Cisco Systems, Inc.: Rsa Securid Ready Implementation Guide

Cisco Systems, Inc.
ASA 5500 Series Adaptive Security Appliance
RSA SecurID Ready Implementation Guide

Last Modified: April 13, 2012
Partner Information
Product Information
Partner Name Web Site Product Name Version & Platform Product Description Cisco Systems, Inc. www.cisco.com ASA 5500 Series Adaptive Security Appliance 8.4 Cisco ASA 5500 Series adaptive security appliances are purpose-built solutions that combine best-of-breed security and VPN services with the innovative Cisco Adaptive Identification and Mitigation (AIM) architecture. Designed as a key component of the Cisco Self-Defending Network, the Cisco ASA 5500 Series provides proactive threat defense that stops attacks before they spread through the network, controls network activity and application traffic, and delivers flexible VPN connectivity. The result is a powerful multifunction network security appliance family that provides the security breadth and depth for protecting small and medium-sized business and enterprise networks while reducing the overall deployment and operations costs and complexities associated with providing this new level of security.
Cisco Systems, Inc.

Solution Summary
The ASA 5500 Series Adaptive Security Appliances supports RSA SecurID Authentication through the use of AAA Server Groups. AAA Server Groups can be configured to communicate with RSA Authentication Manager server via either RADIUS or native RSA SecurID protocol. Services able to implement RSA SecurID-configured AAA Server Groups include: IPsec VPN, SSL VPN, Firewall AAA Rules and ASDM access. RSA SecurID supported features Cisco ASA 5500 Series Adaptive Security Appliance 8.4
RSA SecurID Authentication via Native RSA SecurID Protocol RSA SecurID Authentication via RADIUS Protocol On-Demand Authentication via Native SecurID Protocol On-Demand Authentication via RADIUS Protocol RSA Authentication Manager Replica Support Secondary RADIUS Server Support RSA SecurID Software Token Automation RSA SecurID SD800 Token Automation RSA SecurID Protection of Administrative Interface Yes Yes Yes Yes Yes Yes Yes Yes Yes
-2-
Cisco Systems, Inc.

Authentication Agent Configuration

Authentication Agents are records in the RSA Authentication Manager database that contain information about the systems for which RSA SecurID authentication is provided. All RSA SecurID-enabled systems require corresponding Authentication Agents. Authentication Agents are managed using the RSA Security Console. The following information is required to create an Authentication Agent:
Hostname IP Addresses for network interfaces
Set the Agent Type to Standard Agent when adding the Authentication Agent. This setting is used by the RSA Authentication Manager to determine how communication with Cisco ASA 5500 Series Adaptive Security Appliance will occur. A RADIUS client that corresponds to the Authentication Agent must be created in the RSA Authentication Manager in order for Cisco ASA 5500 Series Adaptive Security Appliance to communicate with RSA Authentication Manager. RADIUS clients are managed using the RSA Security Console. The following information is required to create a RADIUS client:
Hostname IP Addresses for network interfaces RADIUS Secret Note: Hostnames within the RSA Authentication Manager / RSA SecurID Appliance must resolve to valid IP addresses on the local network.
Please refer to the appropriate RSA documentation for additional information about creating, modifying and managing Authentication Agents and RADIUS clients.
RSA SecurID files

RSA SecurID Authentication Files
Files sdconf.rec Node Secret sdstatus.12 sdopts.rec Location Not implemented In memory In memory Not implemented
Note: The appendix of this document contains more detailed information regarding these files.
-3-
Cisco Systems, Inc.

Partner Product Configuration

Before You Begin
This section provides instructions for configuring the Cisco ASA 5500 Series Adaptive Security Appliance with RSA SecurID Authentication. This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components. All Cisco ASA 5500 Series Adaptive Security Appliance components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.
Overview
Configure AAA Server Groups
Server Group for Native RSA SecurID Authentication
Create an AAA Server Group for implementing RSA SecurID Authentication via Native RSA SecurID protocol.
Server Group for RADIUS Authentication

Create an AAA Server Group for implementing RSA SecurID Authentication via RADIUS protocol.
Note: An AAA Server Group for the RSA Authentication Manager(s) must be configured prior to enabling SecurID authentication for VPN and/or firewall components.
Configure ASA 5500 services for RSA SecurID Authentication

Network (Client) Access using IPsec (IKEv1)
Configure remote access IPsec VPN utilizing RSA SecurID Authentication for use with Cisco VPN Client.
Network (Client) Access using AnyConnect

Configure remote access SSL or IKEv2 VPN utilizing RSA SecurID Authentication for use with Cisco AnyConnect Secure Mobility Client
Clientless SSL VPN

Configure clientless remote access SSL VPN utilizing RSA SecurID Authentication.
Firewall
Configure a firewall AAA rule to challenge users accessing protected network services with RSA SecurID Authentication.
ASDM
Configure RSA SecurID Authentication for Administrative Access to ASDM
-4-
Cisco Systems, Inc.

