ActivIdentity® 4TRESS™ AAA Web Tokens and Cisco® ASA (Clientless SSL VPN Access) Integration Handbook
Document Version 1.2 | Released | June 8, 2012
External Use | June 8, 2012 | © 2012 ActivIdentity
1.0 Introduction
The Cisco® Adaptive Security Appliances (ASA) enable remote and mobile employees, customers, and partners to gain secure access to corporate Virtual Private Network resources and applications. Providing secure access via a VPN over existing Internet connections requires strong, two-factor authentication to protect those resources. The ActivIdentity solutions that work with Cisco combine SSL VPN access with versatile, strong authentication that is flexible, scalable, and simple to manage. ActivIdentity offers two solutions:
• ActivIdentity® 4TRESS™ AAA Server for Remote Access—Addresses the security risks associated with a mobile workforce remotely accessing systems and data.
• ActivIdentity 4TRESS™ Authentication Server (AS)—Supports multiple authentication methods for diverse audiences across a variety of service channels (SAML, RADIUS, etc.), including user name and password, mobile and PC soft tokens, one-time passwords, and transparent Web soft tokens.
1.1 Scope of Document
This document explains how to set up ActivIdentity 4TRESS AAA Web soft token authentication with Cisco Adaptive Security Appliances. Use this handbook to enable authentication via a Web soft token for use with an SSL-protected Cisco VPN.
1.2 Prerequisites
• The ActivIdentity 4TRESS AAA Server is at version 6.7, with LDAP users and groups already configured.
• Cisco ASA version 8.x is installed and configured.
• The Web soft token is configured to work with or without a PIN.
• Users have static LDAP passwords for access to the Self Help Desk to enroll Web tokens.
• The Cisco login page has been customized (illustrated in this handbook).
Note: Cisco double authentication (an LDAP password plus a one-time password) is also possible. You can configure the sign-in page so that users enter a static LDAP password instead of the Web soft token PIN.
2.0 Cisco ASA Configuration
This chapter describes how to configure a Cisco ASA. When a user signs in to the Cisco ASA, the ASA forwards the user's credentials to an external authentication server to verify the user's identity. You will create one AAA server group (pointing at the ActivIdentity 4TRESS AAA RADIUS Server) to validate the one-time password generated by the Web soft token.
2.1 Procedure 1: Create New RADIUS Server Instance
When using an external RADIUS server to authenticate Cisco ASA users, you must configure the server to recognize the Cisco ASA as a client and specify a shared secret that the RADIUS server uses to authenticate the client request (the 4TRESS side of this is Procedure 1 in section 3.1).
To configure a connection to the RADIUS server on a Cisco ASA SSL VPN appliance and to define the RADIUS server instance, perform the following steps.
Getting Started
1. In the ASDM console, navigate to Configuration -> Remote Access VPN -> AAA/Local Users, and then click AAA Server Groups.
2. Click Add at the far right of the page. The Add AAA Server Group dialog is displayed.
3. Enter a Server Group name, and then select RADIUS for the Protocol.
4. Click OK.
A backup RADIUS server is added as a second server inside this same group (repeat steps 5 through 8 below for it), not as a second group; the ASA tries the servers in a group in order.
5. In the AAA Server Groups section, select the RADIUS server group you just created.
6. In the Servers in the Selected Group section, click Add next to the Server Name or IP Address line.
7. Enter the appropriate information for your configuration.
• Server Name or IP Address—Specify the name or IP address of the 4TRESS AAA Server.
• Server Authentication Port—Enter the port on which the 4TRESS AAA gate listens for RADIUS authentication requests. The standard RADIUS authentication port is 1812; note that ASDM pre-fills 1645, so change it to match the gate.
• Server Shared Secret—Enter a long, random string. You will enter the same string when configuring the 4TRESS AAA Server gate to recognize the Cisco ASA as a client (section 3.1, step 7).
• Accept the other default settings.
8. Click OK. The RADIUS server is displayed in the Servers in the Selected Group section, as illustrated next. Before changing the connection profile, confirm the shared secret and the gate's IP filter from the ASA CLI with test aaa-server authentication <server-group> host <server-ip> username <user> password <otp>, which sends a real Access-Request and reports whether the server accepted or rejected the request, or did not respond.
2.2 Procedure 2: Configure Connection Profiles
1. From the top menu, select Clientless SSL VPN Access, and then select Connection Profiles from the features menu on the left.
2. In the Access Interfaces section, enable clientless SSL VPN access on the appropriate interface. Select the outside interface.
3. In the Connection Profiles section at the bottom of the page, under the Name column, select DefaultWEBVPNGroup, and then click Edit.
4. Configure the following attributes.
• From the AAA Server Group drop-down list, select RADIUS (the server group created in Procedure 1).
• Select the Use LOCAL if Server Group fails option. Be aware that this fallback lets a user authenticate against the ASA's LOCAL database (a static password, no OTP) whenever the RADIUS group is unreachable; keep that database limited to hardened administrative accounts, or clear the option once the RADIUS server is proven reliable.
• In the DNS section, from the Server Group drop-down list, select DefaultDNS, and then in the Servers box, specify a DNS server. Specify a Domain Name.
• In the Default Group Policy section, from the Group Policy drop-down list, select DftGrpPolicy.
• Select the Enable clientless SSL VPN protocol option.
5. Click OK.
2.3 Procedure 3: Configure Group Policies
1. From the top menu, select Clientless SSL VPN Access, and then select Group Policies from the features menu on the left.
2. Under the Name column, select DftGrpPolicy (System Default), and then click Edit.
Now you will choose the application that you want to publish on the Cisco ASA portal.
3. In the left pane, select Portal, and then on the Bookmark List line, click Manage.
4. Click Add.
5. In the Bookmark List Name box, specify a title for your bookmark list, and then click Add.
6. Specify the URL of the resource that you want to publish on the Cisco ASA, and then click OK.
7. Click OK. The main dialog is displayed again, as illustrated next.
8. Click OK.
2.4 Procedure 4: Configure New Cisco Portal
Whether a PIN is used depends on the custom page deployed. The Web soft token can be hidden in the page; in that case the token must be configured without a PIN, and the user's LDAP password takes the place of the PIN as the knowledge factor. Contact your ActivIdentity technical representative to obtain a sample page and to discuss the following possible combinations of PIN usage:
• Username plus LDAP password plus visible Web soft token with PIN plus OTP generated by the Web soft token.
• Username plus LDAP password plus visible Web soft token without PIN plus OTP generated by the Web soft token.
• Username plus LDAP password plus hidden Web soft token without PIN plus OTP generated by the Web soft token hidden in the page.
• Username plus visible Web soft token with PIN plus OTP generated by the Web soft token.
Your ActivIdentity technical contact will send you images, the token applet, and the login portal page. The portal page will be similar to the following illustration.
FIGURE 1: Sample Cisco ASA Portal
2.5 Procedure 5: Web Contents
1. From the top menu, select Clientless SSL VPN Access, and then select Web Contents from the features menu on the left.
2. Click Import.
3. Import the files obtained in section 2.4 one by one, following the configuration illustrated. Click Browse Local Files to select your first file.
4. Select the first file to import, and then click Import. You are returned to the Import Web Content page.
5. Back on the Import Web Content page, click Import Now.
6. Repeat the import until all the required files are loaded. When you are finished, they are all listed, as illustrated next.
2.6 Procedure 6: Customization
1. From the top menu, select Clientless SSL VPN Access, and then select Customization from the features menu on the left.
2. Click Add.
3. Specify a Customization Object Name, and then click OK.
4. Select your object, and then click Edit.
5. In the Logon page menu, click Full Customization.
6. From the Mode drop-down list, select Enable.
7. From the HTML Content URL drop-down list, select login.inc.
8. In the Logon page menu, click Title Panel.
9. From the Mode drop-down list, select Disable.
10. In the Logon page menu, click Logon Form.
11. Remove all the configuration settings, as illustrated. It is not necessary to remove the colors.
12. Click Save.
2.7 Procedure 7: Assign the New Portal
Task 1: Assign the new custom page object to the Connection Profile DefaultWEBVPNGroup as described in this section.
1. In the left pane of the Remote Access VPN dialog, select Connection Profiles.
2. In the Name column, select the DefaultWEBVPNGroup profile, and then click Edit.
3. In the left pane, under Advanced, select Clientless SSL VPN.
4. From the Login and Logout Page Customization drop-down list, select custom_portal (the customization object created in Procedure 6), and then click OK.
Task 2: Assign the custom page object to the Group Policy DftGrpPolicy as described in this section.
1. In the left pane of the Remote Access VPN dialog, select Group Policies.
2. In the Name column, select DftGrpPolicy, and then click Edit.
3. In the left pane, under More Options, select Customization.
4. From the Portal Customization drop-down list, select custom_portal.
5. Optionally, enter a Homepage URL, and then click OK at the bottom of the page.
3.0 ActivIdentity 4TRESS AAA Configuration
This chapter describes how to configure the ActivIdentity 4TRESS AAA Authentication Server.
3.1 Procedure 1: Configure Cisco Gate
A gate for the ActivIdentity 4TRESS AAA Server is a group of Network Access Servers (NAS) that is used to simplify administration. For configuration details, refer to the ActivIdentity 4TRESS AAA Server technical documentation.
1. In the left pane of the Administration Console, expand the Servers line.
2. Right-click the server to which you want to add a gate, and then click New Gate.
3. Enter a Gate name (any string).
4. Select the RADIUS option, corresponding to the protocol your Cisco ASA uses.
5. Use the Authorized IP addresses and host names section to specify filter(s) for the gate. Restrict the filter to the ASA's own source address (the interface facing the AAA server) so that no other host can submit authentication requests through this gate.
6. Click Add, and then click OK.
7. The ActivIdentity 4TRESS AAA Server and the Cisco ASA use the RADIUS shared secret to authenticate each other's RADIUS packets and to hide the User-Password attribute that carries the one-time password; the rest of the RADIUS traffic is not encrypted by it. Click Shared Secret, and then enter the same string you configured on the ASA in section 2.1, step 7. Use a long, random value, and a different secret for each gate.
8. Click OK.
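The following Python script is an added example, not code from ActivIdentity or Cisco. It models the exchange that Procedure 1 in section 2.1 (ASA side) and this procedure (gate side) configure between the ASA and the 4TRESS AAA Server: the ASA, acting as the RADIUS client (NAS), hides the Web soft token OTP in the User-Password attribute using the shared secret and a random Request Authenticator; the gate recovers the OTP and answers with an Access-Accept or Access-Reject whose Response Authenticator is an MD5 digest over the reply and the secret; and the client accepts the reply only if that digest checks out. The secret, user name, OTP value and NAS identifier are constructed for the demonstration, and the in-memory handle_access_request function stands in for the 4TRESS gate, checking the OTP against a constructed table rather than a real token engine. It also shows what a mismatched secret does: the gate recovers garbage instead of the OTP, and the reply fails validation on the NAS.

```python
"""Added example: an RFC 2865 RADIUS Access-Request / Access-Accept exchange
between an ASA-style NAS and a stand-in for the 4TRESS AAA gate.
Not ActivIdentity or Cisco code; names and values below are constructed."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32   # attribute types


def encode_attrs(pairs):
    """Attribute = Type(1) Length(1, includes the 2-byte header) Value."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in pairs)


def decode_attrs(blob):
    out, i = [], 0
    while i + 2 <= len(blob):
        t, length = blob[i], blob[i + 1]
        if length < 2:
            break   # malformed attribute; stop rather than loop forever
        out.append((t, blob[i + 2:i + length]))
        i += length
    return out


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    p = password.encode()
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(p), 16):
        ks = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(p[i:i + 16], ks))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; the chain is keyed by the hidden blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        ks = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], ks))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode("utf-8", errors="replace")


def build_access_request(username, otp, secret, ident, nas_id=b"asa-vpn"):
    """NAS side: the OTP shown by the Web soft token travels as User-Password."""
    request_auth = os.urandom(16)          # fresh per request; never reused
    attrs = encode_attrs([(USER_NAME, username.encode()),
                          (USER_PASSWORD, hide_password(otp, secret, request_auth)),
                          (NAS_IDENTIFIER, nas_id)])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def handle_access_request(pkt, secret, check_otp):
    """Stand-in for the 4TRESS gate: recover the OTP and sign the verdict.
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    _, ident, length = struct.unpack("!BBH", pkt[:4])
    request_auth, fields = pkt[4:20], dict(decode_attrs(pkt[20:length]))
    user = fields.get(USER_NAME, b"").decode("utf-8", errors="replace")
    otp = reveal_password(fields.get(USER_PASSWORD, b""), secret, request_auth)
    code = ACCESS_ACCEPT if check_otp(user, otp) else ACCESS_REJECT
    head = struct.pack("!BBH", code, ident, 20)   # no reply attributes
    return head + hashlib.md5(head + request_auth + secret).digest()


def verify_response(req, resp, secret):
    """NAS side: return the reply code only if the ID and the Response
    Authenticator match our request and our copy of the secret, else None."""
    if len(resp) < 20 or resp[1] != req[1]:
        return None
    code, _, length = struct.unpack("!BBH", resp[:4])
    expected = hashlib.md5(resp[:4] + req[4:20] + resp[20:length] + secret).digest()
    return code if expected == resp[4:20] else None


def run_exchange(username, otp, nas_secret, gate_secret):
    """One full round trip; a constructed OTP table stands in for the token engine."""
    current_otps = {"jdoe": "482913"}      # constructed: what jdoe's token shows now
    req = build_access_request(username, otp, nas_secret, ident=7)
    resp = handle_access_request(req, gate_secret,
                                 lambda u, o: current_otps.get(u) == o)
    return verify_response(req, resp, nas_secret)


if __name__ == "__main__":
    secret = b"a-long-random-shared-secret"   # assumption: same value on ASA and gate
    print("good OTP   ->", run_exchange("jdoe", "482913", secret, secret))
    print("bad OTP    ->", run_exchange("jdoe", "000000", secret, secret))
    print("bad secret ->", run_exchange("jdoe", "482913", secret, b"typo"))
```

Run it with python3 to see the three outcomes (2 for Access-Accept, 3 for Access-Reject, None when the secrets differ). To exercise a real gate, send the bytes from build_access_request over UDP to the gate's authentication port and pass the reply to verify_response, which is the same check the ASA's test aaa-server command performs. Note that User-Password hiding is an XOR with an MD5-derived keystream and that the rest of the packet travels in clear, which is why a long random secret and a tight Authorized IP filter on the gate matter more than the word "encrypt" suggests.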
3.2 Procedure 2: Assigning Group(s) to the Cisco Gate
Note: Remember that you must have user groups created and the corresponding LDAP configured. For details, refer to the ActivIdentity 4TRESS AAA Administration Guide.
1. To assign groups to the Cisco Gate, in the left pane of the Administration Console, select the group that you want to assign to the gate (for example, All Users).
2. Use the Group / Gate Assignments section of the page displayed to the right to specify the gate(s) that the group's users can use to access a protected resource.
3. Click Add.
4. Select the Gate, the AZ profile, and the AC profile.
5. Click OK.
4.0 Configure for Soft Token Activation
4.1 Procedure 1: Enable Soft Token Activation
1. Launch the ActivIdentity 4TRESS AAA Server Administration Console and log in.
2. In the left pane of the Administration Console, expand Groups, and then select your soft token users group (for example, Groups -> All Users).
3. Select the Allow Soft Token activation option for that group.
4. Click Save (not illustrated), and then export the changes to the AAA Server(s).
4.2 Procedure 2: Configure Soft Token Activation Portal
1. Launch the AAA Web Help Desk portal.
2. For Login type, select the static option.
3. Enter your Login and Password, and then click Login.
4. Select the Configuration tab. The first half of the tab is explained next.
• Initial PIN—Set the PIN.
• In the User Search method policy section, select By Groups or queries.
• In the Device Management section, set the following options and parameters.
  • To activate the device assignment and unassignment functions of the Web Help Desk, select the Enable device assignment functions option.
  • Select the Show initial PIN… option.
  • To allow the same token to be assigned to more than one user, select the Allow assign already assigned tokens option.
  • To assign soft tokens, enter the Engine Soft Token init String for each type of soft token required.
  • Enter a string in the Engine Web Token init String field.
Note: For more information about the init strings, refer to the ActivIdentity 4TRESS AAA Server Soft Token Solution Guide.
• For Max number of soft tokens per user, set the maximum number of soft tokens that each user can be assigned.
The Soft Token application PIN enforcement policy takes one of two values: PIN = 1 (PIN enforced) or PIN = 0 (no PIN). If you do not want to use PINs, set PIN = 0.
Note: Depending on the activation code, a soft token forces the PIN. For details on PIN usage, see section 2.4 Procedure 4: Configure New Cisco Portal.
The second half of the Configuration tab is explained next.
5. It is important to select an authentication policy (LDAP password at a minimum). Select one or more. By default, none are selected.
6. In the Selfdesk portal self binding policy section, select the following options:
• To activate device self assignment functions, select Enable initial self binding.
• To activate additional device self assignment functions, select Enable self binding on additional device. For this setting to work, the LDAP attribute mapped to the device serial numbers must be able to store multiple values.
7. When you are finished, click Add.
5.0 Sample Authentication Using Web Soft Token Authentication
5.1 Prerequisite: User Enrolls Web Token and Computer
1. The user launches the Self Help Desk to enroll a Web soft token and computer.
2. When prompted, the user selects the LDAP password option, and then enters a username.
3. The user clicks Activate an additional device.
4. The user clicks Web Token.
5. The user enters and confirms a PIN, and then enters a Description (the user has to enter the PIN only if the system is configured to ask for it). A confirmation is displayed.
Now the user can use the Web soft token to access the Cisco ASA.
5.2 Notes About Authenticating with a Web Soft Token Launched in the Sign-In Page
• You must have customized the sign-in page to launch the Web soft token as an HTML page. To receive a sample page, contact your ActivIdentity technical representative.
• You can configure a Web soft token to be used with a PIN or without a PIN.
• You can configure the LDAP password either to replace the PIN or to complement it (depending on the Cisco configuration).
• A user must have activated a Web soft token on his or her computer.
For details on how authenticating with a Web soft token works, refer to the ActivIdentity 4TRESS AAA documentation.
Americas +1 510.574.0100
US Federal +1 571.522.1000
Europe +33 (0) 1.42.04.84.00
Asia Pacific +61 (0) 2.6208.4888
Web www.actividentity.com
Legal Disclaimer
ActivIdentity, the ActivIdentity (logo), and/or other ActivIdentity products or marks referenced herein are either registered trademarks or trademarks of HID Global Corporation in the United States and/or other countries. The absence of a mark, product, service name or logo from this list does not constitute a waiver of the trademark or other intellectual property rights concerning that name or logo. Cisco and the Cisco logo are registered trademarks of Cisco, Inc. in the United States and other countries. The names of other third-party companies, trademarks, trade names, service marks, images and/or products that happen to be mentioned herein are trademarks of their respective owners. Any rights not expressly granted herein are reserved.
Table of Contents
- 1.0 Introduction
- 1.1 Scope of Document
- 1.2 Prerequisites
- 2.0 Cisco ASA Configuration
- 2.1 Procedure 1: Create New RADIUS Server Instance
- 2.2 Procedure 2: Configure Connection Profiles
- 2.3 Procedure 3: Configure Group Policies
- 2.4 Procedure 4: Configure New Cisco Portal
- 2.5 Procedure 5: Web Contents
- 2.6 Procedure 6: Customization
- 2.7 Procedure 7: Assign the New Portal
- 3.0 ActivIdentity 4TRESS AAA Configuration
- 3.1 Procedure 1: Configure Cisco Gate
- 3.2 Procedure 2: Assigning Group(s) to the Cisco Gate
- 4.0 Configure for Soft Token Activation
- 4.1 Procedure 1: Enable Soft Token Activation
- 4.2 Procedure 2: Configure Soft Token Activation Portal
- 5.0 Sample Authentication Using Web Soft Token Authentication
- 5.1 Prerequisite: User Enrolls Web Token and Computer
- 5.2 Notes About Authenticating with a Web Soft Token Launched in the Sign-In Page