Cisco VPN Concentrator Implementation Guide

Transcription

1 Cisco VPN Concentrator Implementation Guide Copyright Copyright 2006, CRYPTOCard Corp. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of CRYPTOCard Corp.

2 Cisco VPN Concentrator Application Overview This document presents the necessary steps to configure a Cisco VPN 3000 Concentrator (models 3005 through 3080) for use with CRYPTOCard tokens. The Cisco VPN 3000 Concentrator is used to create encrypted tunnels between hosts. The product is able to control access to LAN resources and assign local IP addresses based on authentication information, such as a username and password. CRYPTO-Server works in conjunction with the Cisco VPN 3000 Concentrator to replace static passwords with strong two-factor authentication that prevents the use of lost, stolen, shared, or easily guessed passwords when establishing a tunnel to gain access to protected resources: 1. Using the Cisco VPN Client, the user establishes a connection to the internal network using his/her logon name and PIN + One-time password. 2. The VPN concentrator passes the authentication information to the CRYPTO-Server (via the RADIUS protocol). 3. CRYPTO-MAS Server sends back Access-Accept/Deny to the VPN concentrator. 4. Once successfully authenticated, the user gains access to the network. The CRYPTO-Server distribution includes a plug-in for the Cisco VPN Client software which, when used in conjunction with a CRYPTOCard ST-1 Software, SC-1 Smart Card, or UB-1 USB token, automates the authentication and logon process for users. The CRYPTOCard Cisco VPN plug-in is supported in version 4.9 of the Cisco VPN client on PPC and Intel Macs and 4.8 on Windows. Cisco VPN Concentrator Implementation Guide 1

3 Prerequisites The following systems must be installed and operational prior to configuring the VPN concentrator to use CRYPTOCard authentication: Ensure that the end user can authenticate through the concentrator with a static password before configuring the concentrator to use CRYPTOCard authentication. An initialized CRYPTOCard token assigned to a valid CRYPTOCard user. The following CRYPTO-MAS server information is also required: Primary CRYPTO-MAS RADIUS Server Fully Qualified Hostname or IP Address: Secondary CRYPTO-MAS RADIUS Server Fully Qualified Hostname or IP Address (OPTIONAL): CRYPTO-MAS RADIUS Authentication port number: CRYPTO-MAS RADIUS Accounting port number (OPTIONAL): CRYPTO-MAS RADIUS Shared Secret: Cisco VPN Concentrator Implementation Guide 2

4 Cisco VPN 3000 Concentrator Configuration In order for the VPN concentrator to authenticate CRYPTOCard token users, RADIUS authentication must be configured on the concentrator and an IPSec group must be created for CRYPTOCard token users. Configuring the Cisco VPN 3000 Concentrator consists of 4 steps: Step 1: Add a RADIUS server Step 2: Test the authentication server Step 3: Create a CRYPTOCard group Step 4: Cisco VPN Client Configuration Step 1: Add a RADIUS Server 1. In the VPN configuration manager, select Configuration Servers Authentication. 2. Click Add to add a new authentication server. Fill in the information for the CRYPTO-MAS RADIUS server obtained from the prerequisites section. Once all the information is entered click Add. Ensure that the RADIUS server is the first entry in the Authentication Servers list Cisco VPN Concentrator Implementation Guide 3

5 Step 2: Test the Authentication Server 1. Once the RADIUS server has been added to the VPN concentrator setup, use the internal test mechanism to ensure the VPN concentrator can authenticate to it using a CRYPTOCard token. From the Authentication Servers menu, select the RADIUS server, and click Test. 2. Enter the User Name of a CRYPTOCard account, and the next Password generated by the token assigned to that user. Click OK. Step 3: Creating a CRYPTOCard group In order for CRYPTOCard token users to make VPN connections, a VPN Group must be properly configured. 1. In the VPN configuration manager, select Configuration User Management Groups. 2. Click Add Group to add a new group. 3. Enter a Group Name and a static Password. Select Internal group as the Type. This internal group name and password must be used by all CRYPTOCard end-users when they want to connect using the VPN client. 4. Under the IPSec tab, select RADIUS in the Authentication pull-down menu. 5. Click Add to add this group to the VPN concentrator. 6. Ensure this newly created group has an Address Pool of IP addresses that can be assigned to the VPN client connections. Select the Group and click Address Pools. Then click Add and enter the Range Start, Range End, and Subnet Mask. Apply the change. Cisco VPN Concentrator Implementation Guide 4

6 Step 4: Cisco VPN Client Configuration You must configure the VPN client software to enable the end user to connect to the IPSec group. Create a New VPN Connection Entry From the Cisco VPN Client software, click New to create a new connection entry. Fill in the information for the connection entry, using the group name and password specified in Step 3. Connect using the Cisco VPN client Choose the connection entry created and click Connect. A dialog box will open requesting a Username and Password. Enter the CRYPTOCard Username. Generate a one-time password from the CRYPTOCard token and enter your PIN followed by the one-time password in the Password field. Click OK. Once the concentrator has verified the username and password with the CRYPTO-Server database, the connection will be established. Cisco VPN Concentrator Implementation Guide 5

7 Solution Overview Summary Product Name Cisco VPN Concentrator 3000 Vendor Site Supported VPN Client Software Windows 2000/XP 4.8, Mac OS X Tiger 4.9 Authentication Method RADIUS authentication Supported RADIUS Functionality RADIUS Authentication Encryption Authentication Mode New PIN Mode PAP MSCHAPv2 One-time password Challenge-response Static password User-changeable Alphanumeric 4-8 digit PIN User-changeable Numeric 4-8 digit PIN Server-changeable Alphanumeric 4-8 digit PIN Server-changeable Numeric 4-8 digit PIN Trademarks CRYPTOCard, CRYPTO-Server, CRYPTO-Web, CRYPTO-Kit, CRYPTO-Logon, CRYPTO-VPN, are either registered trademarks or trademarks of CRYPTOCard Corp. Microsoft Windows and Windows XP/2000/2003/NT are registered trademarks of Microsoft Corporation. All other trademarks, trade names, service marks, service names, product names, and images mentioned and/or used herein belong to their respective owners. Publication History Date October 25, 2006 November 5, 2006 November 29, 2006 Changes First Draft Creation Global Edit Minor revision Cisco VPN Concentrator Implementation Guide 6