Cisco VPN 3000 Concentrator Implementation Guide


340 March Road, Suite 600
Kanata, Ontario, Canada K2K 2E4
Tel: +1-613-599-2441
Fax: +1-613-599-2442
International Voice: +1-613-599-2441
North America Toll Free: 1-800-307-7042
www.cryptocard.com

Please check the CRYPTOCard web site for updates to this and other documentation.

Table of Contents

Overview: Cisco VPN 3000 ... 1
  Prerequisites ... 1
CRYPTO-Server Configuration ... 3
  Verify CRYPTO-Server RADIUS Protocol Settings ... 4
Cisco VPN 3000 Concentrator Configuration ... 5
  Step 1: Add a RADIUS Server ... 5
  Step 2: Test the Authentication Server ... 6
  Step 3: Create a CRYPTOCard group ... 7
Cisco VPN Client Configuration ... 8
  Step 1: Create a New VPN Connection Entry ... 8
  Step 2: Connect using the Cisco VPN client ... 9
Enable the CRYPTOCard Authentication Plug-in for Cisco VPN Clients ... 10
  Step 1: Install the CRYPTOCard Software Tools ... 10
  Step 2: Install the CRYPTOCard Cisco VPN Plug-in ... 11
Using the Cisco VPN Concentrator ... 11
Troubleshooting ... 12

License and Warranty Information

CRYPTOCard Inc and its affiliates retain all ownership rights to the computer program described in this manual and other computer programs offered by the company (hereinafter called CRYPTOCard) and any documentation accompanying those programs. Use of CRYPTOCard software is governed by the license agreement accompanying your original media. CRYPTOCard software source code is a confidential trade secret of CRYPTOCard. You may not attempt to decipher, de-compile, develop, or otherwise reverse engineer CRYPTOCard software, or allow others to do so. Information needed to achieve interoperability with products from other manufacturers may be obtained from CRYPTOCard upon request.

This manual, as well as the software described in it, is furnished under license and may only be used or copied in accordance with the terms of such license. The material in this manual is furnished for information use only, is subject to change without notice, and should not be construed as a commitment by CRYPTOCard. CRYPTOCard assumes no liability for any errors or inaccuracies that may appear in this document. Except as permitted by such license, no part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means electronic, mechanical, recording or otherwise, without the prior written consent of CRYPTOCard.

CRYPTOCard reserves the right to make changes in design or to make changes or improvements to these products without incurring the obligation to apply such changes or improvements to products previously manufactured. The foregoing is in lieu of all other warranties expressed or implied by any applicable laws. CRYPTOCard does not assume or authorize, nor has it authorized any person to assume for it, any other obligation or liability in connection with the sale or service of these products.

In no event shall CRYPTOCard or any of its agents be responsible for special, incidental, or consequential damages arising from the use of these products or arising from any breach of warranty, breach of contract, negligence, or any other legal theory. Such damages include, but are not limited to, loss of profits or revenue, loss of use of these products or any associated equipment, cost of capital, cost of any substitute equipment, facilities or services, downtime costs, or claims of customers of the Purchaser for such damages. The Purchaser may have other rights under existing federal, state, or provincial laws in the USA, Canada, or other countries or jurisdictions, and where such laws prohibit any terms of this warranty, they are deemed null and void, but the remainder of the warranty shall remain in effect.

Customer Obligation

Shipping Damage: The Purchaser must examine the goods upon receipt and any visible damage should immediately be reported to the carrier so that a claim can be made. Purchasers should also notify CRYPTOCard of such damage. The customer should verify that the goods operate correctly and report any deficiencies to CRYPTOCard within 30 days of delivery. In all cases, the customer should notify CRYPTOCard prior to returning goods. Goods returned under the terms of this warranty must be carefully packaged for shipment to avoid physical damage using materials and methods equal to or better than those with which the goods were originally shipped to the Purchaser. Charges for insurance and shipping to the repair facility are the responsibility of the Purchaser. CRYPTOCard will pay return charges for units repaired or replaced under the terms of this warranty.

Copyright

Copyright 2006, CRYPTOCard Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of CRYPTOCard Inc.

Trademarks

CRYPTOCard, CRYPTO-Server, CRYPTO-Web, CRYPTO-Kit, CRYPTO-Logon, CRYPTO-VPN are either registered trademarks or trademarks of CRYPTOCard Inc. Java is a registered trademark of Sun Microsystems, Inc.; Microsoft Windows and Windows XP/2000/2003/NT are registered trademarks of Microsoft Corporation. SecurID is a registered trademark of RSA Security. All other trademarks, trade names, service marks, service names, product names, and images mentioned and/or used herein belong to their respective owners.

Publication History

Date: August 21, 2006. Changes: Initial release.

Additional Information, Assistance, or Comments

CRYPTOCard's technical support specialists can provide assistance when planning and implementing CRYPTOCard in your network. In addition to aiding in the selection of the appropriate authentication products, CRYPTOCard can suggest deployment procedures that provide a smooth, simple transition from existing access control systems and a satisfying experience for network users. We can also help you leverage your existing network equipment and systems to maximize your return on investment. This complimentary support service is available from your first evaluation system download.

CRYPTOCard works closely with channel partners to offer worldwide Technical Support services. If you purchased this product through a CRYPTOCard channel partner, please contact your reseller directly for support needs.

To contact CRYPTOCard directly:
International Voice: +1-613-599-2441
North America Toll Free: 1-800-307-7042
support@cryptocard.com

For information about obtaining a support contract, see our Support Web page at http://www.cryptocard.com.

Related Documentation

Refer to the Support & Downloads section of the CRYPTOCard website for additional documentation and interoperability guides: http://www.cryptocard.com/index.cfm?pid=364&pagename=support%20%26%20downloads

Overview: Cisco VPN 3000

This document presents the necessary steps to configure a Cisco VPN 3000 Concentrator (models 3005 through 3080) for use with CRYPTOCard tokens.

The Cisco VPN 3000 Concentrator is used to create encrypted tunnels between hosts. The product is able to control access to LAN resources and assign local IP addresses based on authentication information, such as a username and password. CRYPTO-Server works in conjunction with the Cisco VPN 3000 Concentrator to replace static passwords with strong two-factor authentication that prevents the use of lost, stolen, shared, or easily guessed passwords when establishing a tunnel to gain access to protected resources:

1. Using the Cisco VPN Client, the user establishes a connection to the internal network using his/her logon name and CRYPTOCard token-generated one-time password.
2. The VPN concentrator passes the authentication information to the CRYPTO-Server (via the RADIUS protocol).
3. The username and password are verified by the CRYPTO-Server, and an Access-Accept message is returned to the VPN concentrator, allowing the user to access the network.

The CRYPTO-Server distribution includes a plug-in for the Cisco VPN Client software which, when used in conjunction with a CRYPTOCard ST-1 software token, SC-1 smart card, or UB-1 USB token, automates the authentication and logon process for users.

The following Cisco VPN Client software is supported:

- Version 4.9.0 for both PowerPC and Intel versions of the Mac OS X platform
- Version 4.8.0 for Windows

Prerequisites

The following systems must be installed and operational prior to configuring the VPN concentrator to use CRYPTOCard authentication:

- CRYPTO-Server 6.4, including the CRYPTO-Protocol Server module.

- The CRYPTOPlugin for CiscoVPN package requires fully functional Cisco VPN Client software to be installed on the user system. Ensure that the end user can authenticate through the concentrator with a static password before configuring the concentrator to use CRYPTOCard authentication.
- The CRYPTOPlugin for CiscoVPN package requires the CRYPTOCard Software Tools to be installed on the system prior to installing the plugin.
- When using the CRYPTOPlugin for CiscoVPN package in conjunction with an ST-1, SC-1, or UB-1 token, the user may only have one active token assigned.
- RADIUS Server: The VPN concentrator can be configured to use the RADIUS Server facility provided by the CRYPTO-Protocol Server module included with CRYPTO-Server, or a third-party RADIUS server, such as Cisco Secure ACS, Funk Steel-Belted RADIUS, or IAS. Third-party RADIUS servers must be able to proxy the request to the RADIUS Server facility in the CRYPTO-Protocol Server module.
- CRYPTOCard user account and token: In order to authenticate to the VPN concentrator, a user account must exist on the CRYPTO-Server and a token must be assigned to that user.

The following information is also required:

- IP Address of the RADIUS server:
- Port number used by the RADIUS server:
- Shared Secret:

CRYPTO-Server Configuration

If you wish to use the CRYPTO-Server as your RADIUS server, you must verify that the CRYPTO-Server is configured to accept RADIUS communications from the VPN concentrator.

To configure the CRYPTO-Server

1. Open the CRYPTO-Console and connect to the CRYPTO-Server. Select Server > System Configuration.

2. Select the RADIUSProtocol Entity and look at the Value corresponding to the NAS.2 Key. The Value of this Key defines which RADIUS clients are allowed to connect to the CRYPTO-Server and the shared secret they must use. By default, the CRYPTO-Server is configured to listen for RADIUS protocol requests from any host on the same subnet, using a shared secret of testing123. Both defaults are suitable for evaluation only: before the server carries production traffic, narrow the range to the concentrator's own address and replace testing123 with a long, randomly generated secret, because any host on the subnet that knows the default can submit authentication requests. If a client is not within the NAS.2 IP address range it must be added. You can define as many RADIUS clients as desired by adding NAS.# entries to the CRYPTO-Server configuration. Right-click on the RADIUSProtocol Entity and select New Key-Value.

The syntax of a NAS.x Key Value is:

<First IP>, <Last IP>, <Hostname>, <Shared Secret>, <Perform Reverse Lookup?>, <Authentication Protocols>, <Prefix>, <Suffix>, <AgentID>

<First IP>: the first IP address of the RADIUS client(s) configured in this NAS.# key.

<Last IP>: the last IP address of the RADIUS client(s) configured in this NAS.# key. If only one IP address is defined by a NAS.# key, the <First IP> and <Last IP> will be the same.

<Hostname>: only applies in cases where the NAS.# key is for one host. It is required for performing reverse lookup.

<Shared Secret>: a string known to both the CRYPTO-Server and the RADIUS client. RADIUS uses it to hide the User-Password attribute sent in the request and to authenticate the server's reply, so you must enter the exact same string into the RADIUS client (i.e. the VPN concentrator). The <Shared Secret> string can be any combination of numbers and uppercase and lowercase letters.

<Perform Reverse Lookup?>: an added check in which the CRYPTO-Server verifies the source of a RADIUS request by cross-checking its IP address with the Domain Name Server. If this value is set to true, when the CRYPTO-Server receives a RADIUS request from the RADIUS client defined by this NAS.# entry, it sends a request to the DNS using the <Hostname> set in the NAS.# entry. The DNS should respond with the same IP address as configured in the NAS.# entry; otherwise the CRYPTO-Server assumes that the RADIUS packet is coming from some other host posing as the RADIUS client (address spoofing) and ignores the request. Because the check relies on DNS answers, it supplements, but does not replace, a strong per-client shared secret.

<Authentication Protocols>: Currently, PAP and MSCHAPv2 are the available authentication protocols for RADIUS clients. These are entered as PAPCHAP and MSCHAP, respectively.

<Prefix>: the field title string for the Challenge in Challenge-response mode (e.g. Challenge:). By default, this is blank.

<Suffix>: the field title string for the Response in Challenge-response mode (e.g. Response:). By default, this is blank.

<AgentID>: optionally identifies a service-type ACL by number (1-12). If a number is provided, only the specified client-side service type can log on through that NAS:

o 1: Non-descript
o 2: Desktop Login
o 3: Web Login
o 4: VPN (RADIUS)
o 5: SSL VPN (RADIUS)
o 6: Citrix ICA
o 7: Citrix WI
o 8: Citrix MSAM
o 9: Outlook Web
o 10: SSH
o 11: Custom 1
o 12: Custom 2

3. Click Apply to save your NAS entry changes.

4. Restart the CRYPTO-Protocol service/daemon.

Verify CRYPTO-Server RADIUS Protocol Settings

The RADIUSProtocol.dbg log includes information about the CRYPTO-Server RADIUS configuration. By default, this file is located in the \CRYPTOCard\CRYPTO-Server\log (Windows) or /Applications/CRYPTO-Server/log (Mac) directory. For example, after starting the Protocol Server service/daemon, the following information might be logged:

Adding IP range 127.0.0.1 to 127.0.0.1 to ACL with reverse lookup set to false
Adding IP range 192.168.21.1 to 192.168.21.254 to ACL with reverse lookup set to false
RADIUS protocol has established link with EJB server at jnp://192.168.21.5:1099
RADIUS Receiver Started: listening on port 1812 UDP.
RADIUS Receiver Started: listening on port 1813 UDP.

This example indicates that the CRYPTO-Server is listening for RADIUS requests on UDP port 1812 (for authentication) and 1813 (for accounting), and will accept requests sent from RADIUS clients within the IP range of 192.168.21.1 to 192.168.21.254. As well, no reverse lookup is being performed.
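The NAS.# syntax and the ACL behaviour described above, modelled offline as an added example (this is not CRYPTOCard code): it parses NAS.# values, answers the question the Protocol Server asks of every incoming packet (does the source IP have a NAS entry?), and flags settings a reviewer would not let into production. The NAS.1 and NAS.2 values mirror the shipped defaults; NAS.3, its hostname and its secret are constructed for illustration.

```python
"""Offline model of the CRYPTO-Server NAS.# RADIUS client ACL.

Added example, not CRYPTOCard code.  All configuration values below are
constructed test data, not taken from a real deployment.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

SHIPPED_DEFAULT_SECRET = "testing123"   # default secret named in the guide
AGENT_IDS = {1: "Non-descript", 2: "Desktop Login", 3: "Web Login",
             4: "VPN (RADIUS)", 5: "SSL VPN (RADIUS)", 6: "Citrix ICA",
             7: "Citrix WI", 8: "Citrix MSAM", 9: "Outlook Web",
             10: "SSH", 11: "Custom 1", 12: "Custom 2"}


@dataclass
class NasEntry:
    first_ip: ipaddress.IPv4Address
    last_ip: ipaddress.IPv4Address
    hostname: str
    shared_secret: str
    reverse_lookup: bool
    auth_protocols: str
    prefix: str
    suffix: str
    agent_id: Optional[int]

    def covers(self, client_ip: str) -> bool:
        """True when client_ip lies in the inclusive range [first_ip, last_ip]."""
        return self.first_ip <= ipaddress.IPv4Address(client_ip) <= self.last_ip


def parse_nas_entry(value: str) -> NasEntry:
    """Parse one NAS.# value; the first five fields are mandatory, the rest may be blank."""
    fields = [f.strip() for f in value.split(",")]
    if len(fields) < 5:
        raise ValueError("need First IP, Last IP, Hostname, Shared Secret, Reverse Lookup")
    fields += [""] * (9 - len(fields))
    first, last = ipaddress.IPv4Address(fields[0]), ipaddress.IPv4Address(fields[1])
    if last < first:
        raise ValueError("Last IP precedes First IP")
    reverse = fields[4].lower() == "true"
    if reverse and (not fields[2] or first != last):
        # Reverse lookup only applies to a single-host entry that names the host.
        raise ValueError("reverse lookup requires a Hostname and a single-host range")
    agent = int(fields[8]) if fields[8] else None
    if agent is not None and agent not in AGENT_IDS:
        raise ValueError("AgentID must be 1-12")
    return NasEntry(first, last, fields[2], fields[3], reverse,
                    fields[5] or "PAPCHAP", fields[6], fields[7], agent)


def is_valid_nas_entry(value: str) -> bool:
    try:
        parse_nas_entry(value)
        return True
    except ValueError:
        return False


def load_entries(config: Dict[str, str]) -> List[NasEntry]:
    """Parse every NAS.# key of a RADIUSProtocol entity in numeric key order."""
    return [parse_nas_entry(config[k])
            for k in sorted(config, key=lambda k: int(k.split(".")[1]))]


def find_nas_for_client(entries: List[NasEntry], client_ip: str) -> Optional[NasEntry]:
    """The ACL check: first entry covering the source address, or None (the 'Packet DROPPED' case)."""
    return next((e for e in entries if e.covers(client_ip)), None)


def audit_entry(entry: NasEntry) -> List[str]:
    """Findings a reviewer would raise before the entry accepts production traffic."""
    findings = []
    if entry.shared_secret == SHIPPED_DEFAULT_SECRET:
        findings.append("shared secret is the shipped default")
    if len(entry.shared_secret) < 16:
        findings.append("shared secret shorter than 16 characters")
    if entry.first_ip != entry.last_ip:
        findings.append("range entry: every host in the range may submit RADIUS requests")
    return findings


# Constructed RADIUSProtocol keys: NAS.1/NAS.2 mirror the shipped defaults,
# NAS.3 is a hardened single-host entry for a hypothetical concentrator.
SAMPLE_CONFIG = {
    "NAS.1": "127.0.0.1, 127.0.0.1, , testing123, false, PAPCHAP, , , 4",
    "NAS.2": "192.168.21.1, 192.168.21.254, , testing123, false, PAPCHAP, , , 4",
    "NAS.3": "10.0.0.7, 10.0.0.7, vpn3005.example.internal, Qx7pLm2vR9wZt4aBcD, true, PAPCHAP, , , 4",
}
SAMPLE_ENTRIES = load_entries(SAMPLE_CONFIG)

if __name__ == "__main__":
    for ip in ("192.168.21.40", "10.0.0.7", "192.168.22.1"):
        hit = find_nas_for_client(SAMPLE_ENTRIES, ip)
        print(ip, "->", "no NAS entry (dropped)" if hit is None
              else f"{hit.first_ip}-{hit.last_ip} findings={audit_entry(hit)}")
```

Run against a copy of your own RADIUSProtocol values before restarting the CRYPTO-Protocol service: a concentrator address that returns no entry will show up later only as "No response from Server" on the concentrator, and the audit list tells you whether the entry it does match still carries the evaluation defaults.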

Cisco VPN 3000 Concentrator Configuration

In order for the VPN concentrator to authenticate CRYPTOCard token users, RADIUS authentication must be configured on the concentrator and an IPSec group must be created for CRYPTOCard token users. Configuring the Cisco VPN 3000 Concentrator consists of 3 steps:

Step 1: Add a RADIUS server
Step 2: Test the authentication server
Step 3: Create a CRYPTOCard group

Step 1: Add a RADIUS Server

To add a RADIUS server

1. In the VPN configuration manager, select Configuration > Servers > Authentication.

2. Click Add to add a new authentication server. Fill in the information for your RADIUS server: the server address, the UDP authentication port, and the shared secret recorded under Prerequisites. Check the port against the one the CRYPTO-Server reports at startup (1812 by default); many older network access servers default to the legacy RADIUS port 1645, and a port mismatch produces no reply at all rather than an error. Once all the information is entered, click Add.

3. Ensure that the RADIUS server is the first entry in the Authentication Servers list.

The VPN concentrator must be configured as a client of the RADIUS server. The RADIUS server must have a configuration that matches the one described above to be able to receive authentication requests from the VPN concentrator. See the documentation for your particular RADIUS server for details about setting up a RADIUS client.

Step 2: Test the Authentication Server

1. Once the RADIUS server has been added to the VPN concentrator setup, use the internal test mechanism to ensure the VPN concentrator can authenticate to it using a CRYPTOCard token. From the Authentication Servers menu, select the RADIUS server, and click Test.

2. Enter the User Name of a CRYPTOCard account, and the next Password generated by the token assigned to that user. Click OK. If the test fails, refer to section Troubleshooting on page 12.

Step 3: Create a CRYPTOCard group

In order for CRYPTOCard token users to make VPN connections, a VPN Group must be properly configured.

1. In the VPN configuration manager, select Configuration > User Management > Groups.
2. Click Add Group to add a new group.
3. Enter a Group Name and a static Password. Select Internal as the group Type. This internal group name and password must be used by all CRYPTOCard end-users when they want to connect using the VPN client. Because the group password is entered into every user's client connection entry, it is a secret shared by the whole group: it identifies the group, not the person, and is no substitute for the per-user one-time password that RADIUS verifies. Choose it accordingly and change it whenever it is known to have leaked.
4. Under the IPSec tab, select RADIUS in the Authentication pull-down menu, and check the Select the authentication method for users in this group box.
5. Click Add to add this group to the VPN concentrator.
6. Ensure this newly created group has an Address Pool of IP addresses that can be assigned to the VPN client connections. Select the Group and click Address Pools. Then click Add and enter the Range Start, Range End, and Subnet Mask. Apply the change.

Cisco VPN Client Configuration

You must configure the VPN client software to enable the end user to connect to the IPSec group. There are 2 steps to configuring the Cisco VPN Client:

Step 1: Create a new VPN connection
Step 2: Connect using the Cisco VPN client

Step 1: Create a New VPN Connection Entry

From the Cisco VPN Client software, click New to create a new connection entry. Fill in the information for the connection entry, using the group name and password specified in section Cisco VPN 3000 Concentrator Configuration on page 5.

Step 2: Connect using the Cisco VPN client

1. Once the VPN client software has been configured correctly, the end user should be able to connect to the concentrator using their CRYPTOCard token. Choose the connection entry created and click Connect.
2. Once the group information has been passed to (and accepted by) the concentrator, a dialog box will open requesting a Username and Password. Enter the CRYPTOCard Username. Generate a one-time password from the CRYPTOCard token. If the token is configured to require a server-side PIN, enter the PIN followed by the one-time password in the Password field; otherwise enter the one-time password alone. Click OK.
3. Once the concentrator has verified the username and password with the CRYPTO-Server database, the connection will be established.

Enable the CRYPTOCard Authentication Plug-in for Cisco VPN Clients

CRYPTO-Server includes a plug-in for Cisco VPN Clients that automates the authentication and logon process for end users with ST-1, UB-1, or SC-1 tokens. This requires installation of the CRYPTOCard Software Tools software. Enabling the CRYPTOCard authentication plug-in for Cisco VPN clients consists of 2 steps:

Step 1: Install the CRYPTOCard Software Tools
Step 2: Install the CRYPTOCard Cisco VPN plug-in

Step 1: Install the CRYPTOCard Software Tools

1. Distribute both the Software Tools installer and token initialization files to the end-user client machine(s) (e.g. using Microsoft SMS, drive ghosting, or a Web-based distribution mechanism).
2. Run the Software Tools installer. The Software Tools is installed as a library on the client machine. For Windows, use the Add/Remove Programs utility to execute CRYPTOCard_Software_Tools_for_Windows.exe. For Mac, execute CRYPTOCard_Software_Tools_for_Mac.app.
3. The installation wizard will prompt you to select an installation type. Typical installs the Software Tools in default directories and enables Software Tools management functions for all accounts. Custom installs the Software Tools in selected directories and defaults to Administrator access only for the Software Tools management functions.
4. The completed installation adds the following. For Windows, the Software Tools is installed as a library, an Authenticator icon is installed on the toolbar, and a Token Manager icon is installed in the Control Panel. For Mac, the Software Tools is installed as a library, an Authenticator icon is installed on the Dock, and a Token Manager icon is installed in the Home folder.

5. The token initialization file contains the encryption key used to generate passcodes, as well as other operational parameters, such as PIN complexity and the PIN retry threshold. The initialization file is generated by the CRYPTO-Server and is unique for every token. The initialization file is applied to the Software Tools, changing the Software Tools from generic software to a user-specific token. As with any CRYPTOCard token, software tokens can be initialized as often as desired. Initialization files are encrypted and stored in a secure system container on the end-user computer. Since the file carries the key that produces the user's one-time passwords, deliver it only to its intended user and protect it in transit as carefully as the deployment PIN. Locate the initialization file on the local machine. On all operating systems, the initialization file has a .token extension. If you are initializing an SC-1 or UB-1 token, ensure that the smart card or USB dongle is inserted into the reader/port prior to executing the file. For Windows and Mac, double-click on the file to execute it. Alternatively, the token can be initialized using the Token Manager utility's Load Token button.
6. Complete the installation by entering the initial deployment PIN when prompted. Upon completion, the CRYPTOCard Token Authenticator window appears and the applied token is displayed in the Token Name field. The token is now ready for use. Plug-ins and agents can now be installed, if required.

Step 2: Install the CRYPTOCard Cisco VPN Plug-in

1. Install the CRYPTOCard CRYPTOPlugin for Cisco VPN package.

Using the Cisco VPN Concentrator

Once the CRYPTOCard Cisco VPN Plug-in is installed, launching a VPN tunnel is simple for the end user:

1. Click on the Cisco VPN icon that was added to the client machine.
2. On computers with more than one Software Tools token, select the token to be used for authentication from the Token Name drop-down menu.
3. Select the Cisco VPN Connection from the Connection entry drop-down menu.
4. Enter the PIN and click OK.

Troubleshooting

When troubleshooting issues with setting up RADIUS authentication on a Cisco VPN concentrator it may be helpful to refer to the log files on the VPN concentrator. Refer to Cisco documentation for details about the VPN concentrator logging facility. The CRYPTO-Server RADIUSProtocol.dbg log includes information about the CRYPTO-Server RADIUS configuration. By default, this file is located in the \CRYPTOCard\CRYPTO-Server\log (Windows) or /Applications/CRYPTO-Server/log (Mac) directory.

Error message: Authentication Error: No response from Server

Possible causes: This message indicates that the concentrator is unable to reach the RADIUS server. This will occur when one or more of the following conditions occur:

- The RADIUS server is not running
- The RADIUS server has not been configured to allow requests from the VPN concentrator
- The RADIUS server IP and/or port are incorrectly entered in the VPN concentrator
- There is a network routing issue

Resolution: To verify that the CRYPTO-Server Protocol Server service/daemon is running and listening for RADIUS requests, verify that the CRYPTO-Protocol Server service/daemon exists and is started. If not, start this service/daemon. If the service/daemon is already running, open the CRYPTO-Server RADIUSProtocol.dbg file. If the VPN concentrator has not been configured as a RADIUS client, the following message will be in the log file:

Packet DROPPED: Source IP address <IP_addr_VPN_concentrator> does not have a NAS entry.

To correct this, verify that you have followed the steps in section CRYPTO-Server Configuration on page 3. Note that the server silently drops packets from unknown clients rather than returning a reject, so the concentrator reports a timeout, not an authentication failure. If no information is logged in the RADIUSProtocol.dbg file when the VPN concentrator Authentication Server Test is run, the RADIUS request sent by the VPN concentrator is not reaching the CRYPTO-Server, or is going to the wrong port.

If the RADIUS authentication port in the VPN concentrator configuration matches the RADIUS port on the CRYPTO-Server, verify network connectivity by using the Ping utility on the VPN concentrator. If that succeeds, then you will need to use a network-monitoring tool such as NetMon or Ethereal (now Wireshark) to verify that the RADIUS requests from the concentrator are reaching the CRYPTO-Server on the expected UDP port (1812 by default).

Error Message: Authentication Rejected: Unspecified

Possible causes: This message confirms that the concentrator is communicating with the RADIUS server but is unable to authenticate using the username and password provided. This will occur when one or more of the following conditions occur:

- The username does not correspond to a user on the CRYPTO-Server
- The password does not match any tokens for that user
- The shared secret entered in the VPN concentrator does not match the shared secret on the RADIUS server.

Resolution: The CRYPTO-Server RADIUSProtocol.dbg log will show a message like this if there is no CRYPTOCard user with a username matching the one provided:

User's token(s) cannot be retrieved.

To verify that the password is correct, test the token using the CRYPTO-Console. If the username is correct, and the password is correct, then it is possible that the shared secret entered in the VPN concentrator does not exactly match the shared secret on the CRYPTO-Server. A PAP Access-Request carries no indication of which secret the client used: the server simply recovers a garbled password from the User-Password attribute and rejects it, so in the log a secret mismatch looks identical to a wrong one-time password. Compare the two secrets character by character, including case and any trailing spaces.

Error Message: Authentication Challenged: No error

This message indicates that the concentrator is communicating with the RADIUS server and the username provided was found on the CRYPTO-Server. However, the password provided did not match the password for any tokens assigned to the user.
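The exchange behind the Test button in Step 2 and the shared-secret failure mode above, as an added example that is not CRYPTOCard or Cisco code: a minimal RFC 2865 Access-Request built the way the concentrator would build it, a toy stand-in for the CRYPTO-Server that answers Accept or Reject, and the client-side check of the Response Authenticator. The user name, one-time password, secrets and NAS address are constructed for the example.

```python
"""RFC 2865 Access-Request / Access-Accept exchange, run offline.

Added example, not CRYPTOCard or Cisco code.  The shared secret does two
things on the wire: it hides the User-Password attribute in the request
and it authenticates the server's reply (Response Authenticator).  All
identities and secrets here are constructed test values.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

NAS_SECRET = b"Qx7pLm2vR9wZt4aBcD"     # constructed secret configured on the NAS
USERS = {"jsmith": "48291037"}         # constructed user and the OTP the server expects


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-octet blocks, XOR each with MD5(secret + previous ciphertext block)."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1-128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ d for p, d in zip(padded[i:i + 16], digest))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; trailing padding NULs are stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ d for c, d in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:
            break
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(ident: int, username: str, password: str, secret: bytes, nas_ip: str) -> bytes:
    """NAS side: fresh random Request Authenticator plus User-Name, User-Password, NAS-IP-Address."""
    authenticator = os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(code: int, request: bytes, secret: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: a reply that fails this check was forged or built with a different secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def server_decide(request: bytes, secret: bytes, users: Dict[str, str]) -> bytes:
    """Toy authentication server: unknown user or wrong one-time password yields Access-Reject."""
    attrs = parse_attributes(request)
    name = attrs.get(USER_NAME, b"").decode(errors="replace")
    if name not in users:   # the guide's "User's token(s) cannot be retrieved" case
        return build_response(ACCESS_REJECT, request, secret)
    presented = unhide_password(attrs.get(USER_PASSWORD, b""), secret, request[4:20])
    ok = hmac.compare_digest(presented, users[name].encode())
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)


def run_exchange(username: str, password: str, nas_secret: bytes, server_secret: bytes) -> Tuple[int, bool]:
    """Return (response code seen by the NAS, whether the NAS could verify the reply)."""
    request = build_access_request(7, username, password, nas_secret, "192.168.21.10")
    response = server_decide(request, server_secret, USERS)
    return response[0], verify_response(response, request, nas_secret)


if __name__ == "__main__":
    print("matching secrets, valid OTP:", run_exchange("jsmith", "48291037", NAS_SECRET, NAS_SECRET))
    print("matching secrets, wrong OTP:", run_exchange("jsmith", "00000000", NAS_SECRET, NAS_SECRET))
    print("secret mismatch            :", run_exchange("jsmith", "48291037", NAS_SECRET, b"testing123"))
```

The third case is the one the troubleshooting text describes: with mismatched secrets the server cannot tell that anything is wrong, it decodes a garbled password and answers Access-Reject, and the only client-side evidence is that the reply's Response Authenticator does not verify. On a real concentrator that surfaces as "Authentication Rejected", so a capture of the reply together with this check is the quickest way to separate a wrong secret from a wrong one-time password.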