1.0 Introduction
The Cisco® Adaptive Security Appliances (ASA) enable remote and mobile employees, customers, and partners
to gain secure access to corporate Virtual Private Network resources and applications. Providing secure access
via a VPN over existing Internet connections requires strong, two-factor authentication to protect resources. The
ActivIdentity solutions that work with Cisco incorporate SSL VPN solutions with versatile, strong authentication
that is flexible, scalable, and simple to manage. ActivIdentity offers two solutions:
• ActivIdentity® 4TRESS™ AAA Server for Remote Access—Addresses the security risks associated
with a mobile workforce remotely accessing systems and data.
• ActivIdentity 4TRESS™ Authentication Server (AS)—Offers support for multiple authentication
methods that are useful for diverse audiences across a variety of service channels (SAML, RADIUS,
etc.), including user name and password, mobile and PC soft tokens, one-time passwords, and
transparent Web soft tokens.
1.1 Scope of Document
This document explains how to set up ActivIdentity 4TRESS AAA Web soft token authentication with Cisco
Adaptive Security Appliances. Use this handbook to enable authentication via a Web soft token for use with an
SSL-protected Cisco VPN.
1.2 Prerequisites
• The ActivIdentity 4TRESS AAA Server is up-to-date (v6.7) with LDAP users and groups already
configured.
• Cisco ASA version 8.x installed and configured.
• The Web soft token is configured to work with or without a PIN.
• Users have static LDAP passwords for access to the Self Help Desk to enroll Web soft tokens.
• The Cisco login page has been customized (illustrated in this handbook).
Note: Using Cisco double authentication (an LDAP password plus a one-time password) is also
possible. You can configure the sign-in page so that users enter a static LDAP password instead of
the Web soft token PIN.
ActivIdentity 4TRESS AAA Web Tokens and Cisco ASA | Integration Handbook
This chapter describes how to configure the Cisco ASA. When a user signs in to the Cisco ASA, the ASA
forwards the user's credentials to an external authentication server to verify the user's identity. You will
define one authentication server (the ActivIdentity 4TRESS AAA RADIUS Server) to validate the one-time
password generated by the user's Web soft token.
2.1 Procedure 1: Create New Radius Server Instance
When using an external RADIUS server to authenticate Cisco ASA users, you must configure the server to
recognize the Cisco ASA as a client and specify a shared secret for the RADIUS server to use to authenticate the
client request.
To configure a connection to the RADIUS server on a Cisco ASA SSL VPN appliance and to define the RADIUS
Server instance, perform the following steps.
1. In the ASDM console, navigate to Configuration > Remote Access VPN > AAA/Local Users, and then click AAA Server Groups.
2. Click Add at the far right of the page displayed.
The Add AAA Server Group dialog is displayed.
3. Enter a Server Group name, and then select RADIUS for the Protocol.
4. Click OK.
To add a backup RADIUS server, repeat steps 6 through 8 below with the address of the second server.
5. In the AAA Server Groups section, select the RADIUS server group you just created.
6. In the Servers in the Selected Group section, click Add next to the Server Name or IP Address line.
7. Enter the appropriate information for your configuration.
• Server Name or IP Address—Specify the name or IP address of the 4TRESS AAA Server.
• Server Authentication Port—Enter the authentication port value for the RADIUS server.
Typically, this port is 1812. The ASA's own default is 1645, so set the port explicitly to match the
port on which the 4TRESS AAA Server listens.
• Server Shared Secret—Enter a string. You will enter the same string when configuring the
4TRESS AAA Server gate to recognize the Cisco ASA as a RADIUS client (see section 3.1).
• Accept the other default settings.
8. Click OK. The RADIUS server is displayed in the Servers in the Selected Group section, as illustrated next.
PIN usage depends on the custom page you deploy. The Web soft token can be hidden in the page; in that case
the token must be configured without a PIN, and the user's LDAP password takes the place of the PIN. Please
contact your ActivIdentity technical representative to obtain a sample page and to discuss the following
possible combinations of PIN usage:
• Username plus LDAP password plus visible Web soft token plus PIN plus OTP generated by the
Web soft token.
• Username plus LDAP password plus visible Web soft token without PIN plus OTP generated by the
Web soft token.
• Username plus LDAP password plus hidden Web soft token without PIN plus OTP generated by the
Web soft token hidden in the page.
• Username plus visible Web soft token plus PIN plus OTP generated by the Web soft token.
Your ActivIdentity technical contact will send you images, the token applet, and the login portal page. The
portal page will be similar to the following illustration.
FIGURE 1: Sample Cisco ASA Portal
1. From the top menu, select Clientless SSL VPN Access, and then select Web Contents from the features
menu on the left.
2. Click Import.
3. Import the files obtained in section 2.4 one by one, following the configuration illustrated above.
Click Browse Local Files to select your first file.
This chapter describes how to configure the ActivIdentity 4TRESS AAA Authentication Server.
3.1 Procedure 1: Configure Cisco Gate
A gate for the ActivIdentity 4TRESS AAA Server is a group of Network Access Servers (NAS) that is used to
simplify administration. For configuration details, refer to ActivIdentity 4TRESS AAA Server technical
documentation.
1. In the left pane of the Administration Console, expand the Servers line.
2. Right-click on the server to which you want to add a gate, and then click New Gate.
3. Enter a Gate name (any string).
4. Select RADIUS, the protocol the Cisco ASA uses.
5. In the Authorized IP addresses and host names section, add the address(es) or host name(s) of the Cisco
ASA. These entries filter which Network Access Servers may use the gate, so list the ASA interface
address(es) from which the RADIUS requests will actually arrive.
6. Click Add, and then click OK.
7. The ActivIdentity 4TRESS AAA Server uses the RADIUS shared secret to hide the User-Password attribute
and to authenticate the RADIUS packets exchanged with the Cisco ASA (RADIUS does not encrypt the rest of
the packet). Click Shared Secret, and then enter the same secret you configured on the Cisco ASA in
section 2.1.
8. Click OK.
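The two halves of the RADIUS setup, the ASA as client (section 2.1) and the 4TRESS gate as server (section 3.1), meet on the wire in a single Access-Request/Access-Accept exchange. The following is an added example, not ActivIdentity or Cisco code, that plays both sides of that exchange as RFC 2865 defines it: the NAS hides the User-Password with the shared secret and a random Request Authenticator, the server side enforces the gate's IP filter before it will even parse the request, and the NAS accepts a reply only if the Response Authenticator verifies under the same secret. The Gate class, the user table, the addresses and the secrets are all constructed for the demonstration; the credential check is a static comparison standing in for the 4TRESS authentication policy.

```python
"""RADIUS (RFC 2865) exchange between a NAS (the Cisco ASA of section 2.1) and
an authentication server behind a gate (section 3.1). Added example, not
ActivIdentity or Cisco code: the Gate class, user table, addresses and secrets
are constructed for the demonstration; packet layout and MD5 constructions
follow RFC 2865."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    # RFC 2865 5.2: pad to 16-octet blocks, XOR each with MD5(secret + previous
    # block), chained from the Request Authenticator. The shared secret is the
    # only thing protecting the password on the wire.
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    # Inverse of hide_password; the chain runs over the *hidden* blocks.
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # drop RFC padding (assumes no trailing NULs)

def encode_attrs(attrs) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def packet(code: int, ident: int, authenticator: bytes, body: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def response_authenticator(code, ident, req_auth, body, secret) -> bytes:
    # RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(packet(code, ident, req_auth, body) + secret).digest()

def nas_access_request(username: str, password: str, secret: bytes, nas_ip: str, ident: int = 1):
    # What the ASA sends: a fresh random Request Authenticator and the hidden password.
    req_auth = os.urandom(16)
    body = encode_attrs([(USER_NAME, username.encode()),
                         (USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
                         (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))])
    return packet(ACCESS_REQUEST, ident, req_auth, body), req_auth

def nas_verify_response(reply: bytes, req_auth: bytes, secret: bytes):
    # The ASA trusts a reply only if its Response Authenticator verifies.
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return None
    expected = response_authenticator(code, ident, req_auth, reply[20:], secret)
    return code if hmac.compare_digest(expected, reply[4:20]) else None

class Gate:
    # Server-side model of a 4TRESS gate: one shared secret plus the NAS
    # addresses admitted by its IP filter (constructed, not the product's API).
    def __init__(self, secret: bytes, authorized_ips, users: dict):
        self.secret, self.authorized_ips, self.users = secret, set(authorized_ips), users

    def handle(self, request: bytes, source_ip: str):
        if source_ip not in self.authorized_ips:
            return None  # RFC 2865: requests from unknown clients are silently discarded
        code, ident, length = struct.unpack("!BBH", request[:4])
        if code != ACCESS_REQUEST or length != len(request):
            return None
        req_auth, attrs = request[4:20], decode_attrs(request[20:])
        user = attrs.get(USER_NAME, b"").decode(errors="replace")
        pw = unhide_password(attrs.get(USER_PASSWORD, b""), self.secret, req_auth)
        ok = user in self.users and hmac.compare_digest(pw, self.users[user])
        code = ACCESS_ACCEPT if ok else ACCESS_REJECT
        return packet(code, ident, response_authenticator(code, ident, req_auth, b"", self.secret), b"")

def authenticate(gate: Gate, nas_ip: str, username: str, password: str, nas_secret: bytes) -> str:
    # The whole exchange from the ASA's point of view.
    request, req_auth = nas_access_request(username, password, nas_secret, nas_ip)
    reply = gate.handle(request, nas_ip)
    if reply is None:
        return "no-response"  # what the ASA sees when the gate's IP filter excludes it
    code = nas_verify_response(reply, req_auth, nas_secret)
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "bad-authenticator")

# Constructed sample: one gate, one ASA at 10.0.0.1, one user whose credential
# check is a static comparison standing in for the 4TRESS authentication policy.
GATE = Gate(b"s3cret-shared-with-asa", {"10.0.0.1"}, {"alice": b"LdapPassw0rd"})
```

Calling `authenticate(GATE, "10.0.0.1", "alice", "LdapPassw0rd", b"s3cret-shared-with-asa")` returns "accept"; a request from an address outside the gate filter gets no reply at all (the ASA will report the server as unreachable rather than a rejection), and a mismatched shared secret produces a reply whose authenticator the ASA cannot verify, which is how a typo in the secret on either side shows up. From the ASA CLI the same exchange is driven by `test aaa-server authentication <group> host <ip> username <user> password <pw>`, and the equivalent of the ASDM steps in section 2.1 is `aaa-server <group> protocol radius` followed by `aaa-server <group> (<interface>) host <ip>` with `key` and `authentication-port 1812` set under it.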
3.2 Procedure 2: Assigning Group(s) to the Cisco Gate
Note: Remember that you must have user groups created and the corresponding LDAP configured. For details,
refer to the ActivIdentity 4TRESS AAA Administration Guide.
1. To assign groups to the Cisco Gate, in the left pane of the Administration Console, select the group that you
want to assign to the gate (for example All Users).
2. Use the Group / Gate Assignments section of the page that is displayed to the right to specify gate(s) for the
group’s users to utilize in order to access a protected resource.
3. Click Add.
Notes: Depending on the activation code, a soft token may require a PIN. For details on PIN
usage, see section 2.4, Procedure 4: Configure New Cisco Portal, on page 12.
The second half of the Configuration tab is explained next.
5. Select at least one authentication policy (LDAP password at a minimum); you can select more than one.
By default, none are selected.
6. In the Selfdesk portal self binding policy section, select the following options:
• To allow users to self-assign additional devices, select Enable self binding on additional
device. For this setting to work, the LDAP attribute mapped to the device serial numbers must be
able to store multiple values.
7. When you are finished, click Add.
5. The user enters and confirms a PIN, and then enters a Description (the user has to enter the PIN only if the
system is configured to ask for it). A confirmation is displayed.
Now the user can use the Web soft token to access the Cisco ASA.
5.2 Notes About Authenticating with a Web Soft Token Launched in the Sign-In Page
• You must have customized the Sign-In Page to launch the Web soft token as an HTML page. To
receive a sample page, please contact your ActivIdentity technical representative.
• You can configure a Web soft token to be used with a PIN or without a PIN.
• You can configure the page so that an LDAP password either replaces the PIN or complements it
(depending on the Cisco configuration).
• A user must have activated a Web soft token on his/her computer.
For details on how authenticating with a Web soft token works, please refer to the ActivIdentity 4TRESS AAA
documentation.
Americas +1 510.574.0100
US Federal +1 571.522.1000
Europe +33 (0) 1.42.04.84.00
Asia Pacific +61 (0) 2.6208.4888
Email info@actividentity.com
Web www.actividentity.com
ActivIdentity, the ActivIdentity (logo), and/or other ActivIdentity products or marks referenced
herein are either registered trademarks or trademarks of HID Global Corporation in the United
States and/or other countries. The absence of a mark, product, service name or logo from this
list does not constitute a waiver of the trademark or other intellectual property rights concerning
that name or logo. Cisco and the Cisco logo are registered trademarks of Cisco, Inc. in the
United States and other countries. The names of other third-party companies, trademarks, trade
names, service marks, images and/or products that happened to be mentioned herein are
trademarks of their respective owners. Any rights not expressly granted herein are reserved.