RSA SecurID Ready Implementation Guide
Last modified: December 23, 2003

1. Partner Information

Partner Name: Cisco Systems
Web Site: www.cisco.com
Product Name: PIX
Product Description: The Cisco PIX Firewall series delivers strong security in an easy-to-install, integrated hardware/software firewall appliance that offers outstanding performance. Cisco's world-leading PIX Firewall family spans the entire user application spectrum, from compact, plug-and-play desktop firewalls for small/home offices to carrier-class gigabit firewalls for the most demanding enterprise and service provider environments. Cisco PIX Firewalls deliver superior performance of up to 500,000 simultaneous connections and nearly 1.7 Gigabits per second (Gbps) aggregate throughput, while providing Cisco customers world-class security, reliability and customer service.
Product Category: Perimeter Defense (Firewalls, VPNs & Intrusion Detection)

2. Contact Information

          Sales             Support
E-mail    n/a               cs-support-us@cisco.com
Phone     1-800-553-6387    1-800-553-6387
Web       www.cisco.com     www.cisco.com
3. Solution Summary

The PIX Firewall can be configured to authenticate users with RSA SecurID when they try to access services through the firewall (HTTP, FTP, Telnet), as well as when they try to initiate a VPN tunnel from a system running Cisco's VPN client.

Feature                                                     Details
Authentication Methods Supported                            RADIUS
RSA ACE/Agent Library Version                               N/A
RSA ACE 5 Locking                                           N/A
Replica RSA ACE/Server Support                              N/A
Secondary RADIUS Server Support                             Yes (unlimited)
Location of Node Secret on Client                           N/A
RSA ACE/Server Agent Host Type                              Communication server
RSA SecurID User Specification                              Designated users, all users
RSA SecurID Protection of Partner Product Administrators    No
RSA Software Token Integration                              No

4. Product Requirements

• PIX OS 4.2(2) and above for firewall functionality.
• PIX OS 5.1(2) and above for VPN functionality.
• Cisco VPN client 3.x
5. RSA ACE/Server configuration

Perform the following steps to set up the PIX Firewall as an Agent Host within the RSA ACE/Server's database.

• On the RSA ACE/Server computer, click Start, click Programs, click RSA ACE/Server, and then click Database Administration - Host Mode.
• On the Agent Host menu, click Add Agent Host....
  o In Name, type the FQDN of the PIX Firewall device.
  o In Network address, type the IP address of the PIX Firewall device.
  o Under Assign/Change Encryption Key, enter the RADIUS secret. This must match the encryption key entered on the PIX Firewall device.
  o Under Secondary Nodes, define all hostnames/IP addresses that resolve to the PIX Firewall device.

Note: It is important that all hostnames and IP addresses resolve to each other. Please reference the RSA ACE/Server documentation for detailed information on this and other configuration parameters within this screen. You can also select the 'Help' button at the bottom of the screen.
6. Partner RSA ACE/Agent configuration

Before You Begin

This section provides instructions for integrating the Cisco PIX with RSA SecurID. This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of the two products to perform the tasks outlined in this section and access to the documentation for both in order to install the required software components. All products/components need to be installed and working prior to this integration. Perform the necessary tests to confirm that this is true before proceeding.

Firewall configuration

Log onto the Cisco PIX and enter enable mode by typing "enable" and giving the enable password. Then enter configuration mode by typing "config t". You are now able to enter the commands below to turn on authentication. Once you are done entering the commands, type "write mem" <CR> and then "exit" <CR>. To turn off one of the commands, put the word "no" in front of the command line.

The "aaa" command lines turn on authentication and tell the communication server what to authenticate and which protocol to use. The RADIUS or TACACS commands tell the communication server the IP address of the TACACS or RADIUS server, the timeout value and the encryption key. The encryption key needs to be the same string on the TACACS or RADIUS server.

6.x IOS:

  aaa-server TACACS+ protocol tacacs+
  aaa-server partner-auth protocol radius
  aaa-server partner-auth (inside) host 10.100.50.37 sharedsecret timeout 30
  aaa authentication include ftp outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 partner-auth
  aaa authentication include http outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 partner-auth
  aaa authentication include telnet outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 partner-auth

Prior to 6.x IOS:

  tacacs-server (inside) host xxx.xxx.xxx.xxx "your key" timeout 3
  radius-server (inside) host xxx.xxx.xxx.xxx "your key" timeout 30
  aaa authentication ftp inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 radius
  aaa authentication http inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 tacacs+
  aaa authentication telnet inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 tacacs+

Note: You can also enter the word "any" in place of the service (ftp, telnet, etc.) to have all services use authentication.
VPN configuration

Log onto the Cisco PIX and enter enable mode by typing "enable" and giving the enable password. Then enter configuration mode by typing "config t". You are now able to enter the commands below to turn on authentication. Once you are done entering the commands, type "write mem" <CR> and then "exit" <CR>. To turn off one of the commands, put the word "no" in front of the command line.

Below is a sample configuration used for token-based xauth by the PIX Firewall for VPN clients, with RSA ACE/Server and RSA SecurID as the AAA server, to establish a secure connection.

1. Create a pool of IP addresses for your clients to use:

  ip local pool mypool 10.100.50.60-10.100.50.65

2. Create the RADIUS servers. The word "partner-auth" in the aaa-server command is a keyword that needs to match the keyword in the crypto map command in Step 3.

  aaa-server partner-auth protocol radius
  aaa-server partner-auth (inside) host 10.100.50.37 MYSECRET timeout 20

3. Create an ISAKMP policy and define the hash algorithm. The word "token" in the command "crypto map newmap client token authentication partner-auth" is optional for the Cisco VPN Client version 3.x and the Cisco Secure VPN Client version 1.1.

  crypto ipsec transform-set myset esp-des esp-sha-hmac
  crypto dynamic-map mydynmap 10 set transform-set myset
  crypto map newmap 10 ipsec-isakmp dynamic mydynmap
  crypto map newmap client configuration address initiate
  crypto map newmap client configuration address respond
  crypto map newmap client token authentication partner-auth
  crypto map newmap interface outside
  isakmp enable outside
  isakmp key mysecretkey address 0.0.0.0 netmask 0.0.0.0
  isakmp identity hostname
  isakmp client configuration address-pool local mypool outside
  isakmp policy 10 authentication pre-share
  isakmp policy 10 encryption des
  isakmp policy 10 hash sha
  isakmp policy 10 group 1
  isakmp policy 10 lifetime 86400

4. For the Cisco VPN Client version 3.x and above, you may need to change the existing IKE/ISAKMP policy or add another policy, depending on the requirements, using the following command:

  isakmp policy <policy number>

5. For the Cisco VPN Client version 3.x, the vpngroup command configuration is also needed.

  vpngroup myvpngroup address-pool mypool
  vpngroup myvpngroup dns-server 10.100.8.250
  vpngroup myvpngroup wins-server 10.100.8.21
  vpngroup myvpngroup default-domain securitydynamics.com
  vpngroup myvpngroup split-tunnel myaccesslist
  vpngroup myvpngroup password mysecretkey
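The firewall and VPN command sets above are tied together by names rather than by syntax: the aaa-server tag referenced by every "aaa authentication" and "crypto map ... authentication" line, the "ip local pool" referenced by the isakmp and vpngroup lines, and the shared secrets that must match the Agent Host encryption key on the RSA ACE/Server. A mistyped tag or a placeholder secret left in place is not caught by the PIX when the line is entered. The following Python script is an added example, not part of this guide or of PIX OS: it parses a constructed copy of the guide's 6.x commands (with the telnet line's tag deliberately mistyped) and reports references that do not resolve, plus any secret still carrying one of the guide's sample values. All function and variable names are assumptions made for this example.

```python
"""Consistency checks for the PIX 6.x AAA and VPN commands shown in this guide.

Added example (hypothetical helper, not part of the guide or of PIX OS).
"""
from collections import defaultdict

# Secrets that appear as placeholders in this guide; seeing them in a live
# configuration means the sample was copied without being changed.
GUIDE_SAMPLE_SECRETS = {"sharedsecret", "MYSECRET", "mysecretkey"}

# Constructed sample: the guide's commands, with the telnet line's server tag
# deliberately mistyped so the checker has a dangling reference to report.
SAMPLE_CONFIG = """
aaa-server partner-auth protocol radius
aaa-server partner-auth (inside) host 10.100.50.37 MYSECRET timeout 20
aaa authentication include ftp outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 partner-auth
aaa authentication include http outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 partner-auth
aaa authentication include telnet outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 partnerauth
ip local pool mypool 10.100.50.60-10.100.50.65
crypto map newmap client token authentication partner-auth
isakmp key mysecretkey address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local mypool outside
vpngroup myvpngroup address-pool mypool
vpngroup myvpngroup password mysecretkey
"""


def parse(config):
    """Collect what each command family defines or references, in config order."""
    facts = defaultdict(list)
    for line in config.strip().splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "aaa-server" and len(w) > 3 and w[2] == "protocol":
            facts["tag_defined"].append(w[1])
        elif w[0] == "aaa-server" and "host" in w:
            i = w.index("host")
            facts["tag_host"].append(w[1])
            if i + 2 < len(w):  # "host <ip> <secret> ..."
                facts["secrets"].append((f"aaa-server {w[1]}", w[i + 2]))
        elif w[:3] == ["aaa", "authentication", "include"]:
            facts["tag_ref"].append((f"aaa authentication {w[3]}", w[-1]))
        elif w[:2] == ["crypto", "map"] and "authentication" in w:
            facts["tag_ref"].append((f"crypto map {w[2]} xauth", w[-1]))
        elif w[:3] == ["ip", "local", "pool"]:
            facts["pool_defined"].append(w[3])
        elif w[:2] == ["isakmp", "key"] and len(w) > 2:
            facts["secrets"].append(("isakmp key", w[2]))
        elif w[0] == "isakmp" and "address-pool" in w and "local" in w:
            facts["pool_ref"].append(("isakmp client configuration", w[w.index("local") + 1]))
        elif w[0] == "vpngroup" and len(w) > 3 and w[2] == "address-pool":
            facts["pool_ref"].append((f"vpngroup {w[1]}", w[3]))
        elif w[0] == "vpngroup" and len(w) > 3 and w[2] == "password":
            facts["secrets"].append((f"vpngroup {w[1]}", w[3]))
    return facts


def check(config):
    """Return a list of human-readable findings; an empty list means consistent."""
    f = parse(config)
    findings = []
    defined, with_host = set(f["tag_defined"]), set(f["tag_host"])
    for where, tag in f["tag_ref"]:
        if tag not in defined:
            findings.append(f"{where}: undefined aaa-server tag '{tag}'")
        elif tag not in with_host:
            findings.append(f"{where}: aaa-server tag '{tag}' has no host line")
    for tag in f["tag_host"]:
        if tag not in defined:
            findings.append(f"aaa-server {tag}: host line without a protocol line")
    pools = set(f["pool_defined"])
    for where, pool in f["pool_ref"]:
        if pool not in pools:
            findings.append(f"{where}: undefined ip local pool '{pool}'")
    for where, secret in f["secrets"]:
        if secret in GUIDE_SAMPLE_SECRETS:
            findings.append(f"{where}: '{secret}' is a sample secret from the guide; replace it")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed sample it reports the dangling "partnerauth" tag and the three sample secrets; run against a corrected copy it reports nothing. It reads only the command forms shown in this guide, so lines it does not recognise are ignored rather than misreported.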
VPN client configuration

There are no parameters specific to SecurID authentication that you need to configure within the Cisco VPN client.

• Install and launch the Cisco VPN client.
• Click the New button to create an RSA SecurID connection entry. Fill in the appropriate information for the connection. The group name and password must match the configuration lines on the PIX from step 4 of the VPN configuration.
• Click Save.
• Highlight the connection created and click Connect. The user will now be prompted for authentication information.
7. Certification Checklist

Date Tested: December 23, 2003

Product Tested              Version
RSA ACE/Server              5.2
Cisco PIX 515 Firewall      6.3(3)
Cisco VPN Client            4.0.3 and 4.0.3C

Test                                          HTTP(*1)   FTP    TELNET   VPN
1st time auth. (node secret creation)
New PIN mode:
  System-generated
    Non-PINPAD token                          N/A        N/A    Pass     Pass
    PINPAD token                              N/A        N/A    Pass     Pass
  User-defined (4-8 alphanumeric)
    Non-PINPAD token                          N/A        N/A    Pass     Pass
    Password                                  N/A        N/A    Pass     Pass
  User-defined (5-7 numeric)
    Non-PINPAD token                          N/A        N/A    Pass     Pass
    PINPAD token                              N/A        N/A    Pass     Pass
    SoftID token                              N/A        N/A    Pass     Pass
  Deny 4 digit PIN                            N/A        N/A    Pass     Pass
  Deny Alphanumeric                           N/A        N/A    Pass     Pass
  User-selectable
    Non-PINPAD token                          N/A        N/A    Pass     Pass
    PINPAD token                              N/A        N/A    Pass     Pass
PASSCODE
  16 Digit PASSCODE                           Pass       Pass   Pass     Pass
  4 Digit Password                            Pass       Pass   Pass     Pass
  "Pin-less" TokenCode                        Pass       Pass   Pass     Pass
Next Tokencode mode
  Non-PINPAD token                            N/A        N/A    Pass     Pass
  PINPAD token                                N/A        N/A    Pass     Pass
Software Token API Authentication (*2)
  New PIN Mode                                N/A        N/A    N/A      N/A
  16 Digit PASSCODE                           N/A        N/A    N/A      N/A
Failover                                      Pass       Pass   Pass     Pass
User Lock Test (RSA ACE Lock Function)
  No RSA ACE/Server                           Pass       Pass   Pass     Pass

MPR / SWA

N/A = Non-available function
(*) = See Known Issues section
8. Known Issues

1. As shown in the Checklist in Section 7, the basic configuration of the PIX firewall to support RSA SecurID authentication of HTTP and FTP service access does not allow for New PIN and Next Tokencode modes. You can, however, configure the use of virtual servers on the PIX to allow the use of New PIN and Next Tokencode modes via HTTP. Please reference the PIX documentation for more information on how this is done. The Cisco PIX Firewall Command Reference has some good information on this subject under the command "virtual". The Appendix below describes how it works, but does not get into the specifics of the configuration.

2. The Cisco VPN client is integrated with the RSA Software Token API only when used with the Cisco VPN 3000 Series concentrator. This support will be added for the PIX Firewall VPN in a later release. Contact Cisco for more information.

Appendix

The PIX Firewall can support New PIN and/or Next Tokencode via HTTP authentication by configuring a 'virtual server' on the PIX. New PIN/Next Tokencode modes require the PIX to issue two authentication challenges: one for user/pass, and a second for the next token or new PIN. Essentially it redirects the browser to the virtual telnet. In other words, it won't work with HTTP by default, but it will work if you configure both virtual http and virtual telnet. The way it works is that the user is first authenticated using the WWW-Authenticate directive of the HTTP protocol. If the RSA ACE/Server comes back with a subsequent challenge for next token or new PIN, the PIX redirects the browser to the virtual telnet server and the browser automatically opens a telnet window for the next token / new PIN prompt.

1. Don't configure both virtual http and virtual telnet at the same time. Configure and test each one separately. First enable virtual http and test basic authentication using a browser (not next token mode). If virtual http is working, configure and test virtual telnet using a telnet client: clear uauth, then simply telnet to the virtual address and authenticate. Once they are both working, test next token / new PIN using a browser.

2. Choose a unique address for each virtual server. Each address should be routable from the clients to the PIX and should not be in use by any device on the network. Do not choose the same address for virtual http and virtual telnet; two separate addresses are required.

3. If you have trouble after enabling either virtual http or virtual telnet, keep in mind that certain versions of the PIX may require static routes to be added for the virtual addresses. The virtual address has to be routed by the PIX to some other interface than the one the clients come in on. Newer versions of the PIX will do this automatically; older versions may need static routes.
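The "two challenges" the Appendix describes are visible on the wire between the PIX (the RADIUS client) and the RSA ACE/Server: the first Access-Request carries PIN plus tokencode, the server answers with an Access-Challenge that includes a State attribute and a Reply-Message prompt, and only a second Access-Request that echoes that State and carries the following tokencode earns an Access-Accept. A single WWW-Authenticate round has nowhere to put that second prompt, which is why the guide routes it through virtual telnet. The Python below is an added example, not code from this guide, RSA or Cisco: it implements the RFC 2865 packet format, User-Password hiding and Response Authenticator check, and uses a toy in-process stand-in for the ACE/Server so both legs can be run offline. The user record, PIN, tokencodes, shared secrets and the Reply-Message text are constructed test values, and all names are assumptions made for this example.

```python
"""RADIUS Access-Request / Access-Challenge round trip, as used for Next Tokencode.
Added example; the server below is a toy stand-in for the RSA ACE/Server."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
SERVER_SECRET = b"sharedsecret"  # constructed; equals the Agent Host encryption key


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def pack(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def unpack(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    rest, attrs = packet[20:length], []
    while rest:
        attrs.append((rest[0], rest[2:rest[1]]))
        rest = rest[rest[1]:]
    return code, ident, packet[4:20], attrs


def response(code, ident, req_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + req_auth + body + secret).digest() + body


def verify_response(resp, req_auth, secret):
    code, ident, auth, attrs = unpack(resp)
    return auth == response(code, ident, req_auth, attrs, secret)[4:20]


# Toy ACE/Server: PIN + current tokencode on the first leg; when the token is in
# Next Tokencode mode, the following tokencode alone on a second, State-bound leg.
USERS = {b"alice": {"pin": b"1234", "codes": [b"111111", b"222222"], "next_tokencode": True}}
PENDING = {}  # State value -> user awaiting the second leg


def toy_ace_server(packet):
    code, ident, req_auth, attrs = unpack(packet)
    a = dict(attrs)
    rec = USERS.get(a.get(USER_NAME))
    if code != ACCESS_REQUEST or rec is None or USER_PASSWORD not in a:
        return response(ACCESS_REJECT, ident, req_auth, [], SERVER_SECRET)
    passcode = reveal_password(a[USER_PASSWORD], SERVER_SECRET, req_auth)
    if STATE in a:  # second leg: State must be outstanding for this user
        ok = PENDING.pop(a[STATE], None) == a[USER_NAME] and passcode == rec["codes"][1]
        return response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, [], SERVER_SECRET)
    if passcode != rec["pin"] + rec["codes"][0]:
        return response(ACCESS_REJECT, ident, req_auth, [], SERVER_SECRET)
    if rec["next_tokencode"]:
        state = os.urandom(8)
        PENDING[state] = a[USER_NAME]
        return response(ACCESS_CHALLENGE, ident, req_auth, [
            (REPLY_MESSAGE, b"Wait for the tokencode to change, then enter the new tokencode"),
            (STATE, state)], SERVER_SECRET)
    return response(ACCESS_ACCEPT, ident, req_auth, [], SERVER_SECRET)


def client_login(user, passcode, secret, state=None, ident=1):
    """One Access-Request from the PIX side; returns (response code, attributes)."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, user), (USER_PASSWORD, hide_password(passcode, secret, req_auth))]
    if state is not None:
        attrs.append((STATE, state))
    resp = toy_ace_server(pack(ACCESS_REQUEST, ident, req_auth, attrs))
    if not verify_response(resp, req_auth, secret):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    code, _, _, rattrs = unpack(resp)
    return code, dict(rattrs)


def next_tokencode_flow(secret=SERVER_SECRET):
    """Runs both legs; returns the list of response codes seen."""
    code1, attrs1 = client_login(b"alice", b"1234111111", secret)
    if code1 != ACCESS_CHALLENGE:
        return [code1]
    # This second prompt is what a single HTTP basic-auth round cannot carry.
    code2, _ = client_login(b"alice", b"222222", secret, state=attrs1[STATE], ident=2)
    return [code1, code2]
```

Two details matter for the deployment described in the guide. The State attribute is opaque to the PIX and must be echoed unchanged, so whatever front end collects the second prompt (here, virtual telnet) has to stay within the same RADIUS conversation. And the Response Authenticator is computed over the shared secret, so a mismatch between the Agent Host encryption key and the aaa-server secret shows up as an authenticator failure on every reply, not as a user-level reject.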