Cisco PIX Quick Start Guide
Copyright 2006, CRYPTOCard Corporation, All Rights Reserved. 2006.08.23
http://www.cryptocard.com
Table of Contents

Purpose ... 1
Prerequisites ... 1
Configure the CRYPTO-Server ... 2
    RadiusProtocol NAS.# Keys ... 2
    Verifying the CRYPTO-Server RADIUS Protocol Settings ... 3
Configure the PIX ... 3
    Setting the Authentication Protocol ... 4
    Defining the RADIUS Server ... 4
    Configuring RADIUS Authentication ... 4
    Adding RADIUS Accounting ... 5
    Testing the Authentication Server ... 5

For assistance mailto:support@cryptocard.com
Purpose

The intent of this document is to present the necessary steps to configure a Cisco PIX Firewall for use with CRYPTOCard authentication.

Prerequisites

In order to authenticate remote users with CRYPTOCard tokens, the following items must be properly installed and configured:

- A PIX Firewall running PIX OS 5.3 or higher, configured to authenticate users via an external AAA server
- A CRYPTO-Server acting as a RADIUS server to the Cisco PIX, OR Cisco Secure 3.0+, Funk Steel Belted Radius 3.0+ or Microsoft IAS 2003 configured to use the CRYPTO-Server
- An end-user client able to connect to a network service through the PIX
- A valid CRYPTOCard token assigned to a user in the CRYPTO-Server database

The following information is also required:

- IP address of the RADIUS server
- Port number used by the RADIUS server
- RADIUS shared secret
Configure the CRYPTO-Server

If you wish to use the CRYPTO-Server as your RADIUS server, you must verify that it is configured to accept RADIUS communication from the Cisco PIX. Connect to the CRYPTO-Server using the Console and choose Server -> System Configuration & Status from the menu. In the Entity column, choose RadiusProtocol. Next, look at the Value corresponding to the key NAS.2. The value of this key defines which RADIUS clients are allowed to connect to the CRYPTO-Server, and the shared secret they must use.

RadiusProtocol NAS.# Keys

By default, the CRYPTO-Server is configured to listen for RADIUS requests over UDP port 1812, from any host on the same subnet, using a shared secret of testing123. You can manually define as many RADIUS clients as desired by adding NAS.# entries to the CRYPTO-Server configuration. The syntax of the data for a NAS entry is as follows:

    <First IP>, <Last IP>, <Hostname>, <Shared Secret>, <Perform Reverse Lookup?>, <Authentication Protocols>

Where:
<First IP>: The first IP address of the RADIUS client(s) configured in this NAS.# key.

<Last IP>: The last IP address of the RADIUS client(s) configured in this NAS.# key. If only one IP address is defined by a NAS.# key, <First IP> and <Last IP> will be the same.

<Hostname>: Only applies where the NAS.# key is for one host. Required for performing reverse lookup.

<Shared Secret>: A string used to encrypt the password sent between the CRYPTO-Server and the RADIUS client (i.e. the PIX). You will need to enter exactly the same string into the PIX in the section Configure the PIX below. The <Shared Secret> string can be any combination of numbers and uppercase and lowercase letters.

<Perform Reverse Lookup?>: An added security feature of the CRYPTO-Server is its ability to verify the authenticity of a RADIUS client by cross-checking its IP address with the Domain Name Server. If this value is set to true, then when the CRYPTO-Server receives a RADIUS request from the RADIUS client defined by this NAS.# entry, it sends a request to the DNS using the hostname set in the NAS.# entry. The DNS should respond with the same IP address as configured in the NAS.# entry; otherwise the CRYPTO-Server assumes that the RADIUS packet is coming from some other host posing as the RADIUS client, and ignores the request completely.

<Authentication Protocols>: There are many different authentication protocols that can be used during RADIUS authentication. Common examples are PAP, CHAP, MS-CHAP and EAP. This setting determines which authentication protocols the CRYPTO-Server will allow from a given RADIUS client. Currently PAP and CHAP are the only authentication protocols available for RADIUS clients.

NOTE: After changing or adding a NAS.# entry, click the Apply button.

Verifying the CRYPTO-Server RADIUS Protocol Settings

The RADIUSProtocol.dbg log on the CRYPTO-Server will include information about its RADIUS configuration.
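Returning to the NAS.# entry syntax described in the previous subsection, the following Python is an added illustration (not part of the original guide or of CRYPTOCard's software) of the admission decision those fields encode: a request is accepted only if its source address lies in the entry's range, the requested protocol is permitted, and, when reverse lookup is enabled, the configured hostname resolves back to that address. The NAS values, the hostname pix.example.test and the dictionary standing in for DNS are constructed for the example; the guide does not state how the <Authentication Protocols> field is delimited, so a comma-separated list is assumed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass
class NasEntry:
    first_ip: ipaddress.IPv4Address
    last_ip: ipaddress.IPv4Address
    hostname: str
    shared_secret: str
    reverse_lookup: bool
    protocols: tuple

def parse_nas_entry(value: str) -> NasEntry:
    """Parse one NAS.# value (fields as listed above). Assumed: the protocol list
    is itself comma-separated, so it takes every field after the fifth."""
    fields = [f.strip() for f in value.split(",")]
    if len(fields) < 6:
        raise ValueError("NAS entry needs at least 6 comma-separated fields")
    first, last = ipaddress.IPv4Address(fields[0]), ipaddress.IPv4Address(fields[1])
    if last < first:
        raise ValueError("<Last IP> must not precede <First IP>")
    reverse = fields[4].lower() == "true"
    if reverse and (first != last or not fields[2]):
        # Reverse lookup only applies to a single-host entry that names the host.
        raise ValueError("reverse lookup requires a single-host entry with a <Hostname>")
    return NasEntry(first, last, fields[2], fields[3], reverse,
                    tuple(p.upper() for p in fields[5:] if p))

def admit_client(entries: List[NasEntry], source_ip: str, protocol: str,
                 resolve: Callable[[str], Optional[str]]) -> Optional[NasEntry]:
    """Return the NAS entry that admits a request from source_ip using protocol, or None
    when the CRYPTO-Server would ignore it. `resolve` stands in for the DNS lookup."""
    src = ipaddress.IPv4Address(source_ip)
    for entry in entries:
        if not (entry.first_ip <= src <= entry.last_ip) or protocol.upper() not in entry.protocols:
            continue
        if entry.reverse_lookup and resolve(entry.hostname) != str(src):
            # DNS disagrees with the configured address: treat it as a host posing as the client.
            return None
        return entry
    return None

# Constructed sample NAS.# values and a constructed DNS table (not CRYPTO-Server defaults).
SAMPLE_NAS = [
    parse_nas_entry("192.168.21.1, 192.168.21.254, , subnetSecret42, false, PAP, CHAP"),
    parse_nas_entry("192.168.10.12, 192.168.10.12, pix.example.test, pixSecret77, true, PAP"),
]
FAKE_DNS = {"pix.example.test": "192.168.10.12"}
```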
Each time the Protocol Server starts, the following information is logged:

    Adding IP range 127.0.0.1 to 127.0.0.1 to ACL with reverse lookup set to false
    Adding IP range 192.168.21.1 to 192.168.21.254 to ACL with reverse lookup set to false
    RADIUS protocol has established link with EJB server at jnp://192.168.21.5:1099
    RADIUS Receiver Started: listening on port 1812 UDP.
    RADIUS Receiver Started: listening on port 1813 UDP.

This example indicates that the CRYPTO-Server is listening for RADIUS requests on UDP port 1812 (for authentication) and 1813 (for accounting), and accepts RADIUS clients within the IP range 192.168.21.1 to 192.168.21.254. No reverse lookup is being performed.

Note: On Windows, the RADIUSProtocol.dbg file is located under Program Files\CRYPTOCard\CRYPTO-Server\bin.

Configure the PIX
In order for the PIX Firewall to authenticate CRYPTOCard token users, the RADIUS server associated with the CRYPTO-Server must be included in the PIX configuration. That RADIUS server must then be associated with the service you wish to protect with CRYPTOCard token authentication.

Setting the Authentication Protocol

To define RADIUS as an authentication method, add the following to the PIX configuration:

    aaa-server CRYPTOCARD protocol radius

where CRYPTOCARD is the name given to this authentication scheme, and the scheme uses the RADIUS protocol.

Defining the RADIUS Server

Add the following to the PIX configuration:

    aaa-server CRYPTOCARD (inside) host 192.168.10.12 testing123 timeout 30

This defines the authentication server for the authentication scheme defined above. The IP address of the RADIUS authentication server is 192.168.10.12, the shared secret is testing123, and the timeout is 30 seconds.

Note: By default, the PIX sends RADIUS authentication requests to UDP port 1645 of the RADIUS server and accounting requests to port 1646. Some RADIUS servers (such as CRYPTO-Server) default to port 1812 for authentication and 1813 for accounting. To configure the PIX to use these ports instead of the defaults, issue the following commands on the PIX:

    aaa-server radius-authport 1812
    aaa-server radius-acctport 1813

Note: The PIX firewall must be configured as a client of the RADIUS server. The RADIUS server must have a configuration matching the one above in order to receive Authentication Requests from the PIX firewall. See the documentation for your particular RADIUS server for details on how to set up a RADIUS client.
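To tie the RADIUSProtocol.dbg startup lines shown earlier to the PIX-side settings just described, here is an added Python check (not from the guide, and not CRYPTOCard's or Cisco's code) that reads those log lines and a PIX aaa-server fragment, then reports whether the PIX's source address falls inside a logged ACL range and whether the ports the PIX sends to are ones the server is listening on. The log text and PIX fragment are constructed from the examples on this page; the PIX source address 192.168.21.1 used in the check is assumed.

```python
import ipaddress
import re

# Constructed from the RADIUSProtocol.dbg startup lines shown in the guide.
CRYPTO_SERVER_LOG = """\
Adding IP range 127.0.0.1 to 127.0.0.1 to ACL with reverse lookup set to false
Adding IP range 192.168.21.1 to 192.168.21.254 to ACL with reverse lookup set to false
RADIUS protocol has established link with EJB server at jnp://192.168.21.5:1099
RADIUS Receiver Started: listening on port 1812 UDP.
RADIUS Receiver Started: listening on port 1813 UDP.
"""
# Constructed PIX fragment: server defined, but the radius-authport/acctport override omitted.
PIX_DEFAULT_PORTS = """\
aaa-server CRYPTOCARD protocol radius
aaa-server CRYPTOCARD (inside) host 192.168.21.5 testing123 timeout 30
"""
PIX_FIXED_PORTS = PIX_DEFAULT_PORTS + "aaa-server radius-authport 1812\naaa-server radius-acctport 1813\n"

ACL_RE = re.compile(r"Adding IP range (\S+) to (\S+) to ACL")
LISTEN_RE = re.compile(r"listening on port (\d+) UDP")
PORT_CMD_RE = re.compile(r"^aaa-server radius-(auth|acct)port (\d+)")

def parse_server_log(text):
    """Collect the ACL ranges and UDP listening ports announced at startup."""
    ranges = [(ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)) for lo, hi in ACL_RE.findall(text)]
    return ranges, {int(p) for p in LISTEN_RE.findall(text)}

def parse_pix_config(text):
    """Return the ports the PIX will send to; 1645/1646 unless overridden by radius-*port."""
    ports = {"authport": 1645, "acctport": 1646}
    for line in text.splitlines():
        m = PORT_CMD_RE.match(line.strip())
        if m:
            ports[m.group(1) + "port"] = int(m.group(2))
    return ports

def check_pix_against_server(pix_config, server_log, pix_source_ip):
    """Return the mismatches that would make the CRYPTO-Server ignore the PIX's requests."""
    ranges, listening = parse_server_log(server_log)
    ports = parse_pix_config(pix_config)
    src = ipaddress.IPv4Address(pix_source_ip)
    problems = []
    if not any(lo <= src <= hi for lo, hi in ranges):
        problems.append(f"PIX source {src} is outside every NAS.# ACL range")
    for kind in ("auth", "acct"):
        if ports[kind + "port"] not in listening:
            problems.append(f"PIX sends {kind} requests to UDP {ports[kind + 'port']}; "
                            f"server listens on {sorted(listening)}")
    return problems
```

With the fragment as the guide first shows it (no port override), the check reports both port mismatches; adding the two radius-*port commands clears them.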
Configuring RADIUS Authentication

For every service that should be protected by CRYPTOCard authentication, add a line to the PIX configuration:

    aaa authentication ftp inbound 0 0 0 0 CRYPTOCARD

Later versions of PIX OS use the following syntax:

    aaa authentication include ftp outside 0 0 0 0 CRYPTOCARD

In this case, we are specifying that a connection attempt to any inside host from any outside host for the File Transfer Protocol (FTP) service will require authentication using the CRYPTOCARD authentication profile (see above).
Adding RADIUS Accounting

In order to log accounting packets for users authenticated by the RADIUS server, add the following to the PIX configuration:

    aaa accounting any inbound 0 0 0 0 CRYPTOCARD

Later versions of PIX OS use the following syntax:

    aaa accounting include any outside 0 0 0 0 CRYPTOCARD

In this case, we are specifying that accounting information for connections from any host on the external network to any service will be logged to the server defined in the CRYPTOCARD profile (see above).

Testing the Authentication Server

Once the PIX has been configured as specified above, test the configuration by connecting from the outside host to a service on the inside host. In the example below, we have created a CRYPTOCard user account TestToken. We are using that account to connect to a Telnet server on the inside (protected) network from an outside host. The outside network is 192.168.50.x, and the NAT address of the Telnet server is 192.168.50.4.

When we open a Telnet connection to 192.168.50.4 we are prompted for a username and password. We enter TestToken as the username and provide the one-time password generated by our token as the password (the password is not echoed to the screen when typed). Once we are authenticated by the CRYPTO-Server, we are passed through to the Telnet login, where we enter our regular Telnet account information (as required by the Telnet server).