Cisco IPSEC Client Integration
From Swivel Knowledgebase Wiki
Introduction
This document outlines how to integrate the PINsafe Turing image, using the PINsafe Taskbar for Microsoft Windows, with the Cisco IPSEC VPN Client. If only SMS is required, the Taskbar steps below are not needed.
For the Cisco ASA PINsafe integration see Cisco ASA Integration
Prerequisites
PINsafe 3.x, 3.5 for RADIUS groups
Turing image available to the user from across the internet
Cisco IPSEC VPN Client
A Cisco Authentication device using PINsafe as a RADIUS server
PINsafe Taskbar for Microsoft Windows
Cisco IPSEC Client
Cisco documentation
Baseline
PINsafe 3.5
Cisco IPSEC VPN Client 5.0.02
PINsafe Taskbar 1.3.01
Architecture
The user starts the Cisco IPSEC VPN client, which starts up the PINsafe Taskbar utility and generates a Turing image for the user to use for authentication.
PINsafe Configuration
PINsafe Server Configuration
Configuring the RADIUS mode and Host IP
Configure the RADIUS settings using the RADIUS configuration page in the PINsafe Administration console. In our example (see diagram below) the RADIUS Mode is set to ‘Enabled’ and the HOST IP (the PINsafe server) is set to 0.0.0.0 (leaving the field empty has the same result). This means that the server will answer all RADIUS requests it receives, regardless of the IP address they were sent to.
Note: for appliances, the PINsafe VIP should not be used as the server IP address; see VIP on PINsafe Appliances.
Setting up the NAS
Set up the NAS using the Network Access Servers page in the PINsafe Administration console. Enter a name for the Checkpoint VPN server. The IP address has been set to the IP of the VPN appliance, and the secret ‘secret’ has been assigned; the same secret is used in both the PINsafe server and the VPN RADIUS configuration.
You can specify an EAP protocol if required; otherwise CHAP, PAP and MSCHAP will be supported. All users will be able to authenticate via this NAS unless authentication is restricted to a specific repository group.
Enabling Session creation with username
The PINsafe server can be configured to return an image stream containing a TURing image when the username is presented via the XML API or the SCImage servlet. This is the mechanism used to return the TURing image to the VPN sign-in page.
Go to the ‘Single Channel’ Admin page and set ‘Allow Session creation with Username:’ to YES.
To test your configuration you can use the following URL using a valid PINsafe username:
Appliance
https://PINsafe_server_IP:8443/proxy/SCImage?username=testuser
Software install
https://PINsafe_server_IP:8080/pinsafe/SCImage?username=testuser
For further information see Single Channel How To Guide
Setting up PINsafe Dual Channel Transports
PINsafe Client Configuration
PINsafe Dual Channel Configuration
No specific client requirements for Dual Channel integration.
PINsafe Single Channel Configuration
Follow the installation notes to install the PINsafe Taskbar utility. Ensure that a Single Channel image can be generated. See Taskbar How to Guide. Note that the integration has only been tested with the Turing Single Channel Image.
Cisco VPN Server Configuration
Configure the VPN server according to the Cisco Documentation, configuring the Cisco VPN server to use PINsafe as a RADIUS authentication server.
Cisco IPSEC Client Configuration
Cisco IPSEC Client with Dual Channel Authentication
No further configuration is required for the Cisco IPSEC client.
Cisco IPSEC Client with Single Channel Authentication
Follow the Cisco installation notes. Then open the VPN Client Options menu and choose Application Launcher. The VPN Client displays a dialog; click Enable, then enter the PINsafe Taskbar utility path and the required syntax:
Example: C:\Program Files\Swivel Secure Ltd\PINsafe Taskbar\PINsafeTaskbar.exe show
Click Apply to activate the application.
Note: The Cisco IPSEC VPN Client may need to be restarted.
Additional Configuration Options
Troubleshooting
Start the Cisco IPSEC VPN client, and click on connect. A Turing window should appear. A One Time Code can be obtained for authentication.
Check the PINsafe logs for Turing images and RADIUS requests.
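To generate a known RADIUS request to look for in the PINsafe logs, and to confirm that the NAS shared secret matches on both sides, a small PAP test client can be used. The following is an added example, not Swivel or Cisco code: it assumes the test host's IP is registered as a NAS with the same secret, that the server listens on UDP port 1812, and that PAP is in use; the function names and the address in the final comment are illustrative placeholders.

```python
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 codes

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    padded = (password + b"\x00" * (-len(password) % 16)) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def build_access_request(username, password, secret, ident=1, authenticator=None):
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    authenticator = authenticator or os.urandom(16)
    user = username.encode()
    hidden = hide_password(password.encode(), secret, authenticator)
    attrs = bytes([1, len(user) + 2]) + user + bytes([2, len(hidden) + 2]) + hidden
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def reply_is_authentic(reply, request_auth, secret):
    """Check MD5(Code+ID+Length+RequestAuth+Attributes+Secret) against the reply."""
    if len(reply) < 20:
        return False
    length = struct.unpack("!H", reply[2:4])[0]
    if not 20 <= length <= len(reply):
        return False
    reply = reply[:length]
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def radius_check(server, username, password, secret, port=1812, timeout=5.0):
    """Send one Access-Request and describe the outcome (port 1812 is assumed)."""
    packet, auth = build_access_request(username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no reply: check the NAS entry IP, server address and port"
    if not reply_is_authentic(reply, auth, secret) or reply[1] != packet[1]:
        return "reply failed the authenticator check: shared secret mismatch?"
    names = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}
    return names.get(reply[0], f"unexpected code {reply[0]}")

# e.g. radius_check("192.0.2.10", "testuser", "<one-time code>", b"secret")  # placeholder IP
```

A reply that fails the authenticator check points at the secret configured on the NAS entry rather than at the user's credentials.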
Known Issues and Limitations
None
Additional Information
For assistance with PINsafe installation and configuration, please first contact your reseller and then email Swivel Secure support at support@swivelsecure.com

