external authentication with cisco asa authenticating ... asa.pdf · external authentication with...
Post on 07-Mar-2018
238 Views
Preview:
TRANSCRIPT
-
External Authentication with Cisco ASA
Authenticating Users Using SecurAccess Server by SecurEnvoy
Contact information
SecurEnvoy www.securenvoy.com 0845 2600010
Merlin House Brunel Road Theale Reading RG7 4AB
Phil Underwood Punderwood@securenvoy.com
Tony Davis tdavis@securenvoy.com
axonex hello@axonex.com 01242 535700
-
2014 SecurEnvoy Ltd. All rights reserved Confidential Page 2
Cisco ASA Integration Guide
This document describes how to integrate a Cisco ASA with SecurEnvoy two-factor
Authentication solution called SecurAccess.
Cisco ASA provides Secure Remote Access and Firewalling to the internal corporate
network.
SecurAccess provides two-factor, strong authentication for remote Access solutions
(such as Cisco), without the complication of deploying hardware tokens or smartcards.
Two-Factor authentication is provided by the use of (your PIN and your Phone to
receive the one time passcode)
SecurAccess is designed as an easy to deploy and use technology. It integrates directly into any LDAP server and negates the need for additional User Security
databases. SecurAccess consists of two core elements: a Radius Server and
Authentication server. The Authentication server is directly integrated with LDAP in real time.
SecurEnvoy Security Server can be configured in such a way that it can use the
existing LDAP password. Utilising the LDAP password as the PIN, allows the User to enter their UserID, Domain password and One Time Passcode received upon their
mobile phone. This authentication request is passed via the Radius protocol to the
SecurEnvoy Radius server where it carries out a Two-Factor authentication. It provides a seemless login into the Windows Server environment by entering three
pieces of information. SecurEnvoy utilises a web GUI for configuration, as does the Cisco ASA (ASDM). All notes within this integration guide refer to this type of
approach.
The equipment used for the integration process is listed below:
Cisco
Cisco Adaptive Security Appliance Software Version 9.1(3)
Device Manager Version 7.1(4) Cisco Anyconnect Mobile Client 3.1.03103
SecurEnvoy
Windows 2012 R2 Server IIS installed with SSL certificate (required for management and remote administration)
Active Directory installed or connection to Active Directory via LDAP protocol.
SecurAccess software release v7.2.505
-
2014 SecurEnvoy Ltd. All rights reserved Confidential Page 3
Index
1.0 Prerequisites ................................................................................................... 3 1.1 Configuration of Cisco AAA server .................................................................. 4 1.2 Configuration of Cisco ASA VPN configuration ............................................... 5 2.0 Configuration of SecurEnvoy - PIN configuration ........................................... 5 2.1 Configuration of SecurEnvoy - RADIUS configuration .................................... 5 3.0 Cisco AnyConnect VPN Client Configuration ................................................... 7 4.0 Test logon SSL ................................................................................................. 7 4.1 Test logon AnyConnect Client ......................................................................... 8 4.2 Configuration of OneSwipe(Optional)............................................................. 9 4.3 User Experience - OneSwipe ......................................................................... 10 5.0 Troubleshooting RADIUS connection ............................................................ 11
1.0 Prerequisites
It is assumed that the Cisco ASA has been installed and is authenticating VPN users with a username and password. Securenvoy Security Server has been installed with the Radius service and has a suitable account that has read and write privileges to the Active Directory. If firewalls are between the SecurEnvoy Security server, Active Directory servers, and the Routing and Remote Access server(s), additional open ports will be required. NOTE: Add radius profiles for each Cisco ASA that requires Two-Factor Authentication.
The following table shows what token types are supported.
Token Type Supported
Real Time SMS or Email
Preload SMS or Email
Soft Token Code
Soft Token Next Code
Voice Call
One Swipe
-
2014 SecurEnvoy Ltd. All rights reserved Confidential Page 4
1.1 Configuration of Cisco AAA server
Launch the Cisco Adaptive Security Device Manager
(ASDM), select Configuration in top toolbar, navigate to AAA setup, go to AAA server Groups and click
ADD.
Enter name details and select the Radius protocol,
set max failed attempts to 3.
Click Ok when completed.
Navigate to AAA setup, go to AAA server and click
ADD.
Enter details for interface, IP address of SecurEnvoy
server. Set port to 1812 (this is the default port of SecurEnvoy Radius)
Enter Server Secret Key.
Make sure that Microsoft CHAPv2 is unticked.
Click OK when completed.
-
2014 SecurEnvoy Ltd. All rights reserved Confidential Page 5
1.2 Configuration of Cisco ASA VPN configuration
Within the ASDM, navigate to the Remote Access VPN. Then select the existing profile you wish to change. In this example the AnyConnect Connection profile was selected.
Within the AnyConnect profile, change the AA server
group to be the AA group that was configured earlier.
Click OK when complete.
Apply all changes to make the configuration active.
2.0 Configuration of SecurEnvoy - PIN configuration
To help facilitate an easy to use environment, SecurEnvoy can utilise the existing LDAP
password as the PIN. This allows the users to only remember their Domain password.
SecurEnvoy supplies the second factor of authentication, which is the dynamic one time passcode (OTP) which is sent to the users mobile phone via SMS, email or use a Soft Token.
Launch the SecurEnvoy admin interface, by executing the Local Security Server
Administration link on the SecurEnvoy Security Server.
Click Config
Select Windows Microsoft Password is the PIN under PIN Management
This will now use the users existing password as the PIN.
