



Integrating Cisco ASA VPN
Clients with SafeWord Strong
Authentication
Version 1.0
Publication Date: June 2010





Information provided is confidential and proprietary to SafeNet, Inc. (“SafeNet”). SafeNet assumes no
responsibility or liability for the accuracy of the information contained in this presentation.

© 2010 SafeNet Inc. All rights reserved.

All attempts have been made to make the information in this document complete and accurate.
SafeNet is not responsible for any direct or indirect damages or loss of business resulting from
inaccuracies or omissions. The specifications in this document are subject to change without notice.


Date of Publication: June, 2010
Last update: Wednesday, June 02, 2010




Technical Support Information
SafeNet works closely with our reseller partners to offer the best worldwide Technical Support
services. Your reseller is the first line of support when you have questions about products and
services; however, if you require additional assistance, contact us directly.

Region: Contact
USA: +1 (800) 545-6608
International: +1 (410) 931-7520
Web-based ticketing and reporting
E-mail

About SafeNet and Aladdin Knowledge Systems
In 2007, SafeNet was acquired by Vector Capital, a $2 billion private equity firm specializing in the
technology sector.
Vector Capital acquired Aladdin in March of 2009, and placed it under common management with
SafeNet. Together, these global leading companies are the third largest information security company
in the world, which brings to market integrated solutions required to solve customers’ increasing
security challenges. SafeNet’s encryption technology solutions protect communications, intellectual
property and digital identities for enterprises and government organizations. Aladdin’s software
protection, licensing and authentication solutions protect companies’ information, assets and
employees from piracy and fraud. Together, SafeNet and Aladdin have a combined history of more
than 50 years of security expertise in more than 100 countries around the globe. Aladdin is expected
to be fully integrated into SafeNet in the future.
For more information, visit www.safenet-inc.com or www.aladdin.com.












Table of Contents

Solution Summary 3
Product Requirements 4
RADIUS and Virtual Private Network Background 5
Integrating Cisco ASA with SafeWord 6
Configure the SafeWord RADIUS Server to accept Cisco ASA RADIUS authentication requests 7
Configuring the ASA appliance for RADIUS authentication 8
Creating and configuring a RADIUS authentication server 8
Creating a VPN tunnel that requires strong authentication 12
Configuring the Cisco VPN Client and connecting to the Cisco ASA Appliance using two factor authentication 17



Solution Summary
Today’s decentralized business environments demand open, flexible access into the corporate
network for a wide range of users. In this environment, simple username/password
approaches are insufficient. By combining Cisco ASA or ACS appliances with SafeWord
strong, two-factor authentication, enterprises can meet strict security requirements with an
elegant solution that ensures utmost network protection. This solution allows companies to
extend their application infrastructure with high confidence and surprising ease.

The Cisco ASA appliance integrates full support for SafeWord authentication through the
standards-based RADIUS AAA protocol directly with the platform. The Cisco ASA
appliance’s Java-based administration interface provides a “point and browse” capability to
configure the RADIUS client for SafeWord authentication. This approach means that Cisco
ASA appliance users can quickly and easily leverage SafeWord two-factor authentication
solutions from any location, providing the highest level of protection over critical network
resources.


Product Requirements
For the instructions in this guide to be successful, the following must be installed
and configured:
• Cisco ASA Appliance
• SafeWord Server with RADIUS Server Agent.
For the purpose of this guide, the following network layout was used:
• SafeWord RADIUS Server IP: 10.52.41.123/24
• Cisco ASA Internal IP Address: 10.52.41.252/24
• Cisco ASA External IP Address: 66.162.147.204/248
• Windows XP Workstation with Cisco VPN client installed: 66.162.147.203/248




RADIUS and Virtual Private Network Background
As networks grow and branch out to remote locations, network security increases in
importance and administration complexity. Customers need to protect networks and network
services from unauthorized access by remote users. RADIUS is one of the protocols
commonly used to provide these solutions in today's inter-networks.

RADIUS protocol
Authentication is the process of identifying and verifying a user. Several methods can be
used to authenticate a user, but the most common includes a combination of user name and
password. Once a user is authenticated, authorization to various network resources and
services can be granted. Authorization determines what a user can do, and accounting is the
action of recording what a user is doing or has done.
The RADIUS protocols define the exchange of information between these components in
order to provide authentication, authorization, and accounting functionality. The RADIUS
protocol, as published by Livingston, is a method of managing the exchange of
authentication, authorization, and accounting information in the network. The RADIUS draft was
submitted to the Internet Engineering Task Force (IETF) as a draft standard in June, 1996.
RADIUS is a fully open protocol.

The RADIUS Server

The RADIUS Server is an authentication protocol server daemon that has been interfaced
with SafeWord through the EASSP protocol. It supports all of the RADIUS functionality
documented in Internet RFC 2138, and all functionality as documented in SafeWord
publications, with minor restrictions on multiple simultaneous dynamic password
authenticators. The RADIUS Server can be located on a separate computer, distinct from any
computer that houses the SafeWord AAA Server. It can also be located on the same
computer as the AAA Server.

RADIUS Server features
• Fully RFC 2138 compliant
• Supports group authorization
• User-specific attributes support
• CHAP support
• Vendor-Specific Attributes support
• RADIUS Proxy support
• RADIUS accounting support
• Extensive diagnostics level
Please refer to the SafeWord 2008 Administration Guide chapter: “Managing the RADIUS
Servers”.


The RADIUS Server and the RADIUS Client (in this case a VPN device) must know about
each other: the RADIUS Server knows the client’s IP address, and the RADIUS Client
knows the RADIUS Server’s IP address. Both must also hold one specific and unique
piece of information, a shared secret phrase. The RADIUS Server validates the client’s
authentication request by verifying that it comes from a known client IP address and that the
secret shared between them matches.


VPN (Virtual Private Network)
VPN is defined as a network that uses a public telecommunication infrastructure, such as the
Internet, to provide remote offices or individual users with secure access to their
organization's network. A virtual private network can be contrasted with an expensive system
of owned or leased lines that can only be used by one organization. The goal of a VPN is to
provide the organization with the same capabilities, but at a much lower cost.
A VPN works by using the shared public infrastructure while maintaining privacy through
security procedures and tunneling protocols such as the Layer Two Tunneling Protocol
(L2TP). In effect, the protocols, by encrypting data at the sending end and decrypting it at the
receiving end, send the data through a "tunnel" that cannot be "entered" by data that is not
properly encrypted. An additional level of security involves encrypting not only the data, but
also the originating and receiving network addresses.

Integrating Cisco ASA with SafeWord
This section provides instructions for integrating the partners’ product with SafeWord two-
factor authentication. This document is not intended to suggest optimum installations or
configurations.

It is assumed that the reader has both working knowledge of all products involved, and the
ability to perform the tasks outlined in this section. Administrators should have access to the
product documentation for all products in order to install the required components.

All vendor products and components must be installed and working prior to the integration.
Perform the necessary tests to confirm that this is true before proceeding.

All the administrative tasks to be performed on the Cisco ASA appliance are accomplished
through the Cisco ASDM Console v5.2 or higher.


Configure the SafeWord RADIUS Server to accept Cisco
ASA RADIUS authentication requests
To ensure the SafeWord RADIUS Server accepts the RADIUS authentication of the VPN
device, follow the instructions below:
1. On the server hosting the SafeWord RADIUS Server, click on Start > Programs >
Aladdin > SafeWord > Configuration > RADIUS Server Configuration. The
configuration wizard opens using Internet Explorer.
2. Right click on the ActiveX pop-up that displays at the top of your browser under the
address bar to accept the warning and allow blocked content.
3. Click Yes.
4. Click the RADIUS Client button. The RADIUS Client Wizard window opens.
5. Add the internal IP address of the Cisco ASA device and choose a secret phrase:
a. IP: 10.52.41.252 (ASA)
b. Secret: 123456 (Please note that it is imperative that the shared secret match on the
ASA and in the RADIUS configuration).

6. Click OK.

Configuring the ASA appliance for RADIUS
authentication
The following are the general, high-level steps required to activate SafeWord RADIUS
authentication within the Secure Access appliance.
• Create and configure a RADIUS authentication server within the Cisco ASA
ASDM administrator console.
• Create and configure an Authentication Server Group.
• Add RADIUS Servers to the newly created group.

• Test the configuration.
Creating and configuring a RADIUS authentication server
To create a RADIUS authentication server for use with SafeWord, do the following:

1. Log into the Cisco ASA administration console.
2. Click the Configuration icon at the top to expand the AAA Setup option, and then
select AAA Server Groups.





3. Click Add. The Add AAA Server Group wizard appears. Enter a name in the Server
Group field, and then click OK.


4. Add RADIUS Servers to the SafeWord AAA Server Group by selecting the SafeWord
AAA Server Group, and then clicking Add in the Servers in the Selected Group area.







5. The Add AAA Server Wizard opens.
a. Select the Interface Name: Inside
b. Enter the Server Name or IP address: 10.52.41.123
c. Set the Timeout: The default is 10 seconds
d. Enter the Server Authentication Port: 1812
e. Enter the Server Accounting Port: (If using the SafeWord Accounting
Server, use port 1813)
f. Enter the Retry Interval: The default is 10 seconds
g. Enter the Server Secret: 123456



6. Click OK. Apply all changes.
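To make the RADIUS background section and the server settings just entered concrete, here is an added example that is not part of the SafeNet guide. It models, in Python and in-process (real traffic is UDP to the authentication port 1812 configured above), the exchange between the ASA as RADIUS client and the SafeWord RADIUS server: the client hides the passcode under the shared secret and a fresh request authenticator, the server only answers clients whose source IP it knows, and the client accepts a reply only if the response authenticator proves the server holds the same secret (RFC 2138/2865 framing). The ASA inside address 10.52.41.252 and the secret 123456 are the values from this guide; the user name, passcode and the passcode check are constructed stand-ins for SafeWord's own one-time-passcode validation, which this code does not implement.

```python
"""Added example, not SafeNet or Cisco code: minimal RADIUS Access-Request /
Access-Accept exchange after RFC 2138/2865. Real traffic is UDP/1812; this
runs both sides in one process so the failure modes can be seen directly."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

# From the guide: the ASA's inside address and the secret chosen in the RADIUS
# Client Wizard. The user table and passcode check are constructed stand-ins.
CLIENTS = {"10.52.41.252": b"123456"}
USERS = {"alice": lambda passcode: passcode == b"1234567890"}


def _pack_attrs(pairs):
    """Type-Length-Value encoding; the length covers the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def _parse_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def _md5(*parts):
    return hashlib.md5(b"".join(parts)).digest()


def encode_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    pw = password.encode()
    pw = pw.ljust(max(1, (len(pw) + 15) // 16) * 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(pw), 16):
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], _md5(secret, prev)))
        out, prev = out + block, block
    return out


def decode_password(encoded, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, _md5(secret, prev)))
        prev = block
    return out


def _packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def _response_authenticator(code, ident, request_auth, attrs, secret):
    return _md5(struct.pack("!BBH", code, ident, 20 + len(attrs)), request_auth, attrs, secret)


def build_access_request(ident, username, passcode, secret, nas_ip):
    request_auth = os.urandom(16)  # fresh per request; keys the password hiding
    attrs = _pack_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, encode_password(passcode, secret, request_auth)),
        (ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
    ])
    return _packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_handle(packet, source_ip, clients=CLIENTS, users=USERS):
    """Server side: find the client by source IP, unhide the passcode with that
    client's secret, and sign the reply with a response authenticator."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    secret = clients.get(source_ip)
    if secret is None or code != ACCESS_REQUEST:
        return None  # unknown client: discarded silently, the ASA just sees a timeout
    request_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    passcode = decode_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth).rstrip(b"\x00")
    # A mismatched secret decodes to garbage here, so the answer is a reject.
    reply = ACCESS_ACCEPT if user in users and users[user](passcode) else ACCESS_REJECT
    return _packet(reply, ident, _response_authenticator(reply, ident, request_auth, b"", secret), b"")


def client_verify(response, ident, request_auth, secret):
    """Client side: trust the reply only if the identifier matches and the
    response authenticator was computed with the same shared secret."""
    code, rid, length = struct.unpack("!BBH", response[:4])
    attrs = response[20:length]
    if rid != ident or response[4:20] != _response_authenticator(code, rid, request_auth, attrs, secret):
        return None
    return code


def authenticate(nas_ip, username, passcode, nas_secret, ident=7):
    """One full exchange, reported the way the ASA test utility would show it."""
    packet, request_auth = build_access_request(ident, username, passcode, nas_secret, nas_ip)
    response = server_handle(packet, nas_ip)
    if response is None:
        return "no response"
    code = client_verify(response, ident, request_auth, nas_secret)
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "invalid response authenticator")


if __name__ == "__main__":
    for ip, secret, passcode in [("10.52.41.252", b"123456", "1234567890"),
                                 ("10.52.41.252", b"123456", "0000000000"),
                                 ("10.52.41.252", b"wrong", "1234567890"),
                                 ("10.52.41.99", b"123456", "1234567890")]:
        print(ip, secret, passcode, "->", authenticate(ip, "alice", passcode, secret))
```

The four cases in the main block correspond to what an administrator sees from the Test utility: a correct secret and passcode is accepted, a bad passcode is rejected, a secret typed differently on the ASA and in the RADIUS Client Wizard produces a reply the ASA cannot validate, and a request from an IP address the RADIUS server was never told about gets no reply at all until the retry interval expires.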

Testing the authentication server using Cisco ASA test utility

1. Using the Administration Console, select AAA Setup > AAA Server Groups,
and then highlight the SafeWord Server Group.
2. Select the RADIUS server in the selected group, and then click Test.



3. The Test Wizard window opens. Select the Authentication radio button, and then
enter a valid SafeWord user and a one time passcode.




If the test succeeds, Cisco ASA and SafeWord RADIUS are configured properly, and authentication requests sent
from the Cisco ASA appliance are passing.


Creating a VPN tunnel that requires strong authentication
The following are general instructions for creating a VPN tunnel:
1. Open the Cisco ASA administration console.
2. Click on the VPN icon on the left column. The VPN wizard appears.

3. Select the VPN Tunnel Type and the VPN Tunnel Interface as follows:


4. Select the Client Type: Cisco VPN client, Release 3.x or higher.
5. Enter the Pre-Shared Key and the Tunnel Group Name. This is the key that will
be shared with all VPN clients connecting to this appliance. To keep it simple, in
this example, we will use the following phrase: myciscovpn.

6. In the Client Authentication window, click the Authenticate using an AAA
server group, and then click on the drop down menu and select the SafeWord
server group.




7. All the VPN clients will need an IP address assigned. You can either use a
preconfigured IP pool or click New to create a new IP pool. We will create a new
pool as follows: Network 192.168.10.0/24 IP Ranges 192.168.10.100 – 200.



8. Click OK.




9. Fill in all the attributes provided to push DNS, WINS, domain name, etc. to
connecting clients.



10. Select IKE Policy. If you do not understand this option, leave the default values.



11. IPSec Rule: This is another configuration window that if unclear, should be left
set to the default.




12. Address Translation Exceptions. To expose the entire private network without
using NAT, leave the Selected Hosts/Networks list blank.



13. Click Finish.


Configuring the Cisco VPN Client and connecting to the
Cisco ASA Appliance using two factor authentication
Installing and configuring the Cisco VPN Client is the last step in deploying a Remote
Access system using two factor authentication. To configure the client and successfully
log on using SafeWord One Time Passwords, follow the steps below.
1. At the Windows workstation, launch the Cisco VPN Client. The Cisco VPN
Client opens.

2. Click New. The Create a New VPN Client opens.
3. Use the values entered before to create the VPN tunnel at the Cisco ASA
appliance as shown below.




4. Click Save.
5. The Cisco VPN Client shows the new Connection Entry.

6. Click Connect. The User Authentication Window opens.
7. Enter the user name and SafeWord passcode as shown below, and then click OK.


8. Cisco ASA successfully authenticates the user using a one-time passcode against
our SafeWord RADIUS Server, and the tunnel is created.
