HID ASA, 4TRESS AAA User Manual

ActivIdentity® 4TRESS™
AAA Web Tokens and Cisco
(Clientless SSL VPN Access) Integration Handbook
Document Version 1.2 | Released | June 8, 2012
ActivIdentity 4TRESS AAA Web Tokens and Cisco ASA | Integration Handbook
P 2
External Use | June 8, 2012 | © 2012 ActivIdentity

Table of Contents

Table of Contents (page 2)
1.0 Introduction (page 3)
1.1 Scope of Document (page 3)
1.2 Prerequisites (page 3)
2.0 Cisco ASA Configuration (page 4)
2.1 Procedure 1: Create New RADIUS Server Instance (page 4)
2.2 Procedure 2: Configure Connection Profiles (page 6)
2.3 Procedure 3: Configure Group Policies (page 8)
2.4 Procedure 4: Configure New Cisco Portal (page 12)
2.5 Procedure 5: Web Contents (page 13)
2.6 Procedure 6: Customization (page 15)
2.7 Procedure 7: Assign the New Portal (page 18)
3.0 ActivIdentity 4TRESS AAA Configuration (page 20)
3.1 Procedure 1: Configure Cisco Gate (page 20)
3.2 Procedure 2: Assigning Group(s) to the Cisco Gate (page 22)
4.0 Configure for Soft Token Activation (page 24)
4.1 Procedure 1: Enable Soft Token Activation (page 24)
4.2 Procedure 2: Configure Soft Token Activation Portal (page 25)
5.0 Sample Authentication Using Web Soft Token Authentication (page 28)
5.1 Prerequisite: User Enrolls Web Token and Computer (page 28)
5.2 Notes About Authenticating with Web Soft Token Launched in the Sign-In Page (page 30)
1.0 Introduction

The Cisco® Adaptive Security Appliance (ASA) enables remote and mobile employees, customers, and partners to gain secure access to corporate Virtual Private Network (VPN) resources and applications. Providing secure access over a VPN on existing Internet connections requires strong, two-factor authentication to protect those resources. The ActivIdentity solutions that work with Cisco combine SSL VPN access with versatile, strong authentication that is flexible, scalable, and simple to manage. ActivIdentity offers two solutions:
ActivIdentity® 4TRESS™ AAA Server for Remote Access: addresses the security risks associated with a mobile workforce remotely accessing systems and data.
ActivIdentity 4TRESS™ Authentication Server (AS): supports multiple authentication methods for diverse audiences across a variety of service channels (SAML, RADIUS, and so on), including user name and password, mobile and PC soft tokens, one-time passwords, and transparent Web soft tokens.

1.1 Scope of Document

This document explains how to set up ActivIdentity 4TRESS AAA Web soft token authentication with the Cisco ASA. Use this handbook to enable authentication via a Web soft token for an SSL-protected Cisco VPN: the ASA forwards the one-time password generated by the Web soft token to the 4TRESS AAA Server over RADIUS, and the server returns the accept or reject decision.

1.2 Prerequisites

The ActivIdentity 4TRESS AAA Server is up-to-date (v6.7) with LDAP users and groups already configured.
Cisco ASA version 8.x is installed and configured.
The Web soft token is configured to work with or without a PIN.
Users have static LDAP passwords for access to the Self Help Desk, where they enroll Web tokens.
The Cisco login page has been customized (illustrated in this handbook).
Note: Using Cisco double authentication (an LDAP password plus a one-time password) is also possible. You can configure the sign-in page so that users use a static LDAP password instead of the Web soft token PIN.
Getting Started

2.0 Cisco ASA Configuration

This chapter describes how to configure a Cisco ASA for Web soft token authentication. When a user signs in to the Cisco ASA, the appliance forwards the user's credentials over RADIUS to an external authentication server, which verifies the user's identity. You will define one authentication server (the ActivIdentity 4TRESS AAA RADIUS Server) to validate the one-time password generated by the user's Web soft token.

2.1 Procedure 1: Create New RADIUS Server Instance

When using an external RADIUS server to authenticate Cisco ASA users, you must configure the server to recognize the Cisco ASA as a client and specify a shared secret for the RADIUS server to use to authenticate the client request.
To configure a connection to the RADIUS server on a Cisco ASA SSL VPN appliance and to define the RADIUS Server instance, perform the following steps.
1. In the ASDM console, navigate to Configuration-> Remote Access VPN -> AAA/Local User, and then click AAA Server Groups.
2. Click Add at the far right of the page displayed.
The Add AAA Server Group dialog is displayed.
3. Enter a Server Group name, and then select RADIUS for the Protocol.
4. Click OK.
Repeat the process to add a backup RADIUS server.
5. In the AAA Server Groups section, select the RADIUS server group you just created.
6. In the Servers in the Selected Group section, click Add next to the Server Name or IP Address line.
7. Enter the appropriate information for your configuration.
Server Name or IP Address: specify the host name or IP address of the 4TRESS AAA Server.
Server Authentication Port: enter the authentication port of the RADIUS server. Typically, this port is 1812; the ASA pre-fills 1645, so check the value rather than accepting it as-is.
Server Shared Secret: enter a string. You will enter the same string when configuring the 4TRESS AAA Server to recognize the Cisco ASA as a RADIUS client (see chapter 3.0). Use a long, random value: the shared secret is the only thing that authenticates the ASA's requests to the server and the server's replies to the ASA.
Accept the other default settings.
8. Click OK. The RADIUS server is displayed in the Servers in the Selected Group section, as illustrated next.
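The shared secret entered in step 7 does two jobs on the wire: it hides the one-time password inside the Access-Request, and it keys the Response Authenticator that the ASA checks before it trusts an Access-Accept. The following Python, added here as an example and not part of the handbook or of any ActivIdentity or Cisco code, plays both sides of that exchange as RFC 2865 specifies it, using constructed values (the client address 192.0.2.10, user alice, OTP 482913 and both secrets are placeholders) so that a secret mismatch can be observed end to end: the server rejects the garbled password, and the ASA drops the reply because the Response Authenticator does not verify.

```python
"""RADIUS PAP Access-Request / Access-Accept round trip as a Cisco ASA (RADIUS
client) and a RADIUS server such as the 4TRESS AAA Server perform it (RFC 2865).
Added example: every address, user name, secret and OTP below is constructed."""
import hashlib
import hmac
import secrets
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4        # attribute types
HEADER = struct.Struct("!BBH")                            # code, identifier, length


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of hide_password; a wrong secret yields garbage, not an error."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes((atype, len(value) + 2)) + value


def parse_attrs(data: bytes) -> dict:
    """Type/length/value walk with bounds checks; the last value of a repeated type wins."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def build_access_request(identifier, username, otp, nas_ip, secret, request_auth=None):
    """What the ASA sends: the OTP travels as User-Password, hidden with the shared secret."""
    request_auth = request_auth or secrets.token_bytes(16)   # must be unpredictable per request
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(otp.encode(), secret, request_auth))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): keyed by the shared secret."""
    header = HEADER.pack(code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def serve_access_request(packet, secrets_by_client, valid_otp):
    """Toy server: the secret is looked up by NAS-IP-Address, as a real server keys clients by address."""
    code, identifier, length = HEADER.unpack_from(packet)
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    request_auth, attrs = packet[4:20], parse_attrs(packet[20:])
    secret = secrets_by_client.get(socket.inet_ntoa(attrs[NAS_IP_ADDRESS]))
    if secret is None:                      # unknown client: RFC 2865 says silently discard
        return None
    otp = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    verdict = ACCESS_ACCEPT if hmac.compare_digest(otp, valid_otp) else ACCESS_REJECT
    return HEADER.pack(verdict, identifier, 20) + response_authenticator(verdict, identifier, b"", request_auth, secret)


def verify_response(response, request, secret):
    """Client side: act on the verdict only if the Response Authenticator matches our secret."""
    if len(response) < 20:
        return None
    code, identifier, length = HEADER.unpack_from(response)
    if length != len(response) or identifier != request[1]:
        return None
    expected = response_authenticator(code, identifier, response[20:], request[4:20], secret)
    return code if hmac.compare_digest(expected, response[4:20]) else None


def demo(asa_secret=b"correct-secret", server_secret=b"correct-secret", otp="482913"):
    """One round trip; returns the verdict the ASA would act on, or None if it would drop the reply."""
    request = build_access_request(7, "alice", otp, "192.0.2.10", asa_secret)
    response = serve_access_request(request, {"192.0.2.10": server_secret}, b"482913")
    return None if response is None else verify_response(response, request, asa_secret)


if __name__ == "__main__":
    print("matching secrets, right OTP ->", demo())                        # 2 = Access-Accept
    print("matching secrets, wrong OTP ->", demo(otp="000000"))            # 3 = Access-Reject
    print("secret mismatch             ->", demo(server_secret=b"typo"))   # None: reply not trusted
```

On a live ASA, the `test aaa-server authentication` command exercises this same round trip against the configured server; because the 4TRESS server consumes a one-time password when it validates it, run that test with a fresh OTP. The MD5-based hiding above is all RFC 2865 offers for the password, so carry the RADIUS traffic over a trusted management network or an IPsec tunnel rather than across the Internet.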

2.2 Procedure 2: Configure Connection Profiles

1. From the top menu, select Clientless SSL VPN Access, and then select Connection Profiles from the features menu on the left.
2. In the Access Interfaces section of the page displayed to the right, enable access to the appropriate interface. Select the outside option.
3. In the Connection Profiles section at the bottom of the page, under the Name column, select DefaultWEBVPNGroup, and then click Edit.
4. Configure the following attributes.
From the AAA Server Group drop-down list, select RADIUS (the server group you created in Procedure 1).
Select the Use LOCAL if Server Group fails option. Be aware that this is a fail-open setting: if no RADIUS server in the group answers, the ASA authenticates against its LOCAL user database with a static password and no one-time password. Keep the LOCAL database limited to emergency administrative accounts, or leave this option cleared if the one-time password must always be enforced.
In the DNS section, from the Server Group drop-down list, select DefaultDNS, and then in the Servers box, specify a DNS server. Specify a Domain Name.
In the Default Group Policy section, from the Group Policy drop-down list, select DfltGrpPolicy.
Select the Enable clientless SSL VPN protocol option.
5. Click OK.
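For checking the outcome of Procedures 1 and 2 in `show running-config`, the equivalent ASA CLI follows. It is added here as an example and is not text from the handbook, Cisco or ActivIdentity; the group name 4TRESS-RADIUS, the interface name, the 192.0.2.x addresses and the key are placeholders. The first tunnel-group stanza mirrors the ASDM choices, including the LOCAL fallback; the second shows the RADIUS-only variant to use when the one-time password must never be bypassed.

```cisco
! Procedure 1: RADIUS server group pointing at the primary and backup 4TRESS AAA Servers
! (placeholders: group name, interface, 192.0.2.20/.21, key)
aaa-server 4TRESS-RADIUS protocol radius
aaa-server 4TRESS-RADIUS (inside) host 192.0.2.20
 key REPLACE-WITH-LONG-RANDOM-SECRET
 authentication-port 1812
 accounting-port 1813
aaa-server 4TRESS-RADIUS (inside) host 192.0.2.21
 key REPLACE-WITH-LONG-RANDOM-SECRET
 authentication-port 1812
 accounting-port 1813
!
! Procedure 2: clientless SSL VPN on the outside interface
webvpn
 enable outside
!
! Procedure 2 as clicked in ASDM: RADIUS, then LOCAL if every RADIUS server fails (fail-open)
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group 4TRESS-RADIUS LOCAL
 default-group-policy DfltGrpPolicy
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 dns-group DefaultDNS
!
! Hardened variant: no LOCAL keyword, so a one-time password is always required
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group 4TRESS-RADIUS
!
! Default group policy restricted to clientless access
! (the keyword is "webvpn" on ASA 8.0 to 8.3 and "ssl-clientless" on 8.4 and later)
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ssl-clientless
```

After applying the configuration, `show running-config aaa-server` confirms the ports and that a key is set (the ASA prints it as `key *****`), and `test aaa-server authentication 4TRESS-RADIUS host 192.0.2.20 username <user> password <otp>` checks the shared secret and the RADIUS path before any user is pointed at the portal.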

2.3 Procedure 3: Configure Group Policies

1. From the top menu, select Clientless SSL VPN Access, and then select Group Policies from the features menu on the left.
2. Under the Name column, select DfltGrpPolicy (System Default), and then click Edit.
Next, choose the application that you want to publish through the Cisco ASA clientless portal.
3. In the pane displayed to the left, select Portal, and then on the Bookmark List line, click Manage.
4. Click Add.
5. In the Bookmark List Name box, specify a title for your bookmark, and then click Add.
6. Specify the URL of the resource that you want to publish on the Cisco ASA, and then click OK.
7. Click OK. The main dialog is displayed again, as illustrated next.