External Authentication with Cisco ASA Authenticating Users Using SecurAccess Server by SecurEnvoy



Similar documents
How To Integrate Watchguard Xtm With Secur Access With Watchguard And Safepower 2Factor Authentication On A Watchguard 2T (V2) On A 2Tv 2Tm (V1.2) With A 2F

External Authentication with Juniper SSL VPN appliance Authenticating Users Using SecurAccess Server by SecurEnvoy

External Authentication with Windows 2003 Server with Routing and Remote Access service Authenticating Users Using SecurAccess Server by SecurEnvoy

External Authentication with Checkpoint R75.40 Authenticating Users Using SecurAccess Server by SecurEnvoy

External Authentication with Windows 2012 R2 Server with Remote Desktop Web Gateway Authenticating Users Using SecurAccess Server by SecurEnvoy

External Authentication with Cisco VPN 3000 Concentrator Authenticating Users Using SecurAccess Server by SecurEnvoy

External authentication with Fortinet Fortigate UTM appliances Authenticating Users Using SecurAccess Server by SecurEnvoy

ipad or iphone with Junos Pulse and Juniper SSL VPN appliance Authenticating Users Using SecurAccess Server by SecurEnvoy

External Authentication with Citrix Secure Gateway - Presentation server Authenticating Users Using SecurAccess Server by SecurEnvoy

Microsoft Outlook Web Access 2013 Authenticating Users Using SecurAccess Server by SecurEnvoy

SalesForce SSO with Active Directory Federated Services (ADFS) v2.0 Authenticating Users Using SecurAccess Server by SecurEnvoy

External authentication with Astaro AG Astaro Security Gateway UTM appliances Authenticating Users Using SecurAccess Server by SecurEnvoy

Dell SonicWALL and SecurEnvoy Integration Guide. Authenticating Users Using SecurAccess Server by SecurEnvoy

External Authentication with Citrix Access Gateway Advanced Edition

External Authentication with CiscoSecure ACS. Authenticating Users Using. SecurAccess Server. by SecurEnvoy

External Authentication with Windows 2008 Server with Routing and Remote Access Service Authenticating Users Using SecurAccess Server by SecurEnvoy

Full disk encryption with Sophos Safeguard Enterprise With Two-Factor authentication of Users Using SecurAccess by SecurEnvoy

SSH to Ubuntu Server Authenticating Users Using SecurAccess Server by SecurEnvoy

Microsoft Office365 with Active Directory Federated Services (ADFS) Authenticating Users Using SecurAccess Server by SecurEnvoy

External Authentication with Netscreen 25 Remote VPN Authenticating Users Using SecurAccess Server by SecurEnvoy

Compiled By: Chris Presland v th September. Revision History Phil Underwood v1.1

Cisco ASA. Implementation Guide. (Version 5.4) Copyright 2011 Deepnet Security Limited. Copyright 2011, Deepnet Security. All Rights Reserved.

Workspot Configuration Guide for the Cisco Adaptive Security Appliance

ESET SECURE AUTHENTICATION. Cisco ASA SSL VPN Integration Guide

External Authentication with Cisco Router with VPN and Cisco EZVpn client Authenticating Users Using SecurAccess Server by SecurEnvoy

SecurEnvoy Windows Login Agent

Step by step guide to implement SMS authentication to Cisco ASA Clientless SSL VPN and Cisco VPN

ESET SECURE AUTHENTICATION. Cisco ASA Internet Protocol Security (IPSec) VPN Integration Guide

ZyWALL OTP Co works with Active Directory Not Only Enhances Password Security but Also Simplifies Account Management

Cisco ASA Authentication QUICKStart Guide

Strong Authentication for Cisco ASA 5500 Series

SecurEnvoy IIS Web Agent. Version 7.2

Accessing the Media General SSL VPN

DIGIPASS Authentication for Cisco ASA 5500 Series

INTEGRATION GUIDE. DIGIPASS Authentication for Cisco ASA 5505

Configuring User Identification via Active Directory

Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)

Defender Token Deployment System Quick Start Guide

SMS PASSCODE CONFIGURATION FOR CISCO ASA / RADIUS AUTHENTICATION SMS PASSCODE 2011

Two-Factor Authentication

Establishing two-factor authentication with Barracuda NG Firewall and HOTPin authentication server from Celestix Networks

Configuring Color Access on the WorkCentre 7120 Using Microsoft Active Directory Customer Tip

Authentication Node Configuration. WatchGuard XTM

TechNote. Contents. Introduction. System Requirements. SRA Two-factor Authentication with Quest Defender. Secure Remote Access.

