SMS PASSCODE CONFIGURATION FOR CISCO ASA / RADIUS AUTHENTICATION SMS PASSCODE 2011



Similar documents
Cisco ASA configuration for SMS PASSCODE SMS PASSCODE 2014

Citrix Netscaler Advanced guide for SMS PASSCODE SMS PASSCODE 2014

VMware Horizon View for SMS PASSCODE SMS PASSCODE 2014

Expert Reference Series of White Papers. Integrating Active Directory Users with Remote VPN Clients on a Cisco ASA

SMSEagle with SMS PASSCODE 8.0 SMS PASSCODE 2015

Using a Web Service Dispatcher with SMS PASSCODE version 7.2 SMS PASSCODE 2014

Hosting topology SMS PASSCODE 2015

Configuring Remote Access IPSec VPNs

VPN Configuration Guide. Cisco ASA 5500 Series

External Authentication with Cisco ASA Authenticating Users Using SecurAccess Server by SecurEnvoy

ESET SECURE AUTHENTICATION. Cisco ASA Internet Protocol Security (IPSec) VPN Integration Guide

ESET SECURE AUTHENTICATION. Cisco ASA SSL VPN Integration Guide

External Authentication with Cisco Router with VPN and Cisco EZVpn client Authenticating Users Using SecurAccess Server by SecurEnvoy

REMOTE ACCESS VPN NETWORK DIAGRAM

Configuring Moxa Nport SMS PASSCODE 2014

GoldKey and Cisco AnyConnect

Configuring IPsec VPN with a FortiGate and a Cisco ASA

Cisco ASA. Implementation Guide. (Version 5.4) Copyright 2011 Deepnet Security Limited. Copyright 2011, Deepnet Security. All Rights Reserved.

Configure ISE Version 1.4 Posture with Microsoft WSUS

INTEGRATION GUIDE. DIGIPASS Authentication for Cisco ASA 5505

Cox Managed CPE Services. RADIUS Authentication for AnyConnect VPN Version 1.3 [Draft]

External Authentication with Windows 2003 Server with Routing and Remote Access service Authenticating Users Using SecurAccess Server by SecurEnvoy

Cisco VPN Concentrator Implementation Guide

Scenario: Remote-Access VPN Configuration

Scenario: IPsec Remote-Access VPN Configuration

Palo Alto Networks GlobalProtect VPN configuration for SMS PASSCODE SMS PASSCODE 2015

External Authentication with Cisco VPN 3000 Concentrator Authenticating Users Using SecurAccess Server by SecurEnvoy

Step by step guide to implement SMS authentication to Cisco ASA Clientless SSL VPN and Cisco VPN

VNS3 to Cisco ASA Instructions. ASDM 9.2 IPsec Configuration Guide

Workspot Configuration Guide for the Cisco Adaptive Security Appliance

Lab Configure Remote Access Using Cisco Easy VPN

VPN SECURITY POLICIES

Cisco EXAM Implementing Cisco Secure Mobility Solutions (SIMOS) Buy Full Product.

Netgear ProSafe VPN firewall (FVS318 or FVM318) to Cisco PIX firewall

Whitepaper MODERN THREATS DRIVE DEMAND FOR NEW GENERATION TWO-FACTOR AUTHENTICATION

DIGIPASS Authentication for Cisco ASA 5500 Series

How To Integrate Watchguard Xtm With Secur Access With Watchguard And Safepower 2Factor Authentication On A Watchguard 2T (V2) On A 2Tv 2Tm (V1.2) With A 2F

Two-Factor Authentication

Clientless SSL VPN Users

Chapter 3 Authenticating Users

Interoperability Guide

MODERN THREATS DRIVE DEMAND FOR NEW GENERATION MULTI-FACTOR AUTHENTICATION

This topic discusses Cisco Easy VPN, its two components, and its modes of operation. Cisco VPN Client > 3.x

External Authentication with Juniper SSL VPN appliance Authenticating Users Using SecurAccess Server by SecurEnvoy

Cisco ASA Authentication QUICKStart Guide

Juniper Networks SSL VPN Implementation Guide

External authentication with Fortinet Fortigate UTM appliances Authenticating Users Using SecurAccess Server by SecurEnvoy

Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)

Lab a Configure Remote Access Using Cisco Easy VPN

SingTel VPN as a Service. Quick Start Guide

Configuring the Cisco ISA500 for Active Directory/LDAP and RADIUS Authentication

Dell SonicWALL and SecurEnvoy Integration Guide. Authenticating Users Using SecurAccess Server by SecurEnvoy

Virtual Private Network (VPN)

C H A P T E R Management Cisco SAFE Reference Guide OL

Configuring L2TP over IPsec

Create a VPN on your ipad, iphone or ipod Touch and SonicWALL NSA UTM firewall - Part 1: SonicWALL NSA Appliance

