DIGIPASS Authentication for Cisco ASA 5500 Series

Similar documents
INTEGRATION GUIDE. DIGIPASS Authentication for F5 FirePass

DIGIPASS Authentication for Check Point Connectra

DIGIPASS Authentication for Check Point Security Gateways

DIGIPASS Authentication for GajShield GS Series

DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Outlook Web Access

DIGIPASS Authentication for Citrix Access Gateway VPN Connections

DIGIPASS Authentication for Sonicwall Aventail SSL VPN

MIGRATION GUIDE. Authentication Server

DIGIPASS KEY series and smart card series for Juniper SSL VPN Authentication

DIGIPASS Authentication for Juniper ScreenOS

DIGIPASS Authentication for SonicWALL SSL-VPN

INTEGRATION GUIDE. DIGIPASS Authentication for Cisco ASA 5505

INTEGRATION GUIDE. DIGIPASS Authentication for Juniper SSL-VPN

INTEGRATION GUIDE. DIGIPASS Authentication for Office 365 using IDENTIKEY Authentication Server with Basic Web Filter

Identikey Server Getting Started Guide 3.1

INTEGRATION GUIDE. DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server

INTEGRATION GUIDE. IDENTIKEY Federation Server for Juniper SSL-VPN

INTEGRATION GUIDE. DIGIPASS Authentication for Citrix NetScaler (with AGEE)

INTEGRATION GUIDE. General Radius Config

Cisco ASA. Implementation Guide. (Version 5.4) Copyright 2011 Deepnet Security Limited. Copyright 2011, Deepnet Security. All Rights Reserved.

DIGIPASS Authentication for Windows Logon Getting Started Guide 1.1

Digipass Plug-In for IAS. IAS Plug-In IAS. Microsoft's Internet Authentication Service. Getting Started

INTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server

Workspot Configuration Guide for the Cisco Adaptive Security Appliance

Step by step guide to implement SMS authentication to Cisco ASA Clientless SSL VPN and Cisco VPN

ESET SECURE AUTHENTICATION. Cisco ASA SSL VPN Integration Guide

Step by Step Guide to implement SMS authentication to F5 Big-IP APM (Access Policy Manager)

Configuring the Cisco ISA500 for Active Directory/LDAP and RADIUS Authentication

Strong Authentication for Cisco ASA 5500 Series

IDENTIKEY Appliance Administrator Guide

Juniper Networks SSL VPN Implementation Guide

ESET SECURE AUTHENTICATION. Cisco ASA Internet Protocol Security (IPSec) VPN Integration Guide

Cisco VPN Concentrator Implementation Guide

INTEGRATION GUIDE. DIGIPASS Authentication for SimpleSAMLphp using IDENTIKEY Federation Server

DIGIPASS as a Service. Google Apps Integration

External Authentication with Cisco ASA Authenticating Users Using SecurAccess Server by SecurEnvoy

Cisco ASA Authentication QUICKStart Guide

ZyWALL OTP Co works with Active Directory Not Only Enhances Password Security but Also Simplifies Account Management

Strong Authentication for Juniper Networks SSL VPN

INTEGRATION GUIDE. DIGIPASS Authentication for VMware Horizon Workspace

BlackShield ID Agent for Remote Web Workplace

Creation date: 09/05/2007 Last Review: 31/01/2008 Revision number: 3

Juniper SSL VPN Authentication QUICKStart Guide

DIGIPASS Authentication for Windows Logon Product Guide 1.1

OVERVIEW. DIGIPASS Authentication for Office 365

INTEGRATION GUIDE. DIGIPASS Authentication for Microsoft Exchange ActiveSync 2007

ActivIdentity 4TRESS AAA Web Tokens and SSL VPN Fortinet Secure Access. Integration Handbook

axsguard Gatekeeper Open VPN How To v1.4

Check Point FDE integration with Digipass Key devices

Two-Factor Authentication

Integration Guide. SafeNet Authentication Service. Using RADIUS and LDAP Protocols for Cisco Secure ACS

Configuring Steel-Belted RADIUS Proxy to Send Group Attributes

Configuring Global Protect SSL VPN with a user-defined port

ESET SECURE AUTHENTICATION. SonicWall SSL VPN Integration Guide

Configuring Single Sign-on for WebVPN

Integration Guide. SafeNet Authentication Service. Using RADIUS Protocol for Cisco ASA

Hyper-V Installation Guide. Version 8.0.0

How to Configure Web Authentication on a ProCurve Switch

External Authentication with Juniper SSL VPN appliance Authenticating Users Using SecurAccess Server by SecurEnvoy