Clientless SSL VPN Users

Customer Tips. Configuring Color Access on the WorkCentre 7328/7335/7345 using Windows Active Directory. for the user. Overview

BlackShield ID Best Practice

Establishing two-factor authentication with Cyberoam UTM appliances and HOTPin authentication server from Celestix Networks

Cox Managed CPE Services. RADIUS Authentication for AnyConnect VPN Version 1.3 [Draft]

Cisco ASA configuration for SMS PASSCODE SMS PASSCODE 2014

Integration Guide. SafeNet Authentication Service. Using RADIUS Protocol for Cisco ASA

Configuring the Cisco ISA500 for Active Directory/LDAP and RADIUS Authentication

Establishing two-factor authentication with Check Point and HOTPin authentication server from Celestix Networks

SecurEnvoy Security Server Administration Guide

DualShield. for. Microsoft TMG. Implementation Guide. (Version 5.2) Copyright 2011 Deepnet Security Limited

Setting Up Scan to SMB on TaskALFA series MFP s.

DIGIPASS Authentication for Sonicwall Aventail SSL VPN

HOTPin Integration Guide: Microsoft Office 365 with Active Directory Federated Services

Access to Webmail services via a Non Trust Computer

SecurEnvoy Reporting Wizard

BlackShield ID Agent for Remote Web Workplace

INTEGRATION GUIDE. DIGIPASS Authentication for Juniper SSL-VPN

Quick Scan Features Setup Guide

HOTPin Integration Guide: Google Apps with Active Directory Federated Services

ZyWALL OTPv2 Support Notes

SecurEnvoy Security Server Installation Guide

IIS, FTP Server and Windows

ESET SECURE AUTHENTICATION. Check Point Software SSL VPN Integration Guide

DIGIPASS Authentication for SonicWALL SSL-VPN

Setting Up and Accessing VPN

McAfee One Time Password

HOTPin Integration Guide: DirectAccess

Evaluating the Cisco ASA Adaptive Security Appliance VPN Subsystem Architecture

INSTALLATION INSTRUCTIONS FOR UKSSOGATEWAY

ESET SECURE AUTHENTICATION. SonicWall SSL VPN Integration Guide

ActivIdentity 4TRESS AAA Web Tokens and SSL VPN Fortinet Secure Access. Integration Handbook

Juniper SSL VPN Authentication QUICKStart Guide

Palo Alto Networks GlobalProtect VPN configuration for SMS PASSCODE SMS PASSCODE 2015

Guide for Setting Up Your Multi-Factor Authentication Account and Using Multi-Factor Authentication

Cisco ASA. Administrators

Multi-factor Authentication using Radius

NSi Mobile Installation Guide. Version 6.2

How to integrate RSA ACE Server SecurID Authentication with Juniper Networks Secure Access SSL VPN (SA) with Single Node or Cluster (A/A or A/P)

Multi-Factor Authentication Job Aide

NAC Guest. Lab Exercises

DIGIPASS Authentication for Citrix Access Gateway VPN Connections

RSA SecurID Soft token. Cisco Anyconnect SSL VPN client. Connection guide: SSL VPN. SSL VPN (Soft token) First time user or after PIN reset

DIGIPASS Authentication for Check Point Connectra

OneLogin Integration User Guide

Implementation Guide for. Juniper SSL VPN SSO with OWA. with. BlackShield ID

UBC Digital Signage Service: CoolSign 5.0 Initial Set- up Guide

Cloud Services ADM. Agent Deployment Guide

Scenario: IPsec Remote-Access VPN Configuration

Cisco ASA 5500-X Series ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X

Scenario: Remote-Access VPN Configuration

QUICK SELLING GUIDE THE FUTURE OF AUTHENTICATION

Configuring Global Protect SSL VPN with a user-defined port

Two Factor Authentication (TFA; 2FA) is a security process in which two methods of authentication are used to verify who you are.

Acunetix Web Vulnerability Scanner. Getting Started. By Acunetix Ltd.

