digipass authentication for [solution partner] · pdf file3 digipass authentication for cisco...
TRANSCRIPT
1 DIGIPASS Authentication for Cisco ASA 5505
DIGIPASS Authentication for Cisco ASA5505
Disclaimer
Disclaimer of Warranties and Limitation of Liabilities
All information contained in this document is provided 'as is'; VASCO Data Security assumes no
responsibility for its accuracy and/or completeness.
In no event will VASCO Data Security be liable for damages arising directly or indirectly from any
use of the information contained in this document.
Copyright
Copyright © 2012 VASCO Data Security, Inc, VASCO Data Security International GmbH. All
rights reserved. VASCO®, Vacman®, IDENTIKEY Authentication Server®, aXsGUARD™™,
DIGIPASS® and ® logo are registered or unregistered trademarks of VASCO Data Security,
Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. VASCO
Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed
under all title, rights and interest in VASCO Products, updates and upgrades thereof, including
copyrights, patent rights, trade secret rights, mask work rights, database rights and all other
intellectual and industrial property rights in the U.S. and other countries. Microsoft and
Windows are trademarks or registered trademarks of Microsoft Corporation. Other names may
be trademarks of their respective owners.
2 DIGIPASS Authentication for Cisco ASA 5505
DIGIPASS Authentication for Cisco ASA5505
Table of Contents
Reference guide ............................................................................................................. 4
1 Overview................................................................................................................... 5
2 Technical Concepts ................................................................................................... 6
2.1 Cisco ................................................................................................................... 6
2.1.1 ASA 5505 ....................................................................................................... 6
2.1.2 Adaptive Security Device Manager ..................................................................... 6
2.1.3 Internet Protocol Security ................................................................................ 6
2.1.4 Secure Socket Layer ........................................................................................ 6
2.2 VASCO ................................................................................................................. 6
2.2.1 IDENTIKEY Authentication Server ...................................................................... 6
3 Cisco ASA 5505 setup ............................................................................................... 7
3.1 Architecture .......................................................................................................... 7
3.2 Prerequisites ......................................................................................................... 7
3.3 Cisco ASA5505...................................................................................................... 8
3.3.1 Active Directory Back-end implementation ......................................................... 8
3.3.2 IPsec tunnel configuration .............................................................................. 11
3.3.3 SSL VPN configuration ................................................................................... 13
3.4 Test the setup .................................................................................................... 15
3.4.1 Testing IPsec VPN connection ......................................................................... 15
3.4.1.1 Microsoft Windows 7 ................................................................................ 15
3.4.2 Testing SSL VPN connection ........................................................................... 16
4 Solution .................................................................................................................. 18
4.1 Architecture ........................................................................................................ 18
4.2 Cisco ASA 5505 ................................................................................................... 18
4.2.1 Creating IDENTIKEY server back-end ............................................................... 18
4.2.2 Attaching the new back-end to the IPsec VPN ................................................... 20
3 DIGIPASS Authentication for Cisco ASA 5505
DIGIPASS Authentication for Cisco ASA5505
4.2.3 Attaching the new back-end to the SSL VPN ..................................................... 21
4.3 IDENTIKEY Authentication Server .......................................................................... 21
4.3.1 Policies ........................................................................................................ 21
4.3.2 Client .......................................................................................................... 22
4.3.3 User ............................................................................................................ 23
4.3.4 DIGIPASS .................................................................................................... 23
4.4 Test the Solution ................................................................................................. 26
4.4.1 Testing IPsec VPN ......................................................................................... 26
4.4.2 Testing SSL VPN ........................................................................................... 26
5 Challenge/Response ............................................................................................... 28
5.1 Architecture ........................................................................................................ 28
5.2 Cisco ASA 5505 ................................................................................................... 29
5.3 IDENTIKEY Authentication Server .......................................................................... 29
5.3.1 Policy .......................................................................................................... 29
5.3.2 User ............................................................................................................ 29
5.4 Test the Solution ................................................................................................. 31
5.4.1 Testing IPsec ................................................................................................ 31
5.4.2 Testing SSL VPN ........................................................................................... 31
4 DIGIPASS Authentication for Cisco ASA 5505
DIGIPASS Authentication for Cisco ASA5505
Reference guide
ID Title Author Publisher Date ISBN
5 DIGIPASS Authentication for Cisco ASA 5505
DIGIPASS Authentication for Cisco ASA5505
1 Overview
Cisco ASA 5505Internal network
VPN connection
LDAP RADIUS
6 DIGIPASS Authentication for Cisco ASA 5505
DIGIPASS Authentication for Cisco ASA5505
2 Technical Concepts 2.1 Cisco
2.1.1 ASA 5505
The Cisco ASA 5505 is a small all-in-one firewall that provides a wide range of additional services.
