Cisco Systems, Inc. IOS Router

Similar documents
Cisco Systems, Inc. Catalyst Switches

Cisco Systems, Inc. Wireless LAN Controller

Cisco Systems, Inc. Aironet Access Point

Barracuda Networks SSL VPN

<Partner Name> RSA SECURID ACCESS Standard Agent Implementation Guide. WALLIX WAB Suite 5.0. <Partner Product>

HOB HOB RD VPN. RSA SecurID Ready Implementation Guide. Partner Information. Product Information Partner Name. Last Modified: March 3, 2014 HOB

Dell SonicWALL NSA 3600 vpn v

RSA Ready Implementation Guide for

RSA SecurID Ready Implementation Guide. Last Modified: March 27, Cisco Systems, Inc.

Barracuda Networks NG Firewall 7.0.0

VMware Identity Manager vidm 2.7

RSA SecurID Ready Implementation Guide

Cyber Ark Software Ltd Sensitive Information Management Suite

RSA Ready Implementation Guide for. GlobalSCAPE EFT Server 7.3

Citrix Systems, Inc. Web Interface

Vanguard Integrity Professionals ez/token

Apple Computer, Inc. ios

Caradigm Single Sign-On and Context Management RSA Ready Implementation Guide for. Caradigm Single Sign-On and Context Management 6.2.

SecureW2 Enterprise Client

RSA SECURID ACCESS PAM Agent Implementation Guide

Avocent DSView 4.5. RSA SecurID Ready Implementation Guide. Partner Information. Last Modified: June 9, Product Information Partner Name

<Partner Name> RSA SECURID ACCESS. VMware Horizon View Client 6.2. Standard Agent Implementation Guide. <Partner Product>

Rocket Software Strong Authentication Expert

RSA Ready Implementation Guide for. VMware vsphere Management Assistant 6.0

RSA SecurID Ready Implementation Guide. Last Modified: November 19, 2009

<Partner Name> <Partner Product> RSA SECURID ACCESS. Pulse Secure Connect Secure 8.3. Standard Agent Client Implementation Guide

SSH Communications Tectia 6.4.5

Barron McCann Technology X-Kryptor

Infosys Limited Finacle e-banking

Microsoft Forefront UAG 2010 SP1 DirectAccess

RSA Ready Implementation Guide for. Checkpoint Mobile VPN for ios v1.458

Security Access Manager 7.0

Attachmate Reflection for Secure IT 8.2 Server for Windows

RSA SecurID Implementation

<Partner Name> <Partner Product> RSA SECURID ACCESS. VMware Horizon View 7.2 Clients. Standard Agent Client Implementation Guide

RSA SecurID Ready Implementation Guide

Pulse Secure Policy Secure

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Cisco Adaptive Security Appliance 9.5(2)

The MSCHAP Version 2 feature (introduced in Cisco IOS Release 12.2(2)XB5) allows Cisco routers to

Open System Consultants Radiator RADIUS Server

RSA SecurID Ready Implementation Guide. Last Modified: December 13, 2013

RSA SecurID Ready Implementation Guide

<Partner Name> <Partner Product> RSA SECURID ACCESS. NetMove SaAT Secure Starter. Standard Agent Client Implementation Guide

RSA Ready Implementation Guide for. HelpSystems Safestone DetectIT Security Manager

Microsoft Unified Access Gateway 2010

How to RSA SecureID with Clustered NATIVE

How to Configure the RSA Authentication Manager

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Pulse Connect Secure 8.x

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. PingIdentity PingFederate 8

RSA SecurID Ready with Wireless LAN Controllers and Cisco Secure ACS Configuration Example

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. CyberArk Enterprise Password Vault

How to Integrate RSA SecurID with the Barracuda Web Application Firewall

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Citrix NetScaler Gateway 12.0

RSA Ready Implementation Guide for

TalariaX sendquick Alert Plus

Router Allows VPN Clients to Connect IPsec and Internet Using Split Tunneling Configuration Example

LAN-to-LAN IPsec VPNs

Internet. SonicWALL IP Cisco IOS IP IP Network Mask

RSA Authentication Manager 8.2

Fischer International Identity Fischer Identity Suite 4.2

Configuring LAN-to-LAN IPsec VPNs

Configuring a VPN Using Easy VPN and an IPSec Tunnel, page 1

MWA Deployment Guide. VPN Termination from Smartphone to Cisco ISR G2 Router

Packet Tracer - Configure and Verify a Site-to-Site IPsec VPN Using CLI

Authentify SMS Gateway

1.1 Configuring HQ Router as Remote Access Group VPN Server

Configuring Cisco VPN Concentrator to Support Avaya 96xx Phones Issue 1.0. Issue th October 2009 ABSTRACT

SailPoint IdentityIQ 6.4

RSA Ready Implementation Guide for

NAC Appliance (Cisco Clean Access) In Band Virtual Gateway for Remote Access VPN Configuration Example

RSA Ready Implementation Guide for

Lawful Intercept Architecture

Hitachi ID Systems Inc Identity Manager 8.2.6

Chapter 8 Lab Configuring a Site-to-Site VPN Using Cisco IOS

QUESTION: 1 An RSA SecurID tokencode is unique for each successful authentication because

L2TP over IPsec. About L2TP over IPsec/IKEv1 VPN

In the event of re-installation, the client software will be installed as a test version (max 10 days) until the required license key is entered.