Transcription:

External Authentication with Cisco ASA Authenticating Users Using SecurAccess Server by SecurEnvoy Contact information SecurEnvoy www.securenvoy.com 0845 2600010 Merlin House Brunel Road Theale Reading RG7 4AB Phil Underwood Punderwood@securenvoy.com Tony Davis tdavis@securenvoy.com axonex hello@axonex.com 01242 535700

Cisco ASA Integration Guide This document describes how to integrate a Cisco ASA with SecurEnvoy two-factor Authentication solution called SecurAccess. Cisco ASA provides Secure Remote Access and Firewalling to the internal corporate network. SecurAccess provides two-factor, strong authentication for remote Access solutions (such as Cisco), without the complication of deploying hardware tokens or smartcards. Two-Factor authentication is provided by the use of (your PIN and your Phone to receive the one time passcode) SecurAccess is designed as an easy to deploy and use technology. It integrates directly into any LDAP server and negates the need for additional User Security databases. SecurAccess consists of two core elements: a Radius Server and Authentication server. The Authentication server is directly integrated with LDAP in real time. SecurEnvoy Security Server can be configured in such a way that it can use the existing LDAP password. Utilising the LDAP password as the PIN, allows the User to enter their UserID, Domain password and One Time Passcode received upon their mobile phone. This authentication request is passed via the Radius protocol to the SecurEnvoy Radius server where it carries out a Two-Factor authentication. It provides a seemless login into the Windows Server environment by entering three pieces of information. SecurEnvoy utilises a web GUI for configuration, as does the Cisco ASA (ASDM). All notes within this integration guide refer to this type of approach. The equipment used for the integration process is listed below: Cisco Cisco Adaptive Security Appliance Software Version 9.1(3) Device Manager Version 7.1(4) Cisco Anyconnect Mobile Client 3.1.03103 SecurEnvoy Windows 2012 R2 Server IIS installed with SSL certificate (required for management and remote administration) Active Directory installed or connection to Active Directory via LDAP protocol. SecurAccess software release v7.2.505 2014 SecurEnvoy Ltd. All rights reserved Confidential Page 2

Index 1.0 Prerequisites... 3 1.1 Configuration of Cisco AAA server... 4 1.2 Configuration of Cisco ASA VPN configuration... 5 2.0 Configuration of SecurEnvoy - PIN configuration... 5 2.1 Configuration of SecurEnvoy - RADIUS configuration... 5 3.0 Cisco AnyConnect VPN Client Configuration... 7 4.0 Test logon SSL... 7 4.1 Test logon AnyConnect Client... 8 4.2 Configuration of OneSwipe(Optional)... 9 4.3 User Experience - OneSwipe... 10 5.0 Troubleshooting RADIUS connection... 11 1.0 Prerequisites It is assumed that the Cisco ASA has been installed and is authenticating VPN users with a username and password. Securenvoy Security Server has been installed with the Radius service and has a suitable account that has read and write privileges to the Active Directory. If firewalls are between the SecurEnvoy Security server, Active Directory servers, and the Routing and Remote Access server(s), additional open ports will be required. NOTE: Add radius profiles for each Cisco ASA that requires Two-Factor Authentication. The following table shows what token types are supported. Token Type Supported Real Time SMS or Email Preload SMS or Email Soft Token Code Soft Token Next Code Voice Call One Swipe 2014 SecurEnvoy Ltd. All rights reserved Confidential Page 3

1.1 Configuration of Cisco AAA server Launch the Cisco Adaptive Security Device Manager (ASDM), select Configuration in top toolbar, navigate to AAA setup, go to AAA server Groups and click ADD. Enter name details and select the Radius protocol, set max failed attempts to 3. Click Ok when completed. Navigate to AAA setup, go to AAA server and click ADD. Enter details for interface, IP address of SecurEnvoy server. Set port to 1812 (this is the default port of SecurEnvoy Radius) Enter Server Secret Key. Make sure that Microsoft CHAPv2 is unticked. Click OK when completed. 2014 SecurEnvoy Ltd. All rights reserved Confidential Page 4

1.2 Configuration of Cisco ASA VPN configuration Within the ASDM, navigate to the Remote Access VPN. Then select the existing profile you wish to change. In this example the AnyConnect Connection profile was selected. Within the AnyConnect profile, change the AA server group to be the AA group that was configured earlier. Click OK when complete. Apply all changes to make the configuration active. 2.0 Configuration of SecurEnvoy - PIN configuration To help facilitate an easy to use environment, SecurEnvoy can utilise the existing LDAP password as the PIN. This allows the users to only remember their Domain password. SecurEnvoy supplies the second factor of authentication, which is the dynamic one time passcode (OTP) which is sent to the user s mobile phone via SMS, email or use a Soft Token. Launch the SecurEnvoy admin interface, by executing the Local Security Server Administration link on the SecurEnvoy Security Server. Click Config Select Windows Microsoft Password is the PIN under PIN Management This will now use the users existing password as the PIN. Click Update to confirm the changes 2.1 Configuration of SecurEnvoy - RADIUS configuration Click the Radius Button Click New then enter IP address and Shared secret for each Cisco ASA that wishes to use SecurEnvoy Two-Factor authentication. 2014 SecurEnvoy Ltd. All rights reserved Confidential Page 5

