Copyright © 2010 CRYPTOCard Inc. http://www.cryptocard.com
Implementation Guide for protecting
Cisco ASA 5500 Series
Implementation Guide for protecting Cisco ASA version 8.3 with ASDM v6.3(1) i
Copyright
Copyright © 2010, CRYPTOCard All Rights Reserved. No part of this publication may be
reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any
language in any form or by any means without the written permission of CRYPTOCard.
Trademarks
BlackShield ID and BlackShield ID Pro are either registered trademarks or trademarks of
CRYPTOCard Inc. All other trademarks and registered trademarks are the property of their
owners.
Additional Information, Assistance, or Comments
CRYPTOCard’s technical support specialists can provide assistance when planning and
implementing CRYPTOCard in your network. In addition to aiding in the selection of the
appropriate authentication products, CRYPTOCard can suggest deployment procedures that
provide a smooth, simple transition from existing access control systems and a satisfying
experience for network users. We can also help you leverage your existing network
equipment and systems to maximize your return on investment.
CRYPTOCard works closely with channel partners to offer worldwide Technical Support
services. If you purchased this product through a CRYPTOCard channel partner, please
contact your partner directly for support needs.
To contact CRYPTOCard directly:
International Voice: +1-613-599-2441
North America Toll Free: 1-800-307-7042
For information about obtaining a support contract, see our Support Web page at
http://www.cryptocard.com.
Related Documentation
Refer to the Support & Downloads section of the CRYPTOCard website for additional
documentation and interoperability guides: http://www.cryptocard.com.
Publication History
Date Changes Version
January 26, 2009 Document created 1.0
July 9, 2009 Copyright year updated 1.1
Sept 15, 2010 Updated for GrIDsure, MP and different auth methods 1.2
Table of Contents
Overview ... 1
Applicability ... 1
Preparation and Prerequisites ... 1
Configuration ... 2
  Configure Cisco ASA for Two Factor Authentication ... 2
  Define a RADIUS enabled AAA Server group ... 2
  Assigning a RADIUS AAA Server to the AAA Server group ... 3
  Assigning CRYPTOCard Authentication to a Clientless SSL VPN Connection Profile ... 4
  Assigning CRYPTOCard Authentication to an IPSec VPN Connection Profile ... 5
  Assigning CRYPTOCard Authentication to an AnyConnect Connection Profile ... 6
Clientless SSL VPN and GrIDsure authentication ... 7
Clientless SSL VPN and MP Token detection ... 10
  Uploading custom CRYPTOCard login pages ... 10
  Creating an SSL VPN Portal Page Customization Object ... 11
  Verifying the Connection and Group profile ... 11
Cisco AnyConnect Client and Software Token Detection ... 12
Troubleshooting ... 18
  RADIUS Authentication issues ... 18
  GrIDsure Authentication issues ... 19
Further Information ... 19
Overview
By default, Cisco ASA user authentication requires that a user provide a correct user name
and password to log on successfully. This document describes the steps necessary to
augment this logon mechanism with strong authentication by adding the requirement to
provide a one-time password generated by a CRYPTOCard token.
Applicability
This integration guide is applicable to:
Security Partner Information
  Security Partner: Cisco
  Product Name: Cisco ASA 5500 series
  ASA Version: 8.3
  ASDM Version: 6.3(1)
CRYPTOCard Server
  Authentication Server: BlackShield ID Server 2.4 or higher;
                         BlackShield ID Server 2.7 or higher (GrIDsure support)
  RADIUS Server: Microsoft Internet Authentication Service (IAS),
                 Microsoft Network Policy Server (NPS),
                 Juniper Steel Belted RADIUS server
Preparation and Prerequisites
• Ensure end users can authenticate through the Cisco ASA with a static password before
configuring the Cisco Secure ASA to use RADIUS authentication.
• BlackShield Pro server installed and a user account assigned with a CRYPTOCard token.
• BlackShield Agent for Internet Authentication Service (IAS), Network Policy Server
(NPS) or Juniper Steel Belted RADIUS is installed.
Configuration
Configure Cisco ASA for Two Factor Authentication
Configuring the Cisco ASA consists of the following steps:
• Step 1: Define a RADIUS enabled AAA Server group.
• Step 2: Assign a RADIUS AAA Server to the AAA Server group.
• Step 3: Assign RADIUS Authentication to a Clientless SSL VPN Connection Profile.
• Step 4: Assign RADIUS Authentication to an IPSec VPN Connection Profile.
• Step 5: Assign RADIUS Authentication to an AnyConnect VPN Connection Profile.
Define a RADIUS enabled AAA Server group
1. In the Cisco ASDM client select Configuration.
2. Select Remote Access VPN.
3. Under Remote Access VPN expand AAA/Local Users then select AAA Server Group.
4. Select Add in the AAA Server Group section. Enter the Server Group name
   (ex. CRYPTOCard) and RADIUS as the Protocol.
Assigning a RADIUS AAA Server to the AAA Server group
1. Under Remote Access VPN expand AAA/Local Users, AAA Server Group then on the right
   highlight the CRYPTOCard Group.
2. In the “Servers in the Selected Group” section select Add.
3. Enter the following information:
   • Choose the interface
   • IP address of the supported RADIUS server.
   • RADIUS authentication port (1812)
   • RADIUS accounting port (1813)
   • Server Secret Key (Shared Secret)
4. After adding the AAA Server to the AAA Server group, you will see it appear in the
   AAA Servers in the selected group section.
Assigning CRYPTOCard Authentication to a Clientless SSL VPN Connection Profile
The Clientless SSL VPN Connection Profiles include the type of authentication method used
during the negotiation of a VPN connection. To allow CRYPTOCard authentication a RADIUS
enabled profile must be created.
1. In the Cisco ASDM client select Configuration, Remote Access VPN.
2. Expand Clientless SSL VPN Access and highlight Connection Profiles.
3. In Connection Profiles select Add.
4. Enter a name for the profile.
5. Under Authentication select AAA.
6. In the AAA Server Group dropdown select CRYPTOCard.
7. Complete the additional entries with the settings required by your organization.
8. Verify the CRYPTOCard profile is enabled. If required, disable the other Connection
   Profiles.
Assigning CRYPTOCard Authentication to an IPSec VPN Connection Profile
The IPSec VPN Connection Profiles include the type of authentication method used during
the negotiation of a VPN connection. To allow CRYPTOCard authentication a RADIUS
enabled profile must be created.
1. In the Cisco ASDM client select Configuration, Remote Access VPN.
2. Expand Network (Client) Access and highlight IPsec Connection Profiles.
3. In Connection Profiles select Add.
4. Enter a name for the profile.
5. Under Authentication select AAA.
6. In the AAA Server Group dropdown select CRYPTOCard.
7. Complete the additional entries with the settings required by your organization.
8. Verify the CRYPTOCard profile is enabled. If required, disable the other Connection
   Profiles.
Assigning CRYPTOCard Authentication to an AnyConnect Connection Profile
The AnyConnect Connection Profiles include the type of authentication method used during
the negotiation of a VPN connection. To allow CRYPTOCard authentication a RADIUS
enabled profile must be created.
1. In the Cisco ASDM client select Configuration, Remote Access VPN.
2. Expand Network (Client) Access and highlight AnyConnect Connection Profiles.
3. In Connection Profiles select Add.
4. Enter a name for the profile.
5. Under Authentication select AAA.
6. In the AAA Server Group dropdown select CRYPTOCard.
7. Complete the additional entries with the settings required by your organization.
8. Verify the CRYPTOCard profile is enabled. If required, disable the other Connection
   Profiles.
Clientless SSL VPN and GrIDsure authentication
The Cisco SSL VPN login page can be configured to authenticate hardware and GrIDsure
token users.
1. The user enters the Cisco SSL VPN URL into their web browser.
2. The Cisco SSL VPN login page displays a Username and OTP field as well as a Login
and Get GrID button.
3. The user enters their username into the Username field then selects Get Grid. The
request is submitted from the user’s web browser to the BlackShield Self Service site.
4. The BlackShield Self Service site displays the user’s GrIDsure Grid within the Cisco SSL
VPN login page.
5. The user enters their GrIDsure password into the OTP field then submits the request.
6. The Cisco ASA device performs a RADIUS authentication request against the
   BlackShield server. If the CRYPTOCard credentials entered are valid, the user is
   presented with their Cisco ASA portal; otherwise the attempt is rejected.
The following steps will enable a hardware and GrIDsure aware logon page.
1. In the BlackShield distribution package browse to the html, agents, Cisco, GrIDsure
directory.
2. Copy the ciscogridsure.js file to a temporary folder then open the file with a text editor.
3. Modify the gridMakerURL value to reflect the location of the BlackShield Self Service site.
Example
var gridMakerURL = "https://mycompany.com/blackshieldss/index.aspx?getChallengeImage=true&userName=";
Note: If gridMakerURL references https, you must have a certificate installed on the
BlackShield Self Service IIS server.
4. In the Cisco ASDM client select Configuration, Remote Access VPN.
5. Expand Clientless SSL VPN Access, Portal and highlight Customization.
6. In Customization objects select Add.
7. In General, Customization Object Name enter CCGrid as the title. Select the
   Connection Profile and Group Policy for which the customization will be applied.
8. Expand Logon page and select Logon Form. In the Password Prompt section replace
   Password with OTP.
9. Expand Logon page and select Informational Panel. Place a checkmark in Display
   informational panel. In Panel Position select Right. Copy the contents of the
   ciscogridsure.js into the Text box. Leave the Logo Image blank. Set the Image
   Position to Below Text.
10. In Clientless SSL VPN Access, Connection Profiles highlight the GrIDsure enabled
    profile and select Edit.
11. Expand Advanced then select Clientless SSL VPN. Verify Portal Page Customization
    references the newly created GrIDsure enabled portal.
12. In Clientless SSL VPN Access, Group Profiles highlight the GrIDsure enabled profile
    and select Edit.
13. Expand More Options then select Customization. Verify Portal Customization
    references the newly created GrIDsure enabled portal.
Clientless SSL VPN and MP Token detection
The default Cisco ASA login page is unable to detect the presence of BlackShield software
tokens. The following section allows a Cisco Administrator to enable software token
detection for a Cisco Clientless SSL VPN site.
The Cisco ASA Login page can be configured to display primary authentication credential
fields (i.e. one username and password field) or primary and secondary authentication
credential fields (i.e. multiple username and password fields).
• If the Clientless SSL VPN site is configured to use primary authentication credentials (i.e.
CRYPTOCard only), the CCMPPri.inc and CRYPTOCardScript.js file must be added to Web
Contents then referenced in the custom configuration.
• If the Clientless SSL VPN site is configured to use primary and secondary authentication
credentials (i.e. Microsoft and CRYPTOCard credentials), the CCMPPriSec.inc and
CRYPTOCardScript.js file must be added to Web Contents then referenced in the custom
configuration.
Note: All three files (CCMPPri.inc, CCMPPriSec.inc and CRYPTOCardScript.js) may be added
to Web Contents but only one .inc file can be assigned to a WebVPN site.
Perform the following steps to enable software token detection.
Uploading custom CRYPTOCard login pages
All files referenced in this section can be found in the BlackShield distribution package under
the html, agents, Cisco, MP Clientless SSL VPN directory.
1. In ASDM, select Configuration, Remote Access VPN.
2. Expand Clientless SSL VPN Access then Portal.
3. Highlight Web Contents then select Import.
4. In Destination select No. For example, use this option to make the content
available only to the portal page.
5. In the Source - Local Computer select Browse Local Files.
6. Select CRYPTOCardScript.js then click Import Now.
7. In Web Contents select Import.
8. In Destination select No. For example, use this option to make the content
available only to the portal page.
9. In the Source - Local Computer select Browse Local Files.
10. Select CCMPPri.inc or CCMPPriSec.inc then click Import Now.
Creating an SSL VPN Portal Page Customization Object
1. In ASDM, select Configuration, Remote Access VPN.
2. Expand Clientless SSL VPN Access then Portal.
3. Highlight Customization then select Add.
4. In Customization Object Name enter CRYPTOCard MP Detection, select OK, then apply
   the settings.
5. Select the Connection Profile and Group Policy for which the customization will be
applied.
6. Highlight Logon Page then select Replace pre-defined logon page with a custom
page (full customization). In the Custom Page dropdown select
/+CSCOU+/CCMPPri.inc or /+CSCOU+/CCMPPriSec.inc.
Verifying the Connection and Group profile
1. In Clientless SSL VPN Access, Connection Profiles highlight the MP detection enabled
profile and select Edit.
2. Expand Advanced then select Clientless SSL VPN. Verify Portal Page Customization
references the newly created MP detection enabled portal.
3. In Clientless SSL VPN Access, Group Profiles highlight the MP detection enabled profile
and select Edit.
4. Expand More Options then select Customization. Verify Portal Customization references
the newly created MP detection enabled portal.
Open your web browser and proceed to the Clientless SSL VPN site. If this is the first time
accessing the page you will be prompted to install a CRYPTOCard ActiveX Web API.
If a software token exists, the page will detect and display all software tokens; otherwise a
hardware login mode will appear.
When primary authentication credential mode is enabled with software tokens the login
fields appear in the following order: Token name, PIN.
When primary and secondary authentication credential mode is enabled with software
tokens, the login fields appear in the following order: token name, PIN, password
(Microsoft).
Cisco ASA AnyConnect Client
The Cisco AnyConnect SSL VPN client is very different from the IPSec VPN client. The Cisco
ASA device can dynamically display login field names and login fields based on the settings
defined in each Group Profile.
The Cisco ASA device may also restrict users from selecting the Group Profile, and it can
place additional customizable options within the Preferences button.
Here are a couple of examples of how the Cisco AnyConnect client appears depending on the
group selected.
Screenshot: Username and Password (MS Password) Field
Screenshot: Username, Password (MS Password), and Second Password (OTP) Field
CRYPTOCard Cisco AnyConnect Client
Organizations may wish to integrate software based two factor authentication tokens with
the Cisco AnyConnect client to simplify the login process for users, thus eliminating the
need to copy and paste a One Time Password from one application to another.
With the BlackShield ID Cisco AnyConnect agent, the ability to integrate software based
two factor authentication tokens with the Cisco AnyConnect becomes a reality.
The two versions of the Cisco AnyConnect client that CRYPTOCard works with are Cisco
AnyConnect client 2.4.1012 and 2.5.0217.
Here are a couple of examples of how the BlackShield ID Cisco AnyConnect agent will
look depending on which group is selected and in which field the agent has been
configured to display the software token detection.
Screenshot: MP Token detection on Primary Password field
Screenshot: MP Token detection on Secondary Password field
Screenshot: MP Token detection in both Primary and Secondary Password fields
Cisco AnyConnect Client and MP Token Detection
!!IMPORTANT!!: The Cisco AnyConnect client must be already installed prior to the installation of the CRYPTOCard
Cisco AnyConnect package.
CRYPTOCard provides a Cisco AnyConnect client capable of detecting the presence of
BlackShield software tokens. The following steps must be performed:
1. Install the BlackShield ID Software Tools.
NOTE: If you are on a 64bit Operating System, install the “BlackShield ID Software Tools for AnyConnect”. The
installer can be found in html, agents, x64 directory within the BlackShield download package.
2. Install the MP Token into the BlackShield ID Software Tools.
3. Install the BlackShield ID Cisco AnyConnect package.
4. After installing the BlackShield ID Cisco AnyConnect, click on:
   • Start
   • All Programs
   • CRYPTOCard
   • BlackShield ID Cisco AnyConnect
   • Version 2.x (2.4 or 2.5)
   • Cisco AnyConnect VPN Client 2.x (2.4 or 2.5)
Once connected to the Cisco ASA the following will be displayed. This is the default
configuration for the BlackShield ID Cisco AnyConnect agent.
If the default configuration is incorrect and MP Token detection appears in the wrong
fields, go to the section below to change the MP Token detection.
BlackShield Cisco AnyConnect Agent registry key
The registry entry allows specifying where the MP token dropdown will appear and what
password field(s) will be used when the one-time password is submitted to the server.
On Windows XP/Vista/7 (32 bit), the registry key is located in:
• \HKEY_LOCAL_MACHINE\SOFTWARE\CRYPTOCard\CiscoAnyClientPlugin
On Windows XP/Vista/7 (64 bit), the registry key is located in:
• \HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\CRYPTOCard\CiscoAnyClientPlugin
The registry key is called “SoftTokenInclusion”, and the default value for the key is:
• ALL+ALL+1;
The Definition is as follows:
• “Connect To”+”Group Profile”+”Field Position to display MP and submit one-time
password”;
So an example would be:
• ASA.cryptocard.com+CRYPTOCard Henry+1;
Here is the explanation of the example above:
• This will work when connecting to ASA.cryptocard.com
• MP token detection will only show up using the “CRYPTOCard Henry” Group profile.
• It will display the MP Token detection in the first field
Here are examples of changing the MP Token detection to a different field:

ALL+ALL+1
Display MPs in the first username field and submit the one-time password to the first
password field. This is the default setting after installing the BlackShield ID Cisco
AnyConnect and the BlackShield ID Software Tools. This option is used if the
authentication is going against the BlackShield ID Professional server.

ALL+ALL+2
Display MPs in the second username field and submit the one-time password to the second
password field. This option is used if dual authentication is required (e.g. Microsoft
Password [Top], then CRYPTOCard [Bottom]).

ALL+ALL+3
Display MPs in the first and second username fields and submit the one-time password to
the first and second password fields. This setting is used if there needs to be
authentication against 2 BlackShield ID Pro Servers. This would be an odd case as this
setting would rarely be used.
Multiple options can be appended to the “SoftTokenInclusion” registry key.
Here is an example:
• “SoftTokenInclusion” registry key:
• “ALL+Corporate+1;ALL+CRYPTOCard Henry+2;ALL+CRYPTOCard+3;”
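The SoftTokenInclusion format described above, parsed and evaluated in Python as an added example (this is not CRYPTOCard's code). Since the guide does not say, it assumes that host and group names compare case-insensitively and that the first matching entry wins; the sample value is the guide's own multi-entry example.

```python
"""Parse and evaluate the BlackShield Cisco AnyConnect agent's
SoftTokenInclusion registry value (added example, not CRYPTOCard's code).

Format as described in the guide: "Connect To"+"Group Profile"+"Position";
entries are separated by ';', ALL is a wildcard, and Position is 1, 2 or 3.
Assumed here (the guide does not say): names compare case-insensitively
and the first matching entry wins.
"""
from dataclasses import dataclass
from typing import List, Optional

# Position -> (where the MP dropdown appears, password field(s) that
# receive the one-time password), taken from the guide's table.
FIELD_POSITIONS = {
    1: ("first username field", ("first password field",)),
    2: ("second username field", ("second password field",)),
    3: ("first and second username fields",
        ("first password field", "second password field")),
}

@dataclass(frozen=True)
class Rule:
    connect_to: str   # ASA host name the client connects to, or "ALL"
    group: str        # AnyConnect group profile, or "ALL"
    position: int     # 1, 2 or 3

def parse_soft_token_inclusion(value: str) -> List[Rule]:
    """Split the registry value into rules, rejecting malformed entries."""
    rules: List[Rule] = []
    for raw in value.split(";"):
        entry = raw.strip()
        if not entry:
            continue                      # tolerate the trailing ';'
        parts = [p.strip() for p in entry.split("+")]
        if len(parts) != 3:
            raise ValueError(f"expected Host+Group+Position, got {entry!r}")
        host, group, pos = parts
        if not host or not group:
            raise ValueError(f"empty host or group in {entry!r}")
        if not pos.isdigit() or int(pos) not in FIELD_POSITIONS:
            raise ValueError(f"position must be 1, 2 or 3 in {entry!r}")
        rules.append(Rule(host, group, int(pos)))
    return rules

def _matches(pattern: str, actual: str) -> bool:
    """ALL matches anything; otherwise compare case-insensitively (assumed)."""
    return pattern.upper() == "ALL" or pattern.lower() == actual.lower()

def resolve_position(rules: List[Rule], host: str, group: str) -> Optional[int]:
    """Position that applies to this host/group, or None when no entry
    matches (the MP token dropdown is not shown for that connection)."""
    for rule in rules:
        if _matches(rule.connect_to, host) and _matches(rule.group, group):
            return rule.position
    return None

def describe(rules: List[Rule], host: str, group: str) -> str:
    """Human-readable summary of what the agent will do for a connection."""
    pos = resolve_position(rules, host, group)
    if pos is None:
        return "no MP token detection for this connection"
    dropdown, targets = FIELD_POSITIONS[pos]
    return f"MP dropdown in {dropdown}; OTP submitted to {' and '.join(targets)}"

# Constructed sample input: the guide's own multi-entry example value.
SAMPLE_VALUE = "ALL+Corporate+1;ALL+CRYPTOCard Henry+2;ALL+CRYPTOCard+3;"

if __name__ == "__main__":
    rules = parse_soft_token_inclusion(SAMPLE_VALUE)
    for grp in ("Corporate", "CRYPTOCard Henry", "CRYPTOCard", "Guest"):
        print(f"{grp:17} -> {describe(rules, 'ASA.cryptocard.com', grp)}")
```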
Troubleshooting
RADIUS Authentication issues
When troubleshooting RADIUS authentication issues refer to the logs on the Cisco ASA
device.
All logging information for Internet Authentication Service (IAS) or Network Policy Server
(NPS) can be found in the Event Viewer.
All logging information for the BlackShield IAS\NPS agent can be found in the \Program
Files\CRYPTOCard\BlackShield ID\IAS Agent\log directory.
The following is an explanation of the logging messages that may appear in the event
viewer for the Internet Authentication Service (IAS) or Network Policy Server (NPS) RADIUS
Server.
Error Message: Packet DROPPED: A RADIUS message was received from an invalid RADIUS
client.
Solution:
• Verify a RADIUS client entry exists on the RADIUS server.

Error Message: Authentication Rejected: Unspecified
Solution: This will occur when one or more of the following conditions occur:
• The username does not correspond to a user on the BlackShield Server.
• The CRYPTOCard password does not match any tokens for that user.
• The shared secret entered in Cisco Secure ACS does not match the shared secret on the
  RADIUS server.

Error Message: Authentication Rejected: The request was rejected by a third-party extension
DLL file.
Solution: This will occur when one or more of the following conditions occur:
• The BlackShield Agent for IAS\NPS cannot contact the BlackShield Server.
• The Pre-Authentication Rules on the BlackShield server do not allow incoming requests
  from the BlackShield Agent for IAS\NPS.
• The BlackShield Agent for IAS\NPS Keyfile does not match the Keyfile stored on the
  BlackShield Server.
• The username does not correspond to a user on the BlackShield Server.
• The CRYPTOCard password does not match any tokens for that user.
GrIDsure Authentication issues
Issue: The GrIDsure enabled Clientless SSL VPN logon page does not appear.
Solution:
• Verify the Clientless SSL VPN Connection and Group profile reference the customized
  GrIDsure enabled portal page.
• Verify the Information Panel settings are configured exactly as described in Step 9 of
  the Clientless SSL VPN and GrIDsure authentication section.

Issue: The Get GrID button does not display the GrIDsure grid.
Solution:
• A username must be supplied before a GrIDsure grid can be generated.
• The user must have been assigned a GrIDsure token and have completed self-enrolment.
• In a web browser enter the gridMakerURL and append the username after the equal sign.
  Example
  https://company.com/blackshieldss/index.aspx?getChallengeImage=true&userName=bob
  A webpage should appear with a GrIDsure grid for the user (ex. Bob).
• Verify the client browser can access the URL of the BlackShield self service web site.
• Verify the GrIDsure token is not in a suspended or locked state.
Further Information
For further information, please visit http://www.cryptocard.com