Copyright © 2013 GoldKey Security Corporation. All Rights Reserved.

Two-Factor VPN Authentication using GoldKey and Cisco AnyConnect

Configuration Guide

GoldKey Security Corporation www.goldkey.com

Table of Contents

Configuration of the Cisco ASA
  Install the Active Directory Root Certificate
  Generate an Identity Certificate
  Issuing a Router Certificate for the ASA
Configuring Cisco AnyConnect
Implementing GoldKey Authentication
Customer Support
Acknowledgments and Disclosures

Configuration of the Cisco ASA

These instructions are intended to help IT administrators configure their Cisco ASA to trust certificates issued by their Active Directory Certificate Authority; they apply to Cisco AnyConnect version 2.5.

Install the Active Directory Root Certificate

The first step in configuring the Cisco ASA to add two-factor authentication using GoldKey tokens and Active Directory certificates is to install the Active Directory root certificate on the ASA. To do this, log into the ASDM and click the Configuration button. Then choose Device Management, expand Certificate Management, and select CA Certificates.

Next, click Add in the pane on the right. This will open the Install Certificate wizard.

From here, click on Browse, select the root certificate, and click Install. Then click on Install Certificate. Finally, click Send to finish installing the Active Directory root certificate on the ASA. A message will be displayed letting you know whether the certificate has been installed correctly.

Generate an Identity Certificate

After the root certificate has been successfully installed, you will need to create an identity certificate on the ASA. To begin, select Identity Certificates from within Certificate Management and click Add.

Select “Add a new identity certificate” from within the Add Identity Certificate dialog and click on the New button to generate a key pair.

Enter the name for the key pair as well as the size of the key, and then click Generate Now.

You will be given an opportunity to preview the CLI commands. Click on Send to finish generating the key pair. Next, you will be brought back to the ASDM Identity Certificates screen. Click on Add to continue creating an identity certificate.

Select the “Add a new identity certificate” option and choose the new key pair from the drop-down list provided. Then, click on Select for the Certificate Subject DN.

Next, select the Common Name (CN) attribute and set the Internet-reachable name of the ASA, such as its fully qualified domain name, as the value. Then, click Add. If there are other attributes required in your environment, please add them at this time. Then, click OK. Click on the Advanced button from the Add Identity Certificate screen.

From the Certificate Parameters tab in the Advanced Options screen, make sure that the FQDN field matches the CN entered in the Certificate Subject DN and click OK.

On the Add Identity Certificate screen, click Add Certificate. You will be given another opportunity to preview the CLI commands to be sent to the ASA. Then, click on Send. You will be prompted to save the certificate-signing request (CSR) to a file. Click on Browse and select the name and location for the CSR. Then, click OK. The ASDM will now display your certificate as pending, as shown below.

Issuing a Router Certificate for the ASA

You will need to generate an Active Directory certificate based on the request created by the ASA. In order to accomplish this, you will need to enable the Router (Offline request) certificate template on your Certificate Authority. From your Microsoft CA, open Certification Authority under Start – Administrative Tools. Then, select Certificate Templates from the pane on the left, and make sure that the “Router (Offline request)” template is listed. If it is not, select the “New Certificate Template to Issue” option under New in the Action menu, select Router (Offline request), and click OK to enable it.

Next, copy the CSR file onto the desktop of the CA server. Then, hold down Shift and right-click to open a command prompt window from the Desktop. Run the following command to issue a certificate for the CSR that you generated through the ASDM:

    CertReq -submit -attrib "CertificateTemplate:OfflineRouter" newASA-2.csr newASAOutput2.cer

For this command to work properly, you will need to replace “newASA-2.csr” with the name of the CSR file you created through the ASDM. You may also select a different name for the output file. Next, right-click on the output certificate file and open it with Notepad. Select and copy the certificate information, and then return to the ASDM. From the Identity Certificates screen, click on the Install button in the pane on the right.

Select the option to paste the certificate data in base-64 format, and paste the data you copied from Notepad. Finally, click on Install Certificate.

You will notice that your certificate is no longer listed as pending. The Identity Certificates screen should now show only one entry, as shown below.
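The most common reason the paste step fails is an incomplete copy from Notepad. The following Python script is an added example and is not part of the GoldKey guide or of the Cisco or Microsoft tooling: it checks that the BEGIN/END CERTIFICATE markers are present, that the body decodes as base-64, and that the length declared by the outer DER SEQUENCE agrees with the number of bytes actually decoded, which is exactly what a truncated paste breaks. The sample blob is a constructed DER SEQUENCE, not a real certificate, so the script runs offline.

```python
"""Pre-check a base-64 (PEM) certificate blob before pasting it into ASDM.

Added example, not from the GoldKey guide.  A certificate file is DER wrapped
in base-64; if the copy is cut short, either the base-64 no longer decodes or
the decoded bytes are shorter than the length the DER header declares.
"""
import base64
import binascii


def der_sequence_length(der: bytes):
    """Total encoded length (header + content) of the outer DER SEQUENCE,
    or None if the data does not start with a SEQUENCE tag (0x30)."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_pem_certificate(text: str) -> dict:
    """Validate a pasted PEM certificate; returns a dict of findings."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    result = {"has_markers": False, "valid_base64": False,
              "der_complete": False, "der_bytes": 0, "problem": None}
    if (len(lines) < 3 or lines[0] != "-----BEGIN CERTIFICATE-----"
            or lines[-1] != "-----END CERTIFICATE-----"):
        result["problem"] = "missing or damaged BEGIN/END CERTIFICATE markers"
        return result
    result["has_markers"] = True
    body = "".join(lines[1:-1])
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        result["problem"] = "body is not valid base-64 (partial or altered copy?)"
        return result
    result["valid_base64"] = True
    result["der_bytes"] = len(der)
    expected = der_sequence_length(der)
    if expected is None:
        result["problem"] = "decoded data does not start with a DER SEQUENCE"
    elif expected != len(der):
        result["problem"] = (f"DER declares {expected} bytes but {len(der)} "
                             f"were decoded (truncated paste?)")
    else:
        result["der_complete"] = True
    return result


def _constructed_pem(content_len: int = 200) -> str:
    """Constructed sample: a well-formed DER SEQUENCE (NOT a real certificate)
    wrapped as PEM, so the check can be exercised offline."""
    content = bytes(range(256))[:content_len]
    der = b"\x30\x81" + bytes([content_len]) + content   # long-form length, 1 byte
    b64 = base64.b64encode(der).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n"


SAMPLE_PEM = _constructed_pem()
# Constructed truncated copy: the last (short) base-64 line was lost.
_pem_lines = SAMPLE_PEM.splitlines()
TRUNCATED_PEM = "\n".join(_pem_lines[:-2] + _pem_lines[-1:]) + "\n"

if __name__ == "__main__":
    for label, pem in (("complete", SAMPLE_PEM), ("truncated", TRUNCATED_PEM)):
        r = check_pem_certificate(pem)
        print(f"{label}: {'OK' if r['der_complete'] else r['problem']}")
```

Run it against the .cer file you opened in Notepad (read the file and pass its text to check_pem_certificate) before returning to the ASDM; a "truncated paste" result means re-copy the whole file rather than retrying the Install button.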

Configuring Cisco AnyConnect

Once the ASA has been configured with the Active Directory root certificate and an identity certificate of its own, Cisco AnyConnect clients must be configured to use certificates for authentication. The following is an example AnyConnect configuration that requires certificates for authentication. Please note that some values have been modified to remove identifying information.

ssl trust-point ASDM_TrustPoint3 outside
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
 svc enable
 tunnel-group-list enable
 tunnel-group-preference group-url
group-policy xxxx-ssl internal
group-policy xxxx-ssl attributes
 banner value Welcome to XXXX SSL VPN
 wins-server none
 dns-server value XXX.XXX.X.XXX
 vpn-idle-timeout 14400
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl-clientvpn
 default-domain value XXXX.XXXXX
 address-pools value vpnippool
 webvpn
  svc dtls enable
  svc keep-installer installed
  svc ask none default svc
tunnel-group xxxx-ssl-cert type remote-access
tunnel-group xxxx-ssl-cert general-attributes
 address-pool vpnippool
 default-group-policy xxxx-ssl
tunnel-group xxxx-ssl-cert webvpn-attributes
 authentication certificate
 group-alias ssl-cert enable
 group-url https://XXXXX.XXXXXXX.XXX/cert enable
tunnel-group-map DefaultCertificateMap 10 xxxxvpntest
!
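The line that makes the token mandatory is "authentication certificate" under the tunnel-group's webvpn-attributes; a tunnel-group left at the ASA default ("authentication aaa") accepts a password alone. The following Python script is an added example, not part of the GoldKey guide or of any Cisco tool: it parses the indentation-based ASA configuration format and reports, for each remote-access tunnel-group, which authentication methods are configured, together with the SSL trust-point and the interfaces on which WebVPN is enabled. The embedded configurations are the guide's sanitized example (shortened) and a constructed variant that falls back to password-only authentication.

```python
"""Audit a Cisco ASA configuration for certificate-based AnyConnect authentication.

Added example, not part of the GoldKey guide or any Cisco tool.  The ASA
running-config is hierarchical: sub-mode commands are indented one space per
level, so a line's parent is the nearest preceding line with a smaller indent.
"""

# The guide's sanitized example configuration (shortened), embedded as a string.
ASA_CONFIG = """\
ssl trust-point ASDM_TrustPoint3 outside
webvpn
 enable outside
 svc enable
 tunnel-group-list enable
group-policy xxxx-ssl internal
group-policy xxxx-ssl attributes
 vpn-tunnel-protocol svc
 address-pools value vpnippool
 webvpn
  svc dtls enable
tunnel-group xxxx-ssl-cert type remote-access
tunnel-group xxxx-ssl-cert general-attributes
 address-pool vpnippool
 default-group-policy xxxx-ssl
tunnel-group xxxx-ssl-cert webvpn-attributes
 authentication certificate
 group-alias ssl-cert enable
 group-url https://XXXXX.XXXXXXX.XXX/cert enable
tunnel-group-map DefaultCertificateMap 10 xxxxvpntest
!
"""

# Constructed variant: same shape, but the tunnel-group only asks for a password.
WEAK_CONFIG = """\
ssl trust-point ASDM_TrustPoint3 outside
webvpn
 enable outside
tunnel-group xxxx-ssl-pw type remote-access
tunnel-group xxxx-ssl-pw webvpn-attributes
 authentication aaa
 group-alias ssl-pw enable
"""


def parse_asa(text):
    """Parse ASA config text into a list of top-level nodes.
    Each node is {"cmd": str, "children": [node, ...]}."""
    root = {"cmd": None, "children": []}
    stack = [(-1, root)]                      # (indent, node)
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue                          # blank lines and section separators
        indent = len(raw) - len(raw.lstrip(" "))
        node = {"cmd": raw.strip(), "children": []}
        while stack[-1][0] >= indent:         # climb back to the parent level
            stack.pop()
        stack[-1][1]["children"].append(node)
        stack.append((indent, node))
    return root["children"]


def find(nodes, prefix):
    """Top-level nodes whose command is `prefix` or starts with `prefix `."""
    return [n for n in nodes if n["cmd"] == prefix or n["cmd"].startswith(prefix + " ")]


def audit_anyconnect(text):
    """Summarise the settings that decide whether a certificate is required."""
    nodes = parse_asa(text)
    findings = {"tunnel_groups": {}, "ssl_trustpoints": {}, "webvpn_enabled_on": []}

    for n in find(nodes, "ssl trust-point"):      # ssl trust-point <name> [<iface>]
        parts = n["cmd"].split()
        iface = parts[3] if len(parts) > 3 else "(global)"
        findings["ssl_trustpoints"][iface] = parts[2]

    for wv in find(nodes, "webvpn"):              # global webvpn mode only
        for c in wv["children"]:
            if c["cmd"].startswith("enable "):
                findings["webvpn_enabled_on"].append(c["cmd"].split()[1])

    for tg in find(nodes, "tunnel-group"):        # tunnel-group <name> webvpn-attributes
        parts = tg["cmd"].split()
        if len(parts) < 3 or parts[2] != "webvpn-attributes":
            continue
        methods = set()
        for c in tg["children"]:
            if c["cmd"].startswith("authentication "):
                methods.update(c["cmd"].split()[1:])
        if not methods:
            methods = {"aaa"}                     # ASA default when no authentication line is set
        findings["tunnel_groups"][parts[1]] = {
            "methods": sorted(methods),
            "requires_certificate": "certificate" in methods,
        }
    return findings


if __name__ == "__main__":
    for label, cfg in (("guide", ASA_CONFIG), ("constructed weak", WEAK_CONFIG)):
        for name, tg in audit_anyconnect(cfg)["tunnel_groups"].items():
            status = "OK" if tg["requires_certificate"] else "WARNING: no certificate required"
            print(f"[{label}] {name}: {' '.join(tg['methods'])} -> {status}")
```

Feed it the output of "show running-config" to confirm that every AnyConnect tunnel-group reachable through a group-url or group-alias lists "certificate" among its methods; the trust-point and "enable outside" entries confirm that the identity certificate issued earlier is actually the one presented to clients on the outside interface.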

Implementing GoldKey Authentication

The final step in implementing two-factor VPN authentication using GoldKey is to load certificates from Active Directory onto your tokens. For more information on loading certificates onto your GoldKey tokens, please refer to our online support resources at http://www.goldkey.com/support/. Once the certificates are loaded properly and the AnyConnect configuration above has been completed, you will be prompted for your GoldKey PIN to authenticate connections to your VPN.

Customer Support

If you have questions or comments, please feel free to contact GoldKey Customer Support. General product information can be obtained from our website.

Telephone: 888-220-4020

Email: [email protected]

Website: http://www.goldkey.com/

Acknowledgments and Disclosures

Cisco and AnyConnect are registered trademarks of Cisco Systems, Inc. GoldKey and the GoldKey logo are registered trademarks of GoldKey Security Corporation. Active Directory and Microsoft are registered trademarks of Microsoft Corporation.