Qs Cisco Asa5500 v1 2
Qs Cisco Asa5500 v1 2
Qs Cisco Asa5500 v1 2
for
Cisco ASA 5500 Series
with
North America
Fax:
Fax:
For information about obtaining a support contract, see our Support Web page at
http://www.cryptocard.com
Overview
Overview
By default Cisco ASA user authentication requires that a user provide a correct user name and
password to successfully logon. This document describes the steps necessary to augment this logon
mechanism with strong authentication by adding a requirement to provide a one-time password
generated by a CRYPTOCard token by using the instructions below.
Applicability
This integration guide is applicable to:
Security Partner Information
Security Partner
Cisco
Product Name
Cisco ASA 5500 series
ASA Version
8.3
ADSM Version
6.3(1)
Publication History
Date
January 26,
2009
July 9, 2009
Sept 15, 2010
Changes
Document created
Version
1.0
1.1
1.2
Ensure end users can authenticate through the Cisco ASA with a static password before
configuring the Cisco Secure ASA to use RADIUS authentication.
A RADIUS Client has been configured in BlackShield with a shared secret and port number
identical to that being programmed in the Cisco ASA.
Overview
Configuration
Configure Cisco ASA for Two Factor Authentication
Configuring the Cisco ASA consists of 4 steps:
2.
3.
4.
Configuration
2.
3.
4.
After adding the AAA Server to the AAA Server group, you will see it
appear in the AAA Servers in the selected group section.
Configuration
2.
3.
4.
5.
6.
7.
8.
Verify the CRYPTOCard profile is enabled. If required, disable the other Connection Profiles.
Configuration
2.
3.
4.
5.
6.
7.
Configuration
8.
2.
3.
Configuration
4.
5.
6.
7.
8.
Configuration
10
The user enters the Cisco SSL VPN URL into their web browser.
2.
The Cisco SSL VPN login page displays a Username and OTP field as well as a Login and Get GrID
button.
3.
The user enters their username into the Username field then selects Get Grid. The request is
submitted from the users web browser to the BlackShield.
4.
The BlackShield displays the users GrIDsure Grid within the Cisco SSL VPN login page.
5.
The user enters their GrIDsure password into the OTP field then submits the request.
6.
The Cisco ASA device performs a RADIUS authentication request against the BlackShield. If the
CRYPTOCard credentials entered are valid, the user is presented with their Cisco ASA portal
otherwise, the attempt is rejected.
The following steps will enable a hardware and GrIDsure aware logon page.
1.
2.
Copy the ciscogridsure.js file to a temporary folder then open the file
with a text editor.
3.
Configuration
11
5.
6.
7.
8.
Expand Logon page and select Logon Form. In the Password Prompt
section replace Password with OTP.
9.
Configuration
12
10. In Clientless SSL VPN Access, Connection Profiles highlight the GrIDsure
12. In Clientless SSL VPN Access, Group Profiles highlight the GrIDsure
Configuration
13
If the Clientless SSL VPN site is configured to use primary authentication credentials (i.e.
CRYPTOCard only), the CCMPPri.inc and CRYPTOCardScript.js file must be added to Web
Contents then referenced in the custom configuration.
If the Clientless SSL VPN site is configured to use primary and secondary authentication
credentials (i.e. Microsoft and CRYPTOCard credentials), the CCMPPriSec.inc and
CRYPTOCardScript.js file must be added to Web Contents then referenced in the custom
configuration.
Note: All three files (CCMPPri.inc, CCMPPriSec.inc and CRYPTOCardScript.js) may be added to Web
Contents but only one .inc file can be assigned to a WebVPN site.
Perform the following steps to enabled software token detection.
Configuration
14
2.
3.
4.
In Destination select No. For example, use this option to make the content available only to
the portal page.
5.
6.
7.
8.
In Destination select No. For example, use this option to make the content available only to
the portal page.
9.
2.
3.
4.
In Customization Object Name enter CRYPTOCard MP Detection select OK then apply the
settings.
5.
Select the Connection Profile and Group Policy for which the customization will be applied.
6.