Configure Server Group for Native RSA SecurID Authentication

1. Browse to Configuration > Device Management > Users/AAA > AAA Server Groups and click Add.
2.
Enter Server Group name, select SDI from the Protocol drop-down menu and click OK.
3.
Select the AAA Server Group and click Add to add a server to the group.
-5-
Cisco Systems, Inc.

4.
Select the appropriate interface from the Interface Name drop-down menu, enter the Server Name or IP Address of the primary RSA Authentication Manager server and click OK.
Important: The Cisco ASA 5500 will learn about any RSA Authentication Manager replica servers, and prioritize them at the time of the first authentication. This SDI server list is in memory, and lost when the ASA is shut down. If the primary RSA Authentication Manager server is not available for authentication after the system boots, the ASA will not have knowledge of the RSA Authentication Manager replica servers. 5. Click Apply to complete the configuration.
Configure Server Group for RADIUS Authentication

1. Browse to Configuration > Device Management > Users/AAA > AAA Server Groups and click Add.
-6-
Cisco Systems, Inc.

2.
Enter Server Group name, select RADIUS from the Protocol drop-down menu and click OK.
3.
Select the AAA Server Group and click Add to add a server to the group.
-7-
Cisco Systems, Inc.

4.
Select the appropriate interface from the Interface Name drop-down menu, enter the Server Name or IP Address of the RSA Authentication Manager server, enter the Server Secret Key and click Message Table under SDI Messages.
-8-
Cisco Systems, Inc.

5.
Set the Message Text in the Message table as shown in the following image and click OK.
Note: Repeat steps 3-5 to add RSA Authentication Manager replica servers. 6. Click Apply to complete the configuration.
Configure IPsec Connection Profile for RSA SecurID Authentication

1. Browse to Configuration > Remote Access VPN > Network (Client) Access > Address Assignment > Address Pools and click Add.
-9-
Cisco Systems, Inc.

2.
Enter the Name, Starting IP Address, Ending IP Address and Subnet Mask for your IP Pool and click OK.
3.
Browse to Configuration > Remote Access VPN > Network (Client) Access > IPsec(IKEV1) Connection Profiles and mark the Allow Access checkboxes for the interfaces on which you are enabling IPSec access.
4.
Browse to Configuration > Remote Access VPN > Network (Client) Access > IPsec(IKEV1) Connection Profiles and click Add under Connection Profiles.
- 10 -
Cisco Systems, Inc.

5.
Choose a Name, Pre-shared Key, User Authentication Server Group, Client Access Pool and Group Policy for this connection profile. Click OK.
6.
Click Apply to complete the configuration.
- 11 -
Cisco Systems, Inc.

Configure AnyConnect Connection Profile for RSA SecurID Authentication

1. Browse to Configuration > Remote Access VPN > Network (Client) Access > Address Assignment > Address Pools and click Add.
2.
Enter the Name, Starting IP Address, Ending IP Address, Subnet Mask for your IP Pool and click OK.
3.
Browse to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles. Mark the checkboxes for the following items: Interface(s) on which you are enabling AnyConnect VPN Client. Allow user to select connection profile Enable Cisco AnyConnect VPN Client access to the interfaces selected in the table below
- 12 -
Cisco Systems, Inc.

4.
Click Yes to designate an AnyConnect image.
5.
Browse Flash or Upload the AnyConnect image and click OK.
6.
Browse to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles and click Add under Connection Profiles.
- 13 -
Cisco Systems, Inc.

7.
Enter Name, Alias, AAA Server Group, Client Address Pool, DNS Servers and click Manage next to Group Policy.
8.
Click Add to add a group policy.
- 14 -
Cisco Systems, Inc.

9.
Enter a Name for the Group Policy and click OK.
10. Select the Group Policy created in the previous step and click OK.
11. If enabling SecurID Authentication via RADIUS, browse to Advanced > Group Alias/Group URL, mark the checkbox next to Enable the display of SecurId messages on the login screen and click OK.
12. Click OK to close the VPN Connection Profile.
- 15 -
Cisco Systems, Inc.

