and replication port, as you can see here:
If you have a previous LDIF file to import you can do so here; if not, click Next:
Then you need to select the option to configure backups; I would highly recommend this is completed and you do not disable this option:
Setup : Existing Warehouse
Select the option for "existing warehouse"; you will then be asked for the location, the port (which is TCP 4444) and the password, after which this warehouse will work with the new warehouse.
No screenshots for that; it's simple.
Setup : Publisher/Reputation Servers
First you need to connect to the database server, using the details from before:
Install this with the defaults; as the configuration is done from the web interface, the setup is not that in-depth and you really just need the basics.
Setup : Secure Access Server (VPN server)
Once you have provided the server and the password, click Next. You will be asked if you would like to disable the firewall; even if you have another provider for your firewall, please leave this ticked.
Then you need to choose the web server settings. I would recommend you use port TCP 443, the standard for HTTPS; changing this to a different port does not make it any more secure.
Also note you have an external port; this is the port Secure Access will listen on, and it also needs to be allowed on the firewall and NAT rules. Finally, DO NOT open other ports from the internet; only this port should be opened publicly.
Then you need to choose the IP address scheme. For this we will use a pool of addresses, which you add here in the notation of address range, then CIDR, then gateway; these are the addresses that your Secure Access server will hand out to the clients that connect.
Once the setup is finished you should be able to access the server name as an HTTPS address, and it should look like this. Please note you will be on a self-signed certificate, so you will need to get that updated, which is next, exciting stuff...
NOTE : The server will be offline, not online as per the image.
Setup : Self Signed to actual SSL certificate
Then click the web server tab and choose Server Certificate, as shown below:
Fill in the details here where applicable, like Host, and ensure you add a DNS:<host> entry that matches; once filled in, continue...
That will lead you to this screen:
You will see the CSR you require in Base64 right there in the main window; it looks something like this:
Once you have this you need to sign it with your certificate authority servers, so save it to the desktop as a txt file (the extension is not important, only the content of the file). If you have internal servers you can use this command:
certreq -submit -attrib "CertificateTemplate:Web-Server" <path to file>
You will then need to select a certificate server (CA) to process that file, which will then ask you where you wish to save the response; if you save this to the desktop you can continue.
Once you have this file, navigate back to the Server Certificate window as below and click the Response button:
Restart the web server for this to take effect; it will take a minute to get the UI back online. It will prompt you to do this when you update the certificate.
NOTE : I highly recommend you have more than one NPS server for larger deployments.
Build a base build of Windows Server; then, once you have all the updates installed on it and you have joined it to the domain, all you need is this command:
I would recommend using the Core version of Windows (aka the non-GUI version), as you can remote manage this absolutely fine with no issues. Once this is installed you may need to reboot the server.
Once installed, all you need is the NPS remote management tool; this is what you are looking for:
There is no requirement to register this server in Active Directory, Absolute will not be looking for this server automatically.
Logging should be automatically set up to log all the events required to monitor and troubleshoot; however, if you want to check this you can do so under Accounting, then Change Log File Properties. This is what I have set up for this solution:
NPS is installed and the ports used are the usual RADIUS ports of 1812 for authentication and 1813 for accounting, as you can see here:
I would create a shared secret template so you do not need to keep entering it all the time; if you have many servers this can prevent typos later on. To do that, find Template Management, then choose Shared Secrets, right click there and choose New...
Setup : NPS Clients and Servers
This is the section at the top of the NPS server console, as below...
RADIUS Clients is what we need here. If you navigate to that section, right click and choose New, this will allow you to add a client; you need to add all the Secure Access VPN servers to this list, which enables those servers to talk to the NPS server.
Ensure all the Secure Access servers are added as clients.
Setup : NPS Connection Request Policy (CRP)
NOTE : This needs to be setup for your company requirements, this is just a guide and should not be taken literally.
Right, now you have the clients all added, you then need to set up the CRP, which is the pre-policy for the connections the server receives. As you can see, you can have more than one policy on the same server; here we cover both scenarios, device and user authentication.
You need the precedence, or processing order, to be correct if you are using the same server for both, so let's create these as per below. The 4th rule is the default, which is included when you install NPS; the 3rd rule is a backup rule that is disabled.
Setup : User Authentication CRP
Give it a name, and the type is Unspecified...
Add a condition of "NAS Identifier"
Add the NAS Identifier of UA for User Authentication:
Ensure you authenticate on this server, as below:
In this example the authentication methods come later; leave this unselected:
Confirm the settings in the CRP, which should be NAS Identifier equals UA; then you are done. This alone does nothing but assess the inbound connection; you now need to link this to the Secure Access server, which is done later in the guide.
Setup : Device Authentication CRP
Give it a name, and the type is Unspecified...
Add a condition of "NAS Identifier"
Add the NAS Identifier of DA for Device Authentication:
Ensure you authenticate on this server, as below:
In this example the authentication methods come later; leave this unselected:
Confirm the settings in the CRP, which should be NAS Identifier equals DA; then you are done. This alone does nothing but assess the inbound connection; you now need to link this to the Secure Access server, which is done later in the guide.
Right, now we move on to the Network Policies. This is where more conditions are set for NPS entry requirements, so, like before, let's do one for user and one for device authentication; if you only need one, ignore the other. Simple.
If you have an internal certificate authority, the base template for this is called "Computer Authentication"; on the other hand, if you have an external CA this will be a server authentication certificate.
Then you want to navigate to the Personal store, which is where the certificate needs to be located; once here, right click the Certificates folder and choose "Request New Certificate".
Give the policy a name and ensure you choose "Unspecified".
Then you require a Windows Group to apply this policy to...
When you click Add, select the groups you require from your domain... this is unique to your company.
Authentication Mode : User Certificate
Authentication Type : Protected EAP (PEAP)
EAP Type : Certificate (user)
Mode Type : User Group
Fast Connect : Enabled
Then we need the user group; be careful here about what you click (more on that in the troubleshooting section), but ensure you choose "User Group".
Then you need to use a group you have created; if you have not created one, you need to do that now (obviously).
This will then add itself to the conditions; once you have this, move right along to the access type, and here choose Access Granted.
For Authentication Methods you need to add "Protected EAP" as the EAP type, then untick all the "less secure methods".
Then, when you click on "Protected EAP", you can click the Edit button and you will see this; these are the PEAP options...
This is also wrong: the EAP type here is Secure Password, which is wrong for this guide, so you will need to update that. You will also need to ensure Fast Reconnect is ticked for this solution. If, when you try to add PEAP, you get no certificates, that is because you have skipped a step above to generate that certificate; go back and do that.
Finally you need to ensure that you remove "Secure Password" and add "certificate or smart card".
Firstly add the new EAP type:
You should now only see the certificate option in the list, like this:
EAP will pick up the main certificate automatically. Then we can move on to Constraints; here NPS will only allow a connection for 8 hours, after which it disconnects people from the VPN. This is optional, if required:
For encryption settings we require MPPE 128-bit only, so that weaker options do not pass the policy; with this set it will stop very legacy clients connecting to your network via the VPN...
Then, on the review screen, ensure the settings are set; you can then finish to save the policy, and you have done the User Authentication Policy.
Setup : Device Authentication Policy (NPS-NP)
Authentication Mode : Device Certificate
Authentication Type : Certificate Authentication
EAP Type : Certificate (device)
Mode Type : Windows Group
Fast Connect : Enabled
Then we need the group; be careful here about what you click (more on that in the troubleshooting section), but ensure you choose "Machine Group".
Then you need to use a group you have created; if you have not created one, you need to do that now (obviously).
This will then add itself to the conditions; once you have this, move right along to the access type, and here choose Access Granted.
For Authentication Methods you need to add "Protected EAP" as the EAP type, then untick all the "less secure methods".
For encryption settings we require MPPE 128-bit only, so that weaker options do not pass the policy; with this set it will stop very legacy clients connecting to your network via the VPN...
Then, on the review screen, ensure the settings are set; you can then finish to save the policy, and you have done the Device Authentication Policy.
Setup : NPS Summary
- Deny Access
- SSL - User Authentication
- Device Authentication VPN
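As an added illustration (not from the original guide, Absolute or Microsoft), here is a small Python model of the evaluation order that the CRP and Network Policy sections above configure: Connection Request Policies are tried on NAS Identifier in processing order, then Network Policies on group membership, EAP type and MPPE strength, and the first match decides. The group names, the device CRP name and the catch-all "Deny Access" policy placed last are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Request:
    nas_identifier: str       # "UA" or "DA", sent by the Secure Access server
    groups: frozenset         # group memberships of the authenticating account
    machine_account: bool     # True for host/DA-Test-Laptop$ style accounts
    eap_type: str             # "certificate" or "secure password"
    mppe_bits: int            # strongest MPPE key length the client negotiates

@dataclass
class CRP:
    name: str
    nas_identifier: str = None   # None = no condition, matches any request
    enabled: bool = True

@dataclass
class NetworkPolicy:
    name: str
    group: str = None            # None = no group condition (catch-all)
    machine_group: bool = False  # Machine Group (DA) vs User Group (UA) condition
    grant: bool = False
    eap_type: str = "certificate"
    min_mppe_bits: int = 128

def evaluate(req, crps, policies):
    """Return (granted, matched CRP name, matched policy name, reason)."""
    # First enabled CRP whose conditions match wins (NPS reason code 49 if none).
    crp = next((c for c in crps if c.enabled
                and c.nas_identifier in (None, req.nas_identifier)), None)
    if crp is None:
        return (False, None, None, "no connection request policy matched")
    for pol in policies:
        if pol.group is not None:
            # group condition: membership AND the right account kind; a Machine
            # Group condition never matches a user account (and vice versa)
            if pol.group not in req.groups or pol.machine_group != req.machine_account:
                continue
        if not pol.grant:
            return (False, crp.name, pol.name, "policy denies access")
        if req.eap_type != pol.eap_type:
            return (False, crp.name, pol.name, "EAP type not enabled on policy")
        if req.mppe_bits < pol.min_mppe_bits:
            return (False, crp.name, pol.name, "encryption weaker than policy allows")
        return (True, crp.name, pol.name, "access granted")
    return (False, crp.name, None, "no network policy matched")  # NPS reason code 48

# Processing order as in the guide: UA, DA, a disabled backup, then the NPS default.
CRPS = [CRP("Absolute - User Auth", "UA"), CRP("Absolute - Device Auth", "DA"),
        CRP("Backup", "DA", enabled=False),
        CRP("Use Windows authentication for all users")]
# Group names are assumed; the catch-all deny is placed last on purpose.
POLICIES = [NetworkPolicy("SSL - User Authentication", "VPN-Users", False, True),
            NetworkPolicy("Device Authentication VPN", "VPN-Laptops", True, True),
            NetworkPolicy("Deny Access")]

if __name__ == "__main__":
    laptop = Request("DA", frozenset({"VPN-Laptops"}), True, "certificate", 128)
    print(evaluate(laptop, CRPS, POLICIES))
```

Run the model with a user account against the Machine Group policy to see the "careful what you click" failure: the group condition silently does not match and the request falls through to the deny policy.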
This is more generic advice relating to VPNs, but if you navigate to the custom event log that is installed once you install NPS, for this exact task, that is the Server Roles > Network Policy and Access Services log:
This is how it works for the majority of events:
6272 is a successful authentication or access granted
6273 is a denied authentication or access denied
This is what a successful login looks like:
Network Policy Server granted access to a user.
User:
Security ID: bear.local/DA-Test-Laptop$
Account Name: host/DA-Test-Laptop.bear.local
Account Domain: BEAR
NAS:
NAS IPv4 Address: -
NAS IPv6 Address: -
NAS Identifier: DA
NAS Port-Type: -
NAS Port: -
RADIUS Client:
Client Friendly Name: Secure Access Server #1
Client IP Address: 12.778.12.445
Authentication Details:
Connection Request Policy Name: Absolute - User Auth
Network Policy Name: Device Authentication VPN
Authentication Provider: Windows
Authentication Server: nps-1.bear.local
Authentication Type: EAP
EAP Type: Microsoft: Smart Card or other certificate
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Authentication Details:
Connection Request Policy Name: Absolute - User Auth
Network Policy Name: Device Authentication VPN
Authentication Provider: Windows
Authentication Server: nps-1.bear.local
Authentication Type: EAP
EAP Type: Microsoft: Smart Card or other certificate
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 34
Reason: The user or computer account that is specified in the RADIUS Access-Request message is disabled.
Authentication Details:
Connection Request Policy Name: Absolute - User Auth
Network Policy Name: Device Authentication VPN
Authentication Provider: Windows
Authentication Server: nps-1.bear.local
Authentication Type: EAP
EAP Type: Microsoft: Smart Card or other certificate
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 23
Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
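An added example, not from the original guide: a small Python parser for the exported text of events 6272 and 6273 that pulls out the NAS Identifier, the policies that matched and the reason code, then counts denials per reason and NAS ID so a policy that is rejecting one side (DA or UA) stands out. The sample events are constructed to mirror the layout above; the account names and the device CRP name are made up.

```python
import re
from collections import Counter

FIELDS = ("Security ID", "Account Name", "NAS Identifier", "Connection Request Policy Name",
          "Network Policy Name", "EAP Type", "Reason Code", "Reason")

def parse_event(text):
    """Map one event's exported text to a dict; 6272 = granted, 6273 = denied."""
    first_line = text.strip().splitlines()[0]
    event = {"event_id": 6272 if "granted access" in first_line else 6273}
    for name in FIELDS:
        # each field is on its own line as "<name>: <value>"; "-" means not set
        m = re.search(rf"^{re.escape(name)}:[ \t]*(.*)$", text, re.MULTILINE)
        value = m.group(1).strip() if m else None
        event[name] = None if value in (None, "-") else value
    if event["Reason Code"] is not None:
        event["Reason Code"] = int(event["Reason Code"])
    return event

def denial_report(event_texts):
    """Count denials per (reason code, NAS ID) so a misconfigured policy stands out."""
    events = [parse_event(t) for t in event_texts]
    denied = [e for e in events if e["event_id"] == 6273]
    return {"granted": len(events) - len(denied), "denied": len(denied),
            "by_reason": Counter((e["Reason Code"], e["NAS Identifier"]) for e in denied),
            "accounts": sorted(e["Account Name"] for e in denied)}

# Constructed sample events in the exported layout; account names and the device
# CRP name are made up, the rest mirrors the events shown in this guide.
SAMPLE_EVENTS = [
"""Network Policy Server granted access to a user.
User:
Security ID: bear.local/DA-Test-Laptop$
Account Name: host/DA-Test-Laptop.bear.local
NAS:
NAS Identifier: DA
Authentication Details:
Connection Request Policy Name: Absolute - Device Auth
Network Policy Name: Device Authentication VPN
Authentication Type: EAP
EAP Type: Microsoft: Smart Card or other certificate
""",
"""Network Policy Server denied access to a user.
User:
Security ID: bear.local/jsmith
Account Name: jsmith@bear.local
NAS:
NAS Identifier: UA
Authentication Details:
Connection Request Policy Name: Absolute - User Auth
Network Policy Name: SSL - User Authentication
EAP Type: Microsoft: Smart Card or other certificate
Reason Code: 23
Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
""",
]

if __name__ == "__main__":
    print(denial_report(SAMPLE_EVENTS))
```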
If you need to do more detailed log analysis, the default location for these logs is %windir%\System32\Logfiles; however, if you have customised the location you will need to look in that folder instead. Here you can see the folder has been redirected in the NPS panel...
The ones in red can cause interruptions to connections if misconfigured; be particularly careful with the ones in bold.
Server settings - Set server wide settings per server or globally
Client settings - Set client device settings per device or globally
Authentication settings - Set authentication settings for all clients to NPS/RADIUS
Device - shows the devices that are registered with Absolute
User groups - Assign users to groups to then assign policy to those users
Licensing - Check the number of valid licenses for your organisation
NOTE : These settings are custom (partially) to this environment; you will have different requirements.
Console > Logon Notice : Set a login banner for the environment you are managing
Deployment > Resource Location : Set a custom deployment location
Setup : Client Authentication
Display > Screen Setting : Stay Awake, Never Sleep
Virtual Address > Allocation Method: IPv4 : Address Pool
Careful, there be dragons here - especially in this section
The orange box is required for all configurations, the red box is required for device authentication or "DA", and the green box is required for user authentication or "UA"; regardless of configuration, you require the orange box configured and either a red or a green box.
Setup : Authentication Settings Warning
One thing to note is that this guide covers both device and user authentication. When you set the policy you can set it on device groups; however, remember all devices that Absolute does not know about will start off in the "New" device group, or, more technically, the group where "default group for new devices" is ticked.
Note : It is not a good idea to have both policies set up, as the "New" group needs to have one policy assigned to it, which will be either a "device" authentication profile or a "user" authentication profile; please note that most people will follow one or the other, not both.
Then you want the new option:
Then give the policy a name:
NOTE : Ensure you do not put settings in the USER section of the policy; you need DEVICE.
Next, set the settings under RADIUS: Device Authentication > NAS ID; this needs to be set to the NAS ID the NPS server expects, which is DA for this example:
Next, you need the NPS servers under RADIUS: Device Authentication > Servers; add the IP addresses of the NPS servers using the Add button:
You will need the IP address, the port, which is 1812 unless you have customised it, then the shared secret you created back in the NPS setup.
Then you should see them all there on port 1812 as below:
Then you want the new option:
Then give the policy a name:
This is the Device Authentication, so first you need to set the mode to "Unattended"; this is under Authentication > Mode:
Next, set the settings under RADIUS: User Authentication > NAS ID; this needs to be set to the NAS ID the NPS server expects, which is DA for this example:
Next, you need the NPS servers under RADIUS: User Authentication > Servers; add the IP addresses of the NPS servers using the Add button:
You will need the IP address, the port, which is 1812 unless you have customised it, then the shared secret you created back in the NPS setup.
Then you should see them all there on port 1812 as below:
Once here, add a new one:
Then you need to navigate to "Client Settings" to set the authentication settings:
Under the Device Settings tree you will see that group; click on it and then find the Authentication Settings Profile.
You will then need to give it the authentication policy from the last step.
This is the last section in this guide, and it will only show you how to set up the recommended routing for sending traffic down the tunnel or not; for that, go to Policy > Policy Management.
Then go to Rules, and you need to create the options below:
So to complete this, choose New, give the policy the name as per above, and the contents of the policy are as follows:
Setup : Inside Tunnel Policy
Then, in the definition at the bottom, select the hosts and websites in blue and add your internal domains in the *.domain notation, so for example *.bear.local.
Then in the hosts just add a * entry for everything that is not in the other rule...
Then pop over to the rule sets...
Give this new policy a relevant name:
Then add those rules to the ruleset:
You do get more options, like policies and Network Access Control (NAC); however, as these are very much tailored to your company requirements, they cannot really be explained in a generic guide in much detail.