Step by Step Guide To Implement SMS Authentication To Cisco ASA 5500

This document provides a step-by-step guide to implement two-factor authentication via SMS for Cisco ASA 5500 Clientless SSL VPN and Cisco VPN using the Nordic Edge One Time Password Server. The guide covers installing and configuring the Nordic Edge software, configuring the Cisco devices to integrate with the OTP server for RADIUS authentication, and testing the SMS authentication process.

Uploaded by

Hai Pham Van
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
71 views54 pages

Step by Step Guide To Implement SMS Authentication To Cisco ASA 5500

This document provides a step-by-step guide to implement two-factor authentication via SMS for Cisco ASA 5500 Clientless SSL VPN and Cisco VPN using the Nordic Edge One Time Password Server. The guide covers installing and configuring the Nordic Edge software, configuring the Cisco devices to integrate with the OTP server for RADIUS authentication, and testing the SMS authentication process.

Uploaded by

Hai Pham Van
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 54

Step by step guide to implement SMS authentication to Cisco ASA 5500 -Clientless SSL VPN and Cisco VPN

Installation guide for securing the authentication to your Cisco ASA 5500 Clientless SSL
VPN and Cisco VPN Client Solutions with the Nordic Edge One Time Password Server,
delivering strong authentication via SMS to your mobile phone.

1 Summary

This is a complete installation guide for securing the authentication to your Cisco ASA 5500 Clientless
SSL VPN and Cisco VPN Client Solutions with the Nordic Edge One Time Password Server, delivering two-
factor authentication via SMS to your mobile phone. You will be able to test the product with your
current Cisco ASA 5500 and LDAP user database, without making any changes that affect existing users.
The guide will also allow you to perform the installation efficiently; it should not take more than one
hour. Nordic Edge One Time Password Server provides several methods to deliver one time passwords,
like e-mail, tokens, mobile clients, Pledge, prefetch, Yubikey etc. However, in this guide, only SMS will
be configured.
This is a step-by-step guide covering the entire installation from A to Z. It is based on the scenario
that you are running your Cisco ASA 5500 against Active Directory, and that you install the One Time
Password Server on a Windows Server. The One Time Password Server is platform independent and
works with all other LDAP user databases, like eDirectory, Sun One, Open LDAP etc. If you are not
running Active Directory or Windows, or if you have any questions regarding the slight differences in
the installation process, you are most welcome to contact us at [email protected] and we will
take you through the entire process.

Table of Contents

1 Summary
Table of Contents
2 Prerequisites
Important information regarding communication
3 Getting started
3.1 Register and download the software
4 Installation
4.1 Start the installation
4.2 Installing license
5 Configuring the One Time Password Server
5.1 Start the OTP Configurator
5.2 Configure the One Time Password Server
5.3 Configure RADIUS
5.4 Configure databases
5.5 Configure LDAP Host Settings
5.6 Configure the LDAP database settings
5.7 Configure search filter
5.8 Test LDAP Authentication
6 Configure the SSL-VPN client settings.
7 Configure Delivery Method
8 Restart the One Time Password Server as Windows Service
9 Add mobile phone number with Microsoft Management Console
10 Configuring Cisco ASA 5500
10.1 Start ASA device manager
10.2 Browse to Configuration, Remote Access VPN, AAA/Local Users, AAA Server Groups and click Add.
10.3 Name Server Group OTPserver, choose protocol RADIUS
10.4 Add new radius server to the RADIUS group
10.5 Configure Radius Server
10.6 Create a test connection profile (in case you want to test this for certain users only).
10.6.1 Browse to Configuration/Remote Access/Clientless SSL VPN Access/Connection Profiles and click
Add
10.6.2 Specify Connection Profile Name
10.6.3 Specify AAA Server Group = OTPserver
10.6.4 Edit Connection Profile Clientless SSL VPN Settings
10.6.5 Add Alias if user should be able to select authentication method by drop-down-list
10.6.6 Edit Connection Profile Clientless SSL VPN Settings
10.6.7 Add Group URL if user should be able to select authentication by specifying URL
10.6.8 If user should be allowed to select authentication method by drop-down-list,
10.6.9 select this item.
11 Configuring ASA5500 for Cisco VPN Client authentication
11.1 Add a new ( or Edit an existing) Cisco VPN Client Connection Profile to use the OTPserver
11.2 At the Cisco VPN Client, create an entry with correct name and password
12 Start testing
12.1 Enter your Userid and password as usual
12.2 You will receive a one-time password to your mobile phone within a couple of seconds.
12.3 Enter your one time password and click on OK.
13 Technical questions

Definitions

In this step-by-step guide the Cisco ASA 5500 is referred to as "SSL-VPN Solution".

2 Prerequisites

You will need a server, for example a VMware virtual machine, with Windows Server 2003 or higher
installed, with Ethernet in bridge mode. The server must have a static IP address configured and must
also be able to reach your DNS servers, your SSL-VPN solution and Active Directory. Since the software
is quite small (315 MB) and easy to remove, you can also use any existing server from your network.

Important information regarding communication


The One Time Password Server is software that can be installed on any existing server in your network or DMZ.

- The One Time Password Server must be able to communicate (outbound traffic) with your LDAP or JDBC user
database. Default ports for LDAP and Secure LDAP are TCP 389 and 636 respectively.

- The SSL-VPN solution must be able to communicate (outbound traffic) with the One Time Password Server via
RADIUS, UDP port 1812 or 1645.

- If you want to use the Nordic Edge SMS Gateway, the One Time Password Server must be able to
communicate (outbound traffic) with otp.nordicedge.net and otp.nordicedge.se over HTTPS on TCP port 443.

In the following test scenario you will need to communicate with RADIUS port 1812 or 1645 and use the
Nordic Edge SMS Gateway.

3 Getting started

3.1 Register and download the software

Go to www.nordicedge.net and click "PRODUCTS" and then "Downloads".


Type in your name and contact details to receive the software.



A link will be sent for downloading the software. A 30-day evaluation license will be sent via e-mail
when you download the software.

Download the 32 or 64 bit version depending on your platform.

4 Installation

4.1 Start the installation



Start the installation on the server where you want to install the One Time Password Server

Please note that if you are installing on a Windows 2008 Server you need to right-click on otp3install.exe in
Explorer and select Run as Administrator.

Click Next

Click Next

Click Next

4.2 Installing license


Choose the license.dat file you received via e-mail.

Click Next

Click Next

Click Next

Click Install

Click Next

Leave default on Yes and click Done


Click Done

5 Configuring the One Time Password Server

5.1 Start the OTP Configurator

Start the OTP Configurator by clicking on the left button - Configuration

5.2 Configure the One Time Password Server



On the Server page you can set the length of the one time password and for how long it should be valid. Default is
5 minutes.
You can also set a default country prefix, which means you will not need to include it in the mobile attribute.
For more information regarding the optional settings, please see the One Time Password Server 3 Administration
manual.

For now, leave this page as default and go on to the next part Configure RADIUS.
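To make the Server page settings concrete, here is an added Python model of the OTP lifecycle (not Nordic Edge code): a numeric code of configurable length, a validity window of 5 minutes, single use, a bounded number of wrong guesses, and the default country prefix applied to a Mobile attribute that holds a national number. The length (6), the prefix (+46) and the attempt limit (3) are assumed values chosen for the illustration.

```python
import hmac
import secrets
import time

OTP_LENGTH = 6                  # assumed value; set on the Server page
OTP_VALID_SECONDS = 300         # "Default is 5 minutes"
MAX_ATTEMPTS = 3                # assumed; not a setting the guide shows
DEFAULT_COUNTRY_PREFIX = "+46"  # assumed example value for the country prefix setting

_pending = {}  # userid -> (code, expires_at, failed_attempts); constructed in-memory store

def normalise_mobile(mobile: str, prefix: str = DEFAULT_COUNTRY_PREFIX) -> str:
    """Apply the default country prefix when the Mobile attribute holds a national number."""
    digits = "".join(ch for ch in mobile if ch.isdigit() or ch == "+")
    if digits.startswith("+"):
        return digits
    if digits.startswith("00"):
        return "+" + digits[2:]
    return prefix + digits.lstrip("0")

def issue_otp(userid: str, now: float = None, length: int = OTP_LENGTH) -> str:
    """Generate a numeric code with a CSPRNG; it replaces any earlier pending code."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(length))
    _pending[userid] = (code, now + OTP_VALID_SECONDS, 0)
    return code

def verify_otp(userid: str, code: str, now: float = None) -> bool:
    """Accept once within the validity window; drop the code when expired or after
    MAX_ATTEMPTS wrong guesses so a code cannot be guessed at leisure."""
    now = time.time() if now is None else now
    entry = _pending.get(userid)
    if entry is None:
        return False
    expected, expires_at, failed = entry
    if now > expires_at or failed >= MAX_ATTEMPTS:
        _pending.pop(userid, None)
        return False
    if hmac.compare_digest(expected.encode(), code.encode()):
        _pending.pop(userid, None)  # single use
        return True
    _pending[userid] = (expected, expires_at, failed + 1)
    return False
```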

5.3 Configure RADIUS


Change to the RADIUS tab and configure the RADIUS port you want to use to communicate with your SSL-VPN
server. In this example we are using RADIUS port No. 1645.

Click Save config.

5.4 Configure databases


In this setup we are going to use the Microsoft Active Directory LDAP database.
Change to the Databases tab and click on the LDAP Database button.

5.5 Configure LDAP Host Settings


For this configuration we will use the Active Directory installed on the same server as the One Time
Password Server. We will use the internal IP address (127.0.0.1) as host address.
We will use the standard LDAP port No. 389 to communicate with Active Directory.
Admin DN will be the Administrator user used to search for user objects in the Active Directory database.
For now this user only needs read rights to the user object attributes, but be aware that later you might
want to use options like disabling accounts or the Pledge Enrollment concept from the Pledge Mobile
Client. In that case the Admin DN needs write rights to modify the disable-account attribute and to
store OATH keys in an optional user attribute.
Configure your LDAP host settings and click Test. You should now get a message saying LDAP
connection success.

Click OK and Save

Next step is to configure the LDAP database settings.

5.6 Configure the LDAP database settings



The BASE DN is the search base from where OTPServer will start looking for user objects.
Click on the button with three dots at the right side of the Base DN field to browse your LDAP
Database.
Select an Organization Unit or Organization in Active Directory and click OK.

5.7 Configure search filter



The next step is to configure the search filter that the One Time Password Server uses to find users via the selected object classes and
attributes according to the Microsoft Active Directory schema.

Click on the Sample Button and choose the filter template for MS Active Directory and click OK twice.

5.8 Test LDAP Authentication


Click on the Test LDAP Authentication button and type in the userid of a user you know exists in the directory.

Type in the password



If configuration is correct you will see the following success message.

6 Configure the SSL-VPN client settings.


Since the One Time Password Server is also a RADIUS server, the Cisco ASA 5500 is considered a client of the One Time
Password Server.
The next step is to configure the settings for this client.
In the left pane, click on Clients.

Choose a name for your Cisco ASA 5500 and enter its IP address.
Type in the RADIUS shared secret.
Choose the Active Directory repository you configured earlier as User Database.
Click Save.

7 Configure Delivery Method


The Delivery Methods category is meant for enabling and configuring one or more delivery methods
that can be used by the OTP Server to send one-time passwords.

One Time Password Server offers various methods like SMS, OATH tokens, Instant Messaging, HTTP and
Yubikey.
In this example we will use SMS with the Nordic Edge SMS service as the SMS provider.

During the evaluation phase customers may use our Nordic Edge SMS service free of charge for
30 days from the activation of the demo account.
In the left pane, click Delivery Methods and then Nordic Edge SMS. In the right pane, enable Nordic
Edge SMS Gateway.
To request a demo account, click Request a demo account.

Click Yes

You should get a success message, and the username and password for the Nordic Edge SMS gateway have
been filled in automatically. Click OK and Save Config.

8 Restart the One Time Password Server as Windows Service


In the Server panel, click Shutdown.

In Windows Control Panel, open Administrative Tools / Services


Find the NordicEdge OTPServer service, right-click on that service and click Start.

9 Add mobile phone number with Microsoft Management Console


Add a mobile phone number to your test user mobile phone attribute by starting the Microsoft MMC,
select the test user and enter the mobile phone number into the Mobile attribute.

10 Configuring Cisco ASA 5500

10.1 Start ASA device manager

10.2 Browse to Configuration, Remote Access VPN, AAA/Local Users, AAA Server Groups and
click Add.

10.3 Name Server Group OTPserver, choose protocol RADIUS



10.4 Add new radius server to the RADIUS group

10.5 Configure Radius Server


Configure the RADIUS server: interface name, IP address of the OTPserver and the pre-shared key (shared secret) between
the One Time Password Server and the Cisco ASA5500.

Ensure you use the same RADIUS port on both the OTPserver and the ASA5500.

You have now configured a group OTPserver and defined a Radius Server in this group.
This group can now be used as an authentication method.

10.6 Create a test connection profile (in case you want to test this for certain users only).

10.6.1 Browse to Configuration/Remote Access/Clientless SSL VPN Access/Connection Profiles and
click Add

10.6.2 Specify Connection Profile Name

10.6.3 Specify AAA Server Group = OTPserver



10.6.4 Edit Connection Profile Clientless SSL VPN Settings

10.6.5 Add Alias if user should be able to select authentication method by drop-down-list


10.6.6 Edit Connection Profile Clientless SSL VPN Settings

10.6.7 Add Group URL if user should be able to select authentication by specifying URL

10.6.8 If user should be allowed to select authentication method by drop-down-list,

10.6.9 select this item.



After a successful login the user is taken to his portal, which can
be customized depending on Active Directory membership, PC health status
(antivirus, hotfixes etc.) and authentication method.

11 Configuring ASA5500 for Cisco VPN Client authentication

11.1 Add a new (or edit an existing) Cisco VPN Client Connection Profile to use the OTPserver

11.2 At the Cisco VPN Client, create an entry with correct name and password

Name must match the connection profile name on the previous slide.

Password must match the pre-shared key in ASA5500.

(Note: this can be distributed via MSI installation.)

12 Start testing

12.1 Enter your Userid and password as usual

12.2 You will receive a one-time password to your mobile phone within a couple of seconds.

12.3 Enter your one time password and click on OK.
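The RADIUS exchange behind steps 12.1 to 12.3, as an added Python example (not Nordic Edge or Cisco code): the ASA sends an Access-Request with the user's password hidden under the shared secret from sections 6 and 10.5, the OTP server replies with an Access-Challenge carrying a State attribute, and the ASA sends a second Access-Request with the SMS code and the echoed State. The helpers also verify the Response Authenticator, which is the quickest way to tell a shared-secret mismatch from a port or reachability problem. The challenge/State handling follows RFC 2865 in general rather than anything the guide shows, and the server reply is constructed locally so the code runs offline.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte chunk with MD5(secret + previous chunk)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(kind: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length includes its own 2 header bytes."""
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(secret, ident, username, password, state=None, authenticator=None):
    """Return (packet, request_authenticator). For the second step, pass the OTP as
    the password and echo the State received in the Access-Challenge."""
    auth = authenticator or os.urandom(16)
    body = attr(USER_NAME, username.encode())
    body += attr(USER_PASSWORD, hide_password(secret, auth, password.encode()))
    if state:
        body += attr(STATE, state)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + auth + body, auth

def parse_attributes(payload: bytes) -> dict:
    """Map attribute type -> list of raw values, rejecting malformed lengths."""
    attrs, i = {}, 0
    while i + 2 <= len(payload):
        kind, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed attribute")
        attrs.setdefault(kind, []).append(payload[i + 2:i + length])
        i += length
    return attrs

def verify_response(secret: bytes, request_auth: bytes, reply: bytes):
    """Check Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    On a live server a mismatch almost always means the shared secret differs."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        raise ValueError("length field does not match packet size")
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("Response Authenticator mismatch: shared secret differs?")
    return code, parse_attributes(reply[20:])

def build_response(secret, code, ident, request_auth, attrs_bytes):
    """Server side of the same formula; used here only to construct a sample reply."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return header + hashlib.md5(header + request_auth + attrs_bytes + secret).digest() + attrs_bytes
```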

