RSA SecurID Ready Implementation Guide

Similar documents
RSA SecurID Ready Implementation Guide. Last Modified: March 27, Cisco Systems, Inc.

Cisco Systems, Inc. IOS Router

Cisco Systems, Inc. Wireless LAN Controller

Barracuda Networks SSL VPN

Cisco Systems, Inc. Aironet Access Point

<Partner Name> RSA SECURID ACCESS Standard Agent Implementation Guide. WALLIX WAB Suite 5.0. <Partner Product>

RSA Ready Implementation Guide for

Cisco Systems, Inc. Catalyst Switches

Dell SonicWALL NSA 3600 vpn v

Apple Computer, Inc. ios

Barracuda Networks NG Firewall 7.0.0

VMware Identity Manager vidm 2.7

HOB HOB RD VPN. RSA SecurID Ready Implementation Guide. Partner Information. Product Information Partner Name. Last Modified: March 3, 2014 HOB

RSA SecurID Ready Implementation Guide

<Partner Name> RSA SECURID ACCESS. VMware Horizon View Client 6.2. Standard Agent Implementation Guide. <Partner Product>

RSA SecurID Implementation

Barron McCann Technology X-Kryptor

Cyber Ark Software Ltd Sensitive Information Management Suite

Citrix Systems, Inc. Web Interface

RSA Ready Implementation Guide for. GlobalSCAPE EFT Server 7.3

RSA SecurID Ready Implementation Guide. Last Modified: November 19, 2009

SecureW2 Enterprise Client

Caradigm Single Sign-On and Context Management RSA Ready Implementation Guide for. Caradigm Single Sign-On and Context Management 6.2.

<Partner Name> <Partner Product> RSA SECURID ACCESS. Pulse Secure Connect Secure 8.3. Standard Agent Client Implementation Guide

Vanguard Integrity Professionals ez/token

Attachmate Reflection for Secure IT 8.2 Server for Windows

Avocent DSView 4.5. RSA SecurID Ready Implementation Guide. Partner Information. Last Modified: June 9, Product Information Partner Name

<Partner Name> <Partner Product> RSA SECURID ACCESS. VMware Horizon View 7.2 Clients. Standard Agent Client Implementation Guide

Rocket Software Strong Authentication Expert

Microsoft Unified Access Gateway 2010

RSA Ready Implementation Guide for. VMware vsphere Management Assistant 6.0

Open System Consultants Radiator RADIUS Server

Pulse Secure Policy Secure

Infosys Limited Finacle e-banking

RSA SecurID Ready Implementation Guide. Last Modified: December 13, 2013

RSA Ready Implementation Guide for. Checkpoint Mobile VPN for ios v1.458

Microsoft Forefront UAG 2010 SP1 DirectAccess

How to Integrate RSA SecurID with the Barracuda Web Application Firewall

SSH Communications Tectia 6.4.5

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Cisco Adaptive Security Appliance 9.5(2)

RSA SecurID Ready Implementation Guide

RSA SECURID ACCESS PAM Agent Implementation Guide

RSA Ready Implementation Guide for. HelpSystems Safestone DetectIT Security Manager

Configuring Cisco VPN Concentrator to Support Avaya 96xx Phones Issue 1.0. Issue th October 2009 ABSTRACT

Security Access Manager 7.0

<Partner Name> <Partner Product> RSA SECURID ACCESS. NetMove SaAT Secure Starter. Standard Agent Client Implementation Guide

RSA SecurID Ready with Wireless LAN Controllers and Cisco Secure ACS Configuration Example

How to Configure the RSA Authentication Manager

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Pulse Connect Secure 8.x

McAfee Endpoint Encryption

Internet. SonicWALL IP Cisco IOS IP IP Network Mask

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. PingIdentity PingFederate 8

Fischer International Identity Fischer Identity Suite 4.2

Configuring the PIX Firewall and VPN Clients Using PPTP, MPPE and IPSec

How to RSA SecureID with Clustered NATIVE

Loading Internet Protocol Security (IPSec) (CDR-882/780/790/990 Cellular Router)

