Implementation Guide Citrix Netscaler
Copyright © 2011, Deepnet Security. All Rights Reserved. Page 1
Cisco ASA Implementation Guide
(Version 5.4)
Copyright 2011
Deepnet Security Limited
Trademarks
Deepnet Unified Authentication, MobileID, QuickID, PocketID, SafeID, GridID, FlashID,
SmartID, TypeSense, VoiceSense, MobilePass, DevicePass, RemotePass and Site Stamp
are trademarks of Deepnet Security Limited. All other brand names and product names
are trademarks or registered trademarks of their respective owners.
Copyrights
Under international copyright law, neither the Deepnet Security software nor the
documentation may be copied, reproduced, translated or reduced to any electronic
medium or machine readable form, in whole or in part, without the prior written consent
of Deepnet Security.
Licence Conditions
Please read your licence agreement with Deepnet carefully and make sure you
understand the exact terms of usage, in particular for which projects, on which
platforms and at which sites you are allowed to use the product. You are not allowed to
make any modifications to the product. If you feel the need for any modifications, please
contact Deepnet Security.
Disclaimer
This document is provided “as is” without warranty of any kind, either expressed or
implied, including, but not limited to, the implied warranties of merchantability, fitness
for a particular purpose, or non-infringement.
This document could include technical inaccuracies or typographical errors. Changes are
periodically made to the information herein; these changes will be incorporated in new
editions of the document. Deepnet Security may make improvements of and/or changes
to the product described in this document at any time.
Contact
If you wish to obtain further information on this product or any other Deepnet Security
products, you are always welcome to contact us.
Deepnet Security Limited
Northway House
1379 High Road
London N20 9LP
United Kingdom
Tel: +44(0)20 8343 9663
Fax: +44(0)20 8446 3182
Web: www.deepnetsecurity.com
Email: [email protected]
Table of Contents
Overview  4
Preparation  5
DualShield Configuration  6
  Create a RADIUS logon procedure  6
  Create a RADIUS application  6
  Register the Cisco ASA as a Radius client  7
Cisco ASA Configuration  9
  Register DualShield Radius Server  9
Clientless SSL VPN  11
  One-Time Password  11
    Edit Logon Procedure  11
    Configure Cisco ASA  11
    Test Logon  13
    Customise Logon Form  13
    Test Logon  14
  On-Demand Password  15
    Edit Logon Procedure  15
    Configure Cisco ASA  15
    Test Logon  16
AnyConnect SSL VPN  17
  One-Time Password  17
    Logon Procedure  17
    ASA Configuration  17
    Test Logon  18
  On-Demand Password  19
    Logon Procedure  19
    ASA Configuration  19
    Test Logon  19
IPSec Remote VPN  21
  ASA Configuration  21
  DualShield Configuration  21
  Test Logon  21
Overview
This implementation guide describes how to integrate a Cisco ASA appliance with the
DualShield unified authentication platform in order to add two-factor authentication to
the IPSec VPN and SSL VPN login process.
Cisco ASA supports an external RADIUS server as its authentication server. The DualShield
unified authentication platform includes a fully compliant RADIUS server, the DualShield
Radius Server. DualShield provides a wide selection of portable one-time password
tokens in a variety of form factors, ranging from hardware tokens and software tokens to
mobile tokens and USB tokens. These include:
• Deepnet SafeID
• Deepnet MobileID
• Deepnet GridID
• Deepnet CryptoKey
• RSA SecurID
• VASCO DigiPass Go
• OATH-compliant OTP tokens
In addition to one-time passwords, DualShield also supports on-demand passwords for
RADIUS authentication. The product that provides on-demand passwords in the DualShield
platform is Deepnet T-Pass, a token-less strong authentication product that delivers
logon passwords on demand via SMS text message, phone call, Twitter direct message or
email message.
The complete solution consists of the following components:
• Cisco ASA Appliance
• DualShield Radius Server
• DualShield Authentication Server
Preparation
Prior to configuring Cisco ASA for two-factor authentication, you must have the
DualShield Authentication Server and DualShield Radius Server installed and operating.
For the installation, configuration and administration of DualShield Authentication and
Radius servers please refer to the following documents:
• DualShield Authentication Platform – Installation Guide
• DualShield Authentication Platform – Quick Start Guide
• DualShield Authentication Platform – Administration Guide
• DualShield Radius Server - Installation Guide
You also need a RADIUS application created in the DualShield authentication server; it
will be used for the two-factor authentication of Cisco ASA users. The document below
provides general instructions for RADIUS authentication with the DualShield Radius
Server:
VPN & RADIUS - Implementation Guide
The key steps are:
In DualShield
1. Create a logon procedure for RADIUS authentication
2. Create a RADIUS application for Cisco ASA
3. Register the Cisco ASA as a RADIUS client
In Cisco ASA
1. Register the DualShield RADIUS authentication server
2. Configure remote access profiles
DualShield Configuration
Create a RADIUS logon procedure
1. Log in to the DualShield management console
2. In the main menu, select “Authentication | Logon Procedure”
3. Click the “Create” button on the toolbar
4. Enter a “Name” and select “RADIUS” as the Type
5. Click “Save”
6. Click the context menu icon of the newly created logon procedure and select “Logon Steps”
7. In the popup window, click the “Create” button on the toolbar
8. Select “Static Password” as the authenticator
9. Click “Save”
Create a RADIUS application
1. In the main menu, select “Authentication | Applications”
2. Click the “Create” button on the toolbar
3. Enter a “Name”
4. Select the “Realm”
5. Select the logon procedure that was just created
6. Click “Save”
7. Click the context menu of the newly created application and select “Agent”
8. Select the DualShield Radius server, e.g. “Local Radius Server”
9. Click “Save”
10. Click the context menu of the newly created application and select “Self Test”
Register the Cisco ASA as a Radius client
1. In the main menu, select “RADIUS | Clients”
2. Click the “Register” button on the toolbar
3. Select the application that was created in the previous steps
4. Enter the Cisco ASA’s IP address in the “IP Address” field
5. Enter the Shared Secret; the same value must later be entered as the Server Secret Key in the Cisco ASA
6. Click “Save”
Cisco ASA Configuration
It is assumed that the Cisco ASA is set up and operational: existing domain users can
already authenticate with their Active Directory (AD) password and access applications
through the IPSec VPN and/or SSL VPN using their domain accounts.
Register DualShield Radius Server
1. Launch the Cisco Adaptive Security Device Manager (ASDM), select Configuration in the top toolbar, then select Device Management in the accordion menu at the bottom
2. In the control panel on the left, select Users/AAA and then AAA Server Groups
3. Click the “Add” button on the right:
   Enter a name
   Select the RADIUS protocol
   Set Max Failed Attempts to 1
   Click OK when completed
4. Select the newly created AAA server group, i.e. DualShield
5. Click “Add” in the “Servers in the Selected Group” panel:
   Select the “inside” interface
   Enter the IP address of the DualShield Radius server
   Set Authentication Port to 1812
   Set Accounting Port to 1813
   Enter the Server Secret Key (the shared secret registered for this client in DualShield)
   Unselect Microsoft CHAP2 Capable
   Click OK when completed
With Microsoft CHAP2 Capable cleared, the ASA sends the user’s credentials to the RADIUS server with PAP, so the AD password and one-time password on the wire are protected only by the RADIUS shared secret. Use a long, random secret and keep the path between the ASA’s inside interface and the DualShield Radius server on a trusted network segment.
6. Click the “Apply” button to save the settings
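The same AAA server group expressed in the ASA command line, as an added example rather than text from the original guide. The group name DualShield follows the ASDM steps above; the interface name, the host address 10.0.2.20 and the key are placeholders to be replaced with your own values.

```text
! AAA server group for the DualShield Radius Server (placeholder address and key)
aaa-server DualShield protocol radius
 max-failed-attempts 1
aaa-server DualShield (inside) host 10.0.2.20
 key <shared-secret-registered-in-DualShield>
 authentication-port 1812
 accounting-port 1813
 no mschapv2-capable
```

`no mschapv2-capable` is the CLI counterpart of clearing “Microsoft CHAP2 Capable”; `max-failed-attempts 1` is the group-level setting from step 3.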
Clientless SSL VPN
One-Time Password
If you plan to deploy only one-time password based authentication in your user base,
using OTP tokens such as Deepnet SafeID or MobileID, configure your Cisco ASA so that it
uses your AD as the primary authentication server and DualShield as the secondary
authentication server. AD is then responsible for verifying users’ AD passwords and
DualShield for verifying users’ one-time passwords only.
Edit Logon Procedure
In the DualShield Management Console, edit the logon procedure for your Cisco ASA
application. You need only one logon step, and typically it will have “One-Time
Password” as the authentication method:
Configure Cisco ASA
1. Select Remote Access VPN in the accordion menu at the bottom
2. Select Clientless SSL VPN Access, then Connection Profiles
3. In the Connection Profiles section, select your existing SSL VPN profile and click Edit
   (click Add if you do not yet have an SSL VPN profile)
If this is an existing SSL connection profile, your AD server will already be set as its
authentication server. If this is a new SSL connection profile, set your AD server as its
authentication server as shown above.
4. Expand Advanced and select Secondary Authentication:
   Select “DualShield” in the Server Group
   Enable “Use primary username”
5. Click OK
6. Finally, click Apply to save all settings.
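The connection profile from steps 3 to 6 in ASA command-line form, as an added example rather than text from the original guide. SSLVPN is a placeholder connection-profile name and AD stands for the existing server group that verifies domain passwords; DualShield is the group created in the previous section.

```text
! Clientless SSL VPN profile: AD checks the domain password, DualShield the one-time password
tunnel-group SSLVPN general-attributes
 authentication-server-group AD
 secondary-authentication-server-group DualShield use-primary-username
```

`use-primary-username` is the “Use primary username” checkbox, so the user types one user name and two passwords rather than two separate user names.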
Test Logon
Navigate to the Cisco ASA SSL VPN logon page:
The logon form consists of 3 fields:
User name: User’s domain account login name
Password: AD password
2nd Password: One-time password
Customise Logon Form
You can customise Cisco ASA logon page to make it more user friendly. For instance, you
may want to change “2nd Password” to “Passcode” or “One-Time Password”.
The basis of the customisation is to change relevant messages or HTML and Javascript
files in the Cisco ASA appliance.
In ASDM, go to Remote Access VPN ->Clientless SSL VPN Access -> Portal -> Customization. Click on Add to add a new customization object.
Enter a name for the customization object.
Expand Login Page and select Logon Form
Change “2nd Password” to “Passcode” in the Secondary Password Prompt.
Click “OK”. Click “Assign” and assign the newly created Customization Object to the SSL
VPN connection profile
Test Logon
The SSL VPN logon page will now be presented as:
On-Demand Password
If you plan to deploy only on-demand password based authentication in your user base,
using Deepnet T-Pass, configure your Cisco ASA so that it uses your DualShield Radius
server as the primary authentication server, with no secondary authentication server.
Your DualShield server is then responsible for verifying both the users’ AD passwords
and their on-demand passwords.
Edit Logon Procedure
In the DualShield Management Console, edit the logon procedure for your Cisco ASA
application. You will need to define two logon steps: the first step requires users to enter
their static password (AD password), which will also trigger the DualShield server to
send the user’s on-demand password. The second step will then ask users to enter their
on-demand password.
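At the RADIUS level, a two-step logon procedure like the one above is carried out with the challenge mechanism of RFC 2865: the first Access-Request carries the static password, the server answers with an Access-Challenge holding a State attribute and a Reply-Message prompt, and the second Access-Request echoes the State and carries the on-demand password. The following is an added example, not code from this guide or from DualShield. The server side is a simulated stand-in for a two-step RADIUS server, and the user name, passwords, shared secret and NAS address are constructed test data. It also shows why the Server Secret Key matters: the User-Password attribute is hidden only with the MD5-based scheme of RFC 2865 and replies are authenticated with the same secret.

```python
"""RFC 2865 two-step RADIUS logon: Access-Request -> Access-Challenge -> Access-Request -> Access-Accept.
Added example, not code from the Deepnet guide or DualShield: a minimal RADIUS client plus a simulated
two-step server so the exchange runs offline. Users, passwords, shared secret and NAS address are constructed."""
import hashlib
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE, STATE = 1, 2, 4, 18, 24

def pap_transform(data, secret, authenticator, decrypt=False):
    """RFC 2865 s5.2 User-Password hiding: 16-byte blocks XORed with MD5(secret + previous ciphertext block).
    This is all that protects a PAP password on the wire, hence the need for a long random secret."""
    if not decrypt:
        data = data.ljust(-(-len(data) // 16) * 16 or 16, b"\x00")  # pad to whole blocks, at least one
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (data[i:i + 16] if decrypt else block)
    return out.rstrip(b"\x00") if decrypt else out

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(data):
    code, ident, length = struct.unpack("!BBH", data[:4])
    attrs, pos = [], 20
    while pos < length:
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return code, ident, data[4:20], attrs

def attr(attrs, wanted):
    return next((v for t, v in attrs if t == wanted), None)

def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865 s3: MD5(reply header + Request Authenticator + attributes + secret); the client checks it."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()

def build_response(code, ident, req_auth, attrs, secret):
    return build_packet(code, ident, response_authenticator(code, ident, req_auth, attrs, secret), attrs)

def verify_response(resp, req_auth, secret):
    code, ident, auth, attrs = parse_packet(resp)
    return auth == response_authenticator(code, ident, req_auth, attrs, secret)

def access_request(ident, username, password, secret, state=None):
    """What the ASA sends: a fresh random Request Authenticator, a PAP User-Password and, when answering
    an Access-Challenge, the server's State attribute echoed back unchanged."""
    req_auth = secrets.token_bytes(16)
    attrs = [(USER_NAME, username.encode()), (USER_PASSWORD, pap_transform(password.encode(), secret, req_auth)),
             (NAS_IP_ADDRESS, bytes([192, 0, 2, 1]))]  # constructed NAS address
    if state is not None:
        attrs.append((STATE, state))
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

class SimulatedTwoStepServer:
    """Stand-in for a RADIUS server running a two-step logon procedure (static password, then on-demand
    password). Constructed for this example; not DualShield's implementation."""
    def __init__(self, secret, static_passwords, on_demand_passwords):
        self.secret, self.static, self.otp, self.pending = secret, static_passwords, on_demand_passwords, {}

    def handle(self, packet):
        code, ident, req_auth, attrs = parse_packet(packet)
        user = attr(attrs, USER_NAME).decode()
        pw = pap_transform(attr(attrs, USER_PASSWORD), self.secret, req_auth, decrypt=True).decode(errors="replace")
        state = attr(attrs, STATE)
        if state is None:  # step 1: verify the static password; a real server would now send the OTP
            if pw != self.static.get(user):
                return build_response(ACCESS_REJECT, ident, req_auth, [], self.secret)
            token = secrets.token_bytes(8)
            self.pending[token] = user
            return build_response(ACCESS_CHALLENGE, ident, req_auth,
                                  [(STATE, token), (REPLY_MESSAGE, b"Enter your on-demand password")], self.secret)
        ok = self.pending.pop(state, None) == user and pw == self.otp.get(user)  # step 2: State is single-use
        return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, [], self.secret)

def two_step_logon(server, secret, username, static_password, on_demand_password):
    """Drive the exchange the ASA performs; returns the final RADIUS code (2 accept, 3 reject)."""
    state, code = None, None
    for ident, password in ((1, static_password), (2, on_demand_password)):
        req, req_auth = access_request(ident, username, password, secret, state)
        resp = server.handle(req)
        if not verify_response(resp, req_auth, secret):
            raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
        code, _, _, attrs = parse_packet(resp)
        if code != ACCESS_CHALLENGE:
            break
        state = attr(attrs, STATE)
    return code

if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"
    srv = SimulatedTwoStepServer(SECRET, {"alice": "Winter2011!"}, {"alice": "483920"})
    print(two_step_logon(srv, SECRET, "alice", "Winter2011!", "483920"))  # 2 = Access-Accept
```

A mismatched Server Secret Key shows up in this model exactly as it does on a real ASA: the server cannot recover the password, rejects the request, and the client in turn cannot verify the Response Authenticator, so the failure is reported as a RADIUS error rather than a wrong password.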
Configure Cisco ASA
1. In ASDM, go to Remote Access VPN -> Clientless SSL VPN Access -> Connection Profiles
2. Edit your SSL VPN profile and change its primary authentication to DualShield
3. Remove the secondary authentication by changing its server group to “none”
4. Click Apply to save changes.
Test Logon
Navigate to the SSL VPN logon page:
Enter your username and your AD password.
Your DualShield server will send an on-demand password via the delivery channel
defined in your T-Pass policy, e.g. SMS text message or email message.
The user will then be prompted to enter a T-Pass one-time password:
AnyConnect SSL VPN
The process of enabling two-factor authentication on the AnyConnect SSL VPN with
DualShield is almost identical to the process for the Clientless SSL VPN.
One-Time Password
Logon Procedure
ASA Configuration
Primary Authentication Server: AD
Secondary Authentication Server: DualShield
Test Logon
AnyConnect Desktop Client
User’s login name
AD Password
One-time password
AnyConnect Mobile Client
On-Demand Password
Logon Procedure
ASA Configuration
Primary Authentication Server: DualShield
Secondary Authentication Server: None
Test Logon
Enter the user's login name and static password (AD password), and click “OK”.
DualShield will verify the user’s password.
If the second authenticator is an on-demand password, your DualShield authentication
server will automatically send out a one-time password to the user via SMS or email
message.
Cisco AnyConnect client will prompt the user to enter the one-time password:
IPSec Remote VPN
The process of enabling two-factor authentication on the IPSec VPN with DualShield is
almost identical to the process for the SSL VPN, except that IPSec remote access
supports only one authentication server. To support two-factor authentication, i.e. the
user’s static password (AD password) and a one-time password, DualShield must be
configured to verify both the static password and the one-time password.
ASA Configuration
Edit the IPSec remote access connection profile, set DualShield as the authentication
server.
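The single-server layout in ASA command-line form, as an added example rather than text from the original guide. It covers this IPSec profile and, since they use the same layout, the on-demand password case for the Clientless and AnyConnect SSL VPN profiles described earlier. IPSECVPN and SSLVPN are placeholder connection-profile names; DualShield is the AAA server group created in the Cisco ASA Configuration section.

```text
! IPSec remote access profile: DualShield is the only authentication server and
! runs the two-step logon procedure (static password, then one-time password)
tunnel-group IPSECVPN type remote-access
tunnel-group IPSECVPN general-attributes
 authentication-server-group DualShield
!
! SSL VPN profile in the on-demand password case: DualShield primary, no secondary
tunnel-group SSLVPN general-attributes
 authentication-server-group DualShield
 no secondary-authentication-server-group
```

Removing the secondary server group is the CLI equivalent of setting it to “none” in ASDM; the second prompt the user sees now comes from DualShield’s RADIUS challenge, not from a second ASA server group.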
DualShield Configuration
Create a logon procedure with two logon steps:
Test Logon
Launch the Cisco IPSec VPN Client, click “Connect”:
Enter the user's login name and static password (AD password), and click “OK”.
DualShield will verify the user’s password.
If the second authenticator is an on-demand password, your DualShield authentication
server will automatically send out a one-time password to the user via SMS or email
message.
Cisco VPN client will prompt the user to enter the one-time password:
Enter a valid one-time password, click “OK”.
Cisco VPN client will now establish connection.