Integrating Cisco ASA VPN Clients with SafeWord Strong Authentication

Version 1.0
Publication Date: June 2010

Information provided is confidential and proprietary to SafeNet, Inc. (SafeNet) SafeNet assumes no responsibility or liability for the accuracy of the information contained in this presentation.

2010 SafeNet Inc. All rights reserved.

All attempts have been made to make the information in this document complete and accurate. SafeNet is not responsible for any direct or indirect damages or loss of business resulting from inaccuracies or omissions. The specifications in this document are subject to change without notice.

Date of Publication: June, 2010 Last update: Wednesday, June 02, 2010

2010 SafeNet Inc. All rights reserved.

Technical Support Information

SafeNet works closely with our reseller partners to offer the best worldwide Technical Support services. Your reseller is the first line of support when you have questions about products and services; however, if you require additional assistance, contact us directly. Region USA International Web-based ticketing and reporting E-mail Contact +1 (800) 545-6608 +1 (410) 931-7520
http://c3.safenet-inc.com/secure.asp

support@safenet-inc.com

About SafeNet and Aladdin Knowledge Systems

In 2007, SafeNet was acquired by Vector Capital, a $2 billion private equity firm specializing in the technology sector. Vector Capital acquired Aladdin in March of 2009, and placed it under common management with SafeNet. Together, these global leading companies are the third largest information security company in the world, which brings to market integrated solutions required to solve customers increasing security challenges. SafeNets encryption technology solutions protect communications, intellectual property and digital identities for enterprises and government organizations. Aladdins software protection, licensing and authentication solutions protect companies information, assets and employees from piracy and fraud. Together, SafeNet and Aladdin have a combined history of more than 50 years of security expertise in more than 100 countries around the globe. Aladdin is expected to be fully integrated into SafeNet in the future. For more information, visit www.safenet-inc.com or www.aladdin.com.

2010 SafeNet Inc. All rights reserved.

Table of Contents
Solution Summary ......................................................................................... 3
Product Requirements ............................................................................................................... 4 RADIUS and Virtual Private Network Background ............................................................ 5

Integrating Cisco ASA with SafeWord ........................................................ 6

Configure the SafeWord RADIUS Server to accept Cisco ASA RADIUS authentication requests ....................................................................................................................................... 7 Configuring the ASA appliance for RADIUS authentication ............................................. 8 Creating and configuring a RADIUS authentication server............................................ 8 Creating a VPN tunnel that requires strong authentication ............................................... 12 Configuring the Cisco VPN Client and connecting to the Cisco ASA Appliance using two factor authentication................................................................................................................ 17

2010 SafeNet Inc. All rights reserved.

Solution Summary
Todays decentralized business environments demand open, flexible access into the corporate network for a wide range of users. In this environment, simple username/password approaches are insufficient. By combining Cisco ASA or ACS appliances with SafeWord strong, two-factor authentication, enterprises can meet strict security requirements with an elegant solution that ensures utmost network protection. This solution allows companies to extend their application infrastructure with high confidence and surprising ease. The Cisco ASA appliance integrates full support for SafeWord authentication through the standards-based RADIUS AAA protocol directly with the platform. The Cisco ASA appliances Java-based administration interface provides a point and browse capability to configure the RADIUS client for SafeWord authentication. This approach means that Cisco ASA appliance users can quickly and easily leverage SafeWord two-factor authentication solutions from any location, providing the highest level of protection over critical network resources.

2010 SafeNet Inc. All rights reserved.

Product Requirements
For the instructions in this guide to be successful, the following must be installed and configured: Cisco ASA Appliance SafeWord Server with RADIUS Server Agent.

