GoldKey and Cisco AnyConnect




Two-Factor VPN Authentication using GoldKey and Cisco AnyConnect
Configuration Guide
GoldKey Security Corporation
www.goldkey.com

Table of Contents

  Configuration of the Cisco ASA
    Install the Active Directory Root Certificate
    Generate an Identity Certificate
    Issuing a Router Certificate for the ASA
  Configuring Cisco AnyConnect
  Implementing GoldKey Authentication
  Customer Support
  Acknowledgments and Disclosures

Configuration of the Cisco ASA

These instructions are intended to assist IT administrators in configuring their ASA to trust certificates issued by their Active Directory Certificate Authority, and apply to Cisco AnyConnect version 2.5.

Install the Active Directory Root Certificate

The first step in configuring the Cisco ASA to add two-factor authentication using GoldKey tokens and Active Directory certificates is to install the Active Directory root certificate on the ASA. To do this, log into the ASDM and click the Configuration button. Then choose Device Management, expand Certificate Management, and select CA Certificates. Next, click Add in the pane on the right. This will open the Install Certificate wizard.

From here, click on Browse, select the root certificate, and click Install. Then click on Install Certificate. Finally, click Send to finish installing the Active Directory root certificate on the ASA. A message will be displayed letting you know whether the certificate has been installed correctly.

Generate an Identity Certificate

After the root certificate has been successfully installed, you will need to create an identity certificate on the ASA. To begin, select Identity Certificates from within Certificate Management and click Add.

Select Add a new identity certificate from within the Add Identity Certificate dialog and click on the New button to generate a key pair. Enter the name for the key pair as well as the size of the key, and then click Generate Now.

You will be given an opportunity to preview the CLI commands. Click on Send to finish generating the key pair. Next, you will be brought back to the ASDM Identity Certificates screen. Click on Add to continue creating an identity certificate. Select the Add a new identity certificate option and choose the new key pair from the drop-down list provided. Then, click on Select for the Certificate Subject DN.

Next, select the Common Name (CN) attribute and set the Internet-reachable name of the ASA, such as its fully qualified domain name, as the value. Then, click Add. If there are other attributes required in your environment, please add them at this time. Then, click OK.

Click on the Advanced button from the Add Identity Certificate screen. From the Certificate Parameters tab in the Advanced Options screen, make sure that the FQDN field matches the CN entered in the Certificate Subject DN and click OK.

On the Add Identity Certificate screen, click Add Certificate. You will be given another opportunity to preview the CLI commands to be sent to the ASA. Then, click on Send. You will be prompted to save the certificate-signing request (CSR) to a file. Click on Browse and select the name and location for the CSR. Then, click OK. The ASDM will now display your certificate as pending, as shown below.

Issuing a Router Certificate for the ASA

You will need to generate an Active Directory certificate based on the request created by the ASA. In order to accomplish this, you will need to enable the Router (Offline request) certificate template on your Certificate Authority.

From your Microsoft CA, open Certification Authority under Start > Administrative Tools. Then, select Certificate Templates from the pane on the left, and make sure that the Router (Offline request) template is listed. If it is not, select the New > Certificate Template to Issue option in the Action menu, select Router (Offline request), and click OK to enable it.

Next, copy the CSR file onto the desktop of the CA server. Then, hold down Shift and right-click to open a command prompt window from the Desktop. Run the following command to issue a certificate for the CSR that you generated through the ASDM:

  CertReq -submit -attrib "CertificateTemplate:OfflineRouter" newasa-2.csr newasaoutput2.cer

For this command to work properly, you will need to replace newasa-2.csr with the name of the CSR file you created through the ASDM. You may also select a different name for the output file.

Next, right-click on the output certificate file and open it with Notepad. Select and copy the certificate information, and then return to the ASDM. From the Identity Certificates screen, click on the Install button in the pane on the right.

Select the option to paste the certificate data in base-64 format, and paste the data you copied from Notepad above. Finally, click on Install Certificate. You will notice that your certificate is no longer listed as pending. The Identity Certificates screen should now show only one entry, as shown below.
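The guide drives the certificate steps above through the ASDM wizards and only mentions that the CLI commands can be previewed. The following is an added example, not from the GoldKey guide or from Cisco, of the equivalent ASA 8.x CLI for the same three steps (trust the AD root, generate the key pair and CSR, import the issued certificate), plus two checks the wizards do not prompt for: CRL revocation checking on the root trustpoint, and rules in the certificate map that the AnyConnect configuration in the next section references, so that only certificates issued by your own CA to the intended users are mapped to the certificate-authenticated tunnel group. Every name in it (AD-ROOT, ASA-ID, ASA-KEY, vpn.example.com, CONTOSO-CA, VPN-Users) is a placeholder assumed for the example; xxxx-ssl-cert is the tunnel group from the guide's own configuration.

```cisco
! Added example (not from the GoldKey guide): ASA 8.x CLI equivalent of the
! ASDM certificate steps. All names below are placeholders to replace.

! 1. Trust the Active Directory root CA (ASDM: CA Certificates > Add).
!    revocation-check crl makes the ASA refuse a certificate the CA has
!    revoked (for example, for a lost token); it requires the CA's HTTP CDP
!    to be reachable from the ASA.
crypto ca trustpoint AD-ROOT
 enrollment terminal
 revocation-check crl
 crl configure
  policy cdp
 exit
exit
crypto ca authenticate AD-ROOT
! paste the base-64 root certificate here, then type quit on its own line

! 2. Key pair and certificate request (ASDM: Identity Certificates > Add).
!    fqdn and the CN in subject-name must match, as the guide requires.
crypto key generate rsa label ASA-KEY modulus 2048
crypto ca trustpoint ASA-ID
 enrollment terminal
 keypair ASA-KEY
 fqdn vpn.example.com
 subject-name CN=vpn.example.com
exit
crypto ca enroll ASA-ID
! answer the prompts; the CSR is printed on the terminal. Save it as the
! .csr file you pass to CertReq on the CA, as described above.

! 3. Install the certificate issued by the CA (ASDM: Identity Certificates > Install),
!    then present it on the outside interface.
crypto ca import ASA-ID certificate
! paste the base-64 certificate from the CertReq output file, then quit
ssl trust-point ASA-ID outside

! 4. Restrict which certificates reach the certificate tunnel group.
!    Without rules, any certificate that chains to a trusted CA is accepted
!    by the map; these rules require your CA as issuer and a chosen OU.
crypto ca certificate map DefaultCertificateMap 10
 issuer-name attr cn eq CONTOSO-CA
 subject-name attr ou eq VPN-Users
exit
tunnel-group-map enable rules
tunnel-group-map DefaultCertificateMap 10 xxxx-ssl-cert
```

The certificate map rule index (10) and map name match the tunnel-group-map line in the guide's configuration; the issuer and OU values are the ones to adapt to your CA's name and to the container or group you issue the GoldKey user certificates from. Check the result with show crypto ca certificates, which should list the root under AD-ROOT and the issued identity certificate, no longer pending, under ASA-ID.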

Configuring Cisco AnyConnect

Once the ASA has been configured with the Active Directory root certificate and an identity certificate of its own, Cisco AnyConnect clients must be configured to use certificates for authentication. The following is an example AnyConnect configuration that requires certificates for authentication. Please note that some values have been modified to remove identifying information.

  ssl trust-point ASDM_TrustPoint3 outside
  webvpn
   enable outside
   svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
   svc enable
   tunnel-group-list enable
   tunnel-group-preference group-url
  group-policy xxxx-ssl internal
  group-policy xxxx-ssl attributes
   banner value Welcome to XXXX SSL VPN
   wins-server none
   dns-server value XXX.XXX.X.XXX
   vpn-idle-timeout 14400
   vpn-tunnel-protocol svc
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value acl-clientvpn
   default-domain value XXXX.XXXXX
   address-pools value vpnippool
   webvpn
    svc dtls enable
    svc keep-installer installed
    svc ask none default svc
  tunnel-group xxxx-ssl-cert type remote-access
  tunnel-group xxxx-ssl-cert general-attributes
   address-pool vpnippool
   default-group-policy xxxx-ssl
  tunnel-group xxxx-ssl-cert webvpn-attributes
   authentication certificate
   group-alias ssl-cert enable
   group-url https://xxxxx.xxxxxxx.xxx/cert enable
  tunnel-group-map DefaultCertificateMap 10 xxxxvpntest
  !

Implementing GoldKey Authentication

The final step in implementing two-factor VPN authentication using GoldKey is to load certificates from Active Directory onto your tokens. For more information on loading certificates onto your GoldKey tokens, please refer to our online support resources: http://www.goldkey.com/support/

Once the certificates are loaded properly and the AnyConnect configuration above has been completed, you will be prompted for your GoldKey PIN to authenticate connections to your VPN.

Customer Support

If you have questions or comments, please feel free to contact GoldKey Customer Support. General product information can be obtained from our website.

  Telephone: 888-220-4020
  Email: techsupport@goldkey.com
  Website: http://www.goldkey.com/

Acknowledgments and Disclosures

Cisco and AnyConnect are registered trademarks of Cisco Systems, Inc. GoldKey and the GoldKey logo are registered trademarks of GoldKey Security Corporation. Active Directory and Microsoft are registered trademarks of Microsoft Corporation.