INTEGRATION GUIDE. DIGIPASS Authentication for Cisco ASA 5505

INTEGRATION GUIDE DIGIPASS Authentication for Cisco ASA 5505

Disclaimer DIGIPASS Authentication for Cisco ASA5505 Disclaimer of Warranties and Limitation of Liabilities All information contained in this document is provided 'as is'; VASCO Data Security assumes no responsibility for its accuracy and/or completeness. In no event will VASCO Data Security be liable for damages arising directly or indirectly from any use of the information contained in this document. Copyright Copyright 2012 VASCO Data Security, Inc, VASCO Data Security International GmbH. All rights reserved. VASCO, Vacman, IDENTIKEY Authentication Server, axsguard, DIGIPASS and logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. VASCO Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed under all title, rights and interest in VASCO Products, updates and upgrades thereof, including copyrights, patent rights, trade secret rights, mask work rights, database rights and all other intellectual and industrial property rights in the U.S. and other countries. Microsoft and Windows are trademarks or registered trademarks of Microsoft Corporation. Other names may be trademarks of their respective owners. 1 DIGIPASS Authentication for Cisco ASA 5505

Table of Contents Reference guide... 4 1 Overview... 5 2 Technical Concepts... 6 2.1 Cisco... 6 2.1.1 ASA 5505... 6 2.1.2 Adaptive Security Device Manager... 6 2.1.3 Internet Protocol Security... 6 2.1.4 Secure Socket Layer... 6 2.2 VASCO... 6 2.2.1 IDENTIKEY Authentication Server... 6 3 Cisco ASA 5505 setup... 7 3.1 Architecture... 7 3.2 Prerequisites... 7 3.3 Cisco ASA5505... 8 3.3.1 Active Directory Back-end implementation... 8 3.3.2 IPsec tunnel configuration... 11 3.3.3 SSL VPN configuration... 13 3.4 Test the setup... 15 3.4.1 Testing IPsec VPN connection... 15 3.4.1.1 Microsoft Windows 7... 15 3.4.2 Testing SSL VPN connection... 16 4 Solution... 18 4.1 Architecture... 18 4.2 Cisco ASA 5505... 18 4.2.1 Creating IDENTIKEY server back-end... 18 4.2.2 Attaching the new back-end to the IPsec VPN... 20 2 DIGIPASS Authentication for Cisco ASA 5505

4.2.3 Attaching the new back-end to the SSL VPN... 21 4.3 IDENTIKEY Authentication Server... 21 4.3.1 Policies... 21 4.3.2 Client... 22 4.3.3 User... 23 4.3.4 DIGIPASS... 23 4.4 Test the Solution... 26 4.4.1 Testing IPsec VPN... 26 4.4.2 Testing SSL VPN... 26 5 Challenge/Response... 28 5.1 Architecture... 28 5.2 Cisco ASA 5505... 29 5.3 IDENTIKEY Authentication Server... 29 5.3.1 Policy... 29 5.3.2 User... 29 5.4 Test the Solution... 31 5.4.1 Testing IPsec... 31 5.4.2 Testing SSL VPN... 31 3 DIGIPASS Authentication for Cisco ASA 5505

Reference guide ID Title Author Publisher Date ISBN 4 DIGIPASS Authentication for Cisco ASA 5505

1 Overview DIGIPASS Authentication for Cisco ASA5505 LDAP RADIUS VPN connection Cisco ASA 5505 Internal network 5 DIGIPASS Authentication for Cisco ASA 5505