These services include: VPN, intrusion prevention, content security, unified communications and
remote access.
2.1.2 Adaptive Security Device Manager
Adaptive Security Device Manager, or ASDM, is a simple GUI based firewall appliance
management tool. It provides an easy way to configure, monitor and troubleshoot Cisco firewall
devices.
2.1.3 Internet Protocol Security
Internet Protocol Security, or IPsec, is a protocol suite for securing the Internet Protocol. This
suite contains protocols for authentication and encryption of each packet as well as mutual
authentications between agents and the negotiation of cryptographic keys per session. IPsec VPN
solutions are end to end setups.
2.1.4 Secure Socket Layer
Secure Socket Layer, or SSL, is a security implemented mainly on application level (any HTTPS
request makes use of SSL). This provides with a secure way of transporting packets between the
application and the server.
2.2 VASCO
2.2.1 IDENTIKEY Authentication Server
IDENTIKEY Authentication Server is an off-the-shelf centralized authentication server that
supports the deployment, use and administration of DIGIPASS strong user authentication. It
offers complete functionality and management features without the need for significant budgetary
or personnel investments.
IDENTIKEY Authentication Server is supported on 32bit systems as well as on 64bit systems.
IDENTIKEY Appliance is a standalone authentication appliance that secures remote access to
corporate networks and web-based applications.
The use and configuration of an IDENTIKEY Authentication Server and an IDENTIKEY
Appliance is similar.
7 DIGIPASS Authentication for Cisco ASA 5505
DIGIPASS Authentication for Cisco ASA5505
3 Cisco ASA 5505 setup Before adding 2 factor authentication it is important to validate a standard configuration without
One Time Password (OTP).
3.1 Architecture
A user creates a VPN connection with the ASA5505. The ASA will send the credentials to the
Windows Active Directory back-end to see if the user exists. If so, the VPN connection is
successful and the user is allowed to the internal network.
3.2 Prerequisites
For this setup we are going to make use of Cisco’s ASDM. To run the ASDM you need to have a
Java Runtime Environment on your pc.
Make sure that you have enabled WEB access to your ASA5505 firewall. If you have not enabled
this you will need to connect to your device using SSH or the console port and enable this by
using the following commands:
enable
configure terminal
int vlan 1
ip address x.x.x.x y.y.y.y (IP address and subnet mask of the management
VLAN)
http server enable
If you now use a browser and navigate to the address you gave to the management VLAN you
will see the homepage that will allow you to install the ASDM.
10.4.0.226 Cisco ASA 550510.4.0.165
10.4.0.10
Internal network10.4.0.x
VPN connection
LDAP
8 DIGIPASS Authentication for Cisco ASA 5505
DIGIPASS Authentication for Cisco ASA5505
3.3 Cisco ASA5505
3.3.1 Active Directory Back-end implementation
To setup a VPN connection we need to have a database with users to authenticate to. We can use
the internal database but it is more likely to use the Active Directory database for these
authentications.
Log into the ASA5505 with the ASDM.
Go to the tab Configurations.
At the bottom left click Remote Access VPN.
Click open AAA/Local Users.
Select AAA Server Group.
9 DIGIPASS Authentication for Cisco ASA 5505
DIGIPASS Authentication for Cisco ASA5505
Create a new server group by clicking the Add button.
Server Group: Demo-Backend
Protocol: LDAP
Reactivation Mode: Depletion
Dead Time: 10
Max failed Attempts: 3
In the window below it click Add to add a server.
10 DIGIPASS Authentication for Cisco ASA 5505
DIGIPASS Authentication for Cisco ASA5505
Interface Name: inside
IP Address: 10.4.0.10
Timeout: 10
Enable LDAP over SSL: unchecked
Server Port: 389
Server Type: Microsoft
Base DN: DC=labs,DC=vasco,DC=com
Scope: All levels beneath the base DN
Naming Attributes: leave blank
Login DN: CN=Administrator,CN=Users,DC=labs,DC=vasco,DC=com
Password: your_password (This password is bound to the user defined in login DN)
LDAP attribute map: –None—
SASL MD5 authentication: unchecked
SASL Kerberos authentication: unchecked
Group Base DN: empty
Group Search Timeout: 10
Click on OK and the server is added to the group.
Click on Apply.
Click on Test.
Select Authentication
Enter demo
Set Test12345 as password
11 DIGIPASS Authentication for Cisco ASA 5505
DIGIPASS Authentication for Cisco ASA5505
Replace the credentials by any user and matching password in your Active Directory.