For the purpose of this guide, the following network layout was used: SafeWord RADIUS Server IP: 10.52.41.123/24 Cisco ASA Internal IP Address: 10.52.41.252/24 Cisco ASA External IP Address: 66.162.147.204/248 Windows XP Workstation with Cisco VPN client installed: 66.162.147.203/248

2010 SafeNet Inc. All rights reserved.

RADIUS and Virtual Private Network Background

As networks grow and branch out to remote locations, network security increases in importance and administration complexity. Customers need to protect networks and network services from unauthorized access by remote users. RADIUS is one of the protocols commonly used to provide these solutions in today's inter-networks. RADIUS protocol Authentication is the process of identifying and verifying a user. Several methods can be used to authenticate a user, but the most common includes a combination of user name and password. Once a user is authenticated,authorization to various network resources and services can be granted. Authorization determines what a user can do, and accounting is the action of recording what a user is doing or has done. The RADIUS protocols define the exchange of information between these components in order to provide authentication, authorization, and accounting functionality. The RADIUS protocol, as published by Livingston, is a method of managing the exchange of authentication, authorization, and accounting information in the network. RADIUS draft was submitted to the Internet Engineering Task Force (IETF) as a draft standard in June, 1996. RADIUS is a fully open protocol. The RADIUS Server The RADIUS Server is an authentication protocol server daemon that has been interfaced with SafeWord through the EASSP protocol. It supports all of the RADIUS functionality documented in Internet RFC 2138, and all functionality as documented in SafeWord publications, with minor restrictions on multiple simultaneous dynamic password authenticators. The RADIUS Server can be located on a separate computer, distinct from any computer that houses the SafeWord AAA Server. It can also be located on the same computer as the AAA Server. RADIUS Server features Fully RFC 2138 compliant -- The RADIUS Server is fully RFC 2138 compliant. Supports group authorization User-specific attributes support CHAP support Vendor-Specific Attributes support RADIUS Proxy support RADIUS accounting support Extensive diagnostics level Please refer to the SafeWord 2008 Administration Guide chapter: Managing the RADIUS Servers.

2010 SafeNet Inc. All rights reserved.

The RADIUS Server and the RADIUS Client (in this case a VPN device) should know about each other. The RADIUS Server will know the clients IP address and the RADIUS Client will know about the RADIUS Server IP address. Both should know one specific and unique piece of information, a secret phrase. The RADIUS Server validates the clients authentication request by verifying that it is it is a known IP client and that the secret shared between them matches. VPN (Virtual Private Network) VPN is defined as a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network. A virtual private network can be contrasted with an expensive system of owned or leased lines that can only be used by one organization. The goal of a VPN is to provide the organization with the same capabilities, but at a much lower cost. A VPN works by using the shared public infrastructure while maintaining privacy through security procedures and tunneling protocols such as the Layer Two Tunneling Protocol (L2TP). In effect, the protocols, by encrypting data at the sending end and decrypting it at the receiving end, send the data through a "tunnel" that cannot be "entered" by data that is not properly encrypted. An additional level of security involves encrypting not only the data, but also the originating and receiving network addresses.

Integrating Cisco ASA with SafeWord

This section provides instructions for integrating the partners product with SafeWord twofactor authentication. This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components. All vendor products and components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding. All the administrative tasks to be performed on the Cisco ASA appliance are accomplished through the Cisco ASDM Console v5.2 or higher.

2010 SafeNet Inc. All rights reserved.

Configure the SafeWord RADIUS Server to accept Cisco ASA RADIUS authentication requests
To ensure the SafeWord RADIUS Server accepts the RADIUS authentication of the VPN device, follow the instructions below: 1. On the server hosting the SafeWord RADIUS Server, click on Start > Programs > Aladdin > SafeWord > Configuration > RADIUS Server Configuration. The configuration wizard opens using Internet Explorer. 2. Right click on the ActiveX pop-up that displays at the top of your browser under the address bar to accept the warning and allow blocked content. 3. Click Yes. 4. Click the RADIUS Client button. The RADIUS Client Wizard window opens. 5. Add the internal IP address of the Cisco ASA device and choose a secret phrase: a. IP: 10.52.41.252 (ASA) b. Secret: 123456 (Please note that it is imperative the shared secret match on the ASA and the RADIUS configuration).

6. Click OK.

2010 SafeNet Inc. All rights reserved.

Configuring the ASA appliance for RADIUS authentication

The following are the general, high-level steps required to activate SafeWord RADIUS authentication within the Secure Access appliance. Create and configure a RADIUS authentication server within the Cisco ASA ASDM administrator console. Create and configure an Authentication Server Group. Add RADIUS Servers to the newly created group. Test the configuration.

Creating and configuring a RADIUS authentication server

To create a RADIUS authentication server for use with SafeWord, do the following: 1. Log into the Cisco ASA administration console. 2. Click the Configuration icon at the top to expand the AAA Setup option, and then select AAA Server Groups.

2010 SafeNet Inc. All rights reserved.

3. Click Add. The Add AAA Server Group wizard appears. Enter a name in the Server Group field, and then click OK.

4. Add RADIUS Servers to the SafeWord AAA Server Group by selecting SafeWord AAA Server Group, and then clicking Add in the Servers in the Selected Group .

2010 SafeNet Inc. All rights reserved.

10

5. The Add AAA Server Wizard opens. a. Select the Interface Name: Inside b. Enter the Server Name or IP address: 10.52.41.123 c. Set the Timeout: The default is 10 seconds d. Enter the Server Authentication Port: 1812 e. Enter the Server Accounting Port: (If using the SafeWord Accounting Server, use port 1813) f. Enter the Retry Interval: The default is 10 seconds g. Enter the Server Secret: 123456

6. Click OK. Apply all changes.

Testing the authentication server using Cisco ASA test utility

1. Using the Administration Console, select AAA Setup > AAA Server Groups, and then highlight the SafeWord Server Group. 2. Select the RADIUS server in the selected group, and then click Test.

2010 SafeNet Inc. All rights reserved.

11

3. The Test Wizard window opens. Select the Authentication radio button, and then enter a valid SafeWord user and a one time passcode.

Cisco ASA and SafeWord RADIUS are configured properly, and authentication requests sent from the Cisco ASA appliance are passing.

2010 SafeNet Inc. All rights reserved.

12

Creating a VPN tunnel that requires strong authentication

The following are general instructions for creating a VPN tunnel: 1. Open the Cisco ASA administration console. 2. Click on the VPN icon on the left column. The VPN wizard appears.

3. Select the VPN Tunnel Type and the VPN Tunnel Interface as follows:

2010 SafeNet Inc. All rights reserved.

13

4. Select the Client Type: Cisco VPN client, Release 3.x or higher. 5. Enter the Pre-Shared Key and the Tunnel Group Name. This is the key that will be shared with all VPN clients connecting to this appliance. To keep it simple, in this example, we will use the following phrase: myciscovpn.

6. In the Client Authentication window, click the Authenticate using an AAA server group, and then click on the drop down menu and select the SafeWord server group.

2010 SafeNet Inc. All rights reserved.

14

7. All the VPN clients will need an IP address assigned. You can either use a preconfigured IP pool or click New to create a new IP pool. We will create a new pool as follows: Network 192.168.10.0/24 IP Ranges 192.168.10.100 200.

8. Click OK.

2010 SafeNet Inc. All rights reserved.

15

9. Fill in all the attributes provided to push DNS, Wins, domain name, etc. to connecting clients.

10. Select IKE Policy. If you do not understand this option, leave the default values.

11. IPSec Rule: This is another configuration window that if unclear, should be left set to the default.

2010 SafeNet Inc. All rights reserved.

16

12. Address Translation Exceptions. To expose the entire private network without using NAT, leave the Selected Hosts/Networks list blank.

13. Click Finish.

2010 SafeNet Inc. All rights reserved.

17

Configuring the Cisco VPN Client and connecting to the Cisco ASA Appliance using two factor authentication
Installing and configuring the Cisco VPN Client will be the last step to deploy a Remote Access system using two factor authtentication. To configure the client and succesfully logon using SafeWord One Time Passwords, follow the steps below. 1. At the Windows workstation, launch the Cisco VPN Client. The Cisco VPN Client opens.

2. Click New. The Create a New VPN Client opens. 3. Use the values entered before to create the VPN tunnel at the Cisco ASA appliance as shown below.

2010 SafeNet Inc. All rights reserved.

18

4. Click Save. 5. Cisco VPN Shows a New Connection Entry.

6. Click Connect. The User Authentication Window opens. 7. Enter the user name and SafeWord passcode as shown below, and then click OK.

2010 SafeNet Inc. All rights reserved.

19

8. Cisco ASA succesfully authenticates the user using a one-time passcode against our SafeWord RADIUS Server, and the tunnel is created.

2010 SafeNet Inc. All rights reserved.