13. Click Apply to complete the configuration.
Configure Clientless SSL VPN for RSA SecurID Authentication

1. Browse to Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles and mark the Allow Access checkboxes for the interfaces on which you are enabling Clientless SSL VPN access.
2.
Browse to Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles and click Add under Connection Profiles.
- 16 -
Cisco Systems, Inc.

3.
Choose a Name, Alias, AAA Server Group, Group Policy and then browse to Advanced > Clientless SSL VPN.
4.
Mark the checkbox for Enable the display of SecurID messages on the login screen and click OK.
5.
- 17 -
Cisco Systems, Inc.

Configure Firewall AAA for with RSA SecurID Authentication

1. Browse to Configuration > Firewall > AAA Rules and click Add > Add Authentication Rule
2.
Make the appropriate selections and click OK.
3.
Important: Although the ASA can be configured to require authentication for network access to any protocol or service, users can authenticate directly with HTTP, HTTPS, Telnet, or FTP only. A user must first authenticate with one of these services before the ASA allows other traffic requiring authentication. Telnet is the only service in which new PIN and Next Tokencode functions are supported.
- 18 -
Cisco Systems, Inc.

Configure ASDM with RSA SecurID Authentication

1. 2. Browse to Device Management > Users/AAA > AAA Access. Mark the checkbox next to HTTP/ASDM and select the AAA Server Group from the drop-down menu.
3.
- 19 -
Cisco Systems, Inc.

Screens (ASDM)
Login screen:
User-defined New PIN:
- 20 -
Cisco Systems, Inc.

System-generated New PIN:
Next Tokencode:
- 21 -
Cisco Systems, Inc.

Certification Checklist for RSA Authentication Manager

Cisco VPN Client
Date Tested: June 9, 2011 Certification Environment Product Name Version Information 7.1 SP4 RSA Authentication Manager 4.1 RSA Software Token 3.5.3 RSA Remote Authentication Client 8.4(1) Cisco ASA 5500 Series 5.0.07.0440 Cisco VPN Client Mandatory Functionality RSA Native Protocol
New PIN Mode Force Authentication After New PIN System Generated PIN User Defined (4-8 Alphanumeric) User Defined (5-7 Numeric) Deny 4 and 8 Digit PIN Deny Alphanumeric PIN Deny Numeric PIN Deny PIN Reuse Passcode 16 Digit Passcode 4 Digit Fixed Passcode Next Tokencode Mode Next Tokencode Mode On-Demand Authentication On-Demand Authentication On-Demand New PIN Load Balancing / Reliability Testing Failover (3-10 Replicas) No RSA Authentication Manager
PEW
Operating System
Windows Server 2003 Windows Server 2008 Windows Server 2008 Proprietary Windows Server 2008
RADIUS Protocol
Force Authentication After New PIN System Generated PIN User Defined (4-8 Alphanumeric) User Defined (5-7 Numeric) Deny 4 and 8 Digit PIN Deny Alphanumeric PIN Deny Numeric PIN Deny PIN Reuse 16 Digit Passcode 4 Digit Fixed Passcode Next Tokencode Mode On-Demand Authentication On-Demand New PIN Failover No RSA Authentication Manager
= Pass = Fail N/A = Not Applicable to Integration
- 22 -
Cisco Systems, Inc.


Cisco VPN Client
RSA Software Token Automation Functionality RSA Native Protocol RADIUS Protocol
PINless Token PINpad-style Token Fob-style Token 16-Digit Passcode Alphanumeric PIN New PIN Mode Next Tokencode Mode Password-Protected Token PINless Token PINpad-style Token Fob-style Token 16-Digit Passcode Alphanumeric PIN New PIN Mode Next Tokencode Mode Password-Protected Token
RSA SecurID 800 Token Automation Functionality RSA Native Protocol RADIUS Protocol
PINless Mode 16-Digit Passcode New PIN Mode Next Tokencode Mode
PEW
- 23 -
Cisco Systems, Inc.


Cisco AnyConnect Secure Mobility Client for Windows
Date Tested: June 10, 2011 Certification Environment Product Name Version Information 7.1 SP4 RSA Authentication Manager 4.1 RSA Software Token 3.5.3 RSA Remote Authentication Client 8.4(1) Cisco ASA 5500 Series 3.0.1047 Cisco AnyConnect VPN Client Mandatory Functionality RSA Native Protocol
PEW
Operating System
Windows Server 2003 Windows Server 2008 Windows Server 2008 Proprietary Windows Server 2008
RADIUS Protocol
- 24 -
Cisco Systems, Inc.


