Cisco ASA Authentication QUICKStart Guide

Cisco ASA Authentication QUICKStart Guide Powerful Authentication Management for Service Providers and Enterprises Authentication Service Delivery Made EASY

Copyright 2012 SafeNet, Inc. All rights reserved. All attempts have been made to make the information in this document complete and accurate. SafeNet, Inc. is not responsible for any direct or indirect damages or loss of business resulting from inaccuracies or omissions. The specifications contained in this document are subject to change without notice. SafeNet and SafeNet Authentication Service are either registered with the U.S. Patent and Trademark Office or are trademarks of SafeNet, Inc., and its subsidiaries and affiliates, in the United States and other countries. All other trademarks referenced in this Manual are trademarks of their respective owners. SafeNet Hardware and/or Software products described in this document may be protected by one or more U.S. Patents, foreign patents, or pending patent applications. Please contact SafeNet Support for details of FCC Compliance, CE Compliance, and UL Notification. Support SafeNet technical support specialists can provide assistance when planning and implementing SafeNet Authentication Service. In addition to aiding in the selection of the appropriate authentication products, SafeNet can suggest deployment procedures that will provide a smooth, simple transition from existing access control systems and a satisfying experience for network users. We can also help you leverage your existing network equipment and systems to maximize your return on investment. SafeNet works closely with channel partners to offer worldwide Technical Support services. If you purchased this product through a SafeNet channel partner, please contact your partner directly for support needs. To contact SafeNet Authentication Service support directly: Europe / EMEA Freephone: Telephone: 0800 694 1000 (UK) +44 (0)1276 608 000 (Int l) North America Toll Free: 800-307-7042 Telephone: +1 613 599 2441 E-mail: sassupport@safenet-inc.com E-mail: sassupport@safenet-inc.com 2

Publication History Date Changes Version 2012.06.30 Updates to reflect SafeNet branding. 1.3 2010.09.15 Updated for GrIDsure, MP and different auth methods 1.2 2009.07.09 Copyright year updated 1.1 2009.01.26 Document created 1.0 3

Contents Applicability... 5 Environment... 6 Overview... 7 Preparation and Prerequisites... 8 Configure Cisco ASA for Two Factor Authentication... 8 Step 1: Define a RADIUS enabled AAA Server group... 8 Step 2: Assigning a RADIUS AAA Server to the AAA Server group... 9 Step 3: Assigning SafeNet Authentication to a Clientless SSL VPN Connection Profile... 10 Step 4: Assigning SafeNet Authentication to a IPSec VPN Connection Profile... 11 Step 5: Assigning SafeNet Authentication to a AnyConnect Connection Profile... 12 Clientless SSL VPN and GrIDsure authentication... 13 Hardware token and GrIDsure aware logon page.... 14 Clientless SSL VPN and MP Token detection... 16 Uploading custom SafeNet login pages... 17 Creating an SSL VPN Portal Page Customization Object... 17 Verifying the Connection and Group profile... 18 Cisco ASA AnyConnect Client... 19 SafeNet Cisco AnyConnect Client... 20 Cisco AnyConnect Client and MP Token Detection... 21 BlackShield Cisco AnyConnect Agent registry key... 22 Troubleshooting... 25 RADIUS Authentication issues... 25 GrIDsure Authentication issues... 26 Applicability 4

Applicability The information in this document applies to: SafeNet Authentication Service (SAS) A cloud authentication service of SafeNet Inc. SafeNet Authentication Service Service Provider Edition (SAS-SPE) The software used to build a SafeNet authentication service. SafeNet Authentication Service Private Cloud Edition (SAS-PCE) A term used to describe the implementation of SAS-SPE on-premise. Note: references to BlackShield and CRYPTOCard reflect CRYPTOCard branding prior to acquisition by SafeNet. Over time these references will change to reflect SafeNet branding including program installation locations. Applicability 5

Environment This integration guide is applicable to: Summary Security Partner Product Name Cisco Cisco ASA 5500 series ASA Version 8.3 ADSM Version 6.3(1) RADIUS Server Microsoft Internet Authentication Service (IAS) Microsoft Network Policy Server (NPS) Juniper Steel Belted RADIUS server FreeRADIUS server Environment 6