RSA Ready Implementation Guide for

<Partner Name> <Partner Product> RSA SECURID ACCESS Authenticator Implementation Guide. Intel Security Drive Encryption 7.1.3

Configuring Remote Access IPSec VPNs

Intel Security/McAfee Endpoint Encryption

MWA Deployment Guide. VPN Termination from Smartphone to Cisco ISR G2 Router

Configuration Summary

QUESTION: 1 An RSA SecurID tokencode is unique for each successful authentication because

LAN-to-LAN IPsec VPNs

RSA Exam 050-v71-CASECURID02 RSA SecurID Certified Administrator 7.1 Exam Version: 6.0 [ Total Questions: 140 ]

The MSCHAP Version 2 feature (introduced in Cisco IOS Release 12.2(2)XB5) allows Cisco routers to

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL II. VERSION 2.0

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. CyberArk Enterprise Password Vault

Configuring L2TP over IPsec

L2TP over IPsec. About L2TP over IPsec/IKEv1 VPN

Configuring a VPN Using Easy VPN and an IPSec Tunnel, page 1

Symantec Encryption Desktop

SailPoint IdentityIQ 6.4

Configuring LAN-to-LAN IPsec VPNs

Network Security CSN11111

RSA Ready Implementation Guide for

1.1 Configuring HQ Router as Remote Access Group VPN Server

RSA Ready Implementation Guide for

ipad in Business Security Overview

TalariaX sendquick Alert Plus

In the event of re-installation, the client software will be installed as a test version (max 10 days) until the required license key is entered.

Table of Contents. Cisco IPSec Tunnel through a PIX Firewall (Version 7.0) with NAT Configuration Example

Packet Tracer - Configure and Verify a Site-to-Site IPsec VPN Using CLI

Remote Access IPsec VPNs

IPv6 over IPv4 GRE Tunnel Protection

Remote Access IPsec VPNs

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Citrix NetScaler Gateway 12.0

Table of Contents. Cisco Enhanced Spoke to Client VPN Configuration Example for PIX Security Appliance Version 7.0

Pass4sure CASECURID01.70 Questions

Internet Key Exchange

User Databases. ACS Internal Database CHAPTER

SecuRemote for Windows 32-bit/64-bit

Data Structure Mapping

Data Structure Mapping

Data Structure Mapping

Lab 9: VPNs IPSec Remote Access VPN

CCNA Security 1.0 Student Packet Tracer Manual

Citrix XenApp. RSA Secured Implementation Guide for RSA DLP Endpoint VDI. Partner Information. Last Modified: March 28 th, 2014

Table of Contents. Cisco PIX/ASA 7.x Enhanced Spoke to Spoke VPN Configuration Example

Fundamentals of Network Security v1.1 Scope and Sequence

Transcription:

RSA SecurID Ready Implementation Guide Partner Information Last Modified: April 20, 2005 Product Information Partner Name Cisco Web Site www.cisco.com Product Name Cisco PIX Security Appliance Version & Platform PIX IOS 7.0.1 Product Description The market-leading Cisco PIX Security Appliance Series delivers robust user and application policy enforcement, mutlivector attack protection, and secure connectivity services in cost-effective, easy-to-deploy solutions. These purpose-built appliances provide multiple integrated security and networking services. Product Category Ranging from compact, plug-and-play desktop appliances for small and home offices to modular gigabit appliances with superior investment protection for enterprise and service-provider environments, Cisco PIX Security Appliances provide comprehensive security, performance, and reliability for network environments of all sizes. Perimeter Defense (Firewalls, VPNs & Intrusion Detection) 1

