Partner Information

Product Information

Partner Name: Cisco Systems, Inc.
Web Site: www.cisco.com
Product Name: ASA 5500 Series Adaptive Security Appliance
Version & Platform: 8.4
Product Description: Cisco ASA 5500 Series adaptive security appliances are purpose-built solutions that combine best-of-breed security and VPN services with the innovative Cisco Adaptive Identification and Mitigation (AIM) architecture. Designed as a key component of the Cisco Self-Defending Network, the Cisco ASA 5500 Series provides proactive threat defense that stops attacks before they spread through the network, controls network activity and application traffic, and delivers flexible VPN connectivity. The result is a powerful multifunction network security appliance family that provides the security breadth and depth for protecting small and medium-sized business and enterprise networks while reducing the overall deployment and operations costs and complexities associated with providing this new level of security.
Solution Summary
The ASA 5500 Series Adaptive Security Appliances support RSA SecurID Authentication through the use of AAA Server Groups. AAA Server Groups can be configured to communicate with the RSA Authentication Manager server via either RADIUS or the native RSA SecurID protocol. Services able to use RSA SecurID-configured AAA Server Groups include IPsec VPN, SSL VPN, Firewall AAA Rules and ASDM access.

RSA SecurID supported features (Cisco ASA 5500 Series Adaptive Security Appliance 8.4):

RSA SecurID Authentication via Native RSA SecurID Protocol: Yes
RSA SecurID Authentication via RADIUS Protocol: Yes
On-Demand Authentication via Native SecurID Protocol: Yes
On-Demand Authentication via RADIUS Protocol: Yes
RSA Authentication Manager Replica Support: Yes
Secondary RADIUS Server Support: Yes
RSA SecurID Software Token Automation: Yes
RSA SecurID SD800 Token Automation: Yes
RSA SecurID Protection of Administrative Interface: Yes
Set the Agent Type to Standard Agent when adding the Authentication Agent. This setting is used by the RSA Authentication Manager to determine how communication with Cisco ASA 5500 Series Adaptive Security Appliance will occur. A RADIUS client that corresponds to the Authentication Agent must be created in the RSA Authentication Manager in order for Cisco ASA 5500 Series Adaptive Security Appliance to communicate with RSA Authentication Manager. RADIUS clients are managed using the RSA Security Console. The following information is required to create a RADIUS client:
- Hostname
- IP Addresses for network interfaces
- RADIUS Secret

Note: Hostnames within the RSA Authentication Manager / RSA SecurID Appliance must resolve to valid IP addresses on the local network.
Please refer to the appropriate RSA documentation for additional information about creating, modifying and managing Authentication Agents and RADIUS clients.
Note: The appendix of this document contains more detailed information regarding these files.
Overview
Configure AAA Server Groups
Server Group for Native RSA SecurID Authentication
Create an AAA Server Group for implementing RSA SecurID Authentication via Native RSA SecurID protocol.
Firewall
Configure a firewall AAA rule to challenge users accessing protected network services with RSA SecurID Authentication.
ASDM
Configure RSA SecurID Authentication for Administrative Access to ASDM
2. Enter Server Group name, select SDI from the Protocol drop-down menu and click OK.
3. Select the AAA Server Group and click Add to add a server to the group.
4. Select the appropriate interface from the Interface Name drop-down menu, enter the Server Name or IP Address of the primary RSA Authentication Manager server and click OK.

Important: The Cisco ASA 5500 will learn about any RSA Authentication Manager replica servers, and prioritize them at the time of the first authentication. This SDI server list is in memory, and lost when the ASA is shut down. If the primary RSA Authentication Manager server is not available for authentication after the system boots, the ASA will not have knowledge of the RSA Authentication Manager replica servers.

5. Click Apply to complete the configuration.
2. Enter Server Group name, select RADIUS from the Protocol drop-down menu and click OK.
3. Select the AAA Server Group and click Add to add a server to the group.
4. Select the appropriate interface from the Interface Name drop-down menu, enter the Server Name or IP Address of the RSA Authentication Manager server, enter the Server Secret Key and click Message Table under SDI Messages.
5. Set the Message Text in the Message table as shown in the following image and click OK.

Note: Repeat steps 3-5 to add RSA Authentication Manager replica servers.

6. Click Apply to complete the configuration.
2. Enter the Name, Starting IP Address, Ending IP Address and Subnet Mask for your IP Pool and click OK.
3. Browse to Configuration > Remote Access VPN > Network (Client) Access > IPsec(IKEV1) Connection Profiles and mark the Allow Access checkboxes for the interfaces on which you are enabling IPsec access.
4. Browse to Configuration > Remote Access VPN > Network (Client) Access > IPsec(IKEV1) Connection Profiles and click Add under Connection Profiles.
5. Choose a Name, Pre-shared Key, User Authentication Server Group, Client Access Pool and Group Policy for this connection profile. Click OK.
6.
2. Enter the Name, Starting IP Address, Ending IP Address and Subnet Mask for your IP Pool and click OK.
3. Browse to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles. Mark the checkboxes for the following items:
   - Interface(s) on which you are enabling the AnyConnect VPN Client
   - Allow user to select connection profile
   - Enable Cisco AnyConnect VPN Client access to the interfaces selected in the table below
4.
5.
6. Browse to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles and click Add under Connection Profiles.
7. Enter Name, Alias, AAA Server Group, Client Address Pool, DNS Servers and click Manage next to Group Policy.
8.
9.
10. Select the Group Policy created in the previous step and click OK.
11. If enabling SecurID Authentication via RADIUS, browse to Advanced > Group Alias/Group URL, mark the checkbox next to Enable the display of SecurID messages on the login screen and click OK.
2. Browse to Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles and click Add under Connection Profiles.
3. Choose a Name, Alias, AAA Server Group, Group Policy and then browse to Advanced > Clientless SSL VPN.
4. Mark the checkbox for Enable the display of SecurID messages on the login screen and click OK.
5.
2.
3.
Important: Although the ASA can be configured to require authentication for network access to any protocol or service, users can authenticate directly with HTTP, HTTPS, Telnet, or FTP only. A user must first authenticate with one of these services before the ASA allows other traffic requiring authentication. Telnet is the only service in which new PIN and Next Tokencode functions are supported.
3.
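The ASDM steps in this guide have ASA CLI equivalents. The following is an added example (not from the guide, Cisco or RSA) covering the native SDI server group, the RADIUS server group with a replica, SecurID protection of ASDM and SSH, and a firewall AAA rule for Telnet; group names, the interface name, addresses and the shared secret are placeholders.

```cisco
! Added example, not from the guide: placeholder names and addresses throughout.

! Native RSA SecurID (SDI) server group: only the primary Authentication Manager
! is entered. Replicas are learned at the first authentication and held in
! memory, so they are lost on reboot (see the Important note above).
aaa-server RSA-SDI protocol sdi
aaa-server RSA-SDI (inside) host 10.10.10.2

! RADIUS server group: primary and one replica entered explicitly, each with the
! shared secret configured for its RADIUS client in the RSA Security Console.
aaa-server RSA-RADIUS protocol radius
aaa-server RSA-RADIUS (inside) host 10.10.10.2
 key REPLACE-WITH-RADIUS-SECRET
aaa-server RSA-RADIUS (inside) host 10.10.10.3
 key REPLACE-WITH-RADIUS-SECRET

! SecurID protection of the administrative interfaces (ASDM over HTTPS, SSH).
! LOCAL is kept as a fallback so an unreachable Authentication Manager does not
! lock administrators out of the appliance.
aaa authentication http console RSA-SDI LOCAL
aaa authentication ssh console RSA-SDI LOCAL

! Firewall AAA rule: challenge Telnet sessions entering "inside" with SecurID.
! Telnet is the only service where New PIN and Next Tokencode are supported.
access-list AUTH-TELNET extended permit tcp any any eq telnet
aaa authentication match AUTH-TELNET inside RSA-SDI

! Verification: view the in-memory SDI server list and run a test authentication.
show aaa-server RSA-SDI
test aaa-server authentication RSA-SDI host 10.10.10.2 username jdoe password REPLACE-WITH-PASSCODE
```

After a reboot, re-run show aaa-server RSA-SDI before relying on replica failover, since the learned replica list is only repopulated by a successful authentication against the primary.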
Screens (ASDM)
Login screen:
Next Tokencode:
Certification checklist (RADIUS Protocol)
Operating System: Windows Server 2003, Windows Server 2008, Windows Server 2008 Proprietary, Windows Server 2008
Tests: Force Authentication After New PIN; System Generated PIN; User Defined (4-8 Alphanumeric); User Defined (5-7 Numeric); Deny 4 and 8 Digit PIN; Deny Alphanumeric PIN; Deny Numeric PIN; Deny PIN Reuse; 16 Digit Passcode; 4 Digit Fixed Passcode; Next Tokencode Mode; On-Demand Authentication; On-Demand New PIN; Failover; No RSA Authentication Manager
Legend: Pass / Fail / N/A = Not Applicable to Integration
[Pass/Fail marks for each test were not recoverable from this copy.]

RSA SecurID 800 Token Automation Functionality (columns: RSA Native Protocol, RADIUS Protocol)
Rows: PINless Mode; 16-Digit Passcode; New PIN Mode; Next Tokencode Mode
PEW
Rows: PINless Mode; 16-Digit Passcode; New PIN Mode; Next Tokencode Mode
Legend: Pass / Fail / N/A = Not Applicable to Integration
[Pass/Fail marks for each row were not recoverable from this copy.]
Certification checklist (RADIUS Protocol)
Operating System: Windows Server 2003, Proprietary, Android 4.0.2
Tests: Force Authentication After New PIN; System Generated PIN; User Defined (4-8 Alphanumeric); User Defined (5-7 Numeric); Deny 4 and 8 Digit PIN; Deny Alphanumeric PIN; Deny Numeric PIN; Deny PIN Reuse; 16 Digit Passcode; 4 Digit Fixed Passcode; Next Tokencode Mode; On-Demand Authentication; On-Demand New PIN; Failover; No RSA Authentication Manager
Legend: Pass / Fail / N/A = Not Applicable to Integration
[Pass/Fail marks for each test were not recoverable from this copy.]
Certification checklist (RADIUS Protocol)
Operating System: Windows Server 2003, Proprietary
Tests: Force Authentication After New PIN; System Generated PIN; User Defined (4-8 Alphanumeric); User Defined (5-7 Numeric); Deny 4 and 8 Digit PIN; Deny Alphanumeric PIN; Deny Numeric PIN; Deny PIN Reuse; 16 Digit Passcode; 4 Digit Fixed Passcode; Next Tokencode Mode; On-Demand Authentication; On-Demand New PIN; Failover; No RSA Authentication Manager
Legend: Pass / Fail / N/A = Not Applicable to Integration
[Pass/Fail marks for each test were not recoverable from this copy.]
Certification checklist (RADIUS Protocol)
Operating System: Windows Server 2003, Proprietary, Windows XP Professional
Tests: Force Authentication After New PIN; System Generated PIN; User Defined (4-8 Alphanumeric); User Defined (5-7 Numeric); Deny 4 and 8 Digit PIN; Deny Alphanumeric PIN; Deny Numeric PIN; Deny PIN Reuse; 16 Digit Passcode; 4 Digit Fixed Passcode; Next Tokencode Mode; On-Demand Authentication; On-Demand New PIN; Failover; No RSA Authentication Manager
Legend: Pass / Fail / N/A = Not Applicable to Integration
[Pass/Fail marks for each test were not recoverable from this copy.]
Known Issues

Firewall AAA rule
Although you can configure the ASA to require authentication for network access to any protocol or service, users can authenticate directly with HTTP, HTTPS, Telnet, or FTP only. A user must first authenticate with one of these services before the ASA allows other traffic requiring authentication. Telnet is the only service in which new PIN and Next Tokencode functions are supported.

Potential Replica issue when using Native SecurID Authentication
The Cisco ASA 5500 will learn about any RSA Authentication Manager replica servers, and prioritize them at the time of the first authentication. This SDI server list is stored in memory, and lost when the ASA is shut down. If the primary RSA Authentication Manager server is not available for authentication after the system boots, the ASA will not have knowledge of the RSA Authentication Manager replica servers.

RSA SecurID Protection of ASDM
SecurID Authentication for ASDM functions for the versions certified in this guide. During testing, incompatibility was discovered with different combinations of ASA and ASDM. ASA 8.3(1) and ASA 8.2(1) with ASDM 6.3(1) did not integrate with SecurID using native SDI or RADIUS protocols.
Appendix
Partner Integration Details
RSA SecurID API: Custom Build
RSA Authentication Agent Type: Standard Agent
RSA SecurID User Specification: Designated Users
Display RSA Server Info: No
Perform Test Authentication: Yes
Agent Tracing: Yes
API Details:
Cisco ASA 5500 implements a modified version of the RSA Authentication API. Important modifications include:
- sdconf.rec not utilized
- sdopts.rec not utilized
- server list stored in memory rather than on the file system
Node Secret:
The Node Secret file is stored in flash memory on the Cisco ASA. The node secret file is named after the hexadecimal value of the Authentication Manager server IP address with .sdi appended (e.g., 10-10-10-2.sdi). Delete this file to remove the node secret.
sdconf.rec:
Not implemented.
sdopts.rec:
Not implemented.
sdstatus.12:
Not implemented. The SDI Server List can be viewed by entering the following command from the console:
# show aaa-server
Agent Tracing:
Agent Tracing info can be enabled by entering the following command from the console:
# debug sdi