Make sure that Prompt all passcodes in the same way as Real Time Codes is ticked. If required Group membership can be achieved SecurEnvoy RADIUS can respond with LDAP group membership via Radius return attribute 3076-223. Click Update to confirm settings. Click Logout when finished. This will log out of the Administrative session. NOTE SecurEnvoy RADIUS has the ability to send Privilege level access by returning Radius Privilege-Level 220 attribute to an ASA. SecurEnvoy can search any LDAP attribute and respond with the data that is contained in that attribute. To set this up, first choose an LDAP attribute and populate with the correct data. This example uses pager. In this example the LDAP attribute Pager is used. It is then populated with 15 for level 15 access. Please see Cisco ASA reference guide for more information. Within the Radius set, provide a unique number and then the VendorID, 3076-220. Then select LDAP and type in the name of the LDAP attribute, this example uses pager. Click Update when complete. Cisco Attribute Name Attribute Syntax Value Privilege-Level 220 Integer 0-15 2014 SecurEnvoy Ltd. All rights reserved Confidential Page 6

3.0 Cisco AnyConnect VPN Client Configuration The VPN client does not require any changes, if it was working by using a username and password it will now work with SecurEnvoy Two Factor authentication. 4.0 Test logon SSL Once the configuration has been saved, the connection can be initiated by navigating to the configured URL. In this example Https://server.securenvoy.com User then enters existing Domain User ID and Domain password. User is then prompted to enter a 6 digit passcode. This can be obtained from SMS, Email, Soft Token etc. Click continue to complete the logon. NOTE If a user is setup for Voice Call, the user enters User ID and password as described previously, but will then the following prompt will be displayed. The users phone will then receive a voice call; user then follows the prompt and enters the displayed passcode via the phone keypad. Once entered the user clicks continue on the logon prompt to complete the sequence. 2014 SecurEnvoy Ltd. All rights reserved Confidential Page 7

4.1 Test logon AnyConnect Client User then enters existing Domain User ID and Domain password. Click OK to continue. User is then prompted to enter a 6 digit passcode. This can be obtained from SMS, Email, Soft Token etc. Click Continue to complete the logon. NOTE If a user is setup for Voice Call, the user enters User ID and password as described previously, but will then the following prompt will be displayed. The users phone will then receive a voice call; user then follows the prompt and enters the displayed passcode via the phone keypad. Once entered the user clicks continue on the logon prompt to complete the sequence. 2014 SecurEnvoy Ltd. All rights reserved Confidential Page 8

4.2 Configuration of OneSwipe (Optional) Customise the SSL WebVPN portal with OneSwipe-specific details: Configuration >> Remote Access VPN >> Clientless SSL VPN Access >> Portal >> Customization Highlight DfltCustomization and click Edit and select Title Panel from the Logon Page menu In the Text box, enter the following HTML code: SSL VPN Service <img src="/+cscou+/oneswipe.gif" onclick="se_oneswipe_click()" onload="var button = document.getelementsbyname('login')[0];button.id = 'Login';se_oneswipe_username='username';se_oneswipe_pin='password';se_oneswipe_passc ode='secondary_password';se_oneswipe_submit='login';"> <div id="se_oneswipe_status"></div> <canvas id="se_oneswipe_canvas" width="400" height="300" style="display:none"></canvas> <div id="outdiv"></div> <script type="text/javascript" src="/+cscou+/oneswipe.js"></script> Click OK and then click Web Contents from the Portal menu. Select Import and import the oneswipe.gif and oneswipe.js files from the link below into the default web contents folder. For each file, select the option stating that no authentication is required. https://www.dropbox.com/s/6wt8npsa2aeb54y/oneswipe.zip 2014 SecurEnvoy Ltd. All rights reserved Confidential Page 9

4.3 User Experience - OneSwipe Select Swipe from the phone Soft Token Enter your PIN /Password into the PIN / Password field and click Done. Browse to ASA Clientless SSL WebVPN portal Click on the OneSwipe button and scan the QR code using your webcam. UserID, password and passcode are passed to the Cisco ASA authentication page and user successfully logs in. 2014 SecurEnvoy Ltd. All rights reserved Confidential Page 10

User is presented with Cisco Web Portal 5.0 Troubleshooting RADIUS connection Navigate to AAA setup, go to AAA server, select the SecurEnvoy AAA server and Test authentication Enter Domain UserID in username field and domain password; click OK to continue. User is then prompted to enter a 6 digit passcode. Click OK Information window will show response. 2014 SecurEnvoy Ltd. All rights reserved Confidential Page 11

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information