
Implementation Guide for protecting Cisco ASA 5500 Series (ASDM v6.1) with BlackShield ID

Copyright 2008 CRYPTOCard Inc. www.cryptocard.com


Copyright

Copyright 2008, CRYPTOCard All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of CRYPTOCard.
Trademarks

BlackShield ID, BlackShield ID SBE and BlackShield ID Pro are either registered trademarks or trademarks of CRYPTOCard Inc. All other trademarks and registered trademarks are the property of their owners.
Additional Information, Assistance, or Comments

CRYPTOCard's technical support specialists can provide assistance when planning and implementing CRYPTOCard in your network. In addition to aiding in the selection of the appropriate authentication products, CRYPTOCard can suggest deployment procedures that provide a smooth, simple transition from existing access control systems and a satisfying experience for network users. We can also help you leverage your existing network equipment and systems to maximize your return on investment. CRYPTOCard works closely with channel partners to offer worldwide Technical Support services. If you purchased this product through a CRYPTOCard channel partner, please contact your partner directly for support needs. To contact CRYPTOCard directly:

International Voice: +1-613-599-2441
North America Toll Free: 1-800-307-7042
support@cryptocard.com

For information about obtaining a support contract, see our Support Web page at http://www.cryptocard.com.
Related Documentation

Refer to the Support & Downloads section of the CRYPTOCard website for additional documentation and interoperability guides: http://www.cryptocard.com.

BlackShield ID Implementation guide for Cisco ASA (ASDM v6.1)

Publication History

Date: January 9, 2009
Changes: Heterogeneous formatting completed - Version 1.0 created.


Table of Contents

Overview
Applicability
Preparation and Prerequisites
Configuration
    Configure Cisco ASA Web VPN for Two Factor Authentication
    Define a RADIUS enabled AAA Server group
    Assigning a RADIUS AAA Server to the AAA Server group
    Assigning CRYPTOCard Authentication to a Clientless SSL VPN Connection Profile
    Assigning CRYPTOCard Authentication to an IPSec VPN Connection Profile
Troubleshooting
Further Information


Overview
By default, Cisco ASA user authentication requires a user to provide a correct user name and password to log on. This document describes the steps necessary to augment this logon mechanism with strong authentication by adding the requirement to provide a one-time password generated by a CRYPTOCard token.

Applicability
This integration guide is applicable to:

Security Partner Information
Security Partner: Cisco
Product Name and Version: Cisco ASA 5500 series with ASDM v6.1
Protection Category: Remote Access

CRYPTOCard Server
Authentication Server: BlackShield ID
Version: Small Business Edition 1.2+, Professional Edition 2.3+

Preparation and Prerequisites


1. Ensure end users can authenticate through the Cisco ASA with a static password before configuring the Cisco ASA to use RADIUS authentication.
2. A BlackShield Pro server installed, with a user account that has a CRYPTOCard token assigned.
3. The BlackShield Agent for Internet Authentication Service (IAS) or Network Policy Server (NPS) installed.
4. The Cisco ASA must be configured as a RADIUS client in Internet Authentication Service (IAS) or Network Policy Server (NPS).


Configuration
Configure Cisco ASA Web VPN for Two Factor Authentication
Configuring the Cisco ASA consists of 4 steps:
Step 1: Define a RADIUS enabled AAA Server group.
Step 2: Assign a RADIUS AAA Server to the AAA Server group.
Step 3: Assign RADIUS Authentication to a Clientless SSL VPN Connection Profile.
Step 4: Assign RADIUS Authentication to an IPSec VPN Connection Profile.

Define a RADIUS enabled AAA Server group


1. In the Cisco ASDM client select Configuration.
2. Select Remote Access VPN.
3. Under Remote Access VPN expand AAA/Local Users then select AAA Server Group.
4. Select Add in the AAA Server Group section. Enter the Server Group name and RADIUS as the Protocol.

Assigning a RADIUS AAA Server to the AAA Server group


1. Under Remote Access VPN expand AAA/Local Users, AAA Server Group then on the right highlight the CRYPTOCard Group.
2. In the Servers in the Selected Group section select Add.
3. Enter the following information:
   o Choose the interface.
   o IP address of the BlackShield ID Pro enabled IAS/NPS agent.
   o RADIUS authentication port (1812).
   o RADIUS accounting port (1813).
   o Server Secret Key (Shared Secret).
4. After adding the AAA Server to the AAA Server group, you will see it appear in the AAA Servers in the selected group section.

Assigning CRYPTOCard Authentication to a Clientless SSL VPN Connection Profile


The Clientless SSL VPN Connection Profiles include the type of authentication method used during the negotiation of a VPN connection. To allow CRYPTOCard authentication a RADIUS enabled profile must be created.

1. In the Cisco ASDM client select Configuration, Remote Access VPN.
2. Expand Clientless SSL VPN Access and highlight Connection Profiles.
3. In Connection Profiles select Add.
4. Enter a name for the profile.
5. Under Authentication select AAA.
6. In the AAA Server Group dropdown select CRYPTOCard.
7. Complete the additional entries with the settings required by your organization.
8. Verify the CRYPTOCard profile is enabled. If required, disable the other Connection Profiles.

Assigning CRYPTOCard Authentication to an IPSec VPN Connection Profile


The IPSec VPN Connection Profiles include the type of authentication method used during the negotiation of a VPN connection. To allow CRYPTOCard authentication a RADIUS enabled profile must be created.

1. In the Cisco ASDM client select Configuration, Remote Access VPN.
2. Expand Network (Client) Access and highlight Connection Profiles.
3. In Connection Profiles select Add.
4. Enter a name for the profile.
5. Under Authentication select AAA.
6. In the AAA Server Group dropdown select CRYPTOCard.
7. Complete the additional entries with the settings required by your organization.
8. Verify the CRYPTOCard profile is enabled. If required, disable the other Connection Profiles.
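The four ASDM procedures above, expressed as the equivalent ASA command-line configuration; this is an added example, not configuration from the original guide or from CRYPTOCard. The interface name (inside), the IAS/NPS agent address 10.0.0.5, the profile names, the user name and the secrets are placeholders to replace with your own values.

```cisco
! Step 1: RADIUS-enabled AAA server group (group name is a placeholder)
aaa-server CRYPTOCard protocol radius
!
! Step 2: the BlackShield ID enabled IAS/NPS agent as a host in that group.
! The ASA defaults to the legacy ports 1645/1646, so the ports the guide
! specifies (1812/1813) must be set explicitly.
aaa-server CRYPTOCard (inside) host 10.0.0.5
 key REPLACE-WITH-SHARED-SECRET
 authentication-port 1812
 accounting-port 1813
!
! Step 3: clientless SSL VPN connection profile that authenticates
! through the CRYPTOCard group (profile name is a placeholder)
tunnel-group CRYPTOCard-SSL type remote-access
tunnel-group CRYPTOCard-SSL general-attributes
 authentication-server-group CRYPTOCard
tunnel-group CRYPTOCard-SSL webvpn-attributes
 group-alias CRYPTOCard enable
webvpn
 enable outside
 tunnel-group-list enable
!
! Step 4: IPSec remote-access connection profile using the same group
tunnel-group CRYPTOCard-IPSec type remote-access
tunnel-group CRYPTOCard-IPSec general-attributes
 authentication-server-group CRYPTOCard
tunnel-group CRYPTOCard-IPSec ipsec-attributes
 pre-shared-key REPLACE-WITH-GROUP-PSK
!
! Check before exposing the profiles to users: send one test Access-Request
! from the ASA to the agent with a token one-time password (placeholder user).
! A reject or timeout here maps to the IAS/NPS messages under Troubleshooting.
test aaa-server authentication CRYPTOCard host 10.0.0.5 username alice password 123456
```

The address the ASA sources these requests from (here the inside interface) must be the one registered as a RADIUS client on IAS/NPS, otherwise the server drops the packet rather than answering it.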


Troubleshooting
When troubleshooting RADIUS authentication issues refer to the logs on the Cisco ASA device. All logging information for Internet Authentication Service (IAS) or Network Policy Server (NPS) can be found in the Event Viewer. All logging information for the BlackShield IAS\NPS agent can be found in the \Program Files\CRYPTOCard\BlackShield ID\IAS Agent\log directory. The following is an explanation of the logging messages that may appear in the event viewer for the Internet Authentication Service (IAS) or Network Policy Server (NPS) RADIUS Server.

Error Message: Packet DROPPED: A RADIUS message was received from an invalid RADIUS client.
Solution: Verify a RADIUS client entry exists on the RADIUS server for the Cisco ASA.

Error Message: Authentication Rejected: Unspecified
Solution: This will occur when one or more of the following conditions occur:
   o The username does not correspond to a user on the BlackShield Server.
   o The CRYPTOCard password does not match any tokens for that user.
   o The shared secret entered on the Cisco ASA does not match the shared secret on the RADIUS server.

Error Message: Authentication Rejected: The request was rejected by a third-party extension DLL file.
Solution: This will occur when one or more of the following conditions occur:
   o The BlackShield Agent for IAS\NPS cannot contact the BlackShield Server.
   o The Pre-Authentication Rules on the BlackShield server do not allow incoming requests from the BlackShield Agent for IAS\NPS.
   o The BlackShield Agent for IAS\NPS Keyfile does not match the Keyfile stored on the BlackShield Server.
   o The username does not correspond to a user on the BlackShield Server.
   o The CRYPTOCard password does not match any tokens for that user.

Further Information
For further information, please visit http://www.cryptocard.com