Overview By default Cisco ASA user authentication requires that a user provide a correct user name and password to successfully logon. This document describes the steps necessary to augment this logon mechanism with strong authentication by adding a requirement to provide a one-time password generated by a SafeNet token by using the instructions below. Overview 7

Preparation and Prerequisites Ensure a test user account can authenticate through the Cisco ASA with a static password before configuring the Cisco Secure ASA to use RADIUS authentication. If using SAS-SPE or SAS-PCE: Configure the SafeNet Authentication Service Agent for IAS/NPS, Juniper Steel Belted RADIUS to accept authentication requests from the ASA device. Add the test user account to SAS and assign a token. If use SAS Add the Cisco ASA as an Auth Node (Comms tab Auth Nodes Module) Add the test user account to SAS and assign a token. Configure Cisco ASA for Two Factor Authentication Step 1: Define a RADIUS enabled AAA Server group In the Cisco ASDM client select Configuration. Select Remote Access VPN. Under Remote Access VPN expand AAA/Local Users then select AAA Server Group. Select Add in the AAA Server Group section. Enter the Server Group name (ex. CRYPTOCard) and RADIUS as the Protocol. Preparation and Prerequisites 8

Step 2: Assigning a RADIUS AAA Server to the AAA Server group Under Remote Access VPN expand AAA/Local Users, AAA Server Group then on the right highlight the CRYPTOCard Group. In the Servers in the Selected Group section select Add. Select or enter the following: Choose the interface IP address of the RADIUS server. RADIUS authentication port (1812) RADIUS accounting port (1813) Server Secret Key (Shared Secret) After adding the AAA Server to the AAA Server group, you will see it appear in the AAA Servers in the selected group section. Configure Cisco ASA for Two Factor Authentication 9

Step 3: Assigning SafeNet Authentication to a Clientless SSL VPN Connection Profile The Clientless SSL VPN Connection Profiles include the type of authentication method used during the negotiation of a VPN connection. To allow SafeNet authentication a RADIUS enabled profile must be created. In the Cisco ASDM client select Configuration, Remote Access VPN. Expand Clientless SSL VPN Access and highlight Connection Profiles. In Connection Profiles select Add. Enter a name for the profile. Under Authentication select AAA. In the AAA Server Group dropdown select CRYPTOCard. Complete the additional entries with the settings required by your organization. Verify the CRYPTOCard profile is enabled. If required, disable the other Connection Profiles. Configure Cisco ASA for Two Factor Authentication 10

Step 4: Assigning SafeNet Authentication to a IPSec VPN Connection Profile The IPSec VPN Connection Profiles include the type of authentication method used during the negotiation of a VPN connection. To allow SafeNet authentication a RADIUS enabled profile must be created. In the Cisco ASDM client select Configuration, Remote Access VPN. Expand Network (Client) Access and highlight IPsec Connection Profiles. In Connection Profiles select Add. Enter a name for the profile. Under Authentication select AAA. In the AAA Server Group dropdown select CRYPTOCard. Complete the additional entries with the settings required by your organization. Verify the CRYPTOCard profile is enabled. If required, disable the other Connection Profiles. Configure Cisco ASA for Two Factor Authentication 11

Step 5: Assigning SafeNet Authentication to a AnyConnect Connection Profile The IPSec VPN Connection Profiles include the type of authentication method used during the negotiation of a VPN connection. To allow SafeNet authentication a RADIUS enabled profile must be created. In the Cisco ASDM client select Configuration, Remote Access VPN. Expand Network (Client) Access and highlight AnyConnect Connection Profiles. In Connection Profiles select Add. Enter a name for the profile. Under Authentication select AAA. In the AAA Server Group dropdown select CRYPTOCard. Complete the additional entries with the settings required by your organization. Verify the CRYPTOCard profile is enabled. If required, disable the other Connection Profiles. Configure Cisco ASA for Two Factor Authentication 12