2 Technical Concepts 2.1 Cisco 2.1.1 ASA 5505 The Cisco ASA 5505 is a small all-in-one firewall that provides a wide range of additional services. These services include: VPN, intrusion prevention, content security, unified communications and remote access. 2.1.2 Adaptive Security Device Manager Adaptive Security Device Manager, or ASDM, is a simple GUI based firewall appliance management tool. It provides an easy way to configure, monitor and troubleshoot Cisco firewall devices. 2.1.3 Internet Protocol Security Internet Protocol Security, or IPsec, is a protocol suite for securing the Internet Protocol. This suite contains protocols for authentication and encryption of each packet as well as mutual authentications between agents and the negotiation of cryptographic keys per session. IPsec VPN solutions are end to end setups. 2.1.4 Secure Socket Layer Secure Socket Layer, or SSL, is a security implemented mainly on application level (any HTTPS request makes use of SSL). This provides with a secure way of transporting packets between the application and the server. 2.2 VASCO 2.2.1 IDENTIKEY Authentication Server IDENTIKEY Authentication Server is an off-the-shelf centralized authentication server that supports the deployment, use and administration of DIGIPASS strong user authentication. It offers complete functionality and management features without the need for significant budgetary or personnel investments. IDENTIKEY Authentication Server is supported on 32bit systems as well as on 64bit systems. IDENTIKEY Appliance is a standalone authentication appliance that secures remote access to corporate networks and web-based applications. The use and configuration of an IDENTIKEY Authentication Server and an IDENTIKEY Appliance is similar. 6 DIGIPASS Authentication for Cisco ASA 5505

3 Cisco ASA 5505 setup Before adding 2 factor authentication it is important to validate a standard configuration without One Time Password (OTP). 3.1 Architecture 10.4.0.10 LDAP VPN connection 10.4.0.226 Cisco ASA 5505 10.4.0.165 Internal network 10.4.0.x A user creates a VPN connection with the ASA5505. The ASA will send the credentials to the Windows Active Directory back-end to see if the user exists. If so, the VPN connection is successful and the user is allowed to the internal network. 3.2 Prerequisites For this setup we are going to make use of Cisco s ASDM. To run the ASDM you need to have a Java Runtime Environment on your pc. Make sure that you have enabled WEB access to your ASA5505 firewall. If you have not enabled this you will need to connect to your device using SSH or the console port and enable this by using the following commands: enable configure terminal int vlan 1 ip address x.x.x.x y.y.y.y (IP address and subnet mask of the management VLAN) http server enable If you now use a browser and navigate to the address you gave to the management VLAN you will see the homepage that will allow you to install the ASDM. 7 DIGIPASS Authentication for Cisco ASA 5505

3.3 Cisco ASA5505 3.3.1 Active Directory Back-end implementation To setup a VPN connection we need to have a database with users to authenticate to. We can use the internal database but it is more likely to use the Active Directory database for these authentications. Log into the ASA5505 with the ASDM. Go to the tab Configurations. At the bottom left click Remote Access VPN. Click open AAA/Local Users. Select AAA Server Group. 8 DIGIPASS Authentication for Cisco ASA 5505

Create a new server group by clicking the Add button. Server Group: Demo-Backend Protocol: LDAP Reactivation Mode: Depletion Dead Time: 10 Max failed Attempts: 3 In the window below it click Add to add a server. 9 DIGIPASS Authentication for Cisco ASA 5505

Interface Name: inside IP Address: 10.4.0.10 Timeout: 10 Enable LDAP over SSL: unchecked Server Port: 389 Server Type: Microsoft Base DN: DC=labs,DC=vasco,DC=com Scope: All levels beneath the base DN Naming Attributes: leave blank Login DN: CN=Administrator,CN=Users,DC=labs,DC=vasco,DC=com Password: your_password (This password is bound to the user defined in login DN) LDAP attribute map: None SASL MD5 authentication: unchecked SASL Kerberos authentication: unchecked Group Base DN: empty Group Search Timeout: 10 Click on OK and the server is added to the group. Click on Apply. Click on Test. Select Authentication Enter demo Set Test12345 as password 10 DIGIPASS Authentication for Cisco ASA 5505