ESET SECURE AUTHENTICATION. Check Point Software SSL VPN Integration Guide

NetMotion Mobility XE

Agent Configuration Guide

Digipass for Citrix VM3.0: troubleshooting guide. Creation date: 11/07/2007 Last Review: 30/11/2007 Revision number: 2

BlackShield ID Agent for Terminal Services Web and Remote Desktop Web

Integration Guide. SafeNet Authentication Service. Using RADIUS Protocol for Radiator RADIUS Server

Identikey Server Windows Installation Guide 3.1

Using Vasco IDENTIKEY Server with NetScaler

axsguard Gatekeeper IPsec XAUTH How To v1.6

NetMotion + YubiRADIUS Quick Start Guide

Strong Authentication for Microsoft SharePoint

Strong Authentication for Juniper Networks

Configuration Guide. SafeNet Authentication Service. SAS Agent for Microsoft Internet Information Services (IIS)

Get Success in Passing Your Certification Exam at first attempt!

How To Authenticate An Ssl Vpn With Libap On A Safeprocess On A Libp Server On A Fortigate On A Pc Or Ipad On A Ipad Or Ipa On A Macbook Or Ipod On A Network

Keeping your VPN protected

Check Point FW-1/VPN-1 NG/FP3

HOTPin Integration Guide: Microsoft Office 365 with Active Directory Federated Services

DualShield. for. Microsoft TMG. Implementation Guide. (Version 5.2) Copyright 2011 Deepnet Security Limited

Strong Authentication in details

Setting Up Scan to SMB on TaskALFA series MFP s.

External authentication with Astaro AG Astaro Security Gateway UTM appliances Authenticating Users Using SecurAccess Server by SecurEnvoy

Strong Authentication for Microsoft TS Web / RD Web

WiNG5 CAPTIVE PORTAL DESIGN GUIDE

Implementation Guide for. Juniper SSL VPN SSO with OWA. with. BlackShield ID

axsguard Gatekeeper Internet Redundancy How To v1.2

External authentication with Fortinet Fortigate UTM appliances Authenticating Users Using SecurAccess Server by SecurEnvoy

Identikey Server Product Guide

NXC5500/2500. Application Note. Captive Portal with QR Code. Version 4.20 Edition 2, 02/2015. Copyright 2015 ZyXEL Communications Corporation

Compiled By: Chris Presland v th September. Revision History Phil Underwood v1.1

Svn.spamsvn110. QuickStart Guide to Authentication. WebTitan Version 5

How To Configure A Kiwi Ip Address On A Gbk (Networking) To Be A Static Ip Address (Network) On A Ip Address From A Ipad (Netware) On An Ipad Or Ipad 2 (

1 Summary. Step by Step Guide to implement SMS authentication to Bluecoat ProxySG

ipad or iphone with Junos Pulse and Juniper SSL VPN appliance Authenticating Users Using SecurAccess Server by SecurEnvoy

VPN Configuration Guide. ZyWALL USG Series / ZyWALL 1050

External Authentication with Cisco VPN 3000 Concentrator Authenticating Users Using SecurAccess Server by SecurEnvoy

IDENTIKEY Server Product Guide

Connecting an Android to a FortiGate with SSL VPN

Transcription:

DIGIPASS Authentication for Cisco ASA 5500 Series With IDENTIKEY Server 2010 Integration VASCO Data Security. Guideline All rights reserved. Page 1 of 20

Disclaimer Disclaimer of Warranties and Limitations of Liabilities This Report is provided on an 'as is' basis, without any other warranties, or conditions. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security. Trademarks DIGIPASS & VACMAN are registered trademarks of VASCO Data Security. All trademarks or trade names are the property of their respective owners. VASCO reserves the right to make changes to specifications at any time and without notice. The information furnished by VASCO in this document is believed to be accurate and reliable. However, VASCO may not be held liable for its use, nor for infringement of patents or other rights of third parties resulting from its use. Copyright 2010 VASCO Data Security. All rights reserved. 2010 VASCO Data Security. All rights reserved. Page 2 of 20

Table of Contents DIGIPASS Authentication for Cisco ASA 5500 Series... 1 Disclaimer... 2 Table of Contents... 3 1 Overview... 4 2 Problem Description... 4 3 Solution... 4 3.1 Web Access... 4 3.2 SSL/VPN tunnel... 5 4 Technical Concept... 6 4.1 General overview... 6 4.2 Cisco ASA prerequisites... 6 4.3 IDENTIKEY Server Prerequisites... 6 5 Cisco ASA configuration... 7 5.1 AAA Setup... 7 5.2 Connection Profile... 9 5.3 Save Changes...11 6 IDENTIKEY Server... 12 6.1 Policy configuration...12 6.2 Client configuration...15 7 Cisco ASA SSL/VPN test... 17 7.1 Response Only...17 7.2 Challenge / Response...18 8 About VASCO Data Security... 20 2010 VASCO Data Security. All rights reserved. Page 3 of 20