Vendor: RSA. Exam Code: CASECURID01. Exam Name: RSA SecurID Certified Administrator 8.0 Exam. Version: Demo

RSA Two Factor Authentication. Feature Description

Internet Key Exchange

RSA Exam 050-v71-CASECURID02 RSA SecurID Certified Administrator 7.1 Exam Version: 6.0 [ Total Questions: 140 ]

Chapter 10 Configure AnyConnect Remote Access SSL VPN Using ASDM

Integration Guide. LoginTC

Configuring Secure Shell (SSH)

CCNA Security 1.0 Student Packet Tracer Manual

Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

IOS Router : Easy VPN (EzVPN) in Network Extension Mode (NEM) with Split tunnelling Configuration Example

SOFTEL Communications Password Reset and Identity Management Suite

IPv6 over IPv4 GRE Tunnel Protection

Network Security CSN11111

clear ip access-list counters

Release Notes. NCP Android Secure Managed Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3.

CCNA Security PT Practice SBA

Configuring Security for the ML-Series Card

Cisco Virtual Office: Easy VPN Deployment Guide

Integration Guide. SafeNet Authentication Service (SAS)

RADIUS for Multiple UDP Ports

Network Security 2. Module 4 Configure Site-to-Site VPN Using Pre-Shared Keys

Pass4sure CASECURID01.70 Questions

Data Structure Mapping

Transcription:

RSA SecurID Ready Implementation Guide Partner Information Last Modified: January 27, 2014 Product Information Partner Name Cisco Systems, Inc. Web Site www.cisco.com Product Name Version & Platform 15.4 Product Description Cisco IOS Software is the world's leading network infrastructure software, delivering a seamless integration of technology innovation, business-critical services, and hardware platform support. Currently operating on millions of active systems, ranging from the small home office router to the core systems of the world's largest service provider networks, Cisco IOS Software is the most widely leveraged network infrastructure software in the world.

Solution Summary Cisco IOS AAA network security services provide the primary framework to set up access control on a router or access server. Cisco IOS integrates with RSA SecurID via RADIUS AAA server group. This document covers RSA SecurID integration with IPSec VPN and terminal access. SSL VPN gateway has partial support for SecurID.* * See the Known Issues section of this document for more information. RSA Authentication Manager supported features Cisco 15.4 RSA SecurID Authentication via Native RSA SecurID Protocol RSA SecurID Authentication via RADIUS Protocol On-Demand Authentication via Native SecurID Protocol On-Demand Authentication via RADIUS Protocol Risk-Based Authentication Risk-Based Authentication with Single Sign-On RSA Authentication Manager Replica Support Secondary RADIUS Server Support RSA SecurID Software Token Automation RSA SecurID SD800 Token Automation RSA SecurID Protection of Administrative Interface Yes Yes Yes Yes - 2 -

Authentication Agent Configuration Authentication Agents are records in the RSA Authentication Manager database that contain information about the systems for which RSA SecurID authentication is provided. All RSA SecurID-enabled systems require corresponding Authentication Agents. Authentication Agents are managed using the RSA Security Console. The following information is required to create an Authentication Agent: Hostname IP Addresses for network interfaces Set the Agent Type to Standard Agent when adding the Authentication Agent. This setting is used by the RSA Authentication Manager to determine how communication with Cisco will occur. A RADIUS client that corresponds to the Authentication Agent must be created in the RSA Authentication Manager in order for the Cisco to communicate with RSA Authentication Manager. RADIUS clients are managed using the RSA Security Console. The following information is required to create a RADIUS client: Hostname IP Addresses for network interfaces RADIUS Secret te: Hostnames within the RSA Authentication Manager / RSA SecurID Appliance must resolve to valid IP addresses on the local network. Please refer to the appropriate RSA documentation for additional information about creating, modifying and managing Authentication Agents and RADIUS clients. - 3 -

Partner Product Configuration Before You Begin This section provides instructions for configuring the Cisco with RSA SecurID Authentication. This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components. All Cisco components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding. Configure AAA for User Authentication and Group Authorization Log in to a terminal on the Cisco router and enter the following commands: (config)# aaa new-model (config)# aaa authentication login userauthen group radius local (config)# aaa authorization network groupauthor local Create an entry for each of your RSA Authentication Manager servers. (config)# radius server radius-server-name (config-radius-server)# address ipv4 ip-address auth-port 1645 acct-port 1646 (config-radius-server)# timeout 120 (config-radius-server)# key yourkey (config-radius-server)# exit Configure Terminal Access for RSA SecurID Authentication Log in to a terminal on the Cisco router and enter following commands to enable RSA SecurID authentication for terminal access. te: You must complete the steps in the Configure AAA for user authentication and group authorization. (config)# aaa authentication login default group radius Configure IPSec VPN with RSA SecurID authentication Log in to a terminal on the Cisco router and enter following commands to configure a remote access IPSec VPN gateway with RSA SecurID authentication. te: You must complete the steps in the Configure AAA for user authentication and group authorization. 1. Create an ISAKMP protocol policy for phase 1 negotiation. (config)# crypto isakmp policy 3 (config-isakmp)# encryption 3des (config-isakmp)# authentication pre-share (config-isakmp)# group 2 (config-isakmp)# exit - 4 -

