
Page 1: Cisco ASA - Implementation Guide - Deepnet Security ASA... · Cisco ASA - Implementation Guide ()

Implementation Guide Citrix Netscaler

Copyright © 2011, Deepnet Security. All Rights Reserved. Page 1

Cisco ASA Implementation Guide

(Version 5.4)

Copyright 2011

Deepnet Security Limited


Trademarks

Deepnet Unified Authentication, MobileID, QuickID, PocketID, SafeID, GridID, FlashID,

SmartID, TypeSense, VoiceSense, MobilePass, DevicePass, RemotePass and Site Stamp

are trademarks of Deepnet Security Limited. All other brand names and product names

are trademarks or registered trademarks of their respective owners.

Copyrights

Under international copyright law, neither the Deepnet Security software nor its documentation may be copied, reproduced, translated or reduced to any electronic medium or machine-readable form, in whole or in part, without the prior written consent of Deepnet Security.

Licence Conditions

Please read your licence agreement with Deepnet carefully and make sure you

understand the exact terms of usage. In particular, for which projects, on which

platforms and at which sites, you are allowed to use the product. You are not allowed to

make any modifications to the product. If you feel the need for any modifications, please

contact Deepnet Security.

Disclaimer

This document is provided “as is” without warranty of any kind, either expressed or

implied, including, but not limited to, the implied warranties of merchantability, fitness

for a particular purpose, or non-infringement.

This document could include technical inaccuracies or typographical errors. Changes are

periodically made to the information herein; these changes will be incorporated in new

editions of the document. Deepnet Security may make improvements of and/or changes

to the product described in this document at any time.

Contact

If you wish to obtain further information on this product or any other Deepnet Security

products, you are always welcome to contact us.

Deepnet Security Limited

Northway House

1379 High Road

London N20 9LP

United Kingdom

Tel: +44(0)20 8343 9663

Fax: +44(0)20 8446 3182

Web: www.deepnetsecurity.com

Email: [email protected]


Table of Contents

Overview
Preparation
DualShield Configuration
    Create a RADIUS logon procedure
    Create a RADIUS application
    Register the Cisco ASA as a Radius client
Cisco ASA Configuration
    Register DualShield Radius Server
Clientless SSL VPN
    One-Time Password
        Edit Logon Procedure
        Configure Cisco ASA
        Test Logon
        Customise Logon Form
        Test Logon
    On-Demand Password
        Edit Logon Procedure
        Configure Cisco ASA
        Test Logon
AnyConnect SSL VPN
    One-Time Password
        Logon Procedure
        ASA Configuration
        Test Logon
    On-Demand Password
        Logon Procedure
        ASA Configuration
        Test Logon
IPSec Remote VPN
    ASA Configuration
    DualShield Configuration
    Test Logon


Overview

This implementation guide describes how to integrate a Cisco ASA appliance with the DualShield unified authentication platform in order to add two-factor authentication to the IPsec VPN and SSL VPN login process.

Cisco ASA supports an external RADIUS server as its authentication server. The DualShield unified authentication platform includes a fully compliant RADIUS server, the DualShield Radius Server. DualShield provides a wide selection of portable one-time password tokens in a variety of form factors, ranging from hardware tokens, software tokens and mobile tokens to USB tokens. These include:

• Deepnet SafeID

• Deepnet MobileID

• Deepnet GridID

• Deepnet CryptoKey

• RSA SecurID

• VASCO DigiPass Go

• OATH-compliant OTP tokens

In addition to one-time passwords, DualShield also supports on-demand passwords for RADIUS authentication. The product that provides on-demand passwords in the DualShield platform is Deepnet T-Pass, an on-demand, token-less strong authentication that delivers logon passwords via SMS text message, phone call, Twitter direct message or email message.

The complete solution consists of the following components:

• Cisco ASA Appliance

• DualShield Radius Server

• DualShield Authentication Server


Preparation

Prior to configuring Cisco ASA for two-factor authentication, you must have the

DualShield Authentication Server and DualShield Radius Server installed and operating.

For the installation, configuration and administration of DualShield Authentication and

Radius servers please refer to the following documents:

• DualShield Authentication Platform – Installation Guide

• DualShield Authentication Platform – Quick Start Guide

• DualShield Authentication Platform – Administration Guide

• DualShield Radius Server - Installation Guide

You also need a RADIUS application created in the DualShield authentication server; this application is used for the two-factor authentication of Cisco ASA users. The document below provides general instructions for RADIUS authentication with the DualShield Radius Server:

VPN & RADIUS - Implementation Guide

The key steps are outlined below.

In DualShield

1. Create a logon procedure for RADIUS authentication
2. Create a RADIUS application for Cisco ASA
3. Register the Cisco ASA as a RADIUS client

In Cisco ASA

1. Register the DualShield RADIUS authentication server
2. Configure remote access profiles


DualShield Configuration

Create a RADIUS logon procedure

1. Log in to the DualShield management console
2. In the main menu, select “Authentication | Logon Procedure”
3. Click the “Create” button on the toolbar
4. Enter “Name” and select “RADIUS” as the Type
5. Click “Save”
6. Click the Context Menu icon of the newly created logon procedure and select “Logon Steps”
7. In the popup window, click the “Create” button on the toolbar
8. Select “Static Password” as the authenticator
9. Click “Save”

Create a RADIUS application

1. In the main menu, select “Authentication | Applications”
2. Click the “Create” button on the toolbar
3. Enter “Name”
4. Select “Realm”
5. Select the logon procedure that was just created
6. Click “Save”
7. Click the context menu of the newly created application and select “Agent”
8. Select the DualShield Radius server, e.g. ”Local Radius Server”
9. Click “Save”
10. Click the context menu of the newly created application and select “Self Test”

Register the Cisco ASA as a Radius client

1. In the main menu, select “RADIUS | Clients”
2. Click the “Register” button on the toolbar
3. Select the application that was created in the previous steps
4. Enter the Cisco ASA’s IP address in “IP address”
5. Enter the Shared Secret that will also be configured on the Cisco ASA
6. Click “Save”

The IP address must be the source address from which the ASA reaches the DualShield Radius Server, i.e. the address of the interface selected when the server is registered on the ASA (“inside” in this guide). RADIUS requests arriving from an address that is not registered as a client are dropped without a reply, so on the ASA side such a mistake shows up as a server timeout rather than a rejection.


Cisco ASA Configuration

It is assumed that the Cisco ASA is set up and operational: an existing domain user can already authenticate with a domain (AD) password and access applications through IPsec VPN and/or SSL VPN using a domain account.

Register DualShield Radius Server

1. Launch the Cisco Adaptive Security Device Manager (ASDM), select Configuration in the top toolbar, then select Device Management in the accordion menu at the bottom
2. In the panel on the left, select Users/AAA and then AAA Server Groups
3. Click the “Add” button on the right:

Enter a name, e.g. DualShield

Select the RADIUS protocol

Set Max Failed Attempts to 1 (this is the number of failed connection attempts after which the ASA marks the server as unavailable within the group; it is not a user lockout threshold)

Click OK when completed

4. Select the newly created AAA server group, i.e. DualShield
5. Click ”Add” in “Servers in the Selected Group”:

Select the “inside” interface

Enter the IP of the DualShield Radius server

Set Authentication Port to 1812

Set Accounting Port to 1813

Enter the Server Secret Key (the same shared secret registered for this client in DualShield)

Unselect “Microsoft CHAPv2 Capable”, so that the ASA sends the password in PAP form. One-time and on-demand passwords are verified from the PAP-protected password value, which MS-CHAPv2 does not send.

Click OK when completed

6. Click the “Apply” button to save the settings

At this point you can verify reachability and the shared secret with the “Test” button in the AAA Server Groups pane, or from the ASA CLI with “test aaa-server authentication DualShield host <server IP> username <user> password <password>”. No response usually means the ASA’s address is not registered as a RADIUS client in DualShield or the shared secret does not match (a reply protected with the wrong secret fails the ASA’s authenticator check and is discarded); a rejection means the request was accepted by the server but the credentials did not satisfy the logon procedure.


Clientless SSL VPN

One-Time Password

If you plan to deploy only one-time password based authentication for your user base, using OTP tokens such as Deepnet SafeID or MobileID, configure your Cisco ASA to use AD as the primary authentication server and DualShield as the secondary authentication server. AD is then responsible for verifying users’ AD passwords and DualShield for verifying users’ one-time passwords only.

Edit Logon Procedure

In the DualShield Management Console, edit the logon procedure for your Cisco ASA application. Only one logon step is needed, and typically that step has “One-Time Password” as the authentication method; the “Static Password” step created earlier is not needed here because AD verifies that password:

Configure Cisco ASA

1. Select Remote Access VPN in the accordion menu at the bottom
2. Select Clientless SSL VPN Access, then Connection Profiles
3. In the Connection Profiles section, select your existing SSL VPN profile and click Edit (click Add if you do not yet have an SSL VPN profile)

If this is an existing SSL connection profile, it will already have your AD server set as its authentication server. If this is a new SSL connection profile, set your AD server as its authentication server as shown above.

4. Expand Advanced and select Secondary Authentication:

Select “DualShield” as the Server Group

Enable “Use primary username”, so that the user is not prompted for a second username and the one-time password is checked against the same account

5. Click OK
6. Finally, click Apply to save all settings.


Test Logon

Navigate to the Cisco ASA SSL VPN logon page:

The logon form consists of 3 fields:

User name: User’s domain account login name

Password: AD password

2nd Password: One-time password

Customise Logon Form

You can customise the Cisco ASA logon page to make it more user friendly. For instance, you may want to change “2nd Password” to “Passcode” or “One-Time Password”.

The basis of the customisation is to change the relevant messages, or the HTML and JavaScript files, on the Cisco ASA appliance.

In ASDM, go to Remote Access VPN -> Clientless SSL VPN Access -> Portal -> Customization. Click Add to add a new customization object.

Enter a name for the customization object.

Expand Login Page and select Logon Form.


Change “2nd Password” to “Passcode” in the Secondary Password Prompt.

Click “OK”. Click “Assign” and assign the newly created Customization Object to the SSL

VPN connection profile

Test Logon

The SSL VPN logon page will now be presented as:


On-Demand Password

If you plan to deploy only on-demand password based authentication for your user base, using Deepnet T-Pass, configure your Cisco ASA to use the DualShield Radius server as the primary authentication server, with no secondary authentication server. DualShield is then responsible for verifying both the user’s AD password and the on-demand password.

Edit Logon Procedure

In the DualShield Management Console, edit the logon procedure for your Cisco ASA

application. You will need to define two logon steps: the first step requires users to enter

their static password (AD password), which will also trigger the DualShield server to

send the user’s on-demand password. The second step will then ask users to enter their

on-demand password.
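On the wire, the two logon steps just described are one RADIUS conversation: the ASA sends an Access-Request carrying the user name and the PAP-hidden static password; the DualShield Radius Server answers with an Access-Challenge that carries a State attribute (and a Reply-Message, which becomes the prompt the user sees); the ASA then sends a second Access-Request with the on-demand password and the State echoed back, and that is answered with Access-Accept or Access-Reject. The Python below is an added example written for this guide, not Deepnet or Cisco code. It implements the RFC 2865 framing and User-Password hiding with the shared secret, checks the Response Authenticator on every reply, and drives the exchange against a small in-process stand-in for the logon procedure. The stand-in server, the client address 10.0.0.1, the user “alice” and her passwords are all constructed for the example; radius_pap_check sends the same first request over UDP to a real server at a host, secret and user name you supply. The same shared-secret and PAP points apply to the “Register DualShield Radius Server” steps earlier in this guide.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE, STATE = 1, 2, 4, 18, 24

def pap_transform(secret, authenticator, data, decrypt=False):
    """RFC 2865 5.2 User-Password hiding: 16-byte blocks XORed with MD5(secret + previous block).
    Encrypting chains the ciphertext block just produced; decrypting chains the ciphertext given."""
    data += b"\x00" * (-len(data) % 16)  # NUL padding; rstrip it after decrypting
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev, out = (data[i:i + 16] if decrypt else block), out + block
    return out

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, pos = [], 0
    while pos < len(data):
        t, length = struct.unpack("!BB", data[pos:pos + 2]) if len(data) - pos >= 2 else (0, 0)
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[pos + 2:pos + length]))
        pos += length
    return attrs

def build_access_request(secret, ident, username, password, nas_ip, state=None):
    """Return (packet, request_authenticator); the authenticator is fresh random per request."""
    auth = os.urandom(16)
    attrs = [(USER_NAME, username), (USER_PASSWORD, pap_transform(secret, auth, password)),
             (NAS_IP_ADDRESS, socket.inet_aton(nas_ip))]
    if state is not None:
        attrs.append((STATE, state))  # second step: echo the server's State unchanged
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + auth + body, auth

def build_response(secret, code, request, attrs):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

def parse_response(secret, request_auth, packet):
    """Verify the Response Authenticator before trusting the code: wrong secret or forgery raises."""
    code, _, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    return code, decode_attrs(packet[20:])

class ToyTwoStepServer:
    """Constructed stand-in for a two-step logon procedure (not DualShield code): step 1 checks the
    static password and answers Access-Challenge with a State; step 2 (State echoed) checks the OTP."""
    def __init__(self, secret, client_ips, users):
        self.secret, self.client_ips, self.users, self.pending = secret, client_ips, users, {}

    def handle(self, packet):
        attrs = dict(decode_attrs(packet[20:]))
        nas = attrs.get(NAS_IP_ADDRESS, b"")  # in-process stand-in; a real server keys on the UDP source
        if packet[0] != ACCESS_REQUEST or len(nas) != 4 or socket.inet_ntoa(nas) not in self.client_ips:
            return None  # unregistered client: dropped without a reply, the ASA only sees a timeout
        user, rec = attrs.get(USER_NAME), self.users.get(attrs.get(USER_NAME))
        pw = pap_transform(self.secret, packet[4:20], attrs.get(USER_PASSWORD, b""), decrypt=True).rstrip(b"\x00")
        if STATE not in attrs:
            if rec and hmac.compare_digest(pw, rec["static"]):
                state = os.urandom(8)
                self.pending[state] = user  # the on-demand password would be sent to the user here
                return build_response(self.secret, ACCESS_CHALLENGE, packet,
                                      [(STATE, state), (REPLY_MESSAGE, b"Enter on-demand password")])
        elif rec and self.pending.pop(attrs[STATE], None) == user and hmac.compare_digest(pw, rec["otp"]):
            return build_response(self.secret, ACCESS_ACCEPT, packet, [])
        return build_response(self.secret, ACCESS_REJECT, packet, [])

def two_step_logon(server, secret, nas_ip, username, static_pw, otp):
    """Client side of the exchange the ASA drives; returns the final RADIUS code."""
    req, auth = build_access_request(secret, 1, username, static_pw, nas_ip)
    code, attrs = parse_response(secret, auth, server.handle(req))
    if code != ACCESS_CHALLENGE:
        return code
    req, auth = build_access_request(secret, 2, username, otp, nas_ip, state=dict(attrs)[STATE])
    return parse_response(secret, auth, server.handle(req))[0]

def radius_pap_check(host, secret, nas_ip, username, password, port=1812, timeout=5.0):
    """Same first request over UDP to a real server; None on timeout, else the response code."""
    req, auth = build_access_request(secret, 1, username, password, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (host, port))
        try:
            return parse_response(secret, auth, sock.recvfrom(4096)[0])[0]
        except socket.timeout:
            return None
```

To check the client registration and shared secret from a workstation, call radius_pap_check with the DualShield Radius Server address and the secret entered for the ASA. A real server matches the UDP source address, not the NAS-IP-Address attribute, so the workstation’s own address must be registered as a RADIUS client for the test. A None result means the request was dropped, usually an unregistered client address; a ValueError from parse_response means a reply arrived but the secret does not match; ACCESS_CHALLENGE means the first step passed and the server is waiting for the on-demand password. PAP hiding is MD5 obfuscation keyed by the shared secret, not encryption in the modern sense, so keep the ASA to DualShield path on the inside interface as this guide does, and use a long random secret.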

Configure Cisco ASA

1. In ASDM, go to Remote Access VPN -> Clientless SSL VPN Access -> Connection Profiles
2. Edit your SSL VPN profile and change its primary authentication to DualShield
3. Remove the secondary authentication by changing its server group to “none”
4. Click Apply to save the changes.

Test Logon

Navigate to the SSL VPN logon page:

Enter your username and your AD password.

Your DualShield server will send an on-demand password via the delivery channel

defined in your T-Pass policy, e.g. SMS text message or email message.

The user will then be prompted to enter a T-Pass one-time password:


AnyConnect SSL VPN

The process of enabling two-factor authentication on AnyConnect SSL VPN with DualShield is almost identical to the process for Clientless SSL VPN; the difference is that the connection profile is edited under Remote Access VPN -> Network (Client) Access -> AnyConnect Connection Profiles in ASDM.

One-Time Password

Logon Procedure

One logon step, with “One-Time Password” as the authentication method, as for Clientless SSL VPN.

ASA Configuration

Primary Authentication Server: AD

Secondary Authentication Server: DualShield (with “Use primary username” enabled)


Test Logon

AnyConnect Desktop Client: the client prompts for the user’s login name, AD password and one-time password.

AnyConnect Mobile Client: as above.


On-Demand Password

Logon Procedure

Two logon steps: “Static Password” (the AD password), which also triggers delivery of the on-demand password, followed by the on-demand password (T-Pass), as for Clientless SSL VPN.

ASA Configuration

Primary Authentication Server: DualShield

Secondary Authentication Server: None

Test Logon


Enter the user's login name and static password (AD password), and click “OK”.

DualShield will verify the user’s password.

If the second authenticator is an on-demand password, your DualShield authentication

server will automatically send out a one-time password to the user via SMS or email

message.

Cisco AnyConnect client will prompt the user to enter the one-time password:


IPSec Remote VPN

The process of enabling two-factor authentication on IPSEC VPN with DualShield is

almost identical to the process of enabling SSL VPN, apart from the Remote VPN access

supports only one authentication server. In order to support two-factor authentication,

i.e. user’s static password (AD password) and one-time password, the DualShield should

be configured to verify both the user’s static password and one-time password.

ASA Configuration

Edit the IPSec remote access connection profile, set DualShield as the authentication

server.

DualShield Configuration

Create a logon procedure with two logon steps: “Static Password” (the AD password) followed by the second authenticator, either a one-time password from a token or an on-demand password (T-Pass):

Test Logon

Launch the Cisco IPSec VPN Client, click “Connect”:


Enter the user's login name and static password (AD password), and click “OK”.

DualShield will verify the user’s password.

If the second authenticator is an on-demand password, your DualShield authentication

server will automatically send out a one-time password to the user via SMS or email

message.

Cisco VPN client will prompt the user to enter the one-time password:

Enter a valid one-time password, click “OK”.

Cisco VPN client will now establish connection.