1 Overview The purpose of this document is to demonstrate how to use a Cisco ASA 55xx (ASA) in combination with a DIGIPASS. We will show you how to import a DPX file, how to assign a DIGIPASS to a user and show some administrative options. 2 Problem Description The basic working of the ASA is based on authentication to an existing media (LDAP, Radius, local authentication ). To use the IDENTIKEY Server with the ASA, the authentication settings need to be changed. 3 Solution After configuring IDENTIKEY Server and the ASA in the right way, you eliminate the weakest link in any security infrastructure the use of static passwords that are easily stolen guessed, reused or shared. The ASA can serve 2 access modes to a user, Web Access and a SSL Tunnel. We can compare these modes like a firewall, the portal acts as a general rule to deny all traffic and specify which connections are allowed, the SSL/VPN tunnel allows all traffic, so you have to specify what kind of connections you want to deny. 3.1 Web Access Allows users to gain access to their (web-) applications from any location. The web servers remain safely hidden behind the firewall and are not publicly reachable. Administrators have the advantage to deploy granular access control on a user or group basis. For this solution the user only needs a browser on their local client. Figure 1: Web portal 2010 VASCO Data Security. All rights reserved. Page 4 of 20

3.2 SSL/VPN tunnel Users have the ability to run their corporate client/server application from any location. Access can be filtered on Port, IP or IP range, giving administrators the ability to control application access on a user or group basis. Figure 2: SSL Tunnel 2010 VASCO Data Security. All rights reserved. Page 5 of 20

4 Technical Concept 4.1 General overview The main goal of the ASA is to perform authentication to secure all kind of VPN and firewall connections. As the ASA can perform authentication to an external service using the RADIUS protocol, we will place the IDENTIKEY Server as back-end service, to secure the authentication with our proven IDENTIKEY Server software. 4.2 Cisco ASA prerequisites Please make sure you have a working setup of a Cisco ASA device. It is very important this is working correctly before you start implementing the authentication to the IDENTIKEY Server. At this time this is a list of devices supported: Cisco ASA 5505 Cisco ASA 5510 Cisco ASA 5520 Cisco ASA 5540 Cisco ASA 5550 Cisco ASA 5580-20 Cisco ASA 5580-40 The screenshots used in the rest of this document, are taken from a Cisco ASA 5505 in combination with ASDM version 6.0. 4.3 IDENTIKEY Server Prerequisites In this guide we assume you already have IDENTIKEY Server installed and working. If this is not the case, make sure you get it working before installing any other features. 2010 VASCO Data Security. All rights reserved. Page 6 of 20

5 Cisco ASA configuration 5.1 AAA Setup The first changes you need to make, is adding the IDENTIKEY Server in the list as a new AAA Server Group. Go to AAA Setup > AAA Server Groups in the configuration part of the Cisco ASDM configuration utility. Click on the Add button on the right of the top window. Figure 3: AAA Setup (1) Fill in the Server Group name and select RADIUS as the protocol. Leave the rest of the settings as default. Figure 4: AAA Setup (2) 2007 VASCO Data Security. All rights reserved. Page 7 of 20

Select your newly create group in the top window and click the Add button in the right of the lower window. This way you can add a new AAA Server to your Group. Figure 5: AAA Setup (3) The Interface name has to be the location where your IDENTIKEY Server is residing. If this is in your LAN choose Inside, if this is located on another subnet, LAN or internet choose Outside. Also specify the IP or Name in the field below. Leave timeout default and change the authentication and accounting port to 1812 1813. The server secret key will contain the shared secret for the RADIUS connection. Click OK when all fields are filled in correctly. Figure 6: AAA Setup (4) 2007 VASCO Data Security. All rights reserved. Page 8 of 20

5.2 Connection Profile We now change the Connection Profile to make use of our newly create AAA server. Go to Clientless SSL VPN Access > Connection Profiles and select the current connection profile where you want to change the authentication profile. Click Edit to change the details. Figure 7: Connection Profile (1) Select your new AAA Server Group and click OK. Figure 8: Connection Profile (2) 2007 VASCO Data Security. All rights reserved. Page 9 of 20

You may see we also changed the Group Policy, but this was only for cosmetically reasons. This has no effect on the authentication part. To make the changes current, click the Apply button in the bottom of the screen. Figure 9: Connection Profile (3) 2007 VASCO Data Security. All rights reserved. Page 10 of 20