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Cisco Firewall. Overview

Accessing the Media General SSL VPN

ipad or iphone with Junos Pulse and Juniper SSL VPN appliance Authenticating Users Using SecurAccess Server by SecurEnvoy

ADVANCED TWO-FACTOR AUTHENTICATION VIA YOUR MOBILE PHONE

Cisco ASA Multi-tier VPN access with Active Directory Group Authentication

External Authentication with Checkpoint R75.40 Authenticating Users Using SecurAccess Server by SecurEnvoy

External Authentication with Windows 2008 Server with Routing and Remote Access Service Authenticating Users Using SecurAccess Server by SecurEnvoy

Configuring Clientless SSL VPN

Configuring IPsec between a Microsoft Windows XP Professional (1 NIC) and the VPN router

Cisco ASA 5500 Series Adaptive Security Appliance 8.2 Software Release

Compiled By: Chris Presland v th September. Revision History Phil Underwood v1.1

External Authentication with CiscoSecure ACS. Authenticating Users Using. SecurAccess Server. by SecurEnvoy

HOTPin Integration Guide: Microsoft Office 365 with Active Directory Federated Services

How to integrate RSA ACE Server SecurID Authentication with Juniper Networks Secure Access SSL VPN (SA) with Single Node or Cluster (A/A or A/P)

Evaluating the Cisco ASA Adaptive Security Appliance VPN Subsystem Architecture

Integration Guide. SafeNet Authentication Service. Using RADIUS Protocol for Cisco ASA

ipad in Business Security

Implementing Core Cisco ASA Security (SASAC)

Lab 6.5.9b Configure a Secure VPN Using IPSec between a PIX and a VPN Client using CLI

Configuring Clientless SSL VPN

IPSec interoperability between Palo Alto firewalls and Cisco ASA. Tech Note PAN-OS 4.1. Revision A 2011, Palo Alto Networks, Inc.

Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels

Integration Guide. Duo Security Authentication

Defender EAP Agent Installation and Configuration Guide

HOTPin Integration Guide: DirectAccess

Configuring an IPSec Tunnel between a Firebox & a Cisco PIX 520

External authentication with Astaro AG Astaro Security Gateway UTM appliances Authenticating Users Using SecurAccess Server by SecurEnvoy

VPN Tracker for Mac OS X

ESET SECURE AUTHENTICATION. SonicWall SSL VPN Integration Guide

ZyWALL OTP Co works with Active Directory Not Only Enhances Password Security but Also Simplifies Account Management

Cisco ASA 5500-X Series ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X

Keeping your VPN protected

VPN L2TP Application. Installation Guide

ASA 8.x: Renew and Install the SSL Certificate with ASDM

External Authentication with Netscreen 25 Remote VPN Authenticating Users Using SecurAccess Server by SecurEnvoy

LAN-Cell to Cisco Tunneling

Management Authentication using Windows IAS as a Radius Server

Chapter 5 Virtual Private Networking Using IPsec

Application Note: Integrate Juniper IPSec VPN with Gemalto SA Server. October

Strong Authentication for Cisco ASA 5500 Series

ZyWALL OTPv2 Support Notes

INTEGRATION GUIDE. DIGIPASS Authentication for Juniper SSL-VPN

Transcription:

SMS PASSCODE CONFIGURATION FOR CISCO ASA / RADIUS AUTHENTICATION SMS PASSCODE 2011

Introduction SMS PASSCODE is widely used by Cisco customers extending the Cisco ASA VPN concentrators with both IPsec and SSL VPN extensions. This document provides a visual step-by-step guide for configuring the system to support SMS PASSCODE. Cisco Setup VPN group and radius client 1. Start ASDM and login to the Web interface. 2. Go to the wizards menu and select IPsec VPN Wizard or SSL VPN Wizard (the following is from IPsec wizard, but configuration is quite similar) 3. Select Remote Access and click next:

4. Select the Cisco VPN Client option and click next: 5. Click next once you have set the Pre-Shared Key parameter:

6. Name the Server Group Name: SMS PASSCODE and set the IP address and the Server Secret key and click ok: 7. Select the AAA server option and select the SMSPasscode Group

8. Select the SMS Pool Name from the pull-down menu and click next. If you do not have a pool defined, click New and create the IP pool, select it and click next : 9. Set encryption to 3DES, Authentication to SHA and Diffie-Hellman Group to 2 and click next: 10. Verify Enable Perfect Forwarding Secrecy (PFS) is checked and click next:

11. You have now set up the Cisco ASA for SMS PASSCODE two-factor authentication. Optional setup of the VPN concentrator using command line interface (CLI) To use the command line interface, access the Cisco ASA VPN concentrator through the command line window and configure it as follows: access-list inside_nat0_outbound line 4 extended permit ip any 10.255.253.0 255.255.255.240 aaa-server SMSPasscode protocol radius aaa-server SMSPasscode (inside) host 10.10.10.10 timeout 5 key ********** tunnel-group GroupNameHasToMachOnVPNClient type remote-access tunnel-group GroupNameHasToMachOnVPNClient general-attributes authentication-server-group SMSPasscode address-pool SMS tunnel-group GroupNameHasToMachOnVPNClient ipsec-attributes pre-shared-key ********** crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1 Configuring SMS PASSCODE authentication for radius To set-up SMS PASSCODE for RADIUS, please consult the SMS PASSCODE Administrators Guide under the section Configuring RADIUS Protection.