Click Update to confirm the changes
2.1 Configuration of SecurEnvoy - RADIUS configuration
Click the Radius Button
Click New then enter IP address and Shared secret for each Cisco ASA that wishes to use
SecurEnvoy Two-Factor authentication.
-
2014 SecurEnvoy Ltd. All rights reserved Confidential Page 6
Make sure that Prompt all passcodes in the
same way as Real Time Codes is ticked.
If required Group membership can be
achieved
SecurEnvoy RADIUS can respond with LDAP group membership via Radius return
attribute 3076-223.
Click Update to confirm settings.
Click Logout when finished. This will log
out of the Administrative session.
NOTE SecurEnvoy RADIUS has the ability to send Privilege level access by returning
Radius Privilege-Level 220 attribute to an
ASA.
SecurEnvoy can search any LDAP attribute
and respond with the data that is contained in that attribute.
To set this up, first choose an LDAP attribute and populate with the correct data. This
example uses pager.
In this example the LDAP attribute Pager is used. It is then populated with 15 for level 15
access.
Please see Cisco ASA reference guide for more information.
Within the Radius set, provide a unique
number and then the VendorID, 3076-220. Then select LDAP and type in the name of the
LDAP attribute, this example uses pager.
Click Update when complete.
Cisco Attribute Name Attribute Syntax Value
Privilege-Level 220 Integer 0-15
-
2014 SecurEnvoy Ltd. All rights reserved Confidential Page 7
3.0 Cisco AnyConnect VPN Client Configuration
The VPN client does not require any changes, if it was working by using a username and
password it will now work with SecurEnvoy Two Factor authentication.
4.0 Test logon SSL
Once the configuration has been saved, the
connection can be initiated by navigating to the configured URL.
In this example
Https://server.securenvoy.com
User then enters existing Domain User ID and Domain password.
User is then prompted to enter a 6 digit passcode. This can be obtained from SMS,
Email, Soft Token etc.
Click continue to complete the logon.
NOTE If a user is setup for Voice Call, the user enters User ID and password as described
previously, but will then the following prompt will be displayed. The users phone will then receive a voice call; user then follows the prompt and enters the
displayed passcode via the phone keypad.
Once entered the user clicks continue on
the logon prompt to complete the sequence.
https://server.securenvoy.com/
-
2014 SecurEnvoy Ltd. All rights reserved Confidential Page 8
4.1 Test logon AnyConnect Client
User then enters existing Domain User ID
and Domain password. Click OK to continue.
User is then prompted to enter a 6 digit
passcode. This can be obtained from SMS, Email, Soft Token etc.
Click Continue to complete the logon.
NOTE If a user is setup for Voice Call, the user enters User ID and password as described
previously, but will then the following prompt will be displayed. The users phone will then receive a voice call; user then follows the prompt and
enters the displayed passcode via the
phone keypad.
Once entered the user clicks continue
on the logon prompt to complete the sequence.
-
2014 SecurEnvoy Ltd. All rights reserved Confidential Page 9
4.2 Configuration of OneSwipe (Optional)
Customise the SSL WebVPN
portal with OneSwipe-specific
details: Configuration >>
Remote Access VPN >> Clientless SSL VPN Access >>
Portal >> Customization
Highlight DfltCustomization and
click Edit and select Title Panel from the Logon Page menu
In the Text box, enter the following HTML code:
SSL VPN Service
Click OK and then click Web
Contents from the Portal menu. Select Import and
import the oneswipe.gif and
oneswipe.js files from the link below into the default web
contents folder. For each file, select the option stating that
no authentication is required.
https://www.dropbox.com/s/6wt8npsa2aeb54y/oneswipe.zip
https://www.dropbox.com/s/6wt8npsa2aeb54y/oneswipe.zip
-
2014 SecurEnvoy Ltd. All rights reserved Confidential Page 10
4.3 User Experience - OneSwipe
Select Swipe from the phone Soft Token
Enter your PIN /Password into the PIN / Password
field and click Done.
Browse to ASA Clientless SSL WebVPN portal
Click on the OneSwipe
button and scan the QR code using your webcam.
UserID, password and
passcode are passed to
the Cisco ASA authentication page and
user successfully logs in.
-
2014 SecurEnvoy Ltd. All rights reserved Confidential Page 11
User is presented with Cisco Web Portal
5.0 Troubleshooting RADIUS connection
Navigate to AAA setup, go to AAA server, select the
SecurEnvoy AAA server and Test authentication
Enter Domain UserID in username field and domain password; click OK to continue.
User is then prompted to enter a 6 digit passcode.
Click OK
Information window will show response.
External Authentication with Cisco ASAAuthenticating Users Using SecurAccess Server by SecurEnvoyIndex1.0 Prerequisites
1.1 Configuration of Cisco AAA server1.2 Configuration of Cisco ASA VPN configuration2.0 Configuration of SecurEnvoy - PIN configuration2.1 Configuration of SecurEnvoy - RADIUS configurationNOTE SecurEnvoy RADIUS has the ability to send Privilege level access by returning Radius Privilege-Level 220 attribute to an ASA.SecurEnvoy can search any LDAP attribute and respond with the data that is contained in that attribute.To set this up, first choose an LDAP attribute and populate with the correct data. This example uses pager.3.0 Cisco AnyConnect VPN Client Configuration4.0 Test logon SSL4.1 Test logon AnyConnect Client4.2 Configuration of OneSwipe (Optional)4.3 User Experience - OneSwipe5.0 Troubleshooting RADIUS connection
top related