Disclaimer
Disclaimer of Warranties and Limitation of Liabilities
All information contained in this document is provided 'as is'; VASCO Data Security assumes no
responsibility for its accuracy and/or completeness.
In no event will VASCO Data Security be liable for damages arising directly or indirectly from any
use of the information contained in this document.
Copyright
Copyright 2012 VASCO Data Security, Inc, VASCO Data Security International GmbH. All
rights reserved. VASCO, Vacman, IDENTIKEY Authentication Server, aXsGUARD, DIGIPASS and
the VASCO logo are registered or unregistered trademarks of VASCO Data Security,
Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries. VASCO
Data Security, Inc. and/or VASCO Data Security International GmbH own or are licensed
under all title, rights and interest in VASCO Products, updates and upgrades thereof, including
copyrights, patent rights, trade secret rights, mask work rights, database rights and all other
intellectual and industrial property rights in the U.S. and other countries. Microsoft and
Windows are trademarks or registered trademarks of Microsoft Corporation. Other names may
be trademarks of their respective owners.
Table of Contents
1 Overview
2 Technical Concepts
2.1 Cisco
2.1.1 ASA 5505
2.1.2 ASDM
2.1.3 IPsec
2.1.4 SSL
2.2 VASCO
3.1 Architecture
3.2 Prerequisites
3.3 Cisco ASA5505
3.3.1 Active Directory back-end
3.4.1.1 Microsoft Windows 7
4 Solution
4.1 Architecture
4.3 IDENTIKEY Authentication Server
4.3.1 Policies
4.3.2 Client
4.3.3 User
4.3.4 DIGIPASS
5 Challenge/Response
5.1 Architecture
5.3.1 Policy
5.3.2 User
1
Overview
[Figure: overview diagram. Labels: LDAP; RADIUS; VPN connection; Internal network]
2
Technical Concepts
2.1
Cisco
2.1.1
ASA 5505
The Cisco ASA 5505 is a small all-in-one firewall that provides a wide range of additional services.
These services include: VPN, intrusion prevention, content security, unified communications and
remote access.
2.1.2
ASDM
Adaptive Security Device Manager, or ASDM, is the GUI-based management tool for Cisco firewall
appliances. It provides an easy way to configure, monitor and troubleshoot Cisco firewall
devices; this guide uses it for every configuration step on the ASA.
2.1.3
IPsec
Internet Protocol Security, or IPsec, is a protocol suite for securing IP traffic. It provides
authentication and encryption of each packet, mutual authentication between the peers and the
negotiation of cryptographic keys for each session (IKE). Because IPsec works at the network
layer, an IPsec VPN carries all IP traffic between the client and the gateway, not just the traffic
of a single application.
2.1.4
SSL
Secure Sockets Layer, or SSL (today TLS), is a security protocol implemented above the transport
layer and used by applications; HTTPS is HTTP carried over SSL/TLS. It provides a protected
channel between the client application (usually a browser) and the server, which is what the
clientless SSL VPN on the ASA relies on.
2.2
VASCO
2.2.1
3.1
Architecture
[Figure: architecture diagram. Labels: VPN connection; LDAP 10.4.0.10; 10.4.0.226; Internal network 10.4.0.x]
A user sets up a VPN connection to the ASA5505. The ASA sends the user's credentials to the
Windows Active Directory back-end over LDAP to verify that the user exists and that the password
is correct. If so, the VPN connection is established and the user is allowed onto the internal
network. In this lab the LDAP traffic between the ASA and the domain controller is not encrypted,
so the user's password crosses the internal network in the clear; in production use LDAP over
SSL (port 636) for the back-end connection.
3.2
Prerequisites
For this setup we are going to use Cisco's ASDM. To run ASDM you need a Java Runtime
Environment on your PC.
Make sure that you have enabled web access to your ASA5505 firewall. If you have not enabled
this, connect to the device over SSH or the console port and enable it with the following
commands. x.x.x.x y.y.y.y is the address and mask of the management VLAN (VLAN 1, named
inside in the ASA5505 factory configuration); the http line limits ASDM access to that subnet,
so do not open it to any source:
enable
configure terminal
interface vlan 1
 ip address x.x.x.x y.y.y.y
 no shutdown
exit
http server enable
http <management-subnet> <mask> inside
write memory
If you now use a browser and navigate to the address you gave to the management VLAN you
will see the homepage that allows you to install ASDM.
3.3
Cisco ASA5505
3.3.1
Active Directory back-end
To set up a VPN connection we need a database of users to authenticate against. We could use
the ASA's internal user database, but in practice the Active Directory database is used for
this authentication.
Log into the ASA5505 with ASDM.
Go to the Configuration tab.
At the bottom left click Remote Access VPN.
Open AAA/Local Users.
Select AAA Server Groups and add a server group with the following settings:
Server Group: Demo-Backend
Protocol: LDAP
Reactivation Mode: Depletion
Dead Time: 10
Max Failed Attempts: 3
To test the back-end, select the server, click Test, select Authentication, enter demo as
username and Test12345 as password. (These are lab credentials only.)
3.3.2
Click Next.
Select Pre-Shared Key and use Test1234 as the pre-shared key. (Test1234 is a lab value only;
in production choose a long random pre-shared key, because a guessable group key undermines
the IKE authentication of every VPN client.)
Click Next.
Create the address pool for the VPN clients:
Name: Demo-Pool
Starting IP Address: 10.4.0.81
Ending IP Address: 10.4.0.89
Subnet Mask: 255.255.255.0
3.3.3
Click Next.
Select your Active Directory back-end (Demo-Backend; see 3.3.1 Active Directory back-end).
Click Next.
Select Create new group policy and fill in DemoSSLgrppolicy.
Click Next.
From the drop-down list Bookmark List, select Google.
Click Next.
Click Finish.
To review the result, navigate to Configuration, click Remote Access VPN, open Clientless SSL
VPN Access and click Connection Profiles.
3.4
3.4.1
3.4.1.1
Microsoft Windows 7
From the network and sharing center, click on Set Up a Connection or Network.
Select Connect to a workplace and click Next.
If you already have VPN networks set up, select No, create a new connection and click Next.
Click on Use my Internet connection (VPN).
Click Next.
Fill in the Active Directory credentials (for this test: username demo and password Test12345.)
Click Create.
Click Close.
In the taskbar, click your network icon.
Right-click Demo-ASA and click Properties.
Go to the Security tab.
3.4.2
4
Solution
4.1
Architecture
[Figure: architecture diagram. Labels: VPN connection; 10.4.0.13 (RADIUS); LDAP; 10.4.0.226; Internal network 10.4.0.x]
4.2
Starting from the VPN connection with Windows Active Directory as back-end (chapter 3), we only
need to create a new RADIUS back-end that points at IDENTIKEY Authentication Server and attach
it to the default group (DefaultRAGroup). The ASA then forwards the username and OTP to
IDENTIKEY over RADIUS instead of checking a static password against Active Directory.
4.2.1
Click OK.
Select Demo-IK and add a server by clicking Add in the box below.
Interface: Inside
Server IP Address: 10.4.0.13
Timeout: 10
Authentication Port: 1812
Accounting Port: 1813
Retry Interval: 10 seconds
The server secret key entered here must be identical to the shared secret configured for this
RADIUS client in IDENTIKEY Authentication Server (see 4.3.2). RADIUS protects the exchange only
with MD5 keyed by this secret, so use a long random value and keep the path between the ASA and
IDENTIKEY on the inside network.
Click OK.
Click Apply.
We can test this connection only after the basic setup has been performed on IDENTIKEY
Authentication Server. More detail can be found in 4.3 IDENTIKEY Authentication Server.
Select the server group Demo-IK and the server 10.4.0.13.
Click Test.
Select Authentication.
Enter the username (demo) and the OTP.
Click OK.
If everything was configured correctly, ASDM reports that the authentication test succeeded.
4.2.2
Navigate to Configuration, click Remote Access VPN and open Network (Client) Access.
Click IPsec Connection Profiles.
Select DefaultRAGroup and click Edit. Change the authentication server group from Demo-Backend
to Demo-IK, click OK and then Apply.
4.2.3
Navigate to Configuration, click Remote Access VPN, open Clientless SSL VPN Access and click
Connection Profiles. Select the connection profile created in 3.3.3 and change its
authentication server group to Demo-IK in the same way.
4.3
IDENTIKEY Authentication Server
There are lots of possibilities when using IDENTIKEY Authentication Server. We can authenticate
with:
4.3.1
Policies
In the Policy the behavior of the authentication is defined. It gives all the answers on: I have got
a user and a password, what now?
Policy ID: Test
Inherits From: Base Policy
Inherits means: the new policy has the same behaviour as the policy from which it inherits,
except where the new policy specifies otherwise.
Example:
Setting   Base Policy   New Policy    Behaviour
1         a             (inherited)   New policy will do a
2         b             (inherited)   New policy will do b
3         c             f             New policy will do f
4         d             (inherited)   New policy will do d
5         e             g             New policy will do g
Click Edit.
4.3.2
Client
In Clients we specify the locations (source addresses) from which IDENTIKEY Authentication
Server will accept requests, which protocol they use and, for RADIUS, the shared secret that
must match the one entered on the ASA in 4.2.1.
We are going to add a new RADIUS client for the ASA.
4.3.3
User
4.3.4
DIGIPASS
The purpose of using IDENTIKEY Authentication Server is to be able to log in using One Time
Passwords (OTP). To make OTP login possible we need to assign a DIGIPASS to the user. The
DIGIPASS is the device that generates the OTPs.
Click ASSIGN
Click Next
The grace period is the period during which the user can still log in with his static password
after the DIGIPASS has been assigned, so that he is not locked out before the device reaches
him. The grace period ends as soon as the user logs in with his DIGIPASS for the first time.
Until then the account is protected by the static password alone, so keep the period short.
Click ASSIGN
Click Finish
4.4
4.4.1
Connect to the Demo-ASA VPN and fill in the username (Demo) and the OTP.
You should be connected to the VPN and see the connection in your network connections.
If the connection test from 4.2.1 works but the VPN connection fails with error 691 (Windows
reports that the username or password was not accepted), check in ASDM that you applied the
changes from 4.2.2: if the profile still points at the Active Directory back-end, the OTP is
rejected as a wrong password.
4.4.2
Navigate to https://10.4.0.165 and logon using your username (Demo) and OTP.
5
Challenge/Response
The easiest way to test challenge/response is to use (Back-Up) Virtual DIGIPASS. Virtual
DIGIPASS is a solution where an OTP is sent to your e-mail account or mobile phone after it has
been triggered by a user authentication. The trigger mechanism is configured in the policy (see
5.3.1).
For test purposes a demo DPX file (named Demo_VDP.DPX) containing Virtual DIGIPASS records is
delivered with every IDENTIKEY Authentication Server.
5.1
Architecture
[Figure: challenge/response flow. 1: User ID and trigger; 2: Challenge; 4: OTP received by SMS; MDC]
This solution makes use of an SMS-gateway (for SMS or text messages) or SMTP-server
(for mail). The first step is to configure one of the servers. This is done in the Message
Delivery Component (MDC) configuration. For more information see the IDENTIKEY
Authentication Server manuals.
5.2
5.3
5.3.1
Policy
Click Save.
The request method is the trigger that causes the message to be sent. The trigger can be:
Static password: the user's static password as stored in IDENTIKEY Authentication Server
(different for each individual user)
Keyword: a fixed text (the same for all users)
Because the keyword is shared by everyone, anyone who knows a valid username can trigger an
SMS or mail to that user; the static password ties the trigger to something only the user knows.
5.3.2
User
IDENTIKEY Authentication Server needs to know where to send the mail or SMS, so the delivery
details (mobile phone number or e-mail address) must be added to the user record.
Select a user: Demo
Click User Info
Click Edit
5.4
5.4.1
Step 1:
Log in using your username and the keyword (Demo / IwantOTP).
Step 2:
The ASA reports that the connection was unsuccessful. The Windows VPN client has no way to
display a RADIUS challenge, so this first attempt fails; the trigger has nevertheless caused
IDENTIKEY Authentication Server to send the OTP.
Click Close.
Step 3:
Log in again using your username and the received OTP (SMS).
Step 4:
When configured correctly, you are now connected to the VPN.
5.4.2
Step 1:
Log in using your username and the keyword (Demo / IwantOTP)
Step 2:
You will be asked for your OTP.
Step 3:
Use the received OTP (SMS) to logon.
Step 4:
When configured correctly, you will be redirected to the portal site.
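The RADIUS exchanges behind 4.2.1 (the ASDM connection test), 4.4.1 (login with username and OTP) and 5.4 (keyword trigger, Access-Challenge, OTP), as an added Python example that is not part of this guide nor of VASCO's or Cisco's software. Both ends run in one process: the NAS side does what the ASA does (hides the User-Password as RFC 2865 prescribes and verifies the Response Authenticator of every reply), the server side is a stand-in for IDENTIKEY Authentication Server with a keyword-trigger policy and single-use OTPs. The shared secret, the user Demo, the OTP values and the keyword IwantOTP are constructed for the example; a real IDENTIKEY server takes them from its policy, the DIGIPASS algorithm and the Message Delivery Component.

```python
"""RADIUS (RFC 2865) exchange between a NAS and an OTP server, simulated in-process.
Added example, not VASCO or Cisco code: the NAS side plays the ASA, the server side
stands in for IDENTIKEY Authentication Server. Shared secret, demo user, OTP values
and the "IwantOTP" keyword policy are constructed so the script runs offline."""
import hashlib
import os
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
SHARED_SECRET = b"Demo-RADIUS-secret"  # constructed; must match the ASA server entry and the IDENTIKEY client

def xor_password(data, secret, authenticator, hide=True):
    """RFC 2865 5.2 User-Password hiding: 16-byte blocks XORed with MD5(secret + previous block);
    hide=False reverses it on the server side and strips the NUL padding."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        block = bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hide else chunk)  # chaining always uses the ciphertext block
    return out if hide else out.rstrip(b"\x00")

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))  # (type, value) from type/length/value
        i += data[i + 1]
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])

def signed_reply(code, ident, req_auth, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret): the NAS's only proof of origin."""
    pkt = build_packet(code, ident, req_auth, attrs)
    return pkt[:4] + hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest() + pkt[20:]

class DemoOtpServer:
    """Stand-in for IDENTIKEY: keyword trigger -> Access-Challenge with State, then a single-use OTP check."""
    def __init__(self, secret, keyword, otps):
        self.secret, self.keyword, self.otps = secret, keyword, dict(otps)  # otps: user -> OTP valid right now
        self.pending = {}    # State value -> user who was challenged
        self.delivered = []  # (user, otp) the Message Delivery Component "sent" by SMS or mail
    def handle(self, request):
        code, ident, req_auth, attrs = parse_packet(request)
        a = dict(attrs)
        user = a.get(USER_NAME, b"").decode(errors="replace")
        pwd = xor_password(a.get(USER_PASSWORD, b""), self.secret, req_auth, hide=False).decode(errors="replace")
        state, reply_attrs, ok = a.get(STATE), [], False
        known = code == ACCESS_REQUEST and user in self.otps
        if known and state is not None:            # second leg: State must be the one issued to this user
            ok = self.pending.pop(state, None) == user and self.consume_otp(user, pwd)
        elif known and pwd == self.keyword:        # policy trigger: deliver a fresh OTP, ask the NAS to prompt
            otp, state = f"{secrets.randbelow(10 ** 6):06d}", secrets.token_bytes(8)
            self.otps[user], self.pending[state] = otp, user
            self.delivered.append((user, otp))
            reply_attrs = [(REPLY_MESSAGE, b"Enter the OTP sent to your phone"), (STATE, state)]
        elif known:                                # plain username + OTP (response-only DIGIPASS)
            ok = self.consume_otp(user, pwd)
        rcode = ACCESS_CHALLENGE if reply_attrs else ACCESS_ACCEPT if ok else ACCESS_REJECT
        return signed_reply(rcode, ident, req_auth, reply_attrs, self.secret)
    def consume_otp(self, user, otp):
        """Accept each OTP once only; a replayed or wrong OTP fails."""
        current = self.otps.get(user) or ""
        good = bool(current) and secrets.compare_digest(current.encode(), otp.encode())
        if good:
            self.otps[user] = None
        return good

def nas_authenticate(server, user, password, state=None, ident=7, secret=SHARED_SECRET):
    """One Access-Request as the ASA sends it; returns (reply code, reply attributes)."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, user.encode()), (USER_PASSWORD, xor_password(password.encode(), secret, req_auth))]
    if state is not None:
        attrs.append((STATE, state))  # echo the State from the Access-Challenge unchanged
    reply = server.handle(build_packet(ACCESS_REQUEST, ident, req_auth, attrs))
    code, rid, resp_auth, rattrs = parse_packet(reply)
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    if rid != ident or not secrets.compare_digest(resp_auth, expected):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    return code, dict(rattrs)

def run_demo():
    """Walks the guide's flows; returns the reply code the NAS saw at each step."""
    srv = DemoOtpServer(SHARED_SECRET, "IwantOTP", {"Demo": "482913"})  # constructed: OTP the DIGIPASS shows now
    plain, _ = nas_authenticate(srv, "Demo", "482913")                   # 4.4.1: username + OTP
    replay, _ = nas_authenticate(srv, "Demo", "482913")                  # same OTP again: must be refused
    chal, attrs = nas_authenticate(srv, "Demo", "IwantOTP")              # 5.4 step 1: keyword trigger
    portal, _ = nas_authenticate(srv, "Demo", srv.delivered[-1][1], attrs.get(STATE))  # 5.4.2: OTP + State
    chal2, _ = nas_authenticate(srv, "Demo", "IwantOTP")
    fresh, _ = nas_authenticate(srv, "Demo", srv.delivered[-1][1])      # 5.4.1: new login, OTP without State
    wrong, _ = nas_authenticate(srv, "Demo", "000000")
    return {"plain": plain, "replay": replay, "challenge": chal, "portal": portal,
            "challenge2": chal2, "fresh": fresh, "wrong": wrong}

if __name__ == "__main__":
    print(run_demo())
```

Run it directly to see the reply codes. The replayed OTP and the wrong OTP are refused; the keyword produces an Access-Challenge whose State the NAS echoes back (what the clientless SSL portal does in 5.4.2), while a fresh Access-Request carrying the delivered OTP is also accepted (what the Windows client does in 5.4.1 after its first attempt has failed). The NAS-side check of the Response Authenticator is the part the ASA does for you: a reply built with a different shared secret is rejected before its Access-Accept is believed.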