Solution Summary The Cisco PIX Security Appliance Series delivers robust user and application policy enforcement, multivector attack protection, and secure connectivity services in cost-effective, easy-to-deploy solutions. The Cisco PIX Security Appliance Series provides convenient methods for authenticating VPN users through native integration with popular authentication services, including RADIUS and RSA SecurID authentication (without requiring a separate RADIUS/TACACS+ server to act as an intermediary) Partner Integration Overview Authentication Methods Supported List Library Version Used Library Version # 5.02 RSA Authentication Manager Name Locking RSA Authentication Manager Replica Support Secondary RADIUS Server Support Location of Node Secret on Agent RSA Authentication Agent Host Type RSA SecurID User Specification RSA SecurID Protection of Administrative Users RSA Software Token API Integration Use of Cached Domain Credentials Native RSA SecurID Authentication, or RADIUS, Yes Full Replica Support Yes (hardware dependent for number of servers) In flash Communication Server Designated Users, All Users, Default Method No Yes No 2

Product Requirements Partner Product Requirements: Cisco PIX Security Appliance Memory See Cisco PIX Security Appliance documentation Firmware Version 7.0.1 Additional Software Requirements Application Additional Patches Cisco Secure VPN Client 4.6 3

Agent Host Configuration To facilitate communication between the Cisco PIX Security Appliance and the RSA Authentication Manager / RSA SecurID Appliance, an Agent Host record must be added to the RSA Authentication Manager database. The Agent Host record identifies the Cisco PIX Security Appliance within its database and contains information about communication and encryption. To create the Agent Host record, you will need the following information. Hostname IP Addresses for all network interfaces RADIUS Secret (When using RADIUS Authentication Protocol) When adding the Agent Host Record, you should configure the Cisco PIX Security Appliance as a Communication Server. This setting is used by the RSA Authentication Manager to determine how communication with the Cisco PIX Security Appliance will occur. Note: Hostnames within the RSA Authentication Manager / RSA SecurID Appliance must resolve to valid IP addresses on the local network. Please refer to the appropriate RSA Security documentation for additional information about Creating, Modifying and Managing Agent Host records. 4

Partner Authentication Agent Configuration Before You Begin This section provides instructions for integrating the partners product with RSA SecurID Authentication. This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components. All vendor products/components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding. Cisco PIX Security Appliance Log onto the Cisco PIX Security Appliance and enter enable mode, by typing the word enable and giving the enable password. Then enter configuration mode by typing config t. You are now able to enter the commands below to turn on authentication. RSA Native SecurID authentication configuration: RSA Authentication Manager: aaa-server AuthMan6 protocol sdi reactivation-mode timed aaa-server AuthMan6 host 10.100.50.37 retry-interval 3 timeout 13 VPN Policy: ip local pool test 173.16.16.1-173.16.16.254 crypto ipsec transform-set myset esp-des esp-md5-hmac crypto dynamic-map dynmap 10 set transform-set myset crypto map mymap 10 ipsec-isakmp dynamic dynmap crypto map mymap interface outside isakmp enable outside isakmp policy 10 authentication pre-share isakmp policy 10 encryption des isakmp policy 10 hash md5 isakmp policy 10 group 2 tunnel-group AuthMan6Group type ipsec-ra tunnel-group AuthMan6Group general-attributes address-pool test authentication-server-group AuthMan6 tunnel-group AuthMan6Group ipsec-attributes pre-shared-key * 5

RADIUS authentication configuration: RADIUS Server: aaa-server inauth protocol radius aaa-server inauth host 10.100.50.37 key secret aaa-server inauth host 10.100.50.36 key secret aaa-server inauth host 10.100.50.35 key secret VPN Policy: ip local pool test 173.16.16.1-173.16.16.254 group-policy ScottRAD internal group-policy ScottRAD attributes crypto ipsec transform-set RADIUSset esp-3des esp-sha-hmac crypto dynamic-map RADIUSmap 30 set transform-set RADIUSset crypto map newmap 30 ipsec-isakmp dynamic RADIUSmap crypto map newmap interface outside isakmp enable outside isakmp policy 30 authentication pre-share isakmp policy 30 encryption 3des isakmp policy 30 hash sha isakmp policy 30 group 2 isakmp policy 30 lifetime 86400 tunnel-group ScottRAD type ipsec-ra tunnel-group ScottRAD general-attributes address-pool test authentication-server-group inauth default-group-policy ScottRAD tunnel-group ScottRAD ipsec-attributes pre-shared-key * trust-point torque 6