Clientless SSL VPN and GrIDsure authentication The Cisco SSL VPN login page can be configured to authenticate hardware and GrIDsure token users. 1. The user enters the Cisco SSL VPN URL into their web browser. 2. The Cisco SSL VPN login page displays a Username and OTP field as well as a Login and Get GrID button. 3. The user enters their username into the Username field then selects Get Grid. The request is submitted from the user s web browser to the BlackShield Self Service site. 4. The BlackShield Self Service site displays the user s GrIDsure Grid within the Cisco SSL VPN login page. 5. The user enters their GrIDsure password into the OTP field then submits the request. 6. The Cisco ASA device performs a RADIUS authentication request against the BlackShield server. If the SafeNet credentials entered are valid, the user is presented with their Cisco ASA portal otherwise, the attempt is rejected. Clientless SSL VPN and GrIDsure authentication 13

Hardware token and GrIDsure aware logon page. 1. In the BlackShield distribution package browse to the html, agents, Cisco, GrIDsure directory. 2. Copy the ciscogridsure.js file to a temporary folder then open the file with a text editor. 3. Modify the gridmakerurl value to reflect the location of the BlackShield Self Service site. Example: var gridmakerurl = "https://mycompany.com/blackshieldss/index.aspx?getchallengeimage=true&username="; Note: If gridmakerurl references https, you must have a certificate installed on the BlackShield Self Service IIS server. 4. In the Cisco ASDM client select Configuration, Remote Access VPN. 5. Expand Clientless SSL VPN Access, Portal and highlight Customization. 6. In Customization objects select Add. 7. In General, Customization Object Name enter CCGrid as the title. Select the Connection Profile and Group Policy for which the customization will be applied. 8. Expand Logon page and select Logon Form. In the Password Prompt section replace Password with OTP. Clientless SSL VPN and GrIDsure authentication 14

9. Expand Logon page and select Informational Panel. Place a checkmark in Display informational panel. In Panel Position select Right. Copy the contents of the ciscogridsure.js into the Text box. Leave the Logo Image blank. Set the Image Position to Below Text. 10. In Clientless SSL VPN Access, Connection Profiles highlight the GrIDsure enabled profile and select Edit. 11. Expand Advanced then select Clientless SSL VPN. Verify Portal Page Customization references the newly created GrIDsure enabled portal. Clientless SSL VPN and GrIDsure authentication 15

12. In Clientless SSL VPN Access, Group Profiles highlight the GrIDsure enabled profile and select Edit. 13. Expand More Options then select Customization. Verify Portal Customization references the newly created GrIDsure enabled portal. Clientless SSL VPN and MP Token detection The default Cisco ASA login page is unable to detect the presence of BlackShield software tokens. The following section allows a Cisco Administrator to enable software token detection for a Cisco Clientless SSL VPN site. The Cisco ASA Login page can be configured to display primary authentication credential fields (i.e. one username and password field) or primary and secondary authentication credential fields (i.e. multiple username and password fields). If the Clientless SSL VPN site is configured to use primary authentication credentials (i.e. SafeNet only), the CCMPPri.inc and CRYPTOCardScript.js file must be added to Web Contents then referenced in the custom configuration. If the Clientless SSL VPN site is configured to use primary and secondary authentication credentials (i.e. Microsoft and SafeNet credentials), the CCMPPriSec.inc and CRYPTOCardScript.js file must be added to Web Contents then referenced in the custom configuration. Note: All three files (CCMPPri.inc, CCMPPriSec.inc and CRYPTOCardScript.js) may be added to Web Contents but only one.inc file can be assigned to a WebVPN site. Perform the following steps to enabled software token detection. Clientless SSL VPN and MP Token detection 16

Uploading custom SafeNet login pages All files referenced in this section can be found in the BlackShield distribution package under the html, agents, Cisco, MP Clientless SSL VPN. 1. In ASDM, select Configuration, Remote Access VPN. 2. Expand Clientless SSL VPN Access then Portal. 3. Highlight Web Contents then select Import. 4. In Destination select No. For example, use this option to make the content available only to the portal page. 5. In the Source - Local Computer select Browse Local Files. 6. Select CRYPTOCardScript.js then click Import Now. 7. In Web Contents select Import. 8. In Destination select No. For example, use this option to make the content available only to the portal page. 9. In the Source - Local Computer select Browse Local Files. 10. Select CCMPPri.inc or CCMPPriSec.inc then click Import Now. Creating an SSL VPN Portal Page Customization Object 1. In ASDM, select Configuration, Remote Access VPN. 2. Expand Clientless SSL VPN Access then Portal. 3. Highlight Customization then select Add. 4. In Customization Object Name enter CRYPTOCard MP Detection select OK then apply the settings. 5. Select the Connection Profile and Group Policy for which the customization will be applied. 6. Highlight Logon Page then select Replace pre-defined logon page with a custom page (full customization). In the Custom Page dropdown select /+CSCOU+/CCMPPri.inc or /+CSCOU+/CCMPPriSec.inc. Clientless SSL VPN and MP Token detection 17