5.3 Save Changes To save the changes on the flash memory, click the Save button in the toolbar. Figure 10: Save Changes (1) Confirm the message (Apply) to save the running config to the flash memory. Figure 11: Save Changes (2) The running config will be saved. Figure 12: Save Changes (3) We now showed you how to set-up a RADIUS connection to IDENTIKEY Server but we still need to configure the IDENTIKEY Server and enable users in the database. 2007 VASCO Data Security. All rights reserved. Page 11 of 20

6 IDENTIKEY Server Go to the IDENTIKEY Server web administration page, and authenticate with and administrative account. 6.1 Policy configuration To add a new policy, select Policies Create. Figure 13: Policy configuration (1) There are some policies available by default. You can also create new policies to suit your needs. Those can be independent policies or inherit their settings from default or other policies. 2007 VASCO Data Security. All rights reserved. Page 12 of 20

Fill in a policy ID and description. Choose the option most suitable in your situation. If you want the policy to inherit setting from another policy, choose the right policy in the Inherits From list. Otherwise leave this field to None. Figure 14: Policy configuration (2) In the policy options configure it to use the right back-end server. This could be the local database, but also active directory or another radius server. This is probably the same that was in your default client authentication options before you changed it. Or you use the local database, Windows or you go further to another radius server. In our example we select our newly made Demo Policy and change it like this: Local auth.: Digipass/Password Back-End Auth.: Default (None) Back-End Protocol: Default (None) Dynamic User Registration: Default (No) Password Autolearn: Default (No) Stored Password Proxy: Default (No) Windows Group Check: Default (No Check) After configuring this Policy, the authentication will happen locally in the IDENTIKEY Server. So user credentials are passed through to the IDENTIKEY Server, it will check these credentials to its local user database and will answer to the client with an Access-Accept or Access-Reject message. 2007 VASCO Data Security. All rights reserved. Page 13 of 20

In the Policy tab, click the Edit button, and change the Local Authentication to Digipass/Password. Figure 15: Policy configuration (3) The user details can keep their default settings. Figure 16: Policy configuration (4) 2007 VASCO Data Security. All rights reserved. Page 14 of 20

6.2 Client configuration Now create a new component by right-clicking the Components and choose New Component. Figure 17: Client configuration (1) 2007 VASCO Data Security. All rights reserved. Page 15 of 20

As component type choose RADIUS Client. The location is the IP address of the client. In the policy field you should find your newly created policy. Fill in the shared secret you entered also in the client for the RADIUS options. In our example this was vasco. Click Create. Figure 18: Client configuration (2) Now the client and the IDENTIKEY Server are set up. We will now see if the configuration is working. 2007 VASCO Data Security. All rights reserved. Page 16 of 20

7 Cisco ASA SSL/VPN test 7.1 Response Only To start the test, browse to the public IP address or hostname of the ASA device. In our example this is https://asa.labs.vasco.com. Enter a Username and a One Time Password (OTP) and click the Login button. Figure 19: Response Only (1) If all goes well, you will be authenticated and see the SSL/VPN portal page. Figure 20: Response Only (2) 2007 VASCO Data Security. All rights reserved. Page 17 of 20

7.2 Challenge / Response For the challenge response test, enter a Username and a Password (challenge/response trigger). Click the Login button. In our case the challenge/response trigger is the user s static password. Figure 21: Challenge / Response (1) You will be presented with a DP300 Challenge code. Enter the response in the Answer field and click OK. Figure 22: Challenge / Response (2) 2007 VASCO Data Security. All rights reserved. Page 18 of 20

And if everything goes well, you will be shown the SSL/VPN portal page. Figure 23: Challenge / Response (3) 2007 VASCO Data Security. All rights reserved. Page 19 of 20

8 About VASCO Data Security VASCO designs, develops, markets and supports patented Strong User Authentication products for e-business and e-commerce. VASCO s User Authentication software is carried by the end user on its DIGIPASS products which are small calculator hardware devices, or in a software format on mobile phones, other portable devices, and PC s. At the server side, VASCO s VACMAN products guarantee that only the designated DIGIPASS user gets access to the application. VASCO s target markets are the applications and their several hundred million users that utilize fixed password as security. VASCO s time-based system generates a one-time password that changes with every use, and is virtually impossible to hack or break. VASCO designs, develops, markets and supports patented user authentication products for the financial world, remote access, e-business and e-commerce. VASCO s user authentication software is delivered via its DIGIPASS hardware and software security products. With over 25 million DIGIPASS products sold and delivered, VASCO has established itself as a world-leader for strong User Authentication with over 500 international financial institutions and almost 3000 blue-chip corporations and governments located in more than 100 countries. 2007 VASCO Data Security. All rights reserved. Page 20 of 20

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information