VPN Client Configuration Install the Cisco VPN client. Click the New button to create a RSA SecurID connection entry. Fill in the appropriate information for the connection. The group name and password must match the entry you create on the VPN server. In the above example the group name was ScottRAD. Click Save. 7

Highlight the connection created and click connect. The user will now be prompted for authentication information 8

Certification Checklist Date Tested: April 20, 2005 Certification Environment Product Name Version Information Operating System RSA Authentication Manager 6.0 Windows 2003 RSA Software Token 3.0.4 Windows 2000 Cisco Pix Security Appliance 7.0.1 IOS Cisco VPN Client 4.6 Windows 2000 Mandatory Functionality RSA Native Protocol RADIUS Protocol New PIN Mode Force Authentication After New PIN Force Authentication After New PIN System Generated PIN System Generated PIN User Defined (4-8 Alphanumeric) User Defined (4-8 Alphanumeric) User Defined (5-7 Numeric) User Defined (5-7 Numeric) User Selectable User Selectable Deny 4 and 8 Digit PIN Deny 4 and 8 Digit PIN Deny Alphanumeric PIN Deny Alphanumeric PIN PASSCODE 16 Digit PASSCODE 16 Digit PASSCODE 4 Digit Password 4 Digit Password Next Tokencode Mode Next Tokencode Mode Next Tokencode Mode Load Balancing / Reliability Testing Failover (3-10 Replicas) Failover Name Locking Enabled Name Locking Enabled No RSA Authentication Manager No RSA Authentication Manager Additional Functionality RSA Software Token API Functionality System Generated PIN System Generated PIN User Defined (8 Digit Numeric) User Defined (8 Digit Numeric) User Selectable User Selectable Next Tokencode Mode Next Tokencode Mode Domain Credential Functionality Determine Cached Credential State N/A Determine Cached Credential State Set Domain Credential N/A Set Domain Credential Retrieve Domain Credential N/A Retrieve Domain Credential SWA = Pass = Fail N/A = Non-Available Function 9

Known Issues 1. Failed PIN creation via RADIUS with VPN Client. When a user fails to enter a PIN that matches the PIN criteria they will be prompted to enter their password again but will always fail as the information the user enters will not be sent to the RADIUS Server. The user needs to disconnect and reconnect to attempt to create the PIN again. 10

Appendix Node Secret: The Node Secret file is stored in flash on the Cisco PIX Security Appliance. To see this file run show flash. The Node Secret file will be named with the IP Address of the Primary RSA Authentication Server with a.sdi extention. Example 10-10-10-2.sdi RSA Software Token: If the Cisco VPN client detects that the RSA Software Token is installed (through the presence of stauto32.dll), users will be prompted for their PIN only. The tokencode displayed on the RSA Software Token is automatically coupled with the PIN and passed along to the RSA Authentication Manager. Cisco VPN Client software should be upgraded to version 2.5 if using RSA Software Token. You can enable and disable the ability of the Cisco VPN client 4.x and above to only prompt the user for their PIN when using the RSA Software Token adding the following setting in your profile file. This file is located by default in Program Files\Cisco Systems\VPN Client\Profiles. The file name is the name of the connection entry with a.pcf extension. SDIUseHardwareToken = 0 or 1 0 = Yes use RSA Software Token (default) 1 = No, ignore RSA Software Token installed on the PC. You can also change the prompts displayed to a user that is authenticating using RADIUS to better resemble a RSA SecurID authentication by setting the following parameter in the profile file. Setting this parameter will also enable the ability of a RADIUS authentication to use the PIN only prompt. RadiusSDI = 0 or 1 0 = No (default) 1 = Yes See the Cisco VPN client documentation for more information on these and other settings that can be used. 11

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback