Saturday, September 26, 2009

Cisco ASA VPN and RSA SecurID Appliance

I recently set up an RSA SecurID Appliance as an authentication source for a Cisco ASA 5510 running 8.0.x firmware. The basic setup of the box was pretty straightforward. It runs a stripped-down Linux distribution with a 2.6.24.x kernel.

Anyway, after setting up an authentication source using a Windows 2003/2008 Active Directory domain controller and importing a batch of time-based RSA key tokens, I set up the ASA to authenticate against the RADIUS server. Here's the necessary config on the ASA:

aaa-server rsaapp protocol sdi
aaa-server rsaapp (INSIDE) host 10.14.14.50 MY_PASSWORD_FOR_RADIUS_CLIENT

tunnel-group employees type remote-access
tunnel-group employees general-attributes
 address-pool employees-pool
 authentication-server-group rsaapp
 default-group-policy operations
tunnel-group operations ipsec-attributes
 pre-shared-key *
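A mistake in this part of the config (an authentication-server-group that names an aaa-server group that was never defined, an aaa-server group with no host, or attribute sections for a tunnel-group that was never created with a type line) shows up to the user only as a failed login, so it is worth checking the fragment before anyone tries a token. The following Python script is an added example, not code from the original post, Cisco or RSA: it parses a fragment in the style shown above, understanding only the handful of commands the post uses, and reports those inconsistencies. The embedded sample is a constructed copy of the fragment with the shared secret replaced by a placeholder. Run against it, the lint flags the tunnel-group operations ipsec-attributes section, because no tunnel-group operations type line appears in the excerpt.

```python
"""Lint a Cisco ASA remote-access AAA / tunnel-group config fragment.

Added example; not code from the original post, Cisco or RSA. It understands
only the commands used in the post (aaa-server protocol/host, tunnel-group
type and attribute sections, authentication-server-group) and reports
inconsistencies worth catching before a VPN user tries a token.
"""
import re
from dataclasses import dataclass, field

# Constructed copy of the post's fragment; the shared secret is a placeholder.
SAMPLE_CONFIG = """\
aaa-server rsaapp protocol sdi
aaa-server rsaapp (INSIDE) host 10.14.14.50 SHARED_SECRET_PLACEHOLDER

tunnel-group employees type remote-access
tunnel-group employees general-attributes
 address-pool employees-pool
 authentication-server-group rsaapp
 default-group-policy operations
tunnel-group operations ipsec-attributes
 pre-shared-key *
"""

# Matchers for the commands this lint understands (sub-commands may be indented).
AAA_PROTO = re.compile(r"^aaa-server\s+(\S+)\s+protocol\s+(\S+)$")
AAA_HOST = re.compile(r"^aaa-server\s+(\S+)\s+(?:\(\S+\)\s+)?host\s+(\S+)")
TG_TYPE = re.compile(r"^tunnel-group\s+(\S+)\s+type\s+(\S+)$")
TG_SECTION = re.compile(
    r"^tunnel-group\s+(\S+)\s+(general-attributes|ipsec-attributes|webvpn-attributes)$")
AUTH_GROUP = re.compile(r"^authentication-server-group\s+(?:\(\S+\)\s+)?(\S+)")


@dataclass
class AsaConfig:
    aaa_protocol: dict = field(default_factory=dict)  # aaa group -> protocol
    aaa_hosts: dict = field(default_factory=dict)     # aaa group -> [server address]
    tg_type: dict = field(default_factory=dict)       # tunnel-group -> type
    tg_auth: dict = field(default_factory=dict)       # tunnel-group -> aaa group it uses
    tg_sections: set = field(default_factory=set)     # tunnel-groups with attribute sections


def parse(text):
    """Walk the config line by line, tracking which tunnel-group section we are in."""
    cfg = AsaConfig()
    current_tg = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := AAA_PROTO.match(line):
            cfg.aaa_protocol[m.group(1)] = m.group(2)
            current_tg = None
        elif m := AAA_HOST.match(line):
            cfg.aaa_hosts.setdefault(m.group(1), []).append(m.group(2))
            current_tg = None
        elif m := TG_TYPE.match(line):
            cfg.tg_type[m.group(1)] = m.group(2)
            current_tg = None
        elif m := TG_SECTION.match(line):
            current_tg = m.group(1)
            cfg.tg_sections.add(current_tg)
        elif (m := AUTH_GROUP.match(line)) and current_tg:
            cfg.tg_auth[current_tg] = m.group(1)
    return cfg


def lint(cfg):
    """Return a list of human-readable findings; an empty list means no problem found."""
    findings = []
    for group, proto in sorted(cfg.aaa_protocol.items()):
        if not cfg.aaa_hosts.get(group):
            findings.append(f"aaa-server {group}: protocol {proto} declared but no host configured")
    for group in sorted(cfg.aaa_hosts):
        if group not in cfg.aaa_protocol:
            findings.append(f"aaa-server {group}: host configured but no 'protocol' line")
    for tg, aaa in sorted(cfg.tg_auth.items()):
        if aaa.upper() != "LOCAL" and aaa not in cfg.aaa_protocol:
            findings.append(f"tunnel-group {tg}: authentication-server-group {aaa} "
                            "is not a defined aaa-server group")
    for tg in sorted(cfg.tg_sections):
        if tg not in cfg.tg_type:
            findings.append(f"tunnel-group {tg}: attribute section present but no "
                            f"'tunnel-group {tg} type ...' line")
    for tg, kind in sorted(cfg.tg_type.items()):
        if kind == "remote-access" and tg not in cfg.tg_auth:
            findings.append(f"tunnel-group {tg}: remote-access group without an "
                            "authentication-server-group (LOCAL will be used)")
    return findings


if __name__ == "__main__":
    for finding in lint(parse(SAMPLE_CONFIG)) or ["no findings"]:
        print(finding)
```

The lint is deliberately narrow: it knows nothing about the RSA side, so the shared secret in the host line still has to be compared by hand with the client entry on the appliance (step 3 below), and it does not verify that the address is reachable from the interface named in parentheses.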

Here are several important things to do:

1. Set up DNS entries for the RSA box and the ASA, both forward and reverse (PTR). The box seems to look for its own FQDN. You can use the hosts file during setup.

2. Make sure the ASA, the RSA box, and the domain controller all have accurate time (via NTP, etc.).

3. Set up a RADIUS client on the RSA box and use the same passphrase you used in the ASA aaa-server config.

4. Assign token devices to users. Start off with one user for testing.

5. Re-synchronize the token. I'm not 100% sure this is necessary, but I tried several tokens, and it seemed to be needed each time.

6. Have the user log into the self-service console:

https://myrsaappliance.mydomain.local:7004/console-selfservice

The user should log into the console with their Active Directory username and password, then set a PIN on the token.

7. Wait a minute or two, and then have the user log into the VPN appliance with the Cisco client. The wait seemed to be necessary, as the token didn't work at first; after running through the configuration again, I tried waiting, and then it worked.


12 comments:

Vancouverappliancerepair said...

As soon as I saw the headline I couldn't wait to start reading the comments. Thank you all so much for your comments and support. Great resource for educators as well!

appliance repair vancouver

Rivald said...

Wow! I'm stunned that anyone reads this blog. I've been posting for a while with no comments from anyone... I kind of used it like a personal wiki.

I hope you find it of some use. It is rather eclectic, as you can see. I try to update it at least once a month. You can follow the RSS feed, if you'd like. Thanks for commenting!

Tony said...

Just wanted to pop in and say thanks. This post was exactly what I needed!

Rivald said...

Thanks, Tony. I'm glad that other people occasionally read this blog. I like to document things I find tedious or perplexing so I don't have to figure them out again.

Anonymous said...

Good document, this is what I wanted to read. Thanks, keep up the good work. Now subscribed to your site via RSS.

Ahmed said...

Have you tried to configure different webvpn groups and authenticate with SecurID?

Toko said...

Thank you for the nice post. I have a question about how to restrict VPN users' access (using group lock) at different levels when the SDI protocol is used.

Is there a way that the Cisco ASA can receive the user attribute from the ACE server via the SDI protocol and do the group lock according to the user attributes?

I mean there are two groups for VPN users. Every group has a different ACL.

Thanks again and waiting ....

Loppo said...

Hi Rivald,

One question on this topic:
We're trying to use an RSA server which is located at a different site, so the ASA actually has to talk to the RSA server through an existing VPN tunnel. We can't get it working... any ideas would be appreciated.

thx

Rivald said...

Loppo:

How do you have the AAA configured on the ASA? Specifically, which interface does it use to query the remote RSA over the VPN?

If it is the inside (or equivalent), can you ping the RSA using the inside interface over the IPsec tunnel (i.e., ping inside rsa.ip.address)?

Rivald said...

Toko:

I'll have to think about that one. I'm not doing group-level ACLs using the RSA currently. I've done this using LDAP, but not with an RSA appliance. At the very least, I can dig up the LDAP configuration I wrote as an example.

Anonymous said...

This article is a life saver; the resynchronize-token step is exactly what caused my problem. Thanks a lot, mate. Keep up the good work. Cheers :)

GreboUK said...

Excellent, thanks for the post.