Cisco ASA Integration

From Swivel Knowledgebase Wiki


Introduction

This document describes the steps to configure a Cisco ASA with PINsafe as the authentication server. The solution has been tested with ASA 8.0.3. AnyConnect works with PINsafe if it is started from the portal; the standalone AnyConnect client does not currently work with PINsafe.

PINsafe support is provided through login page customization and the RADIUS authentication protocol. Depending on your needs, you can modify the default customization object or create a new one. There are several ways to configure the ASA to work with PINsafe; this document uses the following steps:

  • Configure the PINsafe server.
  • Create a customization object to hold the attached Javascript.
  • Create an authentication server group using the RADIUS protocol.
  • Create a connection profile (tunnel group) to link the login URL, authentication server and custom login page together.

To use a Single Channel Image such as the TURing image, the PINsafe server must be reachable by the client: the client's browser requests the image from the PINsafe server, which for external access is usually published through a NAT (Network Address Translation), often with a proxy server in front. The PINsafe appliance provides a dedicated proxy port for this, adding a further layer of protection.

For the Cisco IPSEC client PINsafe integration, see Cisco IPSEC Client Integration.


Prerequisites

Cisco ASA 8.03 or higher

Cisco documentation

PINsafe 3.x, 3.5 for RADIUS groups

Cisco ASA 8 customisation Script. The customisation script can be downloaded from here: [1]

A customisation script that has a button to refresh the TURing image can be downloaded from here [2]

A customisation script that includes an SMS request is available here: [3]

When Single Channel Images such as the TURing image, or the security string index number, are used, the PINsafe server must be accessible by the client; for external access this is usually through a NAT.


Baseline

Cisco ASA 8.03; also tested with 8.21

PINsafe 3.5


Architecture

The Cisco ASA makes authentication requests against the PINsafe server by RADIUS.

The client makes TURing requests against the PINsafe server using HTTP/HTTPS.


PINsafe Configuration

Configuring the RADIUS server

Configure the RADIUS settings using the RADIUS configuration page in the PINsafe Administration console. In this example (see the diagram below) the RADIUS Mode is set to ‘Enabled’ and the HOST IP (the PINsafe server) is set to 0.0.0.0 (leaving the field empty has the same result). This means that the server will answer all RADIUS requests it receives, regardless of the IP address they were sent to.

Note: for appliances, the PINsafe VIP should not be used as the server IP address; see VIP on PINsafe Appliances.


Image:PINsafe36RADIUSserver.JPG


Setting up the RADIUS NAS

Set up the NAS using the Network Access Servers page in the PINsafe Administration console. Enter a name for the VPN server. In this example the IP address is set to the IP of the VPN appliance, and the shared secret ‘secret’ is assigned; the same secret must be entered in both the PINsafe NAS entry and the VPN RADIUS configuration.


Image:PINsafe 36 generic RADIUS NAS.JPG


You can specify an EAP protocol if required; otherwise CHAP, PAP and MSCHAP are supported. All users will be able to authenticate via this NAS unless it is configured to restrict authentication to a specific repository group.


Enabling Session creation with username

The PINsafe server can be configured to return an image stream containing a TURing image by presenting the username via the XML API or the SCImage servlet. The mechanism used with the ASA to return the TURing image to the VPN sign in page is via the SCImage servlet.

Go to the ‘Single Channel’ Admin page and set ‘Allow Session creation with Username:’ to YES.

To test your configuration, request the following URL with a valid PINsafe username:

Appliance

https://PINsafe_server_IP:8443/proxy/SCImage?username=testuser

Software install

http://PINsafe_server_IP:8080/pinsafe/SCImage?username=testuser


Cisco ASA Configuration

Login Page Customisation

If the PINsafe Single Channel Image is to be used, then the login page needs to be customised. If single channel authentication is not required, and no other page modifications (such as SMS on Demand buttons) are needed, this section can be skipped. The login page customization is used to insert the Javascript needed to retrieve the PINsafe TURing image. In ASDM, go to Remote Access VPN -> Clientless SSL VPN Access -> Portal -> Customization. Click on Add to add a new customization object.


Image:Cisco ASA 803 Add Customisation.JPG


Enter a name for the object, click on OK then Apply.


Image:Cisco ASA 803 Add Customisation selecting PINsafe.JPG


With the new object selected, click on Edit to enter the Customization Editor. Click on the Information Panel menu item. Note: If the information panel has been moved to a different location then the script can be added to the Copyright panel instead.


Image:Cisco ASA 803 Customisation Editor.JPG


Image:Cisco ASA 803 Customisation Editor Information Panel.JPG


Change Mode to “Enable”. Modify the pinsafeurl variable in the Cisco ASA 8 customisation Script to reflect your PINsafe server’s URL. Paste the modified content into the Text box. Click on Save on the top right corner of the Customization Editor to save the object.

WARNING: the Panel Position must be set to Right for the script to work. This is so that the customisation script is rendered after the logon form. If you particularly need the information panel to be on the left, put the PINsafe customisation script in the Copyright Panel instead, as that is always rendered at the bottom.

The pinsafeurl line below must be modified to point at your PINsafe server.

For an Appliance

var pinsafeurl='https://192.168.8.88:8443/proxy/SCImage?username=';

For a Software Install

var pinsafeurl='https://192.168.8.88:8080/pinsafe/SCImage?username=';

To use multiple security strings in an SMS message, the URL can instead point at the DCIndexImage servlet, which shows the index of the next security string that should be entered.

For an Appliance

var pinsafeurl='https://192.168.8.88:8443/proxy/DCIndexImage?username=';

For a Software Install

var pinsafeurl='https://192.168.8.88:8080/pinsafe/DCIndexImage?username=';

The prompt text can also be changed to reflect the request for a security string index number; see also the Multiple Security Strings How To Guide.

 "Please enter your user name and click on Get OTP Index";

The button used to request the Security String Index can also be edited:

 obj[0].value="Get OTP Index";

The Logon Form can be edited to suit the language and secondary authentication password message. Select the Logon Form to display the fields available.
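As an added example (not Swivel's downloadable customisation script), the following shows the client-side behaviour described above: the typed username is URL-encoded before being appended to pinsafeurl, the SCImage and DCIndexImage variants carry their own prompt and button text, and the OTP field stays disabled until an image has been requested. The server address, the logon form field names ('username' and 'password') and the wording of the TURing prompt are assumptions.

```javascript
// Base URL as on the page; point it at your own PINsafe server (assumed address).
var pinsafeurl = 'https://192.168.8.88:8443/proxy/SCImage?username=';

// The two single-channel modes the page describes, with the matching prompt and button text
// (the TURing prompt wording is assumed; the index wording is the page's own).
const MODES = {
  turing: { servlet: 'SCImage', prompt: 'Please enter your user name and click on Get OTP', button: 'Get OTP' },
  index: { servlet: 'DCIndexImage', prompt: 'Please enter your user name and click on Get OTP Index', button: 'Get OTP Index' },
};

// Build the image request for the typed username. The username is user-controlled, so it is
// URL-encoded rather than concatenated raw; an empty username yields null and no request.
function imageRequest(baseUrl, username, mode) {
  const user = String(username || '').trim();
  if (!user) return null;
  const m = MODES[mode] || MODES.turing;
  const url = baseUrl.replace(/\/(SCImage|DCIndexImage)\?/, '/' + m.servlet + '?') + encodeURIComponent(user);
  return { url, prompt: m.prompt, button: m.button };
}

// Browser wiring. Field names are assumptions: take the real ones from the Logon Form panel.
function attachToLogonForm(doc, mode) {
  const userField = doc.getElementsByName('username')[0];
  const otpField = doc.getElementsByName('password')[0];
  const img = doc.createElement('img');
  const button = doc.createElement('input');
  button.type = 'button';
  button.value = (MODES[mode] || MODES.turing).button;
  otpField.disabled = true; // grayed out until an image has been requested
  button.onclick = function () {
    const req = imageRequest(pinsafeurl, userField.value, mode);
    if (!req) return;
    img.src = req.url; // the user's browser fetches the image directly from PINsafe
    otpField.disabled = false;
  };
  userField.parentNode.appendChild(button);
  userField.parentNode.appendChild(img);
}
if (typeof document !== 'undefined') attachToLogonForm(document, 'turing');
```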

Image:Cisco ASA 821 AAA SSL VPN Customization Logon Form.JPG


Create a Radius Authentication Server Group

The Authentication Server Group holds the information needed to reach the PINsafe server. Go to Remote Access VPN -> AAA/Local users -> AAA Server. Click on Add to add an AAA Server Group.


Image:Cisco ASA 803 AAA Server Screen.JPG


Enter a name for Server Group, select RADIUS for Protocol and click OK. With the newly created server group name selected, click on Add on the right bottom to add a PINsafe server.


Image:Cisco ASA 803 AAA Server Configuration Screen.JPG


Enter the PINsafe server’s IP address, authentication port and server secret key (the shared secret entered on the PINsafe NAS page) as indicated. Click on OK then Apply to save the AAA server group.


Optional: Create a Secondary Authentication Server

The login page can be configured to display PINsafe as either the primary or the secondary authentication server. To use multiple authentication servers, each must be configured under Remote Access VPN -> AAA/Local users -> AAA Server. This example shows an AD server being added.

Go to Remote Access VPN -> AAA/Local users -> AAA Server. Click on Add to add an AAA Server Group.

Image:Cisco ASA 821 AAA Local Users AAA Server Groups AD.JPG


Enter a name for the Server Group, select NT Domain or Kerberos for Protocol and click OK. With the newly created server group name selected, click on Add at the bottom right to add an NT Domain Server.


Image:Cisco ASA 821 AAA Local Users AAA Server Groups Add AD.JPG


Enter the AD server’s IP, Server port and Domain Controller hostname. Click on OK then Apply to save the AAA server group.


Image:Cisco ASA 821 AAA Local Users AAA Server Groups AD Edit AAA Server.JPG


This secondary authentication server then needs to be linked to the Connection Profile (see below).


Create a Connection Profile (Tunnel Group)

The Connection Profile links the authentication server group, the URL used to access the ASA, and the login page customization together. Go to Remote Access VPN -> Clientless SSL VPN Access -> Connection Profiles. Click on Add to add a connection profile.


Image:Cisco_ASA_821_Connection_Profiles.JPG


In the Basic panel, enter a name and alias and select the AAA Server Group created above.


Image:Cisco ASA 821 Connection Profiles New Profile.JPG


Click on Advanced then Clientless SSL VPN. Select the customization object created and add a Group URL used to access the ASA with PINsafe authentication.


Image:Cisco ASA 803 Selecting the Customisation.JPG


Click on OK then Apply to save the Connection Profile.


Optional: Create a Secondary Authentication for the Connection Profile (Tunnel Group)

This option has been configured using the Secondary Authentication server option available in ASA 8.21.

Go to Remote Access VPN -> Clientless SSL VPN Access -> Connection Profiles, select the connection profile created above and then select Edit. Expand the Advanced option list and select Secondary Authentication. Enter the secondary server group required and, if the username should be reused, ensure the ‘Use Primary Username’ box is ticked. Click on OK to save the settings.


Image:Cisco ASA 821 AAA Connection Profile Secondary Authentication.JPG


Testing

Now the configuration is complete. You can use the configured Group URL to access the ASA with PINsafe authentication.


Image:Cisco ASA 821 OTP login.JPG


If configured, a Domain Password prompt will appear.


Image:Cisco ASA 803 Customised login form.JPG


Before the user name is entered, the OTP (One Time Password) field is grayed out. Enter a user name and click on Get OTP.


Image:Cisco ASA 821 OTP Turing login.JPG


OTP login with Domain Password


Image:Cisco ASA 803 Customised login form with Turing.JPG


Use your PIN to extract the OTP and enter it in the OTP field. If everything is configured correctly, you will see the portal page after clicking on Login. Please note that the Javascript to retrieve the Turing image is executed at the user’s browser. Therefore, the user’s PC must have access to the PINsafe URL. It is highly recommended that you configure your PINsafe server to use SSL/https to protect the session. Also if you are using a PINsafe appliance, the image can be requested via the built-in image proxy.

The screenshot below shows the use of the Security String Index to tell the user which of their multiple security strings to use.

Image:Cisco ASA 821 login multi sms OTP and Password.JPG

The screenshots below show a login screen with TURing and SMS on Demand login options.

Image:Cisco ASA 821 login request sms OTP and Password blank.JPG

Image:Cisco ASA 821 login request sms turing OTP and Password.JPG

Image:Cisco ASA 821 login request sms or swivlet OTP and Password.JPG


Additional Configuration Options

The Cisco ASA can be configured to use multiple authentication servers, such as Active Directory.

Two Stage and Challenge/Response authentication can also be configured.


Troubleshooting

Check the PINsafe logs for TURing image requests and RADIUS requests.

Image from PINsafe server absent


Known Issues and Limitations

None


Additional Information

For assistance with the PINsafe installation and configuration, please first contact your reseller and then email Swivel Secure support at support@swivelsecure.com
