Cisco ASA Implementation Guide (Version 5.4)
Copyright 2011 Deepnet Security Limited
Copyright 2011, Deepnet Security. All Rights Reserved. Page 1
Trademarks
Deepnet Unified Authentication, MobileID, QuickID, PocketID, SafeID, GridID, FlashID, SmartID, TypeSense, VoiceSense, MobilePass, DevicePass, RemotePass and Site Stamp are trademarks of Deepnet Security Limited. All other brand names and product names are trademarks or registered trademarks of their respective owners.

Copyrights
Under international copyright law, neither the Deepnet Security software nor its documentation may be copied, reproduced, translated or reduced to any electronic medium or machine-readable form, in whole or in part, without the prior written consent of Deepnet Security.

Licence Conditions
Please read your licence agreement with Deepnet carefully and make sure you understand the exact terms of usage: in particular, for which projects, on which platforms and at which sites you are allowed to use the product. You are not allowed to make any modifications to the product. If you feel the need for any modifications, please contact Deepnet Security.

Disclaimer
This document is provided as is, without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the document. Deepnet Security may make improvements of and/or changes to the product described in this document at any time.

Contact
If you wish to obtain further information on this product or any other Deepnet Security products, you are always welcome to contact us.
Deepnet Security Limited
Northway House
1379 High Road
London N20 9LP
United Kingdom
Tel: +44(0)20 8343 9663
Fax: +44(0)20 8446 3182
Web: www.deepnetsecurity.com
Email: support@deepnetsecurity.com
Table of Contents
Overview ... 4
Preparation ... 5
DualShield Configuration ... 6
  Create a RADIUS logon procedure ... 6
  Create a RADIUS application ... 6
  Register the Cisco ASA as a Radius client ... 7
Cisco ASA Configuration ... 9
  Register DualShield Radius Server ... 9
Clientless SSL VPN ... 11
  One-Time Password ... 11
    Edit Logon Procedure ... 11
    Configure Cisco ASA ... 11
    Test Logon ... 13
    Customise Logon Form ... 13
    Test Logon ... 14
  On-Demand Password ... 15
    Edit Logon Procedure ... 15
    Configure Cisco ASA ... 15
    Test Logon ... 16
AnyConnect SSL VPN ... 17
  One-Time Password ... 17
    Logon Procedure ... 17
    ASA Configuration ... 17
    Test Logon ... 18
  On-Demand Password ... 19
    Logon Procedure ... 19
    ASA Configuration ... 19
    Test Logon ... 19
IPSec Remote VPN ... 21
  ASA Configuration ... 21
  DualShield Configuration ... 21
  Test Logon ... 21
Overview
This implementation guide describes how to integrate the Cisco ASA appliance with the DualShield unified authentication platform in order to add two-factor authentication to the IPSec VPN and SSL VPN login process.

Cisco ASA supports an external RADIUS server as its authentication server. The DualShield unified authentication platform includes a fully compliant RADIUS server, the DualShield Radius Server.

DualShield provides a wide selection of portable one-time password tokens in a variety of form factors, ranging from hardware tokens, software tokens and mobile tokens to USB tokens. These include:
- Deepnet SafeID
- Deepnet MobileID
- Deepnet GridID
- Deepnet CryptoKey
- RSA SecurID
- VASCO DigiPass Go
- OATH-compliant OTP tokens

In addition to one-time passwords, DualShield also supports on-demand passwords for RADIUS authentication. The product that provides on-demand passwords in the DualShield platform is Deepnet T-Pass. Deepnet T-Pass is an on-demand, token-less strong authentication that delivers logon passwords via SMS texts, phone calls, Twitter direct messages or email messages.

The complete solution consists of the following components:
- Cisco ASA Appliance
- DualShield Radius Server
- DualShield Authentication Server
Preparation
Prior to configuring Cisco ASA for two-factor authentication, you must have the DualShield Authentication Server and DualShield Radius Server installed and operating. For the installation, configuration and administration of the DualShield Authentication and Radius servers, please refer to the following documents:
- DualShield Authentication Platform Installation Guide
- DualShield Authentication Platform Quick Start Guide
- DualShield Authentication Platform Administration Guide
- DualShield Radius Server - Installation Guide

You also need to have a RADIUS application created in the DualShield authentication server. The application will be used for the two-factor authentication in Cisco ASA. The document below provides general instructions for RADIUS authentication with the DualShield Radius Server:
- VPN & RADIUS - Implementation Guide

The following outlines the key steps:

In DualShield
1. Create a logon procedure for RADIUS authentication
2. Create a RADIUS application for Cisco ASA
3. Register the Cisco ASA as a RADIUS client

In Cisco ASA
1. Register the DualShield RADIUS authentication server
2. Configure Remote Access Profiles
DualShield Configuration

Create a RADIUS logon procedure
1. Log in to the DualShield management console
2. In the main menu, select Authentication > Logon Procedure
3. Click the Create button on the toolbar
4. Enter a Name and select RADIUS as the Type
5. Click Save
6. Click the Context Menu icon of the newly created logon procedure and select Logon Steps
7. In the popup window, click the Create button on the toolbar
8. Select Static Password as the authenticator
9. Click Save

Create a RADIUS application
1. In the main menu, select Authentication > Applications
2. Click the Create button on the toolbar
3. Enter a Name
4. Select a Realm
5. Select the logon procedure that was just created
6. Click Save
7. Click the context menu of the newly created application and select Agent
8. Select the DualShield Radius server, e.g. Local Radius Server
9. Click Save
10. Click the context menu of the newly created application and select Self Test

Register the Cisco ASA as a Radius client
1. In the main menu, select RADIUS > Clients
2. Click the Register button on the toolbar
3. Select the application that was created in the previous steps
4. Enter the Cisco ASA's IP in the IP Address field
5. Enter the Shared Secret; the same value will be entered in the Cisco ASA when registering the DualShield Radius server
6. Click Save
Cisco ASA Configuration
It is assumed that the Cisco ASA is set up and operational: an existing domain user can already authenticate with a domain (AD) password and access applications, and your users can already connect through IPSec VPN and/or SSL VPN using domain accounts.

Register DualShield Radius Server
1. Launch the Cisco Adaptive Security Device Manager (ASDM), select Configuration in the top toolbar, then select Device Management in the accordion menu at the bottom
2. In the control panel on the left, select Users/AAA and then AAA Server Groups.
3. Click the Add button on the right:
   - Enter a name
   - Select the RADIUS protocol
   - Set Max Failed Attempts to 1
   - Click OK when completed
4. Select the newly created AAA server group, i.e. DualShield
5. Click Add in the Servers in the Selected Group section
   - Select the inside interface
   - Enter the IP address of the DualShield Radius server
   - Set Authentication Port to 1812
   - Set Accounting Port to 1813
   - Enter the Server Secret Key (the Shared Secret registered in DualShield)
   - Unselect Microsoft CHAP2 Capable
   - Click OK when completed
6. Click the Apply button to save the settings
Clientless SSL VPN

One-Time Password
If you plan to deploy only one-time password based authentication in your user base, using OTP tokens such as Deepnet SafeID or MobileID, then you will configure your Cisco ASA so that it uses your AD as the primary authentication server and your DualShield as the secondary authentication server. Your AD will be responsible for verifying users' AD passwords and your DualShield will be responsible for verifying users' one-time passwords only.

Edit Logon Procedure
In the DualShield Management Console, edit the logon procedure for your Cisco ASA application. You will only need one logon step, and typically that logon step will have One-Time Password as the authentication method.

Configure Cisco ASA
1. Select Remote Access in the accordion menu at the bottom
2. Select Clientless SSL VPN Access, then select Connection Profiles
3. In the Connection Profiles section, select your existing SSL VPN profile and click Edit (click Add if you do not yet have an SSL VPN profile)
If this is an existing SSL connection profile, then you will already have your AD server set as its authentication server. If this is a new SSL connection profile, then set your AD server as its authentication server as shown above.
4. Expand Advanced and select Secondary Authentication:
   - Select DualShield in the Server Group
   - Enable Use primary username
5. Click OK
6. Finally, click Apply to save all settings.
Test Logon
Navigate to the Cisco ASA SSL VPN logon page. The logon form consists of 3 fields:
- User name: the user's domain account login name
- Password: AD password
- 2nd Password: one-time password

Customise Logon Form
You can customise the Cisco ASA logon page to make it more user friendly. For instance, you may want to change "2nd Password" to "Passcode" or "One-Time Password". The basis of the customisation is to change the relevant messages or the HTML and JavaScript files in the Cisco ASA appliance.

In ASDM, go to Remote Access VPN -> Clientless SSL VPN Access -> Portal -> Customization. Click Add to add a new customization object. Enter a name for the customization object. Expand Login Page and select Logon Form.
Change "2nd Password" to "Passcode" in the Secondary Password Prompt. Click OK.
Click Assign and assign the newly created Customization Object to the SSL VPN connection profile.

Test Logon
The SSL VPN logon page will now be presented with the new prompt.
On-Demand Password
If you plan to deploy only on-demand password based authentication in your user base, using Deepnet T-Pass, then you will configure your Cisco ASA so that it uses your DualShield Radius server as the primary authentication server. Your DualShield server will be responsible for verifying both users' AD passwords and one-time passwords. There should be no secondary authentication server.

Edit Logon Procedure
In the DualShield Management Console, edit the logon procedure for your Cisco ASA application. You will need to define two logon steps: the first step requires users to enter their static password (AD password), which will also trigger the DualShield server to send the user's on-demand password. The second step will then ask users to enter their on-demand password.

Configure Cisco ASA
1. In ASDM, go to Remote Access VPN -> Clientless SSL VPN Access -> Connection Profiles
2. Edit your SSL VPN profile and change its primary authentication to DualShield
3. Remove the secondary authentication by changing its server group to None
4. Click Apply to save changes.

Test Logon
Navigate to the SSL VPN logon page and enter your username and your AD password. Your DualShield server will send an on-demand password via the delivery channel defined in your T-Pass policy, e.g. SMS text message or email message. The user will then be prompted to enter the T-Pass one-time password.
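To make the RADIUS mechanics behind these steps concrete, here is an added Python example; it is not code from this guide, from Deepnet or from Cisco. It models two things the guide configures but does not show on the wire: the shared secret that is entered once in the DualShield RADIUS client registration and once in the ASA server entry (it hides the User-Password attribute and signs every reply), and the two-step logon procedure of the On-Demand Password sections, where the first Access-Request carries the static password, the server answers with an Access-Challenge plus a State attribute once it has sent the on-demand password, and the second Access-Request echoes that State together with the one-time password. The server class, the user list, the secret and the "delivered" one-time passwords are constructed stand-ins; how DualShield itself behaves is described only by the guide's own steps.

```python
import hashlib
import os
import secrets
import struct

# RADIUS packet codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with an MD5 chain keyed by the shared secret."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; only a holder of the same shared secret recovers the cleartext."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, pos = [], 0
    while pos < len(data):
        t, length = struct.unpack("!BB", data[pos:pos + 2])
        attrs.append((t, data[pos + 2:pos + length]))
        pos += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(raw):
    code, ident, length = struct.unpack("!BBH", raw[:4])
    return code, ident, raw[4:20], decode_attrs(raw[20:length])


def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): ties a reply to the request and to the secret."""
    return hashlib.md5(build_packet(code, ident, request_auth, attrs) + secret).digest()


class TwoStepRadiusServer:
    """Constructed stand-in for a DualShield logon procedure with two steps: static password, then on-demand password."""

    def __init__(self, secret, users):
        self.secret, self.users = secret, users   # users: username -> static (AD) password, constructed
        self.pending = {}                         # State token -> (username, one-time password issued)
        self.delivered = []                       # what would have gone out by SMS/email in a real deployment

    def handle(self, raw):
        code, ident, req_auth, attrs = parse_packet(raw)
        attrs = dict(attrs)
        user = attrs.get(USER_NAME, b"")
        password = reveal_password(attrs.get(USER_PASSWORD, b""), self.secret, req_auth)
        if STATE in attrs:
            # step 2: the echoed State selects the outstanding challenge; it is consumed whether or not the OTP is right
            issued = self.pending.pop(attrs[STATE], None)
            ok = issued is not None and issued[0] == user and secrets.compare_digest(issued[1], password)
            return self._reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, [])
        # step 1: static password; success "sends" the on-demand password and answers with an Access-Challenge
        if user in self.users and secrets.compare_digest(self.users[user], password):
            otp, state = f"{secrets.randbelow(10 ** 6):06d}".encode(), os.urandom(16)
            self.pending[state] = (user, otp)
            self.delivered.append((user, otp))
            return self._reply(ACCESS_CHALLENGE, ident, req_auth,
                               [(REPLY_MESSAGE, b"Enter your one-time password"), (STATE, state)])
        return self._reply(ACCESS_REJECT, ident, req_auth, [])

    def _reply(self, code, ident, req_auth, attrs):
        return build_packet(code, ident, response_authenticator(code, ident, req_auth, attrs, self.secret), attrs)


def radius_auth(server, secret, username, password, state=None):
    """One Access-Request as the RADIUS client (the ASA) would send it; replies with a bad Response Authenticator are refused."""
    ident, req_auth = secrets.randbelow(256), os.urandom(16)
    attrs = [(USER_NAME, username), (USER_PASSWORD, hide_password(password, secret, req_auth))]
    if state is not None:
        attrs.append((STATE, state))
    code, rid, resp_auth, rattrs = parse_packet(server.handle(build_packet(ACCESS_REQUEST, ident, req_auth, attrs)))
    expected = response_authenticator(code, rid, req_auth, rattrs, secret)
    if rid != ident or not secrets.compare_digest(resp_auth, expected):
        raise ValueError("Response Authenticator mismatch: shared secrets differ or the reply was altered")
    return code, dict(rattrs)


def on_demand_logon(server, secret, username, ad_password, read_delivered_otp):
    """Two-step flow: AD password -> Access-Challenge -> delivered one-time password -> Accept or Reject."""
    code, attrs = radius_auth(server, secret, username, ad_password)
    if code != ACCESS_CHALLENGE:
        return code
    return radius_auth(server, secret, username, read_delivered_otp(username), state=attrs[STATE])[0]


if __name__ == "__main__":
    # constructed sample deployment: one user, one shared secret, OTP read back from the simulated delivery channel
    SECRET = b"constructed-shared-secret"
    ds = TwoStepRadiusServer(SECRET, {b"alice": b"Passw0rd!"})
    print(on_demand_logon(ds, SECRET, b"alice", b"Passw0rd!", lambda u: ds.delivered[-1][1]) == ACCESS_ACCEPT)
```

Two points of the guide's configuration show up directly in this model. A mismatched shared secret does not produce a clean error: the server decodes the hidden password to garbage and rejects, and the client then discards the reply because the Response Authenticator does not verify, which is why a wrong secret on either side looks like "every logon fails" rather than a configuration fault. And the State attribute is what lets the ASA, as the single authentication server in the on-demand and IPSec configurations, carry a two-step logon procedure over RADIUS; in the one-time password configuration with AD as primary and DualShield as secondary server group, the ASA instead issues two independent Access-Requests, one to each group, and no State is involved.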
AnyConnect SSL VPN
The process of enabling two-factor authentication on AnyConnect SSL VPN with DualShield is almost identical to the process of enabling it for Clientless SSL VPN.

One-Time Password

Logon Procedure

ASA Configuration
Primary Authentication Server: AD
Secondary Authentication Server: DualShield
Test Logon

AnyConnect Desktop Client
The client prompts for:
- User's login name
- AD Password
- One-time password

AnyConnect Mobile Client
On-Demand Password

Logon Procedure

ASA Configuration
Primary Authentication Server: DualShield
Secondary Authentication Server: None

Test Logon
Enter the user's login name and static password (AD password), and click OK. DualShield will verify the user's password. If the second authenticator is an on-demand password, your DualShield authentication server will automatically send a one-time password to the user via SMS or email message. The Cisco AnyConnect client will then prompt the user to enter the one-time password.
IPSec Remote VPN
The process of enabling two-factor authentication on IPSec VPN with DualShield is almost identical to the process of enabling it for SSL VPN, except that IPSec remote access supports only one authentication server. In order to support two-factor authentication, i.e. the user's static password (AD password) plus a one-time password, DualShield must be configured to verify both the user's static password and the one-time password.

ASA Configuration
Edit the IPSec remote access connection profile and set DualShield as the authentication server.

DualShield Configuration
Create a logon procedure with two logon steps.

Test Logon
Launch the Cisco IPSec VPN Client and click Connect.
Enter the user's login name and static password (AD password), and click OK. DualShield will verify the user's password. If the second authenticator is an on-demand password, your DualShield authentication server will automatically send a one-time password to the user via SMS or email message. The Cisco VPN client will then prompt the user to enter the one-time password.

Enter a valid one-time password and click OK. The Cisco VPN client will now establish the connection.