Verifying the Connection and Group profile 1. In Clientless SSL VPN Access, Connection Profiles highlight the MP detection enabled profile and select Edit. 2. Expand Advanced then select Clientless SSL VPN. Verify Portal Page Customization references the newly created MP detection enabled portal. 3. In Clientless SSL VPN Access, Group Profiles highlight the MP detection enabled profile and select Edit. 4. Expand More Options then select Customization. Verify Portal Customization references the newly created MP detection enabled portal. Open your web browser and proceed to the Clientless SSL VPN site. If this is the first time accessing the page you will be prompted to install a CRYPTOCard ActiveX Web API. If a software token exists, the page will detect and display all software tokens otherwise a hardware login mode will appear. When primary authentication credential mode is enabled with software tokens the login fields appear in the following order: Token name, PIN. When primary and secondary authentication credential mode is enabled with software tokens, the login fields appear in the following order: token name, PIN, password (Microsoft). Clientless SSL VPN and MP Token detection 18

Cisco ASA AnyConnect Client The Cisco AnyConnect SSL VPN client is very different from the IPSec VPN client. The Cisco ASA device can dynamically display login field names and login field based on the settings defined in each Group Profile. The Cisco ASA device may also restrict users from selecting the Group Profile and it can place additional customizable options within the Preferences button. Here are a couple of examples on how the Cisco AnyConnect will show depending on the group selected. Username and Password (MS Password) Field Username, Password (MS Password), and Second Password (OTP) Field Cisco ASA AnyConnect Client 19

SafeNet Cisco AnyConnect Client Organizations may wish to integrate software based two factor authentication tokens with the Cisco AnyConnect client to simplify the login process for users, thus eliminating the need to copy and paste a One Time Password from one application to another. With the SafeNet Authentication Service Cisco AnyConnect agent, the ability to integrate software based two factor authentication tokens with the Cisco AnyConnect becomes a reality. The two versions of the Cisco AnyConnect client that SafeNet works with are Cisco AnyConnect client 2.4.1012 or 2.5.0217. Here are a couple of examples on how the SafeNet Authentication Service Cisco AnyConnect agent will look like depending on which group is selected and which field the agent has been configured to display the software token detection. MP Token detection on Primary Password field MP Token detection on Secondary Password field MP Token detection in both Primary and Secondary Password fields SafeNet Cisco AnyConnect Client 20

Cisco AnyConnect Client and MP Token Detection!!IMPORTANT!!: The Cisco AnyConnect client must be already installed prior to the installation of the SafeNet Cisco AnyConnect package. SafeNet provides a Cisco AnyConnect client capable of detecting the presence of BlackShield software tokens. The following steps must be performed: 1. Install the SafeNet Authentication Service Software Tools. NOTE: If you are on a 64bit Operating System, install the BlackShield ID Software Tools for AnyConnect. The installer can be found in html, agents, x64 directory within the BlackShield download package. 2. Install the MP Token into the SafeNet Authentication Service Software Tools 3. Install the BlackShield ID Cisco AnyConnect package. 4. After installing the BlackShield ID Cisco AnyConnect, Click on: Start All Programs CRYPTOCard BlackShield ID Cisco AnyConnect Version 2.x (2.4 or 2.5) Cisco AnyConnect VPN Client 2.x (2.4 or 2.5) Once connected to the Cisco ASA the following will be displayed. This is the default configuration for the BlackShield ID Cisco AnyConnect agent. If the default configuration is incorrect, and the MP Token detection are being detected in the incorrect fields then please go to the section below to change the MP Token detection. Cisco AnyConnect Client and MP Token Detection 21