RSA Software Token Automation Functionality RSA Native Protocol RADIUS Protocol
PINless Token PINpad-style Token Fob-style Token 16-Digit Passcode Alphanumeric PIN New PIN Mode Next Tokencode Mode Password-Protected Token PINless Token PINpad-style Token Fob-style Token 16-Digit Passcode Alphanumeric PIN New PIN Mode Next Tokencode Mode Password-Protected Token
RSA SecurID 800 Token Automation Functionality RSA Native Protocol RADIUS Protocol
PEW
- 25 -
Cisco Systems, Inc.


Date Tested: April 9, 2012 Product Name RSA Authentication Manager Cisco ASA 5500 Series Cisco AnyConnect VPN Client Certification Environment Version Information
7.1 SP4 8.4(1) 2.5.5125
Operating System
Windows Server 2003 Proprietary Android 4.0.2
Mandatory Functionality RSA Native Protocol

PEW
RADIUS Protocol
- 26 -
Cisco Systems, Inc.


Cisco Clientless SSL VPN
Date Tested: July 10, 2011 Product Name RSA Authentication Manager Cisco ASA 5500 Series Certification Environment Version Information
7.1 SP4 8.4(1)
Operating System
Windows Server 2003 Proprietary

PEW
RADIUS Protocol
- 27 -
Cisco Systems, Inc.


Firewall
Date Tested: June 21, 2011 Product Name RSA Authentication Manager Cisco ASA 5500 Series Certification Environment Version Information
7.1 SP4 8.4(1)
Operating System
Windows Server 2003 Proprietary

PEW
RADIUS Protocol
- 28 -
Cisco Systems, Inc.


ASDM
Date Tested: May 17, 2011 Product Name RSA Authentication Manager Cisco ASA 5500 Series ASDM Certification Environment Version Information
7.1 SP4 8.4(1) 6.4(1)
Operating System
Windows Server 2003 Proprietary Windows XP Professional

PEW
RADIUS Protocol
- 29 -
Cisco Systems, Inc.

Known Issues
Firewall AAA rule Although you can configure the ASA to require authentication for network access to any protocol or service, users can authenticate directly with HTTP, HTTPS, Telnet, or FTP only. A user must first authenticate with one of these services before the ASA allows other traffic requiring authentication. Telnet is the only service in which new PIN and Next Tokencode functions are supported. Potential Replica issue when using Native SecurID Authentication The Cisco ASA 5500 will learn about any RSA Authentication Manager replica servers, and prioritize them at the time of the first authentication. This SDI server list is stored in memory, and lost when the ASA is shut down. If the primary RSA Authentication Manager server is not available for authentication after the system boots, the ASA will not have knowledge of the RSA Authentication Manager replica servers. RSA SecurID Protection of ASDM SecurID Authentication for ASDM functions for the versions certified in this guide. During testing, incompatibility was discovered with different combinations of ASA and ASDM. ASA 8.3(1) and ASA 8.2(1) with ASDM 6.3(1) did not integrate with SecurID using native SDI or RADIUS protocols.
- 30 -
Cisco Systems, Inc.

Appendix
Partner Integration Details
RSA SecurID API RSA Authentication Agent Type RSA SecurID User Specification Display RSA Server Info Perform Test Authentication Agent Tracing Custom Build Standard Agent Designated Users No Yes Yes
API Details:
Cisco ASA 5500 implements a modified version of the RSA Authentication API. Important modifications include:
sdconf.rec not utilized sdopts.rec not utilized server list stored in memory rather than file system
Refer to Cisco documentation for additional information.
Node Secret:
The Node Secret file is stored in flash memory on the Cisco ASA. The node secret file has its name based on the hexadecimal value of the Authentication Manager server IP address with .sdi appended. (e.g. 10-10-10-2.sdi.) Delete this file to remove the node secret.
sdconf.rec:
Not implemented.
sdopts.rec:
Not implemented.
sdstatus.12:
Not implemented. The SDI Server List can be viewed by entering the following command from the console:
# show aaa-server
Agent Tracing:
Agent Tracing info can be enabled by entering the following command from the console:
# debug sdi
- 31 -

Cisco Systems, Inc.: Rsa Securid Ready Implementation Guide

Enviado por

Dados do documento

Título original

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

Cisco Systems, Inc.: Rsa Securid Ready Implementation Guide

Enviado por

Direitos autorais:

Formatos disponíveis

Cisco Systems, Inc.

ASA 5500 Series Adaptive Security Appliance

RSA SecurID Ready Implementation Guide