Using MSCHAPv2 protocol To use MSCHAPv2 protocol instead of PAP the ASA must have a bugfix for CSCtr85499 which should have been fixed in the following releases (please check cisco.com for CSCtr85499 for updated information): 8.4(4.2) 8.4(5) 8.6(1.4) 9.0(1) 9.1(1) 9.0(0.99) 100.8(0.133)M 100.8(33.4)M 100.7(13.75)M 100.8(11.21)M 100.7(6.79)M 100.9(2.1)M 100.8(27.7)M 100.9(0.1)M 8.4(4.99) 100.8(34.1)M When creating the AAA radius server make sure to enable Microsoft CHAPv2 capable And in the Connection Profile Enable password management

In SMS PASSCODE configuration tool you must make sure that Side-by-side to always And that there is a Network Policy allowing the user to log in and change password via the MSCHAPv2 protocol. Password change A normal logon flow with password change through AnyConnect or Clientless SSLVPN would look like this

Due to a bug in Cisco ASA password change is not possible via AnyConnect if the Anyconnect Client Software package is 3.0.x or 3.1.x but working with 2.5.x and below. So if password change is needed please make sure that the image is not on 3.x Logon and password change will work fine with 3.x AnyConnect, but if password change will fail with this error after reentering current password.

Authorization SMS PASSCODE support extension of a VPN connection with authorization detail. E.g. SMS PASSCODE can read the individual users group memberships in Active Directory and if there are Dynamic Access Policies defined, SMS PASSCODE can parse relevant membership attributes to the ASA Radius Client. This can be defined in below window or via CLI: Command line interface commands access-list Auth_Test line 1 extended permit ip any any (change ip any any to the appropriate) dynamic-access-policy-record SMS_Authorization description "Authorization attributes from SMS Passcode Radius" network-acl Auth_Test

How to configure SMS PASSCODE Authorization Set up SMS PASSCODE to use authorization with attribute number 25: Please note that the separator is a semikolon

Setup Group policies in ASA to match the groups And set up the pool to use the wanted address pools:

(Radius.25 must have a value matching the attribute value from the radius server to be aware that the value is case sensitive also for group name) To avoid problems with upper/lower case groups it is possible to specify ADGroupname;ASAgroupname Note; Group name in attribute is always lower case.

Configure SMS PASSCODE for co-existence with a token solution like RSA You can make SMS PASSCODE to co-exist with radius based token solutions. It is a pre-requisite that the SMS PASSCODCE radius server is configured with radius forwarding to the token solution s radius server. The Cisco concentrator sends the requests for both SMS PASSCODE and the Token solution to the SMS PASSCODE radius server. The SMS PASSCODE radius server will then forward the Token solution s request to the token solutions radius server. In the SMS PASSCODE configuration tool you specify the side-by-side as On failure only. Optional you can in the SMS PASSCODE configuration tool set a regular expression that denies the token code. This will save you from a request to the AD. In example this expression for numbers: ^\d*$ See screenshot for example. To read more about the advanced Radius configurations in SMS PASSCODE please refer to SMS PASSCODE administrators guide.

About SMS PASSCODE SMS PASSCODE is the leading technology in two-factor authentication using your mobile phone. To protect against the rise in internet based identity theft hitting both consumers and corporate employees, SMS PASSCODE offers a stronger authentication via the mobile phone SMS service compared to traditional alternatives. SMS PASSCODE installs in minutes and is much easier to implement and administer with the added benefit that users find it an intuitively smart way to gain better protection. The solution offers out-of-the-box protection of the standard login systems such as Citrix, Cisco, Microsoft, Juniper and other IPsec and SSL VPN systems as well as websites. Installed at thousands of sites, this is a proven patent pending technology. In 2009, SMS PASSCODE has been awarded to the prestigious Red Herring 100 most interesting tech companies list, to the TechTour 25 most interesting tech Companies in the Nordic Region and recently a Secure Computing Magazine Security Innovator. For more information visit: http://www.smspasscode.com SMS PASSCODE A/S Park Alle 350D DK-2605 Brøndby Denmark