
Page 1: Implementation Guide for protecting Cisco ASA 5500 …portal.cryptocard.com/.../docs/Cisco-ASA-BSID.pdf · Implementation Guide for protecting Cisco ASA version 8.3 with ASDM v6.3(1)

Copyright © 2010 CRYPTOCard Inc. http://www.cryptocard.com

Implementation Guide for protecting

Cisco ASA 5500 Series


Implementation Guide for protecting Cisco ASA version 8.3 with ASDM v6.3(1) i

Copyright

Copyright © 2010, CRYPTOCard All Rights Reserved. No part of this publication may be

reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any

language in any form or by any means without the written permission of CRYPTOCard.

Trademarks

BlackShield ID and BlackShield ID Pro are either registered trademarks or trademarks of

CRYPTOCard Inc. All other trademarks and registered trademarks are the property of their

owners.

Additional Information, Assistance, or Comments

CRYPTOCard’s technical support specialists can provide assistance when planning and

implementing CRYPTOCard in your network. In addition to aiding in the selection of the

appropriate authentication products, CRYPTOCard can suggest deployment procedures that

provide a smooth, simple transition from existing access control systems and a satisfying

experience for network users. We can also help you leverage your existing network

equipment and systems to maximize your return on investment.

CRYPTOCard works closely with channel partners to offer worldwide Technical Support

services. If you purchased this product through a CRYPTOCard channel partner, please

contact your partner directly for support needs.

To contact CRYPTOCard directly:

International Voice: +1-613-599-2441

North America Toll Free: 1-800-307-7042

[email protected]

For information about obtaining a support contract, see our Support Web page at

http://www.cryptocard.com.

Related Documentation

Refer to the Support & Downloads section of the CRYPTOCard website for additional

documentation and interoperability guides: http://www.cryptocard.com.

Publication History

Date              Changes                                              Version
January 26, 2009  Document created                                     1.0
July 9, 2009      Copyright year updated                               1.1
Sept 15, 2010     Updated for GrIDsure, MP and different auth methods  1.2


Table of Contents

Overview .......... 1
Applicability .......... 1
Preparation and Prerequisites .......... 1
Configuration .......... 2
  Configure Cisco ASA for Two Factor Authentication .......... 2
  Define a RADIUS enabled AAA Server group .......... 2
  Assigning a RADIUS AAA Server to the AAA Server group .......... 3
  Assigning CRYPTOCard Authentication to a Clientless SSL VPN Connection Profile .......... 4
  Assigning CRYPTOCard Authentication to an IPSec VPN Connection Profile .......... 5
  Assigning CRYPTOCard Authentication to an AnyConnect Connection Profile .......... 6
Clientless SSL VPN and GrIDsure authentication .......... 7
Clientless SSL VPN and MP Token detection .......... 10
  Uploading custom CRYPTOCard login pages .......... 10
  Creating an SSL VPN Portal Page Customization Object .......... 11
  Verifying the Connection and Group profile .......... 11
Cisco AnyConnect Client and Software Token Detection .......... 12
Troubleshooting .......... 18
  RADIUS Authentication issues .......... 18
  GrIDsure Authentication issues .......... 19
Further Information .......... 19


Overview

By default, Cisco ASA user authentication requires that a user provide a correct user name and password to log on. This document describes the steps necessary to augment this logon mechanism with strong authentication by adding a requirement to provide a one-time password generated by a CRYPTOCard token.

Applicability

This integration guide is applicable to:

Security Partner Information
  Security Partner:  Cisco
  Product Name:      Cisco ASA 5500 series
  ASA Version:       8.3
  ASDM Version:      6.3(1)

CRYPTOCard Server
  Authentication Server:  BlackShield ID Server 2.4 or higher
                          BlackShield ID Server 2.7 or higher (GrIDsure support)
  RADIUS Server:          Microsoft Internet Authentication Service (IAS)
                          Microsoft Network Policy Server (NPS)
                          Juniper Steel Belted RADIUS server

Preparation and Prerequisites

• Ensure end users can authenticate through the Cisco ASA with a static password before configuring the Cisco ASA to use RADIUS authentication.
• BlackShield ID Pro server installed and a user account assigned with a CRYPTOCard token.
• BlackShield Agent for Internet Authentication Service (IAS), Network Policy Server (NPS) or Juniper Steel Belted RADIUS is installed.


Configuration

Configure Cisco ASA for Two Factor Authentication

Configuring the Cisco ASA consists of 5 steps:

• Step 1: Define a RADIUS enabled AAA Server group.
• Step 2: Assign a RADIUS AAA Server to the AAA Server group.
• Step 3: Assign RADIUS Authentication to a Clientless SSL VPN Connection Profile.
• Step 4: Assign RADIUS Authentication to an IPSec VPN Connection Profile.
• Step 5: Assign RADIUS Authentication to an AnyConnect VPN Connection Profile.

Define a RADIUS enabled AAA Server group

1. In the Cisco ASDM client select Configuration.
2. Select Remote Access VPN.
3. Under Remote Access VPN expand AAA/Local Users then select AAA Server Group.
4. Select Add in the AAA Server Group section. Enter the Server Group name (ex. CRYPTOCard) and RADIUS as the Protocol.


Assigning a RADIUS AAA Server to the AAA Server group

1. Under Remote Access VPN expand AAA/Local Users, AAA Server Group then on the right highlight the CRYPTOCard Group.
2. In the "Servers in the Selected Group" section select Add.
3. Enter the following information:
   • Choose the interface. The ASA sends its RADIUS requests from this interface's address, so this is the address the RADIUS server must have in its RADIUS client entry for the ASA.
   • IP address of the supported RADIUS server.
   • RADIUS authentication port (1812).
   • RADIUS accounting port (1813).
   • Server Secret Key (Shared Secret). This must be identical to the shared secret configured for the ASA's RADIUS client entry on the IAS, NPS or Steel Belted RADIUS server.
4. After adding the AAA Server to the AAA Server group, it appears in the AAA Servers in the selected group section.
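The following is an added example, not CRYPTOCard or Cisco code, showing the RADIUS exchange that this AAA server definition sets up: the ASA hides the user's one-time password under the shared secret inside an Access-Request to UDP/1812, and the server's Access-Accept or Access-Reject carries a Response Authenticator that the ASA can only verify with the same secret. The in-process "server", the ASA address 10.0.0.1, the user bob and the OTP 123456 are constructed for the example. It also walks through the two failure cases listed later under Troubleshooting: an ASA address with no RADIUS client entry (the packet is silently dropped and the ASA times out) and a mismatched shared secret (the server unhides a garbage password and rejects, while the ASA cannot validate the reply it gets back).

```python
"""RFC 2865 PAP Access-Request / response exchange between a RADIUS client (the ASA)
and a RADIUS server, using only the standard library.  Added example; the server
below is a constructed stand-in for the BlackShield-backed IAS/NPS/SBR server."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # attribute types (RFC 2865)


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block); block 1 uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # drop the padding (token codes never contain NUL)


def build_access_request(ident: int, user: str, otp: str, secret: bytes, nas_ip: str):
    """What the ASA (the NAS) sends to UDP/1812.  Returns the packet and the random
    Request Authenticator, which the client keeps to verify the reply."""
    request_auth = os.urandom(16)
    attrs = b""
    for atype, value in ((USER_NAME, user.encode()),
                         (USER_PASSWORD, hide_password(otp.encode(), secret, request_auth)),
                         (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def parse_packet(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        attrs[atype] = pkt[pos + 2:pos + alen]
        pos += alen
    return code, ident, pkt[4:20], attrs


def server_respond(request: bytes, secret: bytes, clients: set, otps: dict):
    """Constructed RADIUS server.  Returns None when the packet is dropped because the
    source has no RADIUS client entry, otherwise an Access-Accept/Reject packet."""
    _, ident, request_auth, attrs = parse_packet(request)
    nas_ip = ".".join(str(b) for b in attrs[NAS_IP_ADDRESS])
    if nas_ip not in clients:       # IAS/NPS: "Packet DROPPED ... invalid RADIUS client"
        return None
    user = attrs[USER_NAME].decode(errors="replace")
    otp = unhide_password(attrs[USER_PASSWORD], secret, request_auth)
    code = ACCESS_ACCEPT if otps.get(user) == otp else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)              # no reply attributes
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + secret).digest()


def client_check_response(response: bytes, request_auth: bytes, secret: bytes):
    """Client-side check of the Response Authenticator.  Returns the reply code, or
    None when the reply was not produced with the client's shared secret."""
    code, _, response_auth, _ = parse_packet(response)
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return code if hmac.compare_digest(expected, response_auth) else None


def exchange(asa_secret: bytes, server_secret: bytes, nas_ip: str = "10.0.0.1"):
    """One authentication; returns (what the server decided, what the ASA concludes)."""
    known_clients = {"10.0.0.1"}            # constructed: RADIUS client entry for the ASA
    valid_otps = {"bob": b"123456"}         # constructed: bob's current token code
    req, request_auth = build_access_request(7, "bob", "123456", asa_secret, nas_ip)
    resp = server_respond(req, server_secret, known_clients, valid_otps)
    if resp is None:
        return "dropped", "timeout"
    names = {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject", None: "invalid-authenticator"}
    server_view = names[parse_packet(resp)[0]]
    client_view = names[client_check_response(resp, request_auth, asa_secret)]
    return server_view, client_view


if __name__ == "__main__":
    print(exchange(b"s3cret", b"s3cret"))               # ('accept', 'accept')
    print(exchange(b"s3cret", b"wrong-secret"))         # ('reject', 'invalid-authenticator')
    print(exchange(b"s3cret", b"s3cret", "10.0.0.2"))   # ('dropped', 'timeout')
```

Run it directly to print the three outcomes. The point for this step is that the shared secret is used twice, once to hide the OTP on the way in and once to authenticate the reply on the way out, so a mismatch never produces a clean error on the ASA side, only a reject on the server and an unverifiable reply on the client. Accounting on UDP/1813 is not shown.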


Assigning CRYPTOCard Authentication to a Clientless SSL VPN Connection Profile

The Clientless SSL VPN Connection Profiles include the type of authentication method used during the negotiation of a VPN connection. To allow CRYPTOCard authentication, a profile that authenticates against the RADIUS AAA server group must be created.

1. In the Cisco ASDM client select Configuration, Remote Access VPN.
2. Expand Clientless SSL VPN Access and highlight Connection Profiles.
3. In Connection Profiles select Add.
4. Enter a name for the profile.
5. Under Authentication select AAA.
6. In the AAA Server Group dropdown select CRYPTOCard.
7. Complete the additional entries with the settings required by your organization.
8. Verify the CRYPTOCard profile is enabled. If required, disable the other Connection Profiles: any profile left enabled that still authenticates with a static password alone remains a way to log in without a token.


Assigning CRYPTOCard Authentication to an IPSec VPN Connection Profile

The IPSec VPN Connection Profiles include the type of authentication method used during the negotiation of a VPN connection. To allow CRYPTOCard authentication, a profile that authenticates against the RADIUS AAA server group must be created.

1. In the Cisco ASDM client select Configuration, Remote Access VPN.
2. Expand Network (Client) Access and highlight IPsec Connection Profiles.
3. In Connection Profiles select Add.
4. Enter a name for the profile.
5. Under Authentication select AAA.
6. In the AAA Server Group dropdown select CRYPTOCard.
7. Complete the additional entries with the settings required by your organization.
8. Verify the CRYPTOCard profile is enabled. If required, disable the other Connection Profiles.


Assigning CRYPTOCard Authentication to an AnyConnect Connection Profile

The AnyConnect Connection Profiles include the type of authentication method used during the negotiation of a VPN connection. To allow CRYPTOCard authentication, a profile that authenticates against the RADIUS AAA server group must be created.

1. In the Cisco ASDM client select Configuration, Remote Access VPN.
2. Expand Network (Client) Access and highlight AnyConnect Connection Profiles.
3. In Connection Profiles select Add.
4. Enter a name for the profile.
5. Under Authentication select AAA.
6. In the AAA Server Group dropdown select CRYPTOCard.
7. Complete the additional entries with the settings required by your organization.
8. Verify the CRYPTOCard profile is enabled. If required, disable the other Connection Profiles.


Clientless SSL VPN and GrIDsure authentication

The Cisco SSL VPN login page can be configured to authenticate hardware token and GrIDsure token users.

1. The user enters the Cisco SSL VPN URL into their web browser.
2. The Cisco SSL VPN login page displays a Username and an OTP field as well as a Login and a Get GrID button.
3. The user enters their username into the Username field then selects Get GrID. The request is submitted from the user's web browser to the BlackShield Self Service site.
4. The BlackShield Self Service site returns the user's GrIDsure grid, which is displayed within the Cisco SSL VPN login page.
5. The user enters their GrIDsure password into the OTP field then submits the request.
6. The Cisco ASA device performs a RADIUS authentication request against the BlackShield server. If the CRYPTOCard credentials entered are valid, the user is presented with their Cisco ASA portal; otherwise the attempt is rejected.


The following steps will enable a hardware and GrIDsure aware logon page.

1. In the BlackShield distribution package browse to the html, agents, Cisco, GrIDsure directory.
2. Copy the ciscogridsure.js file to a temporary folder then open the file with a text editor.
3. Modify the gridMakerURL value to reflect the location of the BlackShield Self Service site.

Example

var gridMakerURL = "https://mycompany.com/blackshieldss/index.aspx?getChallengeImage=true&userName=";

Note: The grid is fetched by the user's browser, not by the ASA. If gridMakerURL references https, the BlackShield Self Service IIS server must have a certificate installed that the user's browser trusts. Since the ASA logon page itself is served over HTTPS, gridMakerURL should use https as well; browsers warn about or block content loaded over plain http into an HTTPS page.

4. In the Cisco ASDM client select Configuration, Remote Access VPN.
5. Expand Clientless SSL VPN Access, Portal and highlight Customization.
6. In Customization objects select Add.
7. In General, Customization Object Name enter CCGrid as the title. Select the Connection Profile and Group Policy for which the customization will be applied.
8. Expand Logon page and select Logon Form. In the Password Prompt section replace Password with OTP.


9. Expand Logon page and select Informational Panel. Place a checkmark in Display informational panel. In Panel Position select Right. Copy the contents of ciscogridsure.js into the Text box. Leave the Logo Image blank. Set the Image Position to Below Text.
10. In Clientless SSL VPN Access, Connection Profiles highlight the GrIDsure enabled profile and select Edit.
11. Expand Advanced then select Clientless SSL VPN. Verify Portal Page Customization references the newly created GrIDsure enabled portal.
12. In Clientless SSL VPN Access, Group Policies highlight the GrIDsure enabled group policy and select Edit.
13. Expand More Options then select Customization. Verify Portal Customization references the newly created GrIDsure enabled portal.


Clientless SSL VPN and MP Token detection

The default Cisco ASA login page is unable to detect the presence of BlackShield software (MP) tokens. The following section allows a Cisco administrator to enable software token detection for a Cisco Clientless SSL VPN site.

The Cisco ASA login page can be configured to display primary authentication credential fields (i.e. one username and password field) or primary and secondary authentication credential fields (i.e. two sets of username and password fields).

• If the Clientless SSL VPN site is configured to use primary authentication credentials only (i.e. CRYPTOCard only), the CCMPPri.inc and CRYPTOCardScript.js files must be added to Web Contents then referenced in the customization object.
• If the Clientless SSL VPN site is configured to use primary and secondary authentication credentials (i.e. Microsoft and CRYPTOCard credentials), the CCMPPriSec.inc and CRYPTOCardScript.js files must be added to Web Contents then referenced in the customization object.

Note: All three files (CCMPPri.inc, CCMPPriSec.inc and CRYPTOCardScript.js) may be added to Web Contents, but only one .inc file can be assigned to a WebVPN site.

Perform the following steps to enable software token detection.

Uploading custom CRYPTOCard login pages

All files referenced in this section can be found in the BlackShield distribution package under html, agents, Cisco, MP Clientless SSL VPN.

1. In ASDM, select Configuration, Remote Access VPN.
2. Expand Clientless SSL VPN Access then Portal.
3. Highlight Web Contents then select Import.
4. In Destination select No, so that the content does not require authentication and is available to the logon page; it is then served from the unauthenticated /+CSCOU+/ path.
5. In the Source - Local Computer select Browse Local Files.
6. Select CRYPTOCardScript.js then click Import Now.
7. In Web Contents select Import.
8. In Destination select No, as in step 4.
9. In the Source - Local Computer select Browse Local Files.
10. Select CCMPPri.inc or CCMPPriSec.inc then click Import Now.


Creating an SSL VPN Portal Page Customization Object

1. In ASDM, select Configuration, Remote Access VPN.
2. Expand Clientless SSL VPN Access then Portal.
3. Highlight Customization then select Add.
4. In Customization Object Name enter CRYPTOCard MP Detection, select OK then apply the settings.
5. Select the Connection Profile and Group Policy for which the customization will be applied.
6. Highlight Logon Page then select Replace pre-defined logon page with a custom page (full customization). In the Custom Page dropdown select /+CSCOU+/CCMPPri.inc or /+CSCOU+/CCMPPriSec.inc.

Verifying the Connection and Group profile

1. In Clientless SSL VPN Access, Connection Profiles highlight the MP detection enabled profile and select Edit.
2. Expand Advanced then select Clientless SSL VPN. Verify Portal Page Customization references the newly created MP detection enabled portal.
3. In Clientless SSL VPN Access, Group Policies highlight the MP detection enabled group policy and select Edit.
4. Expand More Options then select Customization. Verify Portal Customization references the newly created MP detection enabled portal.

Open your web browser and proceed to the Clientless SSL VPN site. If this is the first time accessing the page you will be prompted to install the CRYPTOCard ActiveX Web API. Because detection relies on an ActiveX control, it requires Internet Explorer with installation of the control permitted for the site; where the control cannot load, no software token is detected and the hardware login mode appears.

If a software token exists, the page will detect and display all software tokens; otherwise the hardware login mode will appear.

When primary authentication credential mode is enabled with software tokens, the login fields appear in the following order: Token name, PIN.

When primary and secondary authentication credential mode is enabled with software tokens, the login fields appear in the following order: Token name, PIN, Password (Microsoft).


Cisco ASA AnyConnect Client

The Cisco AnyConnect SSL VPN client is very different from the IPSec VPN client. The Cisco ASA device can dynamically display login field names and login fields based on the settings defined in each Group Profile.

The Cisco ASA device may also restrict users from selecting the Group Profile, and it can place additional customizable options within the Preferences button.

Here are a couple of examples of how the Cisco AnyConnect login dialog appears depending on the group selected (screenshots in the original):

• Username and Password (MS Password) fields
• Username, Password (MS Password) and Second Password (OTP) fields


CRYPTOCard Cisco AnyConnect Client

Organizations may wish to integrate software based two factor authentication tokens with the Cisco AnyConnect client to simplify the login process for users, eliminating the need to copy and paste a one-time password from one application to another.

The BlackShield ID Cisco AnyConnect agent provides this integration of software based two factor authentication tokens with Cisco AnyConnect.

The BlackShield ID Cisco AnyConnect agent works with Cisco AnyConnect client 2.4.1012 or 2.5.0217.

Here are a couple of examples of how the BlackShield ID Cisco AnyConnect agent looks depending on which group is selected and in which field the agent has been configured to display the software token detection (screenshots in the original):

• MP Token detection on the Primary Password field
• MP Token detection on the Secondary Password field
• MP Token detection in both the Primary and Secondary Password fields


Cisco AnyConnect Client and MP Token Detection

!!IMPORTANT!!: The Cisco AnyConnect client must already be installed prior to the installation of the CRYPTOCard Cisco AnyConnect package.

CRYPTOCard provides a Cisco AnyConnect client capable of detecting the presence of BlackShield software tokens. The following steps must be performed:

1. Install the BlackShield ID Software Tools.
   NOTE: If you are on a 64-bit operating system, install the "BlackShield ID Software Tools for AnyConnect". The installer can be found in the html, agents, x64 directory within the BlackShield download package.
2. Install the MP Token into the BlackShield ID Software Tools.
3. Install the BlackShield ID Cisco AnyConnect package.
4. After installing the BlackShield ID Cisco AnyConnect package, click Start, All Programs, CRYPTOCard, BlackShield ID Cisco AnyConnect, Version 2.x (2.4 or 2.5), Cisco AnyConnect VPN Client 2.x (2.4 or 2.5).

Once connected to the Cisco ASA, the login dialog is displayed with the default configuration of the BlackShield ID Cisco AnyConnect agent (screenshot in the original).

If the default configuration is incorrect and the MP token is being detected in the wrong fields, go to the section below to change the MP token detection.


BlackShield Cisco AnyConnect Agent registry key

The registry entry specifies where the MP token dropdown will appear and which password field(s) will be used when the one-time password is submitted to the server.

On Windows XP/Vista/7 (32-bit), the registry key is located at:

• HKEY_LOCAL_MACHINE\SOFTWARE\CRYPTOCard\CiscoAnyClientPlugin

On Windows XP/Vista/7 (64-bit), the key is under the Wow6432Node branch used for 32-bit applications:

• HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\CRYPTOCard\CiscoAnyClientPlugin

The registry value is called "SoftTokenInclusion", and its default is:

• ALL+ALL+1;

Each entry has the form:

• "Connect To"+"Group Profile"+"Field position to display the MP dropdown and submit the one-time password";


So an example would be:

• ASA.cryptocard.com+CRYPTOCard Henry+1;

Explanation of the example above:

• It applies when connecting to ASA.cryptocard.com.
• MP token detection will only show up when using the "CRYPTOCard Henry" Group Profile.
• It will display the MP token detection in the first field.

Here are examples of changing the MP token detection to a different field:

ALL+ALL+1
Display MPs in the first username field and submit the one-time password to the first password field. This is the default setting after installing the BlackShield ID Cisco AnyConnect agent and the BlackShield ID Software Tools. This option is used if the authentication goes directly against the BlackShield ID Professional server.


ALL+ALL+2
Display MPs in the second username field and submit the one-time password to the second password field. This option is used if dual authentication is required (e.g. Microsoft password [top], then CRYPTOCard [bottom]).

ALL+ALL+3
Display MPs in the first and second username fields and submit the one-time password to the first and second password fields. This setting is used if there needs to be authentication against two BlackShield ID Pro servers. This would be an odd case and the setting is rarely used.

Multiple entries can be appended to the "SoftTokenInclusion" registry value, separated by semicolons. Example:

• "ALL+Corporate+1;ALL+CRYPTOCard Henry+2;ALL+CRYPTOCard+3;"
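The following is an added example, not CRYPTOCard code: a parser for the SoftTokenInclusion value format above, with the matching logic an administrator can use to predict which field pair the MP dropdown lands in for a given ASA host and Group Profile before editing the registry. The ALL wildcard and the meaning of positions 1, 2 and 3 follow the guide; that entries are tried in order with the first match winning, that host names match case-insensitively, and that the value is stored as REG_SZ are assumptions made for the example.

```python
"""Parser and matcher for the SoftTokenInclusion registry value
("ConnectTo+GroupProfile+Position;...").  Added example, not the agent's own code."""
from dataclasses import dataclass

# Position -> which username/password field pair(s) the MP dropdown and OTP use.
FIELD_SETS = {1: ("primary",), 2: ("secondary",), 3: ("primary", "secondary")}

REG_PATHS = (r"SOFTWARE\CRYPTOCard\CiscoAnyClientPlugin",              # 32-bit Windows
             r"SOFTWARE\Wow6432Node\CRYPTOCard\CiscoAnyClientPlugin")  # 64-bit Windows


@dataclass(frozen=True)
class Rule:
    host: str      # "Connect To": the ASA host name, or ALL
    group: str     # Group Profile name, or ALL
    position: int  # 1, 2 or 3


def parse_soft_token_inclusion(value: str) -> list:
    """Split 'host+group+position;host+group+position;' into Rules.
    Rejects entries without exactly three '+'-separated fields or with a position
    outside 1..3: the check to run before writing a new value into the registry."""
    rules = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue                    # trailing ';' as in the default "ALL+ALL+1;"
        parts = [p.strip() for p in entry.split("+")]
        if len(parts) != 3:
            raise ValueError(f"malformed entry {entry!r}: expected ConnectTo+Group+Position")
        host, group, position = parts
        if position not in ("1", "2", "3"):
            raise ValueError(f"entry {entry!r}: position must be 1, 2 or 3")
        rules.append(Rule(host, group, int(position)))
    return rules


def fields_for(rules, host: str, group: str) -> tuple:
    """Fields the MP token detection applies to for this connection; an empty tuple
    means no entry matches and the user types the OTP from a hardware token.
    Assumption: entries are evaluated in order and the first match wins."""
    for rule in rules:
        host_ok = rule.host == "ALL" or rule.host.lower() == host.lower()
        group_ok = rule.group == "ALL" or rule.group == group
        if host_ok and group_ok:
            return FIELD_SETS[rule.position]
    return ()


def read_registry_value():
    """On Windows, read the live value (assumed REG_SZ); returns None elsewhere or
    when neither key exists."""
    try:
        import winreg
    except ImportError:
        return None
    for path in REG_PATHS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                return winreg.QueryValueEx(key, "SoftTokenInclusion")[0]
        except OSError:
            continue
    return None


if __name__ == "__main__":
    # Constructed input: the multi-entry example from the guide.
    rules = parse_soft_token_inclusion("ALL+Corporate+1;ALL+CRYPTOCard Henry+2;ALL+CRYPTOCard+3;")
    for grp in ("Corporate", "CRYPTOCard Henry", "CRYPTOCard", "Guest"):
        print(grp, "->", fields_for(rules, "ASA.cryptocard.com", grp))
```

Run it directly to see which field pair each Group Profile from the multi-entry example resolves to; on a Windows workstation with the agent installed, read_registry_value() returns the value actually in force so it can be parsed and checked the same way.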


Troubleshooting

RADIUS Authentication issues

When troubleshooting RADIUS authentication issues, refer to the logs on the Cisco ASA device.

All logging information for Internet Authentication Service (IAS) or Network Policy Server (NPS) can be found in the Event Viewer.

All logging information for the BlackShield IAS\NPS agent can be found in the \Program Files\CRYPTOCard\BlackShield ID\IAS Agent\log directory.

The following is an explanation of the logging messages that may appear in the Event Viewer for the Internet Authentication Service (IAS) or Network Policy Server (NPS) RADIUS server.

Error Message: Packet DROPPED: A RADIUS message was received from an invalid RADIUS client.
Solution:
• Verify a RADIUS client entry exists on the RADIUS server for the address the ASA sends from (the interface chosen in the AAA server definition).

Error Message: Authentication Rejected: Unspecified
Solution: This will occur when one or more of the following conditions occur:
• The username does not correspond to a user on the BlackShield Server.
• The CRYPTOCard password does not match any tokens for that user.
• The shared secret entered on the Cisco ASA does not match the shared secret of the ASA's RADIUS client entry on the RADIUS server.

Error Message: Authentication Rejected: The request was rejected by a third-party extension DLL file.
Solution: This will occur when one or more of the following conditions occur:
• The BlackShield Agent for IAS\NPS cannot contact the BlackShield Server.
• The Pre-Authentication Rules on the BlackShield server do not allow incoming requests from the BlackShield Agent for IAS\NPS.
• The BlackShield Agent for IAS\NPS Keyfile does not match the Keyfile stored on the BlackShield Server.


• The username does not correspond to a user on the BlackShield Server.
• The CRYPTOCard password does not match any tokens for that user.

GrIDsure Authentication issues

Issue: The GrIDsure enabled Clientless SSL VPN logon page does not appear.
Solution:
• Verify the Clientless SSL VPN Connection Profile and Group Policy reference the customized GrIDsure enabled portal page.
• Verify the Informational Panel settings are configured exactly as described in Step 9 of the Clientless SSL VPN and GrIDsure authentication section.

Issue: The Get GrID button does not display the GrIDsure grid.
Solution:
• A username must be supplied before a GrIDsure grid can be generated.
• The user must have been assigned a GrIDsure token and have completed self-enrolment.
• In a web browser enter the gridMakerURL and append the username after the equals sign.

Example

https://company.com/blackshieldss/index.aspx?getChallengeImage=true&userName=bob

A webpage should appear with a GrIDsure grid for the user (ex. bob).

• Verify the client browser can access the URL of the BlackShield Self Service web site.
• Verify the GrIDsure token is not in a suspended or locked state.

Further Information

For further information, please visit http://www.cryptocard.com