BlackShield Cisco AnyConnect Agent registry key The registry entry allows specifying where the MP token dropdown will appear and what password field(s) will be used when the one-time password is submitted to the server. On a Windows XP/Vista/7 (32 bit), the registry key is located in: \HKEY_LOCAL_MACHINE\SOFTWARE\CRYPTOCard\CiscoAnyClientPlugin On a Windows XP/Vista/7 (64 bit), the registry key is located in: \HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\CRYPTOCard\CiscoAnyClientPlugin The registry key is called SoftTokenInclusion, and the default value for the key is: ALL+ALL+1; The Definition is as follows: Connect To + Group Profile + Field Position to display MP and submit one-time password ; So an example would be: ASA.cryptocard.com+CRYPTOCard Henry+1; Here is the explanation of the example above: This will work when connecting to ASA.cryptocard.com Cisco AnyConnect Client and MP Token Detection 22

MP token detection will only show up using the CRYPTOCard Henry Group profile. It will display the MP Token detection in the first field Here are examples of changing the MP Token detection to a different field: ALL+ALL+1 Display MPs in first username field and submit one-time password to first password field. This is the default setting after installing the BlackShield ID Cisco AnyConnect, and the BlackShield ID Software Tools This option is used if the authentication is going against the SafeNet Authentication Service. ALL+ALL+2 Display MPs in second username field and submit one-time password to second password field. This option is used if dual authentication is required. (e.g. Microsoft Password [Top], then SafeNet [Bottom].) Cisco AnyConnect Client and MP Token Detection 23

ALL+ALL+3 Display MPs in first and second username field and submit one-time password to first and second password field. This setting is used if there needs to be authentication against 2 SafeNet Authentication Service This would be an odd case as this setting would rarely be used. Multiple options can be appended to the SoftTokenInclusion registry key. Here is an example: SoftTokenInclusion registry key: ALL+Corporate+1;ALL+CRYPTOCard Henry+2;ALL+CRYPTOCard+3; Cisco AnyConnect Client and MP Token Detection 24

Troubleshooting RADIUS Authentication issues When troubleshooting RADIUS authentication issues refer to the logs on the Cisco ASA device. All logging information for Internet Authentication Service (IAS) or Network Policy Server (NPS) can be found in the Event Viewer. All logging information for the BlackShield IAS\NPS agent can be found in the \Program Files\CRYPTOCard\BlackShield ID\IAS Agent\log directory. The following is an explanation of the logging messages that may appear in the event viewer for the Internet Authentication Service (IAS) or Network Policy Server (NPS) RADIUS Server. Error Message: Solution: Error Message: Solution: Packet DROPPED: A RADIUS message was received from an invalid RADIUS client. Verify a RADIUS client entry exists on the RADIUS server. Authentication Rejected: Unspecified This will occur when one or more of the following conditions occur: The username does not correspond to a user on the BlackShield Server. The SafeNet password does not match any tokens for that user. The shared secret entered in Cisco Secure ACS does not match the shared secret on the RADIUS server Troubleshooting 25

Error Message: Solution: Authentication Rejected: The request was rejected by a third-party extension DLL file. This will occur when one or more of the following conditions occur: The BlackShield Agent for IAS\NPS cannot contact the BlackShield Server. The Pre-Authentication Rules on the BlackShield server do not allow incoming requests from the BlackShield Agent for IAS\NPS. The BlackShield Agent for IAS\NPS Keyfile does not match the Keyfile stored on the BlackShield Server. The username does not correspond to a user on the BlackShield Server The SafeNet password does not match any tokens for that user. GrIDsure Authentication issues Issue: The GrIDsure enabled Clientless SSL VPN logon page does not appear. Solution: Verify the Clientless SSL VPN Connection and Group profile reference the customized GrIDsure enabled portal page. Verify the Information Panel settings are configured exactly as described in Step 9 of the Clientless SSL VPN and GrIDsure authentication section. Issue: The Get GrID button does not display the GrIDsure grid. Solution: A username must be supplied before a GrIDsure grid can be generated. The user must have been assigned a GrIDsure token and have completed selfenrolment. In a web browser enter the gridmakerurl and appended the username after the equal sign. Example https://company.com/blackshieldss/index.aspx?getchallengeimage=true&username=bob A webpage should appear with a GrIDsure grid for the user (ex. Bob). Verify the client browser can access the URL of the BlackShield self service web site. Verify the GrIDsure token is not in a suspended or locked state. Troubleshooting 26