Replace the credentials by any user and matching password in your Active Directory. Click OK. When configured correctly you will receive: 3.3.2 IPsec tunnel configuration At the top: click Wizards. Click IPsec VPN Wizard Select Remote Access. Set the correct interface (for this test Inside) Leave the checkbox checked. Click Next. Select Microsoft Windows client using L2TP over IPsec Check PAP Leave Client will send tunnel group name as username@tunnelgroup unchecked. We will use PAP as authentication protocol, this way we can enjoy additional features of the IDENTIKEY Authentication Server. Click Next. Select Pre-Shared key and use Test1234 as the pre-shared key. Click Next. 11 DIGIPASS Authentication for Cisco ASA 5505

Select Authenticate using AAA server group and select Demo-Backend. Click Next. Click New. Name: Demo-Pool Starting IP Address: 10.4.0.81 Ending IP Address: 10.4.0.89 Subnet Mask: 255.255.255.0 Select the pool you just made. Click Next. Normally the Tunnel Group Name is default: DefaultRAGroup. We need this group later when upgrading to use IDENTIKEY Authentication Server. Leave everything default and click Next. 12 DIGIPASS Authentication for Cisco ASA 5505

Leave everything default and click Next. Uncheck enable perfect forwarding secrecy. Click Next. Click Finish. Click Apply. 3.3.3 SSL VPN configuration At the top: click Wizards. Click SSL VPN Wizard Check Clientless SSL VPN. Click Next. 13 DIGIPASS Authentication for Cisco ASA 5505

Connection Name: SSL-Demo SSL VPN Interface: Inside Certificate: --None Click Next. Remember the Information, it is needed to access the SSL portal of the Cisco ASA 5505. Select your Active Directory back-end. (Demo-Backend, for more information please view 3.3.1 Active Directory Back-end implementation ) Click Next. Select Create new group policy and fill in DemoSSLgrppolicy. Click Next. From the drop down list Bookmark List: Google. Click Next. Click Finish. Navigate to Configuration, click on Remote Access VPN, open Clientless SSL VPN Access and click on Connection Profiles. 14 DIGIPASS Authentication for Cisco ASA 5505

Select SSL-Demo and click Edit. Aliases: SSL-Demo. Click OK. Check Allow user to select connection profile, identified by its alias, on the login page. Otherwise, DefaultWebVPNGroup will be the connection profile. Click Apply. 3.4 Test the setup 3.4.1 Testing IPsec VPN connection 3.4.1.1 Microsoft Windows 7 From the network and sharing center, click on Set Up a Connection or Network. Select Connect to a workplace and click Next. If you already have VPN networks set up, select No, create a new connection and click Next. Click on Use my Internet connection (VPN). Set the IP address to 10.4.0.165 Set the destination name to Demo-ASA Check Don t connect now; just set it up so I can connect later Click Next. Fill in the Active Directory credentials (for this test: username demo and password Test12345.) Click Create. Click Close. In the taskbar, click on your network icon. Right mouse click on Demo-ASA and click on Properties. Go to Security. 15 DIGIPASS Authentication for Cisco ASA 5505

Set the type of VPN to Layer 2 tunneling protocol with IPsec Set the data encryption to Optional encryption Check PAP Uncheck any other encryption Since we have selected PAP as encryption on the Cisco ASA 5505, we need to allow our client to connect using PAP as well. Click on Advanced setting. Select Use pre-shared key for authentication and type Test1234 in the textbox. Click OK. Click OK. Click on your Network icon. Click on Demo-ASA and click Connect. Fill in the credentials, username demo and password Test12345. Replace the credentials by any user and matching password in your Active Directory. Click Connect. You now have connected to the ASA using a Windows Active Directory system for user authentication. 3.4.2 Testing SSL VPN connection Open a browser and navigate to https://10.4.0.165/. You will be redirected to a login page. Fill in your Active Directory username and password (demo / Test12345). 16 DIGIPASS Authentication for Cisco ASA 5505

Click Logon. When successful you will see the following page: 17 DIGIPASS Authentication for Cisco ASA 5505

