Cisco PIX. Quick Start Guide. Copyright 2006, CRYPTOCard Corporation, All Rights Reserved


2006.08.23 http://www.cryptocard.com

Table of Contents

  Purpose
  Prerequisites
  Configure the CRYPTO-Server
    RadiusProtocol NAS.# Keys
    Verifying the CRYPTO-Server RADIUS Protocol Settings
  Configure the PIX
    Setting the Authentication Protocol
    Defining the RADIUS Server
    Configuring RADIUS Authentication
    Adding RADIUS Accounting
    Testing the Authentication Server

For assistance mailto:support@cryptocard.com

Purpose

The intent of this document is to present the necessary steps to configure a Cisco PIX Firewall for use with CRYPTOCard authentication.

Prerequisites

To authenticate remote users with CRYPTOCard tokens, the following items must be properly installed and configured:

  - A PIX Firewall running PIX OS 5.3 or higher, configured to authenticate users via an external AAA server
  - CRYPTO-Server acting as a RADIUS server to the Cisco PIX, OR Cisco Secure 3.0+, Funk Steel-Belted RADIUS 3.0+ or Microsoft IAS 2003 configured to use the CRYPTO-Server
  - An end-user client able to connect to a network service through the PIX
  - A valid CRYPTOCard token assigned to a user in the CRYPTO-Server database

The following information is also required:

  IP address of the RADIUS server:
  Port number used by the RADIUS server:
  RADIUS shared secret:

Configure the CRYPTO-Server

If you wish to use the CRYPTO-Server as your RADIUS server, you must verify that it is configured to accept RADIUS communication from the Cisco PIX. Connect to the CRYPTO-Server using the Console and choose Server -> System Configuration & Status from the menu. In the Entity column, choose RadiusProtocol. Next, look at the Value corresponding to the key NAS.2. The value of this key defines which RADIUS clients are allowed to connect to the CRYPTO-Server, and the shared secret they must use.

RadiusProtocol NAS.# Keys

By default, the CRYPTO-Server is configured to listen for RADIUS requests over UDP port 1812, from any host on the same subnet, using a shared secret of testing123. You can manually define as many RADIUS clients as desired by adding NAS.# entries to the CRYPTO-Server configuration. The syntax of the data for a NAS entry is as follows:

  <First IP>, <Last IP>, <Hostname>, <Shared Secret>, <Perform Reverse Lookup?>, <Authentication Protocols>

Where:

  <First IP>: The first IP address of the RADIUS client(s) configured in this NAS.# key.

  <Last IP>: The last IP address of the RADIUS client(s) configured in this NAS.# key. If only one IP address is defined by a NAS.# key, the <First IP> and <Last IP> will be the same.

  <Hostname>: Only applies in cases where the NAS.# key is for one host. Required for performing reverse lookup.

  <Shared Secret>: A string used to encrypt the password being sent between the CRYPTO-Server and the RADIUS client (i.e. the PIX). You will need to enter the exact same string into the PIX in the section Configure the PIX below. The <Shared Secret> string can be any combination of numbers, and uppercase and lowercase letters.

  <Perform Reverse Lookup?>: An added security feature of the CRYPTO-Server is its ability to verify the authenticity of a RADIUS client by cross-checking its IP address with the Domain Name Server. If this value is set to true, when the CRYPTO-Server receives a RADIUS request from the RADIUS client defined by this NAS.# entry, it sends a request to the DNS using the hostname set in the NAS.# entry. The DNS should respond with the same IP address as configured in the NAS.# entry; otherwise the CRYPTO-Server assumes that the RADIUS packet is coming from some other host posing as the RADIUS client, and ignores the request completely.

  <Authentication Protocols>: There are many different authentication protocols that can be used during RADIUS authentication. Common examples are PAP, CHAP, MS-CHAP and EAP. This setting determines which authentication protocols the CRYPTO-Server will allow from a given RADIUS client. Currently PAP and CHAP are the only available authentication protocols for RADIUS clients.

NOTE: After changing or adding a NAS.# entry, click the Apply button.

Verifying the CRYPTO-Server RADIUS Protocol Settings

The RADIUSProtocol.dbg log on the CRYPTO-Server will include information about its RADIUS configuration.
Each time the Protocol Server starts, the following information is logged:

  Adding IP range 127.0.0.1 to 127.0.0.1 to ACL with reverse lookup set to false
  Adding IP range 192.168.21.1 to 192.168.21.254 to ACL with reverse lookup set to false
  RADIUS protocol has established link with EJB server at jnp://192.168.21.5:1099
  RADIUS Receiver Started: listening on port 1812 UDP.
  RADIUS Receiver Started: listening on port 1813 UDP.

This example indicates that the CRYPTO-Server is listening for RADIUS requests on UDP port 1812 (for authentication) and 1813 (for accounting), and accepts RADIUS clients within the IP range 192.168.21.1 to 192.168.21.254. No reverse lookup is being performed for either range.

(On Windows the RADIUSProtocol.dbg file is located under Program Files\CRYPTOCard\CRYPTO-Server\bin.)
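As an added example (not CRYPTOCard's own code), the following Python models the NAS.# entry syntax and the admission rule described above: each entry is parsed into its six fields, a request is matched against the configured IP ranges, the reverse-lookup check is enforced when the entry enables it, and protocols the entry does not list are refused. The '/' separator inside the protocol list, the hostnames, the S3cretPix secret and the FAKE_DNS table are constructed assumptions; real DNS is replaced by a lookup table so the code runs offline.

```python
"""Model of the CRYPTO-Server NAS.# entry syntax and client admission rule.

Added example, not CRYPTOCard code. Entry format as given in the guide:
  <First IP>, <Last IP>, <Hostname>, <Shared Secret>, <Perform Reverse Lookup?>, <Authentication Protocols>
The '/' separator inside the protocol list, the hostnames, the S3cretPix secret
and the FAKE_DNS table are constructed assumptions for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class NasEntry:
    first_ip: ipaddress.IPv4Address
    last_ip: ipaddress.IPv4Address
    hostname: str
    shared_secret: str
    reverse_lookup: bool
    protocols: List[str]

    def contains(self, ip: ipaddress.IPv4Address) -> bool:
        return self.first_ip <= ip <= self.last_ip


def parse_nas_entry(value: str) -> NasEntry:
    """Parse one NAS.# value into a NasEntry, rejecting malformed entries."""
    fields = [f.strip() for f in value.split(",")]
    if len(fields) != 6:
        raise ValueError(f"expected 6 comma-separated fields, got {len(fields)}")
    first, last, host, secret, reverse, protos = fields
    first_ip, last_ip = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if last_ip < first_ip:
        raise ValueError("last IP precedes first IP")
    if not secret or not secret.isalnum():
        # the guide allows only digits and upper/lowercase letters in the secret
        raise ValueError("shared secret must be a non-empty alphanumeric string")
    if reverse.lower() not in ("true", "false"):
        raise ValueError("reverse lookup flag must be true or false")
    return NasEntry(first_ip, last_ip, host, secret, reverse.lower() == "true",
                    [p.strip().upper() for p in protos.split("/") if p.strip()])


Resolver = Callable[[str], Optional[str]]


def admit_client(entries: List[NasEntry], client_ip: str, protocol: str,
                 resolve: Resolver) -> Optional[NasEntry]:
    """Return the NAS entry that admits the request, or None when the server
    should ignore it: no range matches, the reverse lookup disagrees with the
    configured address, or the entry does not allow the protocol."""
    ip = ipaddress.IPv4Address(client_ip)
    for entry in entries:
        if not entry.contains(ip):
            continue
        # Guide: with reverse lookup on, DNS must return the configured address,
        # otherwise the packet is treated as coming from an impostor and dropped.
        if entry.reverse_lookup and resolve(entry.hostname) != str(ip):
            return None
        if protocol.upper() not in entry.protocols:
            return None
        return entry
    return None


# Constructed sample configuration; NAS.1 and NAS.2 mirror the guide's defaults.
SAMPLE_NAS: Dict[str, str] = {
    "NAS.1": "127.0.0.1, 127.0.0.1, localhost, testing123, false, PAP/CHAP",
    "NAS.2": "192.168.21.1, 192.168.21.254, , testing123, false, PAP/CHAP",
    "NAS.3": "192.168.10.1, 192.168.10.1, pix.example.test, S3cretPix, true, PAP",
}
# Constructed stand-in for the DNS so the example runs offline.
FAKE_DNS: Dict[str, str] = {"localhost": "127.0.0.1", "pix.example.test": "192.168.10.1"}


def load_entries(config: Dict[str, str] = SAMPLE_NAS) -> List[NasEntry]:
    return [parse_nas_entry(v) for _, v in sorted(config.items())]


def check(client_ip: str, protocol: str, dns: Dict[str, str] = FAKE_DNS) -> Optional[NasEntry]:
    return admit_client(load_entries(), client_ip, protocol, dns.get)


if __name__ == "__main__":
    for ip, proto in [("192.168.21.7", "PAP"), ("192.168.10.1", "PAP"),
                      ("192.168.10.1", "CHAP"), ("10.0.0.5", "PAP")]:
        entry = check(ip, proto)
        print(f"{ip} {proto}: {'admitted' if entry else 'ignored'}")
```

The model makes the guide's trade-off visible: a wide range such as NAS.2 with reverse lookup off admits any host in the subnet that knows the secret, whereas a single-host entry with reverse lookup on (NAS.3) also requires the DNS answer to agree with the configured address, so a request from a spoofed source in that range is dropped rather than answered.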

Configure the PIX

In order for the PIX Firewall to authenticate CRYPTOCard token users, the RADIUS server associated with the CRYPTO-Server must be included in the PIX configuration. That RADIUS server must then be associated with the desired service that we wish to protect with CRYPTOCard token authentication.

Setting the Authentication Protocol

To define RADIUS as an authentication method, add the following to the PIX configuration:

  aaa-server CRYPTOCARD protocol radius

where CRYPTOCARD is the name given to this authentication scheme, and the scheme will use the RADIUS protocol.

Defining the RADIUS Server

Add the following to the PIX configuration:

  aaa-server CRYPTOCARD (inside) host 192.168.10.12 testing123 timeout 30

This defines the authentication server for the authentication scheme defined above. The IP address of the RADIUS authentication server is 192.168.10.12, the shared secret is testing123, and the timeout is 30 seconds.

Note: By default, the PIX sends RADIUS authentication requests to UDP port 1645 of the RADIUS server, and accounting requests to port 1646. Some RADIUS servers (such as CRYPTO-Server) default to port 1812 for authentication and 1813 for accounting. To configure the PIX to use these ports instead of the defaults, issue the following commands to the PIX:

  aaa-server radius-authport 1812
  aaa-server radius-acctport 1813

Note: The PIX firewall must be configured as a client to the RADIUS server. The RADIUS server must have a configuration that matches the one listed above to be able to receive authentication requests from the PIX firewall. See the documentation for your particular RADIUS server for details on how to set up a RADIUS client.
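The shared secret entered on both the PIX and the RADIUS server is what ties the two together. As an added example, not code from CRYPTOCard or Cisco, the following Python implements the two places RFC 2865 uses that secret for PAP: hiding the User-Password attribute in the Access-Request with MD5(secret + Request Authenticator), and computing and checking the Response Authenticator on the server's reply. The usernames, addresses, identifiers and one-time-password values are constructed; nothing is sent on the network.

```python
"""RFC 2865 Access-Request construction and reply verification for PAP.

Added example, not CRYPTOCard or Cisco code. Shows what the RADIUS shared
secret does on the wire: it hides the User-Password attribute and it
authenticates the server's reply. Only the standard library is used.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, then chain
    c_i = p_i XOR MD5(secret + c_{i-1}) with c_0 = Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def unhide_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password (what the server does before checking the OTP).
    Trailing NUL padding is stripped, so the password itself must not end in NUL."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, ident: int, username: str, password: str,
                         nas_ip: str, request_auth: Optional[bytes] = None) -> bytes:
    """Build an Access-Request as the NAS (the PIX) would send it to UDP/1812.
    request_auth is normally 16 random bytes; it may be fixed for testing."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(secret, request_auth, password.encode()))
             + _attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(secret: bytes, request: bytes, code: int, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    ident, request_auth = request[1], request[4:20]
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """Client side: recompute the Response Authenticator and reject the reply
    on mismatch (wrong secret, tampered reply, or a reply for another request)."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


if __name__ == "__main__":
    secret = b"testing123"                       # the guide's documented default
    req = build_access_request(secret, 1, "TestToken", "48213956", "192.168.10.1")
    reply = build_response(secret, req, ACCESS_ACCEPT)
    print("reply verifies with matching secret:", verify_response(secret, req, reply))
    print("reply verifies with wrong secret:   ", verify_response(b"other", req, reply))
```

When the secrets differ, the server unhides the wrong password and the PIX cannot verify the reply's authenticator, so the login fails without any message naming the secret as the cause; comparing the secret on both sides is the first troubleshooting step. Because this MD5 construction is the only protection on the one-time password in transit, a deployment should replace the documented default testing123 with a long random value and keep the NAS.# range limited to the PIX's address.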
Configuring RADIUS Authentication

For every service that should be protected by CRYPTOCard authentication, add a line to the PIX configuration:

  aaa authentication ftp inbound 0 0 0 0 CRYPTOCARD

Later versions of PIX OS use the following syntax:

  aaa authentication include ftp outside 0 0 0 0 CRYPTOCARD

In this case, we are specifying that a connection attempt to any inside host from any outside host for the File Transfer Protocol (FTP) service will require authentication using the CRYPTOCARD authentication profile (see above).

Adding RADIUS Accounting

To log accounting packets for users authenticated by the RADIUS server, add the following to the PIX configuration:

  aaa accounting any inbound 0 0 0 0 CRYPTOCARD

Later versions of PIX OS use the following syntax:

  aaa accounting include any outside 0 0 0 0 CRYPTOCARD

In this case, we are specifying that accounting information for connections from any host on the external network to any service will be logged to the server defined in the CRYPTOCARD profile (see above).

Testing the Authentication Server

Once the PIX has been configured as specified above, test the configuration by connecting from the outside host to a service on the inside host. In the example below, we have created a CRYPTOCard user account TestToken and use that account to connect to a Telnet server on the inside (protected) network from an outside host. The outside network is 192.168.50.x, and the NAT address of the Telnet server is 192.168.50.4. When we open a Telnet connection to 192.168.50.4 we are prompted for a username and password. We enter TestToken as the username and provide the one-time password generated by our token as the password (the password is not echoed to the screen when typed). Once we are authenticated by the CRYPTO-Server, we are passed through to the Telnet login, where we enter our regular Telnet account information (as required by the Telnet server).