Highlight Logon Page then select Replace pre-defined logon page with a custom page (full
customization). In the Custom Page dropdown select /+CSCOU+/CCMPPri.inc or
/+CSCOU+/CCMPPriSec.inc.
Configuration
15
In Clientless SSL VPN Access, Connection Profiles highlight the MP detection enabled profile and
select Edit.
2.
Expand Advanced then select Clientless SSL VPN. Verify Portal Page Customization references
the newly created MP detection enabled portal.
3.
In Clientless SSL VPN Access, Group Profiles highlight the MP detection enabled profile and
select Edit.
4.
Expand More Options then select Customization. Verify Portal Customization references the
newly created MP detection enabled portal.
Open your web browser and proceed to the Clientless SSL VPN site. If this is the first time accessing
the page you will be prompted to install a CRYPTOCard ActiveX Web API.
If a software token exists, the page will detect and display all software tokens otherwise a hardware
login mode will appear.
When primary authentication credential mode is enabled with software tokens the login fields
appear in the following order: Token name, PIN.
When primary and secondary authentication credential mode is enabled with software tokens, the
login fields appear in the following order: token name, PIN, password (Microsoft).
16
17
18
NOTE: If you are on a 64bit Operating System, install the BlackShield ID Software Tools for
AnyConnect. The installer can be found in html, agents, x64 directory within the
BlackShield download package.
Start
All Programs
CRYPTOCard
19
The registry key is called SoftTokenInclusion, and the default value for the key is:
ALL+ALL+1;
ASA.cryptocard.com+CRYPTOCard Henry+1;
20
ALL+ALL+1
Display MPs in first username field and submit
one-time password to first password field.
This is the default setting after installing the
BlackShield ID Cisco AnyConnect, and the
BlackShield ID Software Tools
This option is used if the authentication is going
against the BlackShield ID Professional server.
ALL+ALL+2
Display MPs in second username field and
submit one-time password to second password
field.
This option is used if dual authentication is
required.
(e.g. Microsoft Password [Top], then
CRYPTOCard [Bottom].)
21
ALL+Corporate+1;ALL+CRYPTOCard Henry+2;ALL+CRYPTOCard+3;
22
Troubleshooting
RADIUS Authentication issues
When troubleshooting RADIUS authentication issues refer to the logs on the Cisco ASA device.
All logging information for Internet Authentication Service (IAS) or Network Policy Server (NPS) can
be found in the Event Viewer.
All logging information for the BlackShield IAS\NPS agent can be found in the \Program
Files\CRYPTOCard\BlackShield ID\IAS Agent\log directory.
The following is an explanation of the logging messages that may appear in the event viewer for the
Internet Authentication Service (IAS) or Network Policy Server (NPS) RADIUS Server.
Error Message:
Packet DROPPED: A RADIUS message was received from an invalid RADIUS client.
Solution:
Error Message:
Solution:
This will occur when one or more of the following conditions occur:
The CRYPTOCard password does not match any tokens for that user.
The shared secret entered in Cisco Secure ACS does not match the shared secret
on the RADIUS server
Error Message:
Solution:
This will occur when one or more of the following conditions occur:
The BlackShield Agent for IAS\NPS cannot contact the BlackShield Server.
The BlackShield Agent for IAS\NPS Keyfile does not match the Keyfile stored on
the BlackShield Server.
The CRYPTOCard password does not match any tokens for that user.
Troubleshooting
23
Issue:
Solution:
The GrIDsure enabled Clientless SSL VPN logon page does not appear.
Verify the Clientless SSL VPN Connection and Group profile reference the
customized GrIDsure enabled portal page.
Verify the Information Panel settings are configured exactly as described in Step
9 of the Clientless SSL VPN and GrIDsure authentication section.
The Get GrID button does not display the GrIDsure grid.
The user must have been assigned a GrIDsure token and have completed selfenrolment.
In a web browser enter the gridMakerURL and appended the username after the
equal sign.
Example
https://company.com/blackshieldss/index.aspx?getChallengeImage=true&userName
=bob
A webpage should appear with a GrIDsure grid for the user (ex. Bob).
Verify the client browser can access the URL of the BlackShield self service web
site.
Further Information
For further information, please visit http://www.cryptocard.com
Troubleshooting
24