Strong authentication for Cisco ASA 5500 Clientless SSL VPN and Cisco VPN Client Solutions with One Time Password Server

The complete installation guide for securing the authentication to your Cisco ASA 5500 solution with Nordic Edge One Time Password Server, delivering two-factor authentication via SMS to your mobile phone, for both clientless SSL VPN and Cisco VPN Client.
Strong Authentication for Cisco ASA 5500 Solutions with Nordic Edge™ One Time Password Server, Page 1 of 49
www.nordicedge.se, Copyright 2008, Nordic Edge AB, Page 2 of 49
Installation Guide
9.2 Browse to Configuration, Remote Access VPN, AAA/Local Users, AAA Server Groups and click Add  33
9.3 Name Server Group OTPserver, choose protocol RADIUS  34
9.4 Add new RADIUS server to the RADIUS group  35
9.5 Configure RADIUS Server: interface name, IP address of the OTP server and the pre-shared key between the One Time Password Server and Cisco ASA 5500  35
9.6 Create a "test" connection profile (in case you want to test this for certain users only)  37
9.6.1 Browse to Configuration / Remote Access / Clientless SSL VPN Access / Connection Profiles and click Add  37
9.6.2 Specify Connection Profile Name  38
9.6.3 Specify AAA Server Group = OTPserver  38
1 Summary
This is the complete installation guide for securing the authentication to your Cisco ASA 5500 solution with Nordic Edge One Time Password Server, delivering two-factor authentication via SMS to your mobile phone, for both clientless SSL VPN and Cisco VPN Client. You will be able to test the product with your existing Cisco ASA 5500 and LDAP user database without making any changes that affect existing users. The guide will also allow you to make the complete installation efficiently, in at most 1 hour. Nordic Edge provides several methods for delivering one time passwords, such as e-mail, tokens, mobile clients, prefetch etc.; in this test we are only going to use SMS.
This is a step-by-step guide that covers the entire installation from A to Z. It is based on the scenario that you are running your Cisco ASA 5500 solution against Active Directory, and that you install the One Time Password Server on a Windows Server. The One Time Password Server is platform independent and works with all other LDAP user databases, such as eDirectory, Sun One, OpenLDAP etc. If you are not running Active Directory or Windows and have any questions regarding the slight differences in the installation process, you are most welcome to contact us at support@nordicedge.se and we will take you through the entire process.
2 Prerequisites
You will need to have a server available, for example a VMware virtual machine with Windows Server 2003 installed and its Ethernet adapter in bridged mode. The server needs to have an IP address configured and must be able to reach your DNS servers, your Cisco ASA 5500 and the Active Directory. Since the software is quite small and easy to remove, you can also use any existing server in your network.
3 Important information regarding communication
The One Time Password Server is software that you can place on any server in your internal network or DMZ.
- The One Time Password Server needs to be able to communicate (outbound traffic) with your LDAP or JDBC user database. The default ports for LDAP and Secure LDAP are TCP 389 / 636.
- The Integration Module needs to be able to communicate (outbound traffic) with the One Time Password Server on TCP port 3100, or via RADIUS on UDP port 1812 or 1645 (outbound traffic).
- If you want to use the Nordic Edge SMS Gateway, the One Time Password Server needs to be able to communicate (outbound traffic) with otp.nordicedge.net and otp.nordicedge.se over HTTPS on TCP port 443.
In this test scenario you will communicate with RADIUS on UDP port 1812 or 1645 and use the Nordic Edge SMS Gateway.
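The RADIUS leg of this setup, as an added example that is not part of this guide or of Nordic Edge's software: a minimal RFC 2865 Access-Request / Access-Accept exchange in Python showing what the ASA sends on UDP 1812, how the PAP password is hidden with the shared secret configured in step 9.5, and how the reply's Response Authenticator lets the ASA detect a secret mismatch or a spoofed reply. The secrets, user name, password, NAS address and the USERS store are constructed; the verify callback stands in for the OTP server's own check, since how it combines the AD password with the SMS code is not shown on this page.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def encode_attrs(pairs):
    """Encode (type, value) pairs as RADIUS type-length-value attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def parse_attrs(data):
    """Parse TLV attributes, rejecting truncated or zero-length entries."""
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        out[t] = data[i + 2:i + length]
        i += length
    return out


def pap_hide(password, secret, request_auth):
    """RFC 2865 s5.2: pad to a 16-byte multiple, XOR each chunk with
    MD5(secret + previous ciphertext chunk); chunk 1 is keyed by the Request Authenticator."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + chunk, chunk
    return out


def pap_reveal(hidden, secret, request_auth):
    """Inverse of pap_hide: keystream for chunk n is MD5(secret + ciphertext chunk n-1)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, nas_ip, request_auth=None):
    """ASA side: the Request Authenticator is 16 fresh random bytes per request."""
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, pap_hide(password.encode(), secret, request_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def handle_access_request(pkt, secret, verify):
    """OTP server side: unhide the password, run the credential check, and sign the
    reply with Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    request_auth = pkt[4:20]
    attrs = parse_attrs(pkt[20:length])
    username = attrs[USER_NAME].decode(errors="replace")
    password = pap_reveal(attrs[USER_PASSWORD], secret, request_auth)
    code = ACCESS_ACCEPT if verify(username, password) else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)  # no reply attributes in this example
    resp_auth = hashlib.md5(header + request_auth + b"" + secret).digest()
    return header + resp_auth


def check_response(resp, request_auth, secret):
    """ASA side: verify the Response Authenticator before trusting the reply code."""
    header, resp_auth, attrs = resp[:4], resp[4:20], resp[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return "AUTHENTICATOR_MISMATCH"  # secret differs on one side, or the reply was forged
    return "ACCEPT" if resp[0] == ACCESS_ACCEPT else "REJECT"


# Constructed credential store standing in for AD password + SMS code. How the real OTP
# server combines the two factors is not shown on this page (assumption for the demo).
USERS = {"alice": "Winter2008-483921"}


def run_exchange(asa_secret, otp_secret, username, password):
    """Drive one request/response, allowing different secrets on the two sides."""
    request, request_auth = build_access_request(7, username, password, asa_secret, "192.0.2.1")
    verify = lambda u, p: hmac.compare_digest(USERS.get(u, "").encode(), p)
    reply = handle_access_request(request, otp_secret, verify)
    return check_response(reply, request_auth, asa_secret)


if __name__ == "__main__":
    print(run_exchange(b"same-secret", b"same-secret", "alice", "Winter2008-483921"))  # ACCEPT
    print(run_exchange(b"same-secret", b"same-secret", "alice", "wrong"))              # REJECT
    print(run_exchange(b"asa-secret", b"otp-secret", "alice", "Winter2008-483921"))   # AUTHENTICATOR_MISMATCH
```

The three runs show the cases you will meet when testing step 9.5: matching secrets and correct credentials give Accept, a bad credential gives Reject, and a mismatched pre-shared key shows up as a reply the ASA cannot authenticate rather than a clean Reject. The MD5 keystream derived from the shared secret is all that protects the PAP password on the hop between the ASA and the OTP server, so use a long random secret and keep that hop on a trusted interface.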
4 Getting started
4.1 Download the software
Go to www.nordicedge.se and click on Download.
4.2 Register and download the software
You will receive a link for downloading the software. A 30-day evaluation license will be sent via e-mail when you download the software. Download the version with Java included.
5 Installation
5.1 Start the installation
Start the installation on the server where you want to install the One Time Password Server.
5.2 Installing the license
Choose the license.dat file that you received via e-mail. This is important: if you want to request a demo SMS account from Nordic Edge later in the installation, the license must already be installed at this point.
Note: if you are in a test phase, we recommend that you do not install the OTP Server as a Windows Service.
6 Configuring the One Time Password Server
6.1 Start the OTP Configurator
Start the OTP Configurator by clicking Programs / NordicEdge / OTP Configurator.