4 Solution 4.1 Architecture 10.4.0.13 LDAP RADIUS VPN connection 10.4.0.226 Cisco ASA 5505 10.4.0.165 Internal network 10.4.0.x 4.2 Cisco ASA 5505 Starting from our VPN connection with Windows Active Directory as back-end, we only need to create a new back-end and attach this to the default radius group. 4.2.1 Creating IDENTIKEY server back-end Log into the ASA5505 using Cisco ASDM. Navigate to Configuration. Click on Remote Access VPN. Open AAA/Local Users and click on AAA Server Groups. 18 DIGIPASS Authentication for Cisco ASA 5505

Create a new AAA server group by clicking on Add. Server Group: Demo-IK Protocol: RADIUS Leave all other options on their Default values Click OK. Select Demo-IK and add a server by clicking Add in the box below. Interface: Inside Server IP Address: 10.4.0.13 Timeout: 10 Authentication Port: 1812 Accounting Port: 1813 Retry Interval: 10 seconds 19 DIGIPASS Authentication for Cisco ASA 5505

Server Secret Key: Test1234 ACL Network Convert: Standard Click OK. Click Apply. The server secret key needs to be the same as the RADIUS secret key set up on the IDENTIKEY Authentication Server RADIUS client component. We can test this connection only if the basic setup was performed on the IDENTIKEY Authentication Server. More detail can be found in 4.3 IDENTIKEY Authentication Server. Select the server group Demo-IK and the server 10.4.0.13. Click Test. Select Authentication. Enter the username (demo) and the OTP. Click OK. If everything was configured correctly we get this message: 4.2.2 Attaching the new back-end to the IPsec VPN Navigate to Configuration, click on Remote Access VPN and open Network (Client) Access. Click on IPsec Connection Profiles. Select the DefaultRAGroup and click on Edit. 20 DIGIPASS Authentication for Cisco ASA 5505

Change the Server Group from Demo-Backend to Demo-IK. Click OK. 4.2.3 Attaching the new back-end to the SSL VPN Navigate to Configuration, click on Remote Access VPN, open Clientless SSL VPN Access and click on Connection Profiles. Select SSL-Demo and click Edit. Change AAA Server Group from Demo-Backend to Demo-IK. 4.3 IDENTIKEY Authentication Server There are lots of possibilities when using IDENTIKEY Authentication Server. We can authenticate with: Local users (Defined in IDENTIKEY Authentication Server) Active Directory (Windows) In this whitepaper we will use Local users to authenticate. 4.3.1 Policies In the Policy the behavior of the authentication is defined. It gives all the answers on: I have got a user and a password, what now? Create a new Policy 21 DIGIPASS Authentication for Cisco ASA 5505

Policy ID : Test Inherits From: Base Policy Inherits means: The new policy will have the same behavior as the policy from which he inherits, except when otherwise specified in the new policy. Example: Base Policy New Policy Behaviour 1 a New policy will do a 2 b New policy will do b 3 c f New policy will do f 4 d New policy will do d 5 e g New policy will do g The new policy is created, now we are going to edit it. Click edit Local Authentication : Digipass/Password Click Save 4.3.2 Client In the clients we specify the location from which IDENTIKEY Authentication Server will accept requests and which protocol they use. We are going to add a new RADIUS client. 22 DIGIPASS Authentication for Cisco ASA 5505

Client Type : select Radius Client from select from list Location : 10.4.0.165 Policy ID : Select the Policy that was created in Policies Protocol ID: RADIUS Shared Secret: Test1234 Confirm Shared Secret: reenter the shared secret Click Save The shared secret has to be identical to the secret key we set in the Cisco ASA 5505 (view 4.2.1 Creating IDENTIKEY server back-end ) 4.3.3 User We are going to create a user. User ID: Demo 4.3.4 DIGIPASS The purpose of using IDENTIKEY Authenticaction Server, is to be able to log in using One Time Passwords (OTP). To make it possible to use OTP we need to assign a DIGIPASS to the user. The Digipass is a device that generates the OTP s. Open the user by clicking on its name Select Assigned Digipass 23 DIGIPASS Authentication for Cisco ASA 5505

