Cisco SA 520

From Swivel Knowledgebase Wiki

Contents 1 Introduction 2 Prerequisites 3 Baseline 4 Architecture 5 PINsafe Configuration 5.1 Configuring the RADIUS server 5.2 Setting up the RADIUS NAS 6 Setting up PINsafe Dual Channel Transports 7 Cisco SA 520 Configuration 8 Testing 9 Additional Configuration Options 10 Troubleshooting 11 Known Issues and Limitations 12 Additional Information

Introduction

This document describes steps to configure a Cisco SA 520 with PINsafe as the authentication server for authentication using SMS, Mobile Phone Client or the PINsafe Taskbar utility.

For the Cisco IPSEC client PINsafe integration see Cisco IPSEC Client Integration

Many Thanks to Brian Norrie of NCI Systems in contributing to this article.

Prerequisites

Cisco SA 520

Cisco documentation

PINsafe 3.x, 3.5 for RADIUS groups

Baseline

Cisco SA 520 firmware version 2.1.51

PINsafe 3.8

PAP Authentication was tested in this setup

Architecture

The Cisco 520 makes authentication requests against the PINsafe server by RADIUS.

PINsafe Configuration

Configuring the RADIUS server

Configure the RADIUS settings using the RADIUS configuration page in the PINsafe Administration console. In this example (see diagram below) the RADIUS Mode is set to ‘Enabled’ and the HOST IP (the PINsafe server) is set to 0.0.0.0. (leaving the field empty has the same result). This means that the server will answer all RADIUS requests received by the server regardless of the IP address that they were sent to.

Note: for appliances, the PINsafe VIP should not be used as the server IP address, see VIP on PINsafe Appliances

Setting up the RADIUS NAS

Set up the NAS using the Network Access Servers page in the PINsafe Administration console. Enter a name for the Cisco VPN server. The IP address has been set to the IP of the VPN appliance, and the secret ‘secret’ assigned that will be used on both the PINsafe server and VPN RADIUS configuration.

Setting up PINsafe Dual Channel Transports

See Transport Configuration

Cisco SA 520 Configuration

On the Cisco SA 520 Administration console select the Administration tab then users and domains. Click on Add, and enter the PINsafe RADIUS server authentication details for the portal.

Testing

Test authentication using a dual channel Security String or an image from the PINsafe Taskbar utility. You will need to enter your password followed immediately by the one time code into the Password field.

Additional Configuration Options

Troubleshooting

Check the PINsafe logs for RADIUS requests.

Known Issues and Limitations

Dual Channel authentication and Taskbar only

Additional Information

For assistance in the PINsafe installation and configuration please firstly contact your reseller and then email Swivel Secure support at support@swivelsecure.com