Integrating Cisco ASA VPN Clients with SafeWord Strong Authentication
Version 1.0
Publication Date: June 2010
Information provided is confidential and proprietary to SafeNet, Inc. (“SafeNet”). SafeNet assumes no responsibility or liability for the accuracy of the information contained in this presentation.
Last update: Wednesday, June 02, 2010
Technical Support Information
SafeNet works closely with our reseller partners to offer the best worldwide Technical Support services. Your reseller is the first line of support when you have questions about products and services; however, if you require additional assistance, contact us directly.
About SafeNet and Aladdin Knowledge Systems
In 2007, SafeNet was acquired by Vector Capital, a $2 billion private equity firm specializing in the technology sector. Vector Capital acquired Aladdin in March of 2009, and placed it under common management with SafeNet. Together, these global leading companies are the third largest information security company in the world, which brings to market integrated solutions required to solve customers’ increasing security challenges. SafeNet’s encryption technology solutions protect communications, intellectual property and digital identities for enterprises and government organizations. Aladdin’s software protection, licensing and authentication solutions protect companies’ information, assets and employees from piracy and fraud. Together, SafeNet and Aladdin have a combined history of more than 50 years of security expertise in more than 100 countries around the globe. Aladdin is expected to be fully integrated into SafeNet in the future.
For more information, visit www.safenet-inc.com or www.aladdin.com.
Table of Contents
Solution Summary
Product Requirements
RADIUS and Virtual Private Network Background
Integrating Cisco ASA with SafeWord
Configure the SafeWord RADIUS Server to accept Cisco ASA RADIUS authentication requests
Configuring the ASA appliance for RADIUS authentication
Creating and configuring a RADIUS authentication server
Creating a VPN tunnel that requires strong authentication
Configuring the Cisco VPN Client and connecting to the Cisco ASA Appliance using two factor authentication
Solution Summary
The Cisco ASA appliance integrates full support for SafeWord authentication directly with the platform through the standards-based RADIUS AAA protocol. The Cisco ASA appliance’s Java-based administration interface provides a “point and browse” capability to configure the RADIUS client for SafeWord authentication. This approach means that Cisco ASA appliance users can quickly and easily leverage SafeWord two-factor authentication solutions from any location, providing the highest level of protection over critical network resources.
Product Requirements
For the instructions in this guide to be successful, the following must be installed and configured:
• Cisco ASA Appliance
• SafeWord Server with RADIUS Server Agent
For the purpose of this guide, the following network layout was used:
• SafeWord RADIUS Server IP: 10.52.41.123/24
• Cisco ASA Internal IP Address: 10.52.41.252/24
• Cisco ASA External IP Address: 66.162.147.204/248
• Windows XP Workstation with Cisco VPN client installed: 66.162.147.203/248
RADIUS and Virtual Private Network Background
As networks grow and branch out to remote locations, network security increases in importance and administration complexity. Customers need to protect networks and network services from unauthorized access by remote users. RADIUS is one of the protocols commonly used to provide these solutions in today's inter-networks.
RADIUS protocol
Authentication is the process of identifying and verifying a user. Several methods can be used to authenticate a user, but the most common is a combination of user name and password. Once a user is authenticated, authorization to various network resources and services can be granted. Authorization determines what a user can do, and accounting is the action of recording what a user is doing or has done.
The RADIUS protocols define the exchange of information between these components in order to provide authentication, authorization, and accounting functionality. The RADIUS protocol, as published by Livingston, is a method of managing the exchange of authentication, authorization, and accounting information in the network. The RADIUS draft was submitted to the Internet Engineering Task Force (IETF) as a draft standard in June, 1996. RADIUS is a fully open protocol.
The RADIUS Server
The RADIUS Server is an authentication protocol server daemon that has been interfaced with SafeWord through the EASSP protocol. It supports all of the RADIUS functionality documented in Internet RFC 2138, and all functionality as documented in SafeWord publications, with minor restrictions on multiple simultaneous dynamic password authenticators. The RADIUS Server can be located on a separate computer, distinct from any computer that houses the SafeWord AAA Server. It can also be located on the same computer as the AAA Server.
RADIUS Server features
• Fully RFC 2138 compliant
• Supports group authorization
• User-specific attributes support
• CHAP support
• Vendor-Specific Attributes support
• RADIUS Proxy support
• RADIUS accounting support
• Extensive diagnostics level
Please refer to the SafeWord 2008 Administration Guide chapter “Managing the RADIUS Servers”.
The RADIUS Server and the RADIUS Client (in this case a VPN device) must know about each other: the RADIUS Server knows the client’s IP address, and the RADIUS Client knows the RADIUS Server's IP address. Both must also hold one specific and unique piece of information, a shared secret phrase. The RADIUS Server validates the client’s authentication request by verifying that it comes from a known IP client and that the secret shared between them matches.
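The exchange described above, as an added example that is not part of this guide and is not SafeNet or Cisco code: a minimal Python model of the RFC 2138 Access-Request / Access-Accept round trip, showing how the shared secret hides the one-time passcode in transit and how the VPN device checks the Response Authenticator before trusting an accept. The user name, passcode and the fixed Request Authenticator are constructed sample values; the secret is the guide's example value 123456.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2   # RFC 2138 packet codes
USER_NAME, USER_PASSWORD = 1, 2        # RFC 2138 attribute types

def password_transform(data, secret, authenticator, hiding):
    """RFC 2138 User-Password: XOR each 16-byte block with MD5(secret + previous cipher block)."""
    data += b"\x00" * (-len(data) % 16) if hiding else b""  # pad cleartext to a 16-byte multiple
    out, prev = b"", authenticator  # the chain is seeded with the random Request Authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hiding else data[i:i + 16])
    return out if hiding else out.rstrip(b"\x00")

def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(ident, username, passcode, secret, authenticator):
    """NAS (ASA) side: the Access-Request sent to the SafeWord RADIUS server on UDP 1812."""
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, password_transform(passcode.encode(), secret, authenticator, True)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def server_decode(pkt, secret):
    """Server side: walk the attributes and recover the passcode with the shared secret."""
    fields, pos, authenticator = {}, 20, pkt[4:20]
    while pos < len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        value, pos = pkt[pos + 2:pos + alen], pos + max(alen, 2)  # max() guards a zero-length loop
        if atype == USER_NAME:
            fields["user"] = value.decode()
        elif atype == USER_PASSWORD:
            fields["passcode"] = password_transform(value, secret, authenticator, False)
    return fields

def response_auth(code, ident, attrs, request_auth, secret):
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_access_accept(ident, request_auth, secret):
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20) + response_auth(ACCESS_ACCEPT, ident, b"", request_auth, secret)

def verify_response(reply, request_auth, secret):
    """NAS side: accept a reply only if its Response Authenticator was made with the same secret."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = response_auth(reply[0], reply[1], reply[20:], request_auth, secret)
    return hmac.compare_digest(reply[4:20], expected)
```

With a mismatched secret the server recovers garbage instead of the passcode and the NAS discards the reply, which is the symptom of the shared secret in step 5 of the RADIUS client configuration not matching the one entered on the ASA.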
VPN (Virtual Private Network)
A VPN is defined as a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network. A virtual private network can be contrasted with an expensive system of owned or leased lines that can only be used by one organization. The goal of a VPN is to provide the organization with the same capabilities, but at a much lower cost.
A VPN works by using the shared public infrastructure while maintaining privacy through security procedures and tunneling protocols such as the Layer Two Tunneling Protocol (L2TP). In effect, the protocols, by encrypting data at the sending end and decrypting it at the receiving end, send the data through a "tunnel" that cannot be "entered" by data that is not properly encrypted. An additional level of security involves encrypting not only the data, but also the originating and receiving network addresses.
Integrating Cisco ASA with SafeWord
This section provides instructions for integrating the partners’ product with SafeWord two-factor authentication. This document is not intended to suggest optimum installations or configurations.
It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.
All vendor products and components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.
All the administrative tasks to be performed on the Cisco ASA appliance are accomplished through the Cisco ASDM Console v5.2 or higher.
Configure the SafeWord RADIUS Server to accept Cisco ASA RADIUS authentication requests
To ensure the SafeWord RADIUS Server accepts the RADIUS authentication of the VPN device, follow the instructions below:
1. On the server hosting the SafeWord RADIUS Server, click Start > Programs > Aladdin > SafeWord > Configuration > RADIUS Server Configuration. The configuration wizard opens in Internet Explorer.
2. Right-click the ActiveX pop-up that displays at the top of your browser under the address bar to accept the warning and allow blocked content.
3. Click Yes.
4. Click the RADIUS Client button. The RADIUS Client Wizard window opens.
5. Add the internal IP address of the Cisco ASA device and choose a secret phrase:
   a. IP: 10.52.41.252 (ASA)
   b. Secret: 123456 (Please note that it is imperative that the shared secret match on the ASA and in the RADIUS configuration)
6. Click OK.
Configuring the ASA appliance for RADIUS
• Create and configure an Authentication Server Group
• Add RADIUS Servers to the newly created group
• Test the configuration
Creating and configuring a RADIUS authentication server
To create a RADIUS authentication server for use with SafeWord, do the following:
1. Log into the Cisco ASA administration console.
2. Click the Configuration icon at the top to expand the AAA Setup option, and then select AAA Server Groups.
3. Click Add. The Add AAA Server Group wizard appears. Enter a name in the Server Group field, and then click OK.
4. Add RADIUS Servers to the SafeWord AAA Server Group by selecting SafeWord AAA Server Group, and then clicking Add in the Servers in the Selected Group.
5. The Add AAA Server Wizard opens.
   a. Select the Interface Name: Inside
   b. Enter the Server Name or IP address: 10.52.41.123
   c. Set the Timeout: The default is 10 seconds
   d. Enter the Server Authentication Port: 1812
   e. Enter the Server Accounting Port: (If using the SafeWord Accounting Server, use port 1813)
   f. Enter the Retry Interval: The default is 10 seconds
   g. Enter the Server Secret: 123456
6. Click OK. Apply all changes.
Testing the authentication server using Cisco ASA test utility
1. Using the Administration Console, select AAA Setup > AAA Server Groups, and then highlight the SafeWord Server Group.
2. Select the RADIUS server in the selected group, and then click Test.
3. The Test Wizard window opens. Select the Authentication radio button, and then enter a valid SafeWord user and a one-time passcode.
If the test succeeds, Cisco ASA and SafeWord RADIUS are configured properly, and authentication requests sent from the Cisco ASA appliance are passing.
Creating a VPN tunnel that requires strong authentication
The following are general instructions for creating a VPN tunnel:
1. Open the Cisco ASA administration console.
2. Click the VPN icon in the left column. The VPN wizard appears.
3. Select the VPN Tunnel Type and the VPN Tunnel Interface as follows:
4. Select the Client Type: Cisco VPN client, Release 3.x or higher.
5. Enter the Pre-Shared Key and the Tunnel Group Name. This is the key that will be shared with all VPN clients connecting to this appliance. To keep it simple, in this example, we will use the following phrase: myciscovpn
6. In the Client Authentication window, click Authenticate using an AAA server group, and then click the drop-down menu and select the SafeWord server group.
7. All the VPN clients will need an IP address assigned. You can either use a preconfigured IP pool or click New to create a new IP pool. We will create a new pool as follows: Network 192.168.10.0/24, IP Range 192.168.10.100 – 200.
8. Click OK.
9. Fill in all the attributes provided to push DNS, WINS, domain name, etc. to connecting clients.
10. Select IKE Policy. If you do not understand this option, leave the default values.
11. IPSec Rule: This is another configuration window that, if unclear, should be left set to the default.
12. Address Translation Exceptions: To expose the entire private network without using NAT, leave the Selected Hosts/Networks list blank.
13. Click Finish.
Configuring the Cisco VPN Client and connecting to the Cisco ASA Appliance using two factor authentication
Installing and configuring the Cisco VPN Client is the last step to deploy a Remote Access system using two factor authentication. To configure the client and successfully log on using SafeWord One Time Passwords, follow the steps below.
1. At the Windows workstation, launch the Cisco VPN Client. The Cisco VPN Client opens.
2. Click New. The Create a New VPN Client window opens.
3. Use the values entered before to create the VPN tunnel at the Cisco ASA appliance, as shown below.
4. Click Save.
5. Cisco VPN Client shows a new Connection Entry.
6. Click Connect. The User Authentication window opens.
7. Enter the user name and SafeWord passcode as shown below, and then click OK.
8. Cisco ASA successfully authenticates the user using a one-time passcode against our SafeWord RADIUS Server, and the tunnel is created.