Click OK.
When configured correctly you will receive:
3.3.2 IPsec tunnel configuration
At the top: click Wizards.
Click IPsec VPN Wizard…
Select Remote Access.
Set the correct interface (for this test Inside)
Leave the checkbox checked.
Click Next.
Select Microsoft Windows client using L2TP over IPsec
Check PAP
Leave Client will send tunnel group name as username@tunnelgroup unchecked.
We will use PAP as authentication protocol, this way we can enjoy additional features of
the IDENTIKEY Authentication Server.
Click Next.
Select Pre-Shared key and use Test1234 as the pre-shared key.
Click Next.
12 DIGIPASS Authentication for Cisco ASA 5505
DIGIPASS Authentication for Cisco ASA5505
Select Authenticate using AAA server group and select Demo-Backend.
Click Next.
Click New.
Name: Demo-Pool
Starting IP Address: 10.4.0.81
Ending IP Address: 10.4.0.89
Subnet Mask: 255.255.255.0
Select the pool you just made.
Normally the Tunnel Group Name is default: DefaultRAGroup. We need this group later
when upgrading to use IDENTIKEY Authentication Server.
Click Next.
Leave everything default and click Next.
13 DIGIPASS Authentication for Cisco ASA 5505
DIGIPASS Authentication for Cisco ASA5505
Leave everything default and click Next.
Uncheck enable perfect forwarding secrecy.
Click Next.
Click Finish.
Click Apply.
3.3.3 SSL VPN configuration
At the top: click Wizards.
Click SSL VPN Wizard…
Check Clientless SSL VPN.
Click Next.
14 DIGIPASS Authentication for Cisco ASA 5505
DIGIPASS Authentication for Cisco ASA5505
Connection Name: SSL-Demo
SSL VPN Interface: Inside
Certificate: --None—
Remember the Information, it is needed to access the SSL portal of the Cisco ASA
5505.
Click Next.
Select your Active Directory back-end. (Demo-Backend, for more information please view “3.3.1
Active Directory Back-end implementation”)
Click Next.
Select Create new group policy and fill in DemoSSLgrppolicy.
Click Next.
From the drop down list Bookmark List: Google.
Click Next.
Click Finish.
Navigate to Configuration, click on Remote Access VPN, open Clientless SSL VPN Access
and click on Connection Profiles.
15 DIGIPASS Authentication for Cisco ASA 5505
DIGIPASS Authentication for Cisco ASA5505
Select SSL-Demo and click Edit.
Aliases: SSL-Demo.
Click OK.
Check Allow user to select connection profile, identified by its alias, on the login page. Otherwise,
DefaultWebVPNGroup will be the connection profile.
Click Apply.
3.4 Test the setup
3.4.1 Testing IPsec VPN connection
3.4.1.1 Microsoft Windows 7
From the network and sharing center, click on Set Up a Connection or Network.
Select Connect to a workplace and click Next.
If you already have VPN networks set up, select No, create a new connection and click Next.
Click on Use my Internet connection (VPN).
Set the IP address to 10.4.0.165
Set the destination name to Demo-ASA
Check Don’t connect now; just set it up so I can connect later
Click Next.
Fill in the Active Directory credentials (for this test: username demo and password Test12345.)
Click Create.
Click Close.
In the taskbar, click on your network icon.
Right mouse click on Demo-ASA and click on Properties.
Go to Security.
16 DIGIPASS Authentication for Cisco ASA 5505
DIGIPASS Authentication for Cisco ASA5505
Set the type of VPN to Layer 2 tunneling protocol with IPsec
Set the data encryption to Optional encryption
Check PAP
Uncheck any other encryption
Since we have selected PAP as encryption on the Cisco ASA 5505, we need to allow our
client to connect using PAP as well.
Click on Advanced setting.
Select Use pre-shared key for authentication and type Test1234 in the textbox.
Click OK.
Click OK.
Click on your Network icon.
Click on Demo-ASA and click Connect.
Fill in the credentials, username demo and password Test12345.
Replace the credentials by any user and matching password in your Active Directory.
Click Connect.
You now have connected to the ASA using a Windows Active Directory system for user
authentication.
3.4.2 Testing SSL VPN connection
Open a browser and navigate to https://10.4.0.165/.
You will be redirected to a login page.
Fill in your Active Directory username and password (demo / Test12345).
17 DIGIPASS Authentication for Cisco ASA 5505
DIGIPASS Authentication for Cisco ASA5505
Click Logon.
When successful you will see the following page:
18 DIGIPASS Authentication for Cisco ASA 5505
DIGIPASS Authentication for Cisco ASA5505
4 Solution 4.1 Architecture
10.4.0.226 Cisco ASA 550510.4.0.165
Internal network10.4.0.x
VPN connection
LDAP
10.4.0.13
RADIUS
4.2 Cisco ASA 5505
Starting from our VPN connection with Windows Active Directory as back-end, we only need to
create a new back-end and attach this to the default radius group.
4.2.1 Creating IDENTIKEY server back-end
Log into the ASA5505 using Cisco ASDM.
Navigate to Configuration.
Click on Remote Access VPN.
Open AAA/Local Users and click on AAA Server Groups.
19 DIGIPASS Authentication for Cisco ASA 5505
DIGIPASS Authentication for Cisco ASA5505
Create a new AAA server group by clicking on Add.
Server Group: Demo-IK
Protocol: RADIUS
Leave all other options on their Default values
Click OK.
Select Demo-IK and add a server by clicking Add in the box below.
Interface: Inside
Server IP Address: 10.4.0.13
Timeout: 10
Authentication Port: 1812
Accounting Port: 1813
Retry Interval: 10 seconds
20 DIGIPASS Authentication for Cisco ASA 5505
DIGIPASS Authentication for Cisco ASA5505
Server Secret Key: Test1234
ACL Network Convert: Standard
The server secret key needs to be the same as the RADIUS secret key set up on the
IDENTIKEY Authentication Server RADIUS client component.
Click OK.
Click Apply.
We can test this connection only if the basic setup was performed on the IDENTIKEY
Authentication Server. More detail can be found in “4.3 IDENTIKEY Authentication
Server”.
Select the server group Demo-IK and the server 10.4.0.13.
Click Test.
Select Authentication.
Enter the username (demo) and the OTP.
Click OK.
If everything was configured correctly we get this message:
4.2.2 Attaching the new back-end to the IPsec VPN
Navigate to Configuration, click on Remote Access VPN and open Network (Client) Access.
Click on IPsec Connection Profiles.
Select the DefaultRAGroup and click on Edit.
21 DIGIPASS Authentication for Cisco ASA 5505
DIGIPASS Authentication for Cisco ASA5505
Change the Server Group from Demo-Backend to Demo-IK.
Click OK.
4.2.3 Attaching the new back-end to the SSL VPN
Navigate to Configuration, click on Remote Access VPN, open Clientless SSL VPN Access
and click on Connection Profiles.
Select SSL-Demo and click Edit.
Change AAA Server Group from Demo-Backend to Demo-IK.
4.3 IDENTIKEY Authentication Server
There are lots of possibilities when using IDENTIKEY Authentication Server. We can authenticate
with:
Local users (Defined in IDENTIKEY Authentication Server)
Active Directory (Windows)
In this whitepaper we will use Local users to authenticate.
4.3.1 Policies
In the Policy the behavior of the authentication is defined. It gives all the answers on: I have got
a user and a password, what now?
Create a new Policy
22 DIGIPASS Authentication for Cisco ASA 5505
DIGIPASS Authentication for Cisco ASA5505
Policy ID : Test
Inherits From: Base Policy
Inherits means: The new policy will have the same behavior as the policy from which he
inherits, except when otherwise specified in the new policy.
Example:
Base Policy
New Policy Behaviour
1 a New policy will do a
2 b New policy will do b
3 c f New policy will do f
4 d New policy will do d
5 e g New policy will do g
The new policy is created, now we are going to edit it.
Click edit
Local Authentication : Digipass/Password
Click Save
4.3.2 Client
In the clients we specify the location from which IDENTIKEY Authentication Server will accept
requests and which protocol they use.
We are going to add a new RADIUS client.
23 DIGIPASS Authentication for Cisco ASA 5505
DIGIPASS Authentication for Cisco ASA5505
Client Type : select Radius Client from “select from list”
Location : 10.4.0.165
Policy ID : Select the Policy that was created in Policies
Protocol ID: RADIUS
Shared Secret: Test1234
Confirm Shared Secret: reenter the shared secret
Click Save
The shared secret has to be identical to the secret key we set in the Cisco ASA 5505
(view “4.2.1 Creating IDENTIKEY server back-end”)
4.3.3 User
We are going to create a user.
User ID: Demo
4.3.4 DIGIPASS
The purpose of using IDENTIKEY Authenticaction Server, is to be able to log in using One Time
Passwords (OTP). To make it possible to use OTP we need to assign a DIGIPASS to the user. The
Digipass is a device that generates the OTP’s.
