DIGIPASS Authentication for Cisco ASA 5505 INTEGRATION GUIDE

1 DIGIPASS Authentication for Cisco ASA 5505

DIGIPASS Authentication for Cisco ASA5505

Disclaimer

Disclaimer of Warranties and Limitation of Liabilities

All information contained in this document is provided 'as is'; VASCO Data Security assumes no responsibility for its accuracy and/or completeness.

In no event will VASCO Data Security be liable for damages arising directly or indirectly from any use of the information contained in this document.

Copyright

Copyright © 2012 VASCO Data Security, Inc, VASCO Data Security International GmbH. All rights reserved. VASCO®, Vacman®, IDENTIKEY Authentication Server®, aXsGUARD™, DIGIPASS® and ® logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. VASCO Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Products, updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, database rights and all other intellectual and industrial property rights in the U.S. and other countries. Microsoft and Windows are trademarks or registered trademarks of Microsoft Corporation. Other names may be trademarks of their respective owners.

Table of Contents

Reference guide .... 4
1 Overview .... 5
2 Technical Concepts .... 6
  2.1 Cisco .... 6
    2.1.1 ASA 5505 .... 6
    2.1.2 Adaptive Security Device Manager .... 6
    2.1.3 Internet Protocol Security .... 6
    2.1.4 Secure Socket Layer .... 6
  2.2 VASCO .... 6
    2.2.1 IDENTIKEY Authentication Server .... 6
3 Cisco ASA 5505 setup .... 7
  3.1 Architecture .... 7
  3.2 Prerequisites .... 7
  3.3 Cisco ASA5505 .... 8
    3.3.1 Active Directory Back-end implementation .... 8
    3.3.2 IPsec tunnel configuration .... 11
    3.3.3 SSL VPN configuration .... 13
  3.4 Test the setup .... 15
    3.4.1 Testing IPsec VPN connection .... 15
      3.4.1.1 Microsoft Windows 7 .... 15
    3.4.2 Testing SSL VPN connection .... 16
4 Solution .... 18
  4.1 Architecture .... 18
  4.2 Cisco ASA 5505 .... 18
    4.2.1 Creating IDENTIKEY server back-end .... 18
    4.2.2 Attaching the new back-end to the IPsec VPN .... 20
    4.2.3 Attaching the new back-end to the SSL VPN .... 21
  4.3 IDENTIKEY Authentication Server .... 21
    4.3.1 Policies .... 21
    4.3.2 Client .... 22
    4.3.3 User .... 23
    4.3.4 DIGIPASS .... 23
  4.4 Test the Solution .... 26
    4.4.1 Testing IPsec VPN .... 26
    4.4.2 Testing SSL VPN .... 26
5 Challenge/Response .... 28
  5.1 Architecture .... 28
  5.2 Cisco ASA 5505 .... 29
  5.3 IDENTIKEY Authentication Server .... 29
    5.3.1 Policy .... 29
    5.3.2 User .... 29
  5.4 Test the Solution .... 31
    5.4.1 Testing IPsec .... 31
    5.4.2 Testing SSL VPN .... 31

Reference guide

ID Title Author Publisher Date ISBN

1 Overview

[Figure: overview of the setup. Labels: VPN connection, Cisco ASA 5505, Internal network, LDAP, RADIUS]

2 Technical Concepts

2.1 Cisco

2.1.1 ASA 5505

The Cisco ASA 5505 is a small all-in-one firewall that provides a wide range of additional services. These services include VPN, intrusion prevention, content security, unified communications and remote access.

2.1.2 Adaptive Security Device Manager

Adaptive Security Device Manager, or ASDM, is a simple GUI-based firewall appliance management tool. It provides an easy way to configure, monitor and troubleshoot Cisco firewall devices.

2.1.3 Internet Protocol Security

Internet Protocol Security, or IPsec, is a protocol suite for securing the Internet Protocol. This suite contains protocols for authentication and encryption of each packet, as well as mutual authentication between agents and the negotiation of cryptographic keys per session. IPsec VPN solutions are end-to-end setups.

2.1.4 Secure Socket Layer

Secure Socket Layer, or SSL, is a security protocol implemented mainly at the application level (any HTTPS request makes use of SSL). It provides a secure way of transporting packets between the application and the server.

2.2 VASCO

2.2.1 IDENTIKEY Authentication Server

IDENTIKEY Authentication Server is an off-the-shelf centralized authentication server that supports the deployment, use and administration of DIGIPASS strong user authentication. It offers complete functionality and management features without the need for significant budgetary or personnel investments.

IDENTIKEY Authentication Server is supported on 32-bit as well as 64-bit systems.

IDENTIKEY Appliance is a standalone authentication appliance that secures remote access to corporate networks and web-based applications.

The use and configuration of an IDENTIKEY Authentication Server and an IDENTIKEY Appliance are similar.

3 Cisco ASA 5505 setup

Before adding two-factor authentication it is important to validate a standard configuration without One Time Password (OTP).

3.1 Architecture

A user creates a VPN connection with the ASA5505. The ASA will send the credentials to the Windows Active Directory back-end to see if the user exists. If so, the VPN connection is successful and the user is allowed onto the internal network.

3.2 Prerequisites

For this setup we are going to make use of Cisco's ASDM. To run the ASDM you need a Java Runtime Environment on your PC.

Make sure that you have enabled web access to your ASA5505 firewall. If you have not enabled this, connect to your device using SSH or the console port and enable it with the following commands:

    enable
    configure terminal
    int vlan 1
    ip address x.x.x.x y.y.y.y
    http server enable

(x.x.x.x y.y.y.y is the IP address and subnet mask of the management VLAN.)

If you now use a browser and navigate to the address you gave to the management VLAN, you will see the homepage that allows you to install the ASDM.

[Figure: architecture of the test setup. Labels: 10.4.0.226, VPN connection, Cisco ASA 5505 (10.4.0.165), Internal network 10.4.0.x, LDAP (10.4.0.10)]

3.3 Cisco ASA5505

3.3.1 Active Directory Back-end implementation

To set up a VPN connection we need to have a database of users to authenticate against. We can use the internal database, but it is more common to use the Active Directory database for these authentications.

Log into the ASA5505 with the ASDM.

Go to the Configuration tab.

At the bottom left, click Remote Access VPN.

Expand AAA/Local Users.

Select AAA Server Groups.

Create a new server group by clicking the Add button.

Server Group: Demo-Backend

Protocol: LDAP

Reactivation Mode: Depletion

Dead Time: 10

Max failed Attempts: 3

In the window below it click Add to add a server.

Interface Name: inside

IP Address: 10.4.0.10

Timeout: 10

Enable LDAP over SSL: unchecked

Server Port: 389

Server Type: Microsoft

Base DN: DC=labs,DC=vasco,DC=com

Scope: All levels beneath the base DN

Naming Attributes: leave blank

Login DN: CN=Administrator,CN=Users,DC=labs,DC=vasco,DC=com

Password: your_password (This password is bound to the user defined in login DN)

LDAP attribute map: -- None --

SASL MD5 authentication: unchecked

SASL Kerberos authentication: unchecked

Group Base DN: empty

Group Search Timeout: 10

Click on OK and the server is added to the group.

Click on Apply.

Click on Test.

Select Authentication

Enter demo as the username.

Set Test12345 as the password.

Replace the credentials by any user and matching password in your Active Directory.

Click OK.

When configured correctly, the test reports success.

3.3.2 IPsec tunnel configuration

At the top: click Wizards.

Click IPsec VPN Wizard…

Select Remote Access.

Set the correct interface (for this test Inside)

Leave the checkbox checked.

Click Next.

Select Microsoft Windows client using L2TP over IPsec

Check PAP

Leave Client will send tunnel group name as username@tunnelgroup unchecked.

We will use PAP as the authentication protocol; this way we can use additional features of the IDENTIKEY Authentication Server.

Click Next.

Select Pre-Shared key and use Test1234 as the pre-shared key.

Click Next.

Select Authenticate using AAA server group and select Demo-Backend.

Click Next.

Click New.

Name: Demo-Pool

Starting IP Address: 10.4.0.81

Ending IP Address: 10.4.0.89

Subnet Mask: 255.255.255.0

Select the pool you just made.

Normally the Tunnel Group Name is the default, DefaultRAGroup. We need this group later when upgrading to use IDENTIKEY Authentication Server.

Click Next.

Leave everything default and click Next.

Leave everything default and click Next.

Uncheck Enable Perfect Forward Secrecy.

Click Next.

Click Finish.

Click Apply.

3.3.3 SSL VPN configuration

At the top: click Wizards.

Click SSL VPN Wizard…

Check Clientless SSL VPN.

Click Next.

Connection Name: SSL-Demo

SSL VPN Interface: Inside

Certificate: -- None --

Remember this information; it is needed to access the SSL portal of the Cisco ASA 5505.

Click Next.

Select your Active Directory back-end (Demo-Backend; for more information see “3.3.1 Active Directory Back-end implementation”).

Click Next.

Select Create new group policy and fill in DemoSSLgrppolicy.

Click Next.

From the drop down list Bookmark List: Google.

Click Next.

Click Finish.

Navigate to Configuration, click on Remote Access VPN, open Clientless SSL VPN Access and click on Connection Profiles.

Select SSL-Demo and click Edit.

Aliases: SSL-Demo.

Click OK.

Check Allow user to select connection profile, identified by its alias, on the login page. Otherwise, DefaultWebVPNGroup will be the connection profile.

Click Apply.

3.4 Test the setup

3.4.1 Testing IPsec VPN connection

3.4.1.1 Microsoft Windows 7

From the network and sharing center, click on Set Up a Connection or Network.

Select Connect to a workplace and click Next.

If you already have VPN networks set up, select No, create a new connection and click Next.

Click on Use my Internet connection (VPN).

Set the IP address to 10.4.0.165

Set the destination name to Demo-ASA

Check Don’t connect now; just set it up so I can connect later

Click Next.

Fill in the Active Directory credentials (for this test: username demo and password Test12345.)

Click Create.

Click Close.

In the taskbar, click on your network icon.

Right mouse click on Demo-ASA and click on Properties.

Go to Security.

Set the type of VPN to Layer 2 tunneling protocol with IPsec

Set the data encryption to Optional encryption

Check PAP.

Uncheck the other authentication protocols.

Since we selected PAP as the authentication protocol on the Cisco ASA 5505, we need to allow our client to connect using PAP as well.

Click on Advanced settings.

Select Use pre-shared key for authentication and type Test1234 in the textbox.

Click OK.

Click OK.

Click on your Network icon.

Click on Demo-ASA and click Connect.

Fill in the credentials, username demo and password Test12345.

Replace the credentials by any user and matching password in your Active Directory.

Click Connect.

You have now connected to the ASA using a Windows Active Directory system for user authentication.

3.4.2 Testing SSL VPN connection

Open a browser and navigate to https://10.4.0.165/.

You will be redirected to a login page.

Fill in your Active Directory username and password (demo / Test12345).

Click Logon.

When successful you will see the portal page.

4 Solution

4.1 Architecture

[Figure: architecture of the solution. Labels: 10.4.0.226, VPN connection, Cisco ASA 5505 (10.4.0.165), Internal network 10.4.0.x, LDAP (10.4.0.10), RADIUS (10.4.0.13)]

4.2 Cisco ASA 5505

Starting from our VPN connection with Windows Active Directory as back-end, we only need to create a new back-end and attach it to the default RADIUS group.

4.2.1 Creating IDENTIKEY server back-end

Log into the ASA5505 using Cisco ASDM.

Navigate to Configuration.

Click on Remote Access VPN.

Open AAA/Local Users and click on AAA Server Groups.

Create a new AAA server group by clicking on Add.

Server Group: Demo-IK

Protocol: RADIUS

Leave all other options on their default values.

Click OK.

Select Demo-IK and add a server by clicking Add in the box below.

Interface: Inside

Server IP Address: 10.4.0.13

Timeout: 10

Authentication Port: 1812

Accounting Port: 1813

Retry Interval: 10 seconds

Server Secret Key: Test1234

ACL Network Convert: Standard

The server secret key needs to be the same as the RADIUS secret key set up on the IDENTIKEY Authentication Server RADIUS client component.

Click OK.

Click Apply.

We can test this connection only if the basic setup was performed on the IDENTIKEY Authentication Server. More detail can be found in “4.3 IDENTIKEY Authentication Server”.

Select the server group Demo-IK and the server 10.4.0.13.

Click Test.

Select Authentication.

Enter the username (demo) and the OTP.

Click OK.

If everything was configured correctly, the test reports success.

4.2.2 Attaching the new back-end to the IPsec VPN

Navigate to Configuration, click on Remote Access VPN and open Network (Client) Access.

Click on IPsec Connection Profiles.

Select the DefaultRAGroup and click on Edit.

Change the Server Group from Demo-Backend to Demo-IK.

Click OK.

4.2.3 Attaching the new back-end to the SSL VPN

Navigate to Configuration, click on Remote Access VPN, open Clientless SSL VPN Access

and click on Connection Profiles.

Select SSL-Demo and click Edit.

Change AAA Server Group from Demo-Backend to Demo-IK.

4.3 IDENTIKEY Authentication Server

There are lots of possibilities when using IDENTIKEY Authentication Server. We can authenticate with:

Local users (defined in IDENTIKEY Authentication Server)

Active Directory (Windows)

In this whitepaper we will use local users to authenticate.

4.3.1 Policies

The policy defines the behaviour of the authentication. It answers the question: I have got a user and a password, what now?

Create a new Policy

Policy ID: Test

Inherits From: Base Policy

Inherits means: the new policy will have the same behaviour as the policy from which it inherits, except where otherwise specified in the new policy.

Example:

  #   Base Policy   New Policy   Behaviour
  1   a                          New policy will do a
  2   b                          New policy will do b
  3   c             f            New policy will do f
  4   d                          New policy will do d
  5   e             g            New policy will do g

The new policy is created, now we are going to edit it.

Click edit

Local Authentication : Digipass/Password

Click Save

4.3.2 Client

In the clients we specify the locations from which IDENTIKEY Authentication Server will accept requests and which protocol they use.

We are going to add a new RADIUS client.

Client Type : select Radius Client from “select from list”

Location : 10.4.0.165

Policy ID : Select the Policy that was created in Policies

Protocol ID: RADIUS

Shared Secret: Test1234

Confirm Shared Secret: reenter the shared secret

Click Save

The shared secret has to be identical to the secret key we set in the Cisco ASA 5505 (see “4.2.1 Creating IDENTIKEY server back-end”).

4.3.3 User

We are going to create a user.

User ID: Demo

4.3.4 DIGIPASS

The purpose of using IDENTIKEY Authentication Server is to be able to log in using One Time Passwords (OTP). To make it possible to use OTPs we need to assign a DIGIPASS to the user. The DIGIPASS is a device that generates the OTPs.

Open the user by clicking on its name

Select Assigned Digipass

Click ASSIGN

Click Next

Grace period: 0 Days

The grace period is the period during which a user can still log in with his static password. The first time the user uses his DIGIPASS, the grace period expires.

Click ASSIGN

Click Finish

4.4 Test the Solution

4.4.1 Testing IPsec VPN

Connect to the Demo-ASA VPN and fill in the username (Demo) and the OTP.

You should be connected to the VPN and see the connection listed in your network connections.

If the connection test from 4.2.1 works but the VPN connection fails with error 691, check in your ASDM whether you applied the changes.

4.4.2 Testing SSL VPN

Navigate to https://10.4.0.165 and logon using your username (Demo) and OTP.

When successful you will see the portal page.

5 Challenge/Response

The easiest way to test challenge/response is to use (Back-Up) Virtual DIGIPASS. Virtual DIGIPASS is a solution where an OTP is sent to your e-mail account or mobile phone after it was triggered in a user authentication. The trigger mechanism is configured in the policy (see 5.3.1).

Virtual DIGIPASS is a DIGIPASS that needs to be ordered like a hardware DIGIPASS.

Back-Up Virtual DIGIPASS is a feature that must be enabled while ordering other DIGIPASS (Hardware, DIGIPASS for Mobile, DIGIPASS for Web or DIGIPASS for Windows).

Availability of Back-Up Virtual DIGIPASS can be checked in the IDENTIKEY web administration: select a DIGIPASS, click on the first application and scroll down.

For test purposes a demo DPX file (named Demo_VDP.DPX) with Virtual DIGIPASS is delivered with every IDENTIKEY Authentication Server.

5.1 Architecture

[Figure: challenge/response flow. 1: User ID + Trigger; 2: Challenge; 3: SMS with OTP, sent through the MDC; 4: OTP received by SMS]

This solution makes use of an SMS gateway (for SMS or text messages) or an SMTP server (for mail). The first step is to configure one of these servers. This is done in the Message Delivery Component (MDC) configuration. For more information see the IDENTIKEY Authentication Server manuals.

Popular SMS-gateways:

http://www.clickatell.com

http://www.cm.nl

http://www.callfactory.com

5.2 Cisco ASA 5505

There are no additional steps on the Cisco ASA 5505.

5.3 IDENTIKEY Authentication Server

5.3.1 Policy

The configuration that allows Virtual DIGIPASS to be used is done in the policy.

Select the policy created in Policies. This should be Test.

Select Test

Go to Virtual Digipass

Click Edit

Delivery Method: SMS

BVDP Mode: Yes – Permitted

Request Method: KeywordOnly

Request Keyword: IwantOTP

Click Save

The request method is the trigger to send the message. The trigger can be:

Static password: as stored inside IDENTIKEY Authentication Server (different for each individual user)

Keyword: a fixed text (the same for all users)

5.3.2 User

IDENTIKEY Authentication Server needs to know where to send the mail or SMS. Therefore this information should be added to the user.

Select a user: Demo

Click User Info

Click Edit

Mobile: +32… (for SMS)

Email Address: [email protected] (for mail)

Click save

5.4 Test the Solution

5.4.1 Testing IPsec

Step 1:

Log in using your username and the keyword (Demo / IwantOTP)

Step 2:

The ASA server will return that the connection was unsuccessful.

Click Close.

Step 3:

Log in using your username and the received OTP (SMS).

Step 4:

When configured correctly, you are now connected to the VPN.

5.4.2 Testing SSL VPN

Step 1:

Log in using your username and the keyword (Demo / IwantOTP)

Step 2:

You will be asked for your OTP.

Step 3:

Use the received OTP (SMS) to log on.

Step 4:

When configured correctly, you will be redirected to the portal site.
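The RADIUS exchange behind sections 3.3.2 (PAP), 4.2.1 and 4.3.2 (shared secret Test1234) and 5.3.1 to 5.4 (keyword IwantOTP, OTP by SMS), modelled as an added Python example that is not Cisco or VASCO code: the ASA side hides the PAP password with the shared secret as RFC 2865 prescribes, and a stand-in for the IDENTIKEY RADIUS component answers the keyword with an Access-Challenge (after "sending" the SMS) and the OTP with Access-Accept. The OTP value 482913 and the toy DIGIPASS table are constructed; the example also shows that a mismatched shared secret surfaces as Access-Reject, not as an error.

```python
"""Model of the RADIUS exchange between the Cisco ASA and the IDENTIKEY RADIUS
component (added example, not Cisco or VASCO code). Shared secret Test1234,
RADIUS client 10.4.0.165 and keyword IwantOTP come from the guide; the OTP
value and the toy DIGIPASS table are constructed for this example."""
import hashlib
import os

SHARED_SECRET = b"Test1234"   # must match on the ASA (4.2.1) and the IDENTIKEY client (4.3.2)
REQUEST_KEYWORD = "IwantOTP"  # Request Keyword of the Virtual DIGIPASS policy (5.3.1)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad to 16-byte blocks, XOR each
    block with MD5(secret + previous block), seeded with the Request Authenticator."""
    size = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password. A wrong secret yields garbage, not an error, so
    a secret mismatch between ASA and IDENTIKEY shows up as Access-Reject."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_request(user: str, password: str, secret: bytes = SHARED_SECRET) -> dict:
    """The Access-Request the ASA sends for PAP, with a fresh Request Authenticator."""
    auth = os.urandom(16)
    return {"User-Name": user, "NAS-IP-Address": "10.4.0.165", "Authenticator": auth,
            "User-Password": hide_password(password.encode(), secret, auth)}


class IdentikeyLikeServer:
    """Stand-in for the IDENTIKEY policy: the keyword triggers an SMS with the OTP
    and an Access-Challenge; any other password must be the user's current OTP."""

    def __init__(self, secret: bytes, digipass: dict, outbox: list):
        self.secret = secret
        self.digipass = digipass   # user -> current OTP of the assigned (toy) DIGIPASS
        self.outbox = outbox       # (user, otp) pairs "sent" by SMS via the MDC

    def handle(self, req: dict) -> str:
        user = req["User-Name"]
        pw = reveal_password(req["User-Password"], self.secret,
                             req["Authenticator"]).decode(errors="replace")
        if user not in self.digipass:
            return "Access-Reject"
        if pw == REQUEST_KEYWORD:
            self.outbox.append((user, self.digipass[user]))
            return "Access-Challenge"
        return "Access-Accept" if pw == self.digipass[user] else "Access-Reject"


def login_flow(server: IdentikeyLikeServer, outbox: list, user: str) -> list:
    """Steps 1-3 of section 5.4: keyword first, then the OTP received by SMS.
    Over L2TP/PAP the ASA gives the user no prompt for the challenge, so step 2
    shows a failed connection and the user reconnects with the OTP; the RADIUS
    side of the exchange is the same as for the SSL VPN portal."""
    codes = [server.handle(build_request(user, REQUEST_KEYWORD))]
    otp = outbox[-1][1] if outbox else ""
    codes.append(server.handle(build_request(user, otp)))
    return codes


if __name__ == "__main__":
    sms = []
    ik = IdentikeyLikeServer(SHARED_SECRET, {"Demo": "482913"}, sms)  # constructed OTP
    print(login_flow(ik, sms, "Demo"))  # ['Access-Challenge', 'Access-Accept']
```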