Copyright © 2013 GoldKey Security Corporation. All Rights Reserved.
Two-Factor VPN Authentication using GoldKey and Cisco AnyConnect
Configuration Guide
GoldKey Security Corporation www.goldkey.com
Table of Contents
Configuration of the Cisco ASA (page 3)
  Install the Active Directory Root Certificate (page 3)
  Generate an Identity Certificate (page 5)
    Issuing a Router Certificate for the ASA (page 10)
Configuring Cisco AnyConnect (page 12)
Implementing GoldKey Authentication (page 13)
Customer Support (page 13)
Acknowledgments and Disclosures (page 13)
Configuration of the Cisco ASA
These instructions are intended to assist IT administrators in configuring their ASA to trust certificates issued by their Active Directory Certificate Authority, and apply to Cisco AnyConnect version 2.5.
Install the Active Directory Root Certificate
The first step in configuring the Cisco ASA to add two-factor authentication using GoldKey tokens and Active Directory certificates is to install the Active Directory root certificate on the ASA. To do this, log into the ASDM and click the Configuration button. Then choose Device Management, expand Certificate Management, and select CA Certificates.
Next, click Add in the pane on the right. This will open the Install Certificate wizard.
From here, click on Browse, select the root certificate, and click install. Then click on Install Certificate. Finally, click Send to finish installing the Active Directory root certificate on the ASA. A message will be displayed letting you know if the certificate has been installed correctly.
Generate an Identity Certificate
After the root certificate has been successfully installed, you will need to create an identity certificate on the ASA. To begin, select Identity Certificates from within Certificate Management and click Add.
Select “Add a new identity certificate” from within the Add Identity Certificate dialog and click on the New button to generate a key pair.
Enter the name for the key pair as well as the size of the key, and then click Generate Now.
You will be given an opportunity to preview the CLI commands. Click on Send to finish generating the key pair. Next, you will be brought back to the ASDM Identity Certificates screen. Click on Add to continue creating an identity certificate.
Select the “Add a new identity certificate” option and choose the new key pair from the drop-down list provided. Then, click on Select for the Certificate Subject DN.
Next, select the Common Name (CN) attribute and set the Internet-reachable name of the ASA, such as its fully qualified domain name, as the value. Then, click Add. If there are other attributes required in your environment, please add them at this time. Then, click OK. Click on the Advanced button from the Add Identity Certificate screen.
From the Certificate Parameters tab in the Advanced Options screen, make sure that the FQDN field matches the CN entered in the Certificate Subject DN and click OK.
On the Add Identity Certificate screen, click Add Certificate. You will be given another opportunity to preview the CLI commands to be sent to the ASA. Then, click on Send. You will be prompted to save the certificate-signing request (CSR) to a file. Click on Browse and select the name and location for the CSR. Then, click OK. The ASDM will now display your certificate as pending, as shown below.
Issuing a Router Certificate for the ASA
You will need to generate an Active Directory certificate based on the request created by the ASA. In order to accomplish this, you will need to enable the Router (Offline request) certificate template on your Certificate Authority. From your Microsoft CA, open Certification Authority under Start – Administrative Tools. Then, select Certificate Templates from the pane on the left, and make sure that the “Router (Offline request)” template is listed. If it is not, select the “New Certificate Template to Issue” option under New in the Action menu, select Router (Offline request), and click OK to enable it.
Next, copy the CSR file onto the desktop of the CA server. Then, hold down Shift and right-click to open a command prompt window from the Desktop. Run the following command to issue a certificate for the CSR that you generated through the ASDM:
CertReq -submit -attrib "CertificateTemplate:OfflineRouter" newASA-2.csr newASAOutput2.cer
For this command to work properly, you will need to replace “newASA-2.csr” with the name of the CSR file you created through the ASDM. You may also select a different name for the output file. Next, right-click on the output certificate file and open it with Notepad. Select and copy the certificate information, and then return to the ASDM. From the Identity Certificates screen, click on the Install button in the pane on the right.
Select the option to paste the certificate data in base-64 format, and paste the data you copied from Notepad. Finally, click on Install Certificate.
You will notice that your certificate is no longer listed as pending. The Identity Certificates screen should now show only one entry, as shown below.
Configuring Cisco AnyConnect
Once the ASA has been configured with the Active Directory root certificate and an identity certificate of its own, Cisco AnyConnect clients must be configured to use certificates for authentication. The following is an example AnyConnect configuration that requires certificates for authentication. Please note that some values have been modified to remove identifying information.
ssl trust-point ASDM_TrustPoint3 outside
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
 svc enable
 tunnel-group-list enable
 tunnel-group-preference group-url
group-policy xxxx-ssl internal
group-policy xxxx-ssl attributes
 banner value Welcome to XXXX SSL VPN
 wins-server none
 dns-server value XXX.XXX.X.XXX
 vpn-idle-timeout 14400
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl-clientvpn
 default-domain value XXXX.XXXXX
 address-pools value vpnippool
 webvpn
  svc dtls enable
  svc keep-installer installed
  svc ask none default svc
tunnel-group xxxx-ssl-cert type remote-access
tunnel-group xxxx-ssl-cert general-attributes
 address-pool vpnippool
 default-group-policy xxxx-ssl
tunnel-group xxxx-ssl-cert webvpn-attributes
 authentication certificate
 group-alias ssl-cert enable
 group-url https://XXXXX.XXXXXXX.XXX/cert enable
tunnel-group-map DefaultCertificateMap 10 xxxxvpntest
!
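A configuration check for the setup above, added here as an example (it is not from the GoldKey guide or from Cisco): it parses the indented sub-mode layout of an ASA configuration and lists every tunnel-group whose webvpn-attributes do not require a client certificate, so a password-only tunnel-group cannot quietly remain reachable alongside the certificate one. The embedded configuration and the names in it are constructed placeholders modelled on the example above.

```python
# Added example (not from the GoldKey guide or from Cisco): lint an ASA
# configuration so that every SSL VPN tunnel-group requires a client certificate.
import re

# Constructed sample modelled on the guide's configuration; names are placeholders.
SAMPLE_CONFIG = """\
ssl trust-point ASDM_TrustPoint3 outside
webvpn
 enable outside
 svc enable
tunnel-group xxxx-ssl-cert type remote-access
tunnel-group xxxx-ssl-cert webvpn-attributes
 authentication certificate
 group-url https://vpn.example.test/cert enable
tunnel-group legacy-pw type remote-access
tunnel-group legacy-pw webvpn-attributes
 authentication aaa
 group-url https://vpn.example.test/pw enable
"""


def parse_blocks(config):
    """Map each top-level ASA command to the indented sub-commands beneath it."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):
            blocks.setdefault(current, []).append(line.strip())
        else:
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks


def find_weak_tunnel_groups(config):
    """Names of tunnel-groups whose webvpn-attributes do not demand a certificate.

    An absent 'authentication' line means the ASA default, which is aaa only.
    """
    weak = []
    for top, subs in parse_blocks(config).items():
        m = re.match(r"tunnel-group (\S+) webvpn-attributes$", top)
        if not m:
            continue
        auth_words = [w for s in subs if s.startswith("authentication ") for w in s.split()]
        if "certificate" not in auth_words:
            weak.append(m.group(1))
    return weak


def has_outside_trustpoint(config):
    """True when an identity-certificate trustpoint is bound to the outside interface."""
    return re.search(r"^ssl trust-point \S+ outside$", config, re.M) is not None
```

Run it against the output of `show running-config` saved to a file; any name it returns is a tunnel-group that still accepts a password alone.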
Implementing GoldKey Authentication
The final step in implementing two-factor VPN authentication using GoldKey is to load certificates from Active Directory onto your tokens. For more information on loading certificates onto your GoldKey tokens, please refer to our online support resources at http://www.goldkey.com/support/
Once the certificates are loaded properly and the AnyConnect configuration above has been completed, you will be prompted for your GoldKey PIN to authenticate connections to your VPN.
Customer Support
If you have questions or comments, please feel free to contact GoldKey Customer Support. General product information can be obtained from our website.
Telephone: 888-220-4020
Email: [email protected]
Website: http://www.goldkey.com/
Acknowledgments and Disclosures
Cisco and AnyConnect are registered trademarks of Cisco Systems, Inc. GoldKey and the GoldKey logo are registered trademarks of GoldKey Security Corporation. Active Directory and Microsoft are registered trademarks of Microsoft Corporation.