2. Create a group that will be used to specify network information to the client, along with the pre-shared key for authentication. (config)# crypto isakmp client configuration group vpngroup (config-isakmp-group)# key pre-shared key (config-isakmp-group)# dns ip-address (config-isakmp-group)# pool vpnpool (config-isakmp-group)# exit te: Settings configured for vpngroup and pre-shared key should match the group authentication settings configured in the Cisco VPN Client. 3. Create the phase 2 policy for data encryption. (config)# crypto ipsec transform-set myset esp-3des esp-sha-hmac (cfg-crypto-trans)# exit 4. Create a dynamic map and apply the transform set. (config)# crypto dynamic-map dymap 10 (config-crypto-map)# set transform-set myset (config-crypto-map)# exit 5. Create the crypto map and apply the AAA lists created in the previous section. (config)# crypto map clientmap client authentication list userauthen (config)# crypto map clientmap isakmp authorization list groupauthor (config)# crypto map clientmap client configuration address respond (config)# crypto map clientmap 10 ipsec-isakmp dynamic dymap 6. Apply your crypto map to the appropriate interface. (config)# interface GigabitEthernet 0/0 (config-if)# crypto map clientmap (config-if)# exit te: Refer to the RSA SecurID Ready Implementation guide for Cisco VPN client for instructions on configuring the Cisco VPN client for RSA SecurID. RSA Implementation guides can be found at: http://www.securedbyrsa.com - 5 -

Certification Checklist for RSA Authentication Manager Terminal Access Date Tested: January 27, 2014 Certification Environment Product Name Version Information Operating System RSA Authentication Manager 8.0 Virtual Appliance Cisco 15.4(1)T IOS Mandatory Functionality RSA Native Protocol RADIUS Protocol New PIN Mode Force Authentication After New PIN N/A Force Authentication After New PIN System Generated PIN N/A System Generated PIN User Defined (4-8 Alphanumeric) N/A User Defined (4-8 Alphanumeric) User Defined (5-7 Numeric) N/A User Defined (5-7 Numeric) Deny 4 and 8 Digit PIN N/A Deny 4 and 8 Digit PIN Deny Alphanumeric PIN N/A Deny Alphanumeric PIN Deny PIN Reuse N/A Deny PIN Reuse Passcode 16-Digit Passcode N/A 16-Digit Passcode 4-Digit Fixed Passcode N/A 4-Digit Fixed Passcode Next Tokencode Mode Next Tokencode Mode N/A Next Tokencode Mode On-Demand Authentication On-Demand Authentication N/A On-Demand Authentication On-Demand New PIN N/A On-Demand New PIN Load Balancing / Reliability Testing Failover (3-10 Replicas) N/A Failover RSA Authentication Manager N/A RSA Authentication Manager PEW = Pass = Fail N/A = t Applicable to Integration - 6 -

Certification Checklist for RSA Authentication Manager Cisco VPN Client Date Tested: January 27, 2014 Certification Environment Product Name Version Information Operating System RSA Authentication Manager 8.0 Virtual Appliance Cisco 15.4(1)T IOS Cisco VPN Client 5.0.07.0440 Windows 7 Enterprise 64bit Mandatory Functionality RSA Native Protocol RADIUS Protocol New PIN Mode Force Authentication After New PIN N/A Force Authentication After New PIN System Generated PIN N/A System Generated PIN User Defined (4-8 Alphanumeric) N/A User Defined (4-8 Alphanumeric) User Defined (5-7 Numeric) N/A User Defined (5-7 Numeric) Deny 4 and 8 Digit PIN N/A Deny 4 and 8 Digit PIN Deny Alphanumeric PIN N/A Deny Alphanumeric PIN Deny PIN Reuse N/A Deny PIN Reuse Passcode 16-Digit Passcode N/A 16-Digit Passcode 4-Digit Fixed Passcode N/A 4-Digit Fixed Passcode Next Tokencode Mode Next Tokencode Mode N/A Next Tokencode Mode On-Demand Authentication On-Demand Authentication N/A On-Demand Authentication On-Demand New PIN N/A On-Demand New PIN Load Balancing / Reliability Testing Failover (3-10 Replicas) N/A Failover RSA Authentication Manager N/A RSA Authentication Manager PEW = Pass = Fail N/A = t Applicable to Integration - 7 -

Known Issues The SSL VPN gateway component functions properly for single transaction authentications. When the RSA authentication server requires the user to be challenged (for new PIN or next Tokencode), authentication always fails. - 8 -

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback