Version 1.0
Publication Date: June 2010
Information provided is confidential and proprietary to SafeNet, Inc. (SafeNet). SafeNet assumes no responsibility or liability for the accuracy of the information contained in this presentation.
All attempts have been made to make the information in this document complete and accurate. SafeNet is not responsible for any direct or indirect damages or loss of business resulting from inaccuracies or omissions. The specifications in this document are subject to change without notice.
Date of Publication: June 2010
Last update: Wednesday, June 02, 2010
support@safenet-inc.com
Table of Contents
Solution Summary
Product Requirements
RADIUS and Virtual Private Network Background
Solution Summary
Today's decentralized business environments demand open, flexible access into the corporate network for a wide range of users. In this environment, a simple username/password is insufficient. By combining Cisco ASA or ACS appliances with SafeWord strong two-factor authentication, enterprises can meet strict security requirements while keeping the deployment simple, and can extend their application infrastructure with high confidence. The Cisco ASA appliance supports SafeWord authentication through the standards-based RADIUS AAA protocol. The Cisco ASA appliance's Java-based administration interface provides a point-and-browse way to configure the RADIUS client for SafeWord authentication, so Cisco ASA appliance users can quickly leverage SafeWord two-factor authentication from any location to protect critical network resources.
Product Requirements
For the instructions in this guide to be successful, the following must be installed and configured:
1. Cisco ASA Appliance
2. SafeWord Server with RADIUS Server Agent
For the purpose of this guide, the following network layout was used:
SafeWord RADIUS Server IP: 10.52.41.123/24
Cisco ASA Internal IP Address: 10.52.41.252/24
Cisco ASA External IP Address: 66.162.147.204/29 (mask 255.255.255.248)
Windows XP Workstation with Cisco VPN Client installed: 66.162.147.203/29 (mask 255.255.255.248)
RADIUS and Virtual Private Network Background
RADIUS
The RADIUS Server and the RADIUS Client (in this case the VPN device) must know about each other: the RADIUS Server is configured with the client's IP address, and the RADIUS Client is configured with the RADIUS Server's IP address. Both are also configured with one specific and unique piece of information, a shared secret. The RADIUS Server accepts an authentication request only from a known client IP address, and it uses the shared secret to recover the password (here, the one-time passcode) hidden in the request and to sign its reply. If the secrets do not match, the recovered credential is garbage and the user is rejected, and the client in turn discards the reply because its signature does not verify. Because the shared secret is the only key protecting the exchange, it should be long and random, and the client and server should communicate over a trusted internal network.
VPN (Virtual Private Network)
A VPN is defined as a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization's network. A virtual private network can be contrasted with an expensive system of owned or leased lines that can only be used by one organization. The goal of a VPN is to provide the organization with the same capabilities, but at a much lower cost. A VPN works by using the shared public infrastructure while maintaining privacy through security procedures and tunneling protocols such as the Layer Two Tunneling Protocol (L2TP). In effect, the protocols, by encrypting data at the sending end and decrypting it at the receiving end, send the data through a "tunnel" that cannot be "entered" by data that is not properly encrypted. An additional level of security involves encrypting not only the data, but also the originating and receiving network addresses.
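The exchange described above, as an added example that is not part of the original guide and is not SafeNet or Cisco code: a minimal RADIUS Access-Request / Access-Accept round trip in Python, following RFC 2865. The ASA side hides the one-time passcode with the shared secret and a random Request Authenticator; the server side looks the client up by IP, recovers the passcode with that client's secret, and signs its reply with a Response Authenticator that the ASA side then checks. The addresses and the secret 123456 are taken from this guide; the user name jdoe, the passcode 48213976 and the passcode validator are constructed placeholders standing in for the SafeWord server. The example makes one point visible that the prose only states: with a mismatched secret the server does not detect a "wrong secret" as such, it simply recovers garbage and rejects the user, and the client then discards the reply because the Response Authenticator does not verify. This is also exactly what the ASA's AAA test wizard later in this guide exercises.

```python
"""Minimal RADIUS (RFC 2865) Access-Request / Access-Accept exchange.

Added example, not code from the SafeNet guide. Addresses and the secret
123456 are the guide's; user, passcode and validator are constructed.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

ASA_IP = "10.52.41.252"                 # RADIUS client: ASA inside address (guide)
ASA_SECRET = b"123456"                  # secret configured on the ASA (guide's value)
SERVER_CLIENTS = {ASA_IP: b"123456"}    # client table on the SafeWord RADIUS Server


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), first block with the Request
    Authenticator. Only MD5 and XOR protect the passcode, so the secret matters."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; strips the zero padding."""
    plain, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def access_request(username: str, passcode: str, secret: bytes, nas_ip: str,
                   ident: int = 1, req_auth: bytes = None) -> bytes:
    """What the ASA sends: Code, Identifier, Length, a random 16-byte Request
    Authenticator, then the attributes."""
    req_auth = req_auth or os.urandom(16)
    attrs = attr(ATTR_USER_NAME, username.encode())
    attrs += attr(ATTR_USER_PASSWORD, hide_password(passcode.encode(), secret, req_auth))
    attrs += attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def parse_attrs(payload: bytes) -> dict:
    attrs = {}
    while payload:
        atype, alen = payload[0], payload[1]
        attrs[atype] = payload[2:alen]
        payload = payload[alen:]
    return attrs


def server_handle(packet: bytes, clients: dict, valid_passcode) -> bytes:
    """What the RADIUS server does. NAS-IP-Address stands in for the UDP source
    address used to find the client's secret. Unknown client: silently discard."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    nas_ip = ".".join(str(b) for b in attrs[ATTR_NAS_IP_ADDRESS])
    secret = clients.get(nas_ip)
    if secret is None:
        return None
    passcode = reveal_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    user = attrs[ATTR_USER_NAME].decode(errors="replace")
    code = ACCESS_ACCEPT if valid_passcode(user, passcode) else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)   # reply carries no attributes
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + req_auth + b"" + secret).digest()
    return header + resp_auth


def client_verify_response(request: bytes, response: bytes, secret: bytes):
    """What the ASA checks before trusting a reply: identifier matches and the
    Response Authenticator verifies with our secret and our Request
    Authenticator. Returns the reply code, or None if the reply is not genuine."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if ident != request[1] or response[4:20] != expected:
        return None
    return code


def demo_validator(user: str, passcode: bytes) -> bool:
    """Constructed stand-in for the SafeWord OTP check: one fixed passcode for jdoe."""
    return user == "jdoe" and passcode == b"48213976"


def run(server_clients: dict):
    """One full round trip; returns the code the client accepts, or None."""
    req = access_request("jdoe", "48213976", ASA_SECRET, ASA_IP)
    resp = server_handle(req, server_clients, demo_validator)
    return None if resp is None else client_verify_response(req, resp, ASA_SECRET)


if __name__ == "__main__":
    print("matching secret:", run(SERVER_CLIENTS))        # 2 = Access-Accept
    print("wrong secret:   ", run({ASA_IP: b"wrong"}))    # None: reply fails to verify
    print("unknown client: ", run({}))                    # None: request discarded
```

Running the block prints the three outcomes: Access-Accept when both sides hold 123456, no usable reply when the server holds a different secret, and no reply at all when the ASA's address is not registered as a client. Production RADIUS also carries the Message-Authenticator attribute (an HMAC-MD5 over the packet, RFC 2869) so that a server can reject a forged request outright; it is omitted here for brevity, and it too is keyed on the same shared secret.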
Configure the SafeWord RADIUS Server to accept Cisco ASA RADIUS authentication requests
To ensure the SafeWord RADIUS Server accepts RADIUS authentication requests from the VPN device, follow the instructions below:
1. On the server hosting the SafeWord RADIUS Server, click Start > Programs > Aladdin > SafeWord > Configuration > RADIUS Server Configuration. The configuration wizard opens in Internet Explorer.
2. Right-click the ActiveX pop-up that displays at the top of your browser under the address bar to accept the warning and allow blocked content.
3. Click Yes.
4. Click the RADIUS Client button. The RADIUS Client Wizard window opens.
5. Add the internal IP address of the Cisco ASA device and choose a secret phrase:
a. IP: 10.52.41.252 (ASA)
b. Secret: 123456 (the shared secret must match exactly on the ASA and in the RADIUS configuration; 123456 is used here only for illustration, and a production deployment should use a long random secret, since it is the only key protecting the RADIUS exchange)
6. Click OK.
Configure the Cisco ASA appliance to authenticate against the SafeWord RADIUS Server
3. Click Add. The Add AAA Server Group wizard appears. Enter a name in the Server Group field (this guide uses SafeWord), and then click OK.
4. Add RADIUS Servers to the SafeWord AAA Server Group by selecting the SafeWord AAA Server Group, and then clicking Add in the Servers in the Selected Group pane.
5. The Add AAA Server Wizard opens. Enter the following:
a. Interface Name: Inside
b. Server Name or IP address: 10.52.41.123
c. Timeout: the default is 10 seconds
d. Server Authentication Port: 1812
e. Server Accounting Port: 1813 (if using the SafeWord Accounting Server)
f. Retry Interval: the default is 10 seconds
g. Server Secret: 123456 (identical to the secret entered in the SafeWord RADIUS Client Wizard)
Note that the Cisco ASA defaults to the legacy RADIUS ports 1645 and 1646, while the SafeWord RADIUS Server uses the standard ports 1812 and 1813, so both ports must be set explicitly or every request will time out.
Test authentication from the Cisco ASA appliance to the SafeWord RADIUS Server
3. The Test Wizard window opens. Select the Authentication radio button, and then enter a valid SafeWord user name and a one-time passcode.
If the test succeeds, Cisco ASA and SafeWord RADIUS are configured properly, and authentication requests sent from the Cisco ASA appliance are passing. If it fails, check that the shared secret, the client IP address registered on the SafeWord RADIUS Server (the ASA inside address, 10.52.41.252), and the authentication port match on both sides.
Configure the remote-access VPN tunnel on the Cisco ASA appliance
3. Select the VPN Tunnel Type (Remote Access, for the Cisco VPN Client used in this guide) and the VPN Tunnel Interface (the external interface that the clients connect to).
4. Select the Client Type: Cisco VPN client, Release 3.x or higher.
5. Enter the Pre-Shared Key and the Tunnel Group Name. The pre-shared key is shared with all VPN clients connecting to this appliance; to keep it simple, this example uses the phrase myciscovpn. Because every client holds the same key, it only identifies the group; the individual user is identified by the SafeWord one-time passcode configured in the next step.
6. In the Client Authentication window, click Authenticate using an AAA server group, and then select the SafeWord server group from the drop-down menu.
7. All VPN clients need an IP address assigned. You can either use a preconfigured IP pool or click New to create a new IP pool. This example creates a new pool as follows:
Network: 192.168.10.0/24
IP Range: 192.168.10.100 to 192.168.10.200
8. Click OK.
9. Fill in the attributes provided to push DNS, WINS, domain name, and so on to connecting clients.
10. Select the IKE Policy. If you are unsure about this option, leave the default values.
11. IPsec Rule: this is another configuration window that, if unclear, should be left at its default.
12. Address Translation Exceptions. To expose the entire private network without using NAT, leave the Selected Hosts/Networks list blank.
Configuring the Cisco VPN Client and connecting to the Cisco ASA appliance using two-factor authentication
Installing and configuring the Cisco VPN Client is the last step in deploying a remote-access system using two-factor authentication. To configure the client and successfully log on using SafeWord one-time passwords, follow the steps below.
1. At the Windows workstation, launch the Cisco VPN Client. The Cisco VPN Client opens.
2. Click New. A window for creating a new VPN connection entry opens.
3. Use the values entered earlier when creating the VPN tunnel on the Cisco ASA appliance: the host is the ASA external address (66.162.147.204), and the group name and pre-shared key are those entered in step 5 of the tunnel configuration (myciscovpn in this example).
6. Click Connect. The User Authentication window opens.
7. Enter the user name and the SafeWord passcode, and then click OK.
8. Cisco ASA successfully authenticates the user with the one-time passcode against the SafeWord RADIUS Server, and the tunnel is established.