Click ASSIGN Click Next Grace period: 0 Days Grace period is the period that a user can log in with his static password. The first time the user uses his DIGIPASS the grace period will expire. Click ASSIGN 24 DIGIPASS Authentication for Cisco ASA 5505

Click Finish 25 DIGIPASS Authentication for Cisco ASA 5505

4.4 Test the Solution 4.4.1 Testing IPsec VPN Connect to the Demo-ASA VPN and fill in the username (Demo) and the OTP. You should be connected to the VPN and see the following in your network connections: If the connection test from 4.2.1 works and the VPN connection fails with error 691, please check in your ASDM if you applied the changes. 4.4.2 Testing SSL VPN Navigate to https://10.4.0.165 and logon using your username (Demo) and OTP. When successful you will see the following page: 26 DIGIPASS Authentication for Cisco ASA 5505

27 DIGIPASS Authentication for Cisco ASA 5505

5 Challenge/Response The easiest way to test challenge/response is to use (Back-Up) Virtual DIGIPASS. Virtual DIGIPASS is a solution where an OTP is sent to your E-mail account or mobile phone, after it was triggered in a user authentication. The trigger mechanism is configured in the policy (see later). Virtual DIGIPASS is a DIGIPASS that needs to be ordered like a Hardware DIGIPASS Back-Up Virtual DIGIPASS is a feature that must be enabled while ordering other DIGIPASS (Hardware, DIGIPASS for Mobile, DIGIPASS for Web or DIGIPASS for Windows) Availability of Back-Up virtual DIGIPASS can be checked in the IDENTIKEY web administration. Select a DIGIPASS > Click on the first application and scroll down. For test purposes a demo DPX file (named Demo_VDP.DPX) with Virtual Digipass is delivered with every IDENTIKEY Authentication Server 5.1 Architecture 1: User ID Trigger 2: Challenge 4: OTP received by SMS MDC 3: SMS with OTP This solution makes use of an SMS-gateway (for SMS or text messages) or SMTP-server (for mail). The first step is to configure one of the servers. This is done in the Message Delivery Component (MDC) configuration. For more information see the IDENTIKEY Authentication Server manuals. 28 DIGIPASS Authentication for Cisco ASA 5505

Popular SMS-gateways: http://www.clickatell.com http://www.cm.nl http://www.callfactory.com 5.2 Cisco ASA 5505 There are no additional steps on the Cisco ASA 5505. 5.3 IDENTIKEY Authentication Server 5.3.1 Policy The configuration virtual Digipass can be used is done in the policy. Select the policy created in Policies. This should be Test. Select Test Go to Virtual Digipass Click Edit Delivery Method: SMS BVDP Mode: Yes Permitted Request Method: KeywordOnly Request Keyword: IwantOTP Click Save The request method is the trigger to send the message. The trigger can be: Static password: as stored inside IDENTIKEY Authentication Server (different for each individual user) Keyword: a text message (the same for all users) 5.3.2 User IDENTIKEY Authentication Server needs to know, where to send the mail or SMS. Therefor the User should be added. Select a user: Demo Click User Info Click Edit 29 DIGIPASS Authentication for Cisco ASA 5505

Mobile: +32 (for the sms) Email Address: mail@server.com (for mail) Click save 30 DIGIPASS Authentication for Cisco ASA 5505

5.4 Test the Solution 5.4.1 Testing IPsec Step 1: Log in using your username and the keyword (Demo / IwantOTP) Step 2: The ASA server will return that the connection was unsuccessful. Click Close. Step 3: Log in using your username and the received OTP (SMS). Step 4: When configured correctly, you are now connected to the VPN. 5.4.2 Testing SSL VPN 31 DIGIPASS Authentication for Cisco ASA 5505

Step 1: Log in using your username and the keyword (Demo / IwantOTP) Step 2: You will be asked for your OTP. Step 3: Use the received OTP (SMS) to logon. Step 4: When configured correctly, you will be redirected to the portal site. 32 DIGIPASS Authentication for Cisco ASA 5505