Open the user by clicking on its name
Select Assigned Digipass
24 DIGIPASS Authentication for Cisco ASA 5505
DIGIPASS Authentication for Cisco ASA5505
Click ASSIGN
Click Next
Grace period: 0 Days
Grace period is the period that a user can log in with his static password. The first time
the user uses his DIGIPASS the grace period will expire.
Click ASSIGN
25 DIGIPASS Authentication for Cisco ASA 5505
DIGIPASS Authentication for Cisco ASA5505
Click Finish
26 DIGIPASS Authentication for Cisco ASA 5505
DIGIPASS Authentication for Cisco ASA5505
4.4 Test the Solution
4.4.1 Testing IPsec VPN
Connect to the Demo-ASA VPN and fill in the username (Demo) and the OTP.
You should be connected to the VPN and see the following in your network connections:
If the connection test from 4.2.1 works and the VPN connection fails with error 691,
please check in your ASDM if you applied the changes.
4.4.2 Testing SSL VPN
Navigate to https://10.4.0.165 and logon using your username (Demo) and OTP.
When successful you will see the following page:
28 DIGIPASS Authentication for Cisco ASA 5505
DIGIPASS Authentication for Cisco ASA5505
5 Challenge/Response The easiest way to test challenge/response is to use (Back-Up) Virtual DIGIPASS. Virtual
DIGIPASS is a solution where an OTP is sent to your E-mail account or mobile phone, after it was
triggered in a user authentication. The trigger mechanism is configured in the policy (see later).
Virtual DIGIPASS is a DIGIPASS that needs to be ordered like a Hardware
DIGIPASS
Back-Up Virtual DIGIPASS is a feature that must be enabled while ordering other
DIGIPASS (Hardware, DIGIPASS for Mobile, DIGIPASS for Web or DIGIPASS for
Windows)
Availability of Back-Up virtual DIGIPASS can be checked in the IDENTIKEY web
administration.
Select a DIGIPASS > Click on the first application and scroll down.
For test purposes a demo DPX file (named Demo_VDP.DPX) with Virtual Digipass is
delivered with every IDENTIKEY Authentication Server
5.1 Architecture
1: User IDTrigger
2:Challenge
3: SMS with OTP
4:OTP received by SMS
MDC
This solution makes use of an SMS-gateway (for SMS or text messages) or SMTP-server
(for mail). The first step is to configure one of the servers. This is done in the Message
Delivery Component (MDC) configuration. For more information see the IDENTIKEY
Authentication Server manuals.
29 DIGIPASS Authentication for Cisco ASA 5505
DIGIPASS Authentication for Cisco ASA5505
Popular SMS-gateways:
http://www.clickatell.com
http://www.cm.nl
http://www.callfactory.com
5.2 Cisco ASA 5505
There are no additional steps on the Cisco ASA 5505.
5.3 IDENTIKEY Authentication Server
5.3.1 Policy
The configuration virtual Digipass can be used is done in the policy.
Select the policy created in Policies. This should be Test.
Select Test
Go to Virtual Digipass
Click Edit
Delivery Method: SMS
BVDP Mode: Yes – Permitted
Request Method: KeywordOnly
Request Keyword: IwantOTP
Click Save
The request method is the trigger to send the message. The trigger can be:
Static password: as stored inside IDENTIKEY Authentication Server (different for
each individual user)
Keyword: a text message (the same for all users)
5.3.2 User
IDENTIKEY Authentication Server needs to know, where to send the mail or SMS. Therefor the
User should be added.
Select a user: Demo
Click User Info
Click Edit
30 DIGIPASS Authentication for Cisco ASA 5505
DIGIPASS Authentication for Cisco ASA5505
Mobile: +32… (for the sms)
Email Address: [email protected] (for mail)
Click save
31 DIGIPASS Authentication for Cisco ASA 5505
DIGIPASS Authentication for Cisco ASA5505
5.4 Test the Solution
5.4.1 Testing IPsec
Step 1:
Log in using your username and the keyword (Demo / IwantOTP)
Step 2:
The ASA server will return that the connection was unsuccessful.
Click Close.
Step 3:
Log in using your username and the received OTP (SMS).
Step 4:
When configured correctly, you are now connected to the VPN.
5.4.2 Testing SSL VPN
32 DIGIPASS Authentication for Cisco ASA 5505
DIGIPASS Authentication for Cisco ASA5505
Step 1:
Log in using your username and the keyword (Demo / IwantOTP)
Step 2:
You will be asked for your OTP.
Step 3:
Use the received OTP (SMS) to logon.
Step 4:
When configured correctly, you will be redirected to the portal site.