RSA SecurID Ready Implementation Guide IOS Router Cisco VPN Auth Man6
User Manual: IOS Router
Page Count: 8
RSA SecurID Ready Implementation Guide
Last Modified: April 6, 2005

Partner Information

Product Information
Partner Name: Cisco Systems
Web Site: www.cisco.com
Product Name: Cisco IOS VPN Router
Version & Platform: 12.3(13)
Product Description: Cisco IOS IPsec functionality provides network data encryption at the IP packet level, offering a robust, standards-based security solution. IPsec provides data authentication and anti-replay services, in addition to data confidentiality services. It is the only way to implement secure VPNs. Customers can combine IPsec with other Cisco IOS Software functionality to build scalable, robust, and secure Quality of Service-aware VPNs.
Product Category: Perimeter Defense (Firewalls, VPNs & Intrusion Detection)

Solution Summary

The Cisco IOS VPN software combines IPsec VPN enhancements with robust firewall, intrusion detection, and secure administration capabilities. The VPN provides users with a complete implementation of IPsec standards, including support for DES and Triple DES encryption, and authentication through RSA SecurID and pre-shared keys via RADIUS.
Partner Integration Overview

Authentication Methods Supported: RADIUS
List Library Version Used: N/A
RSA Authentication Manager Name Locking: N/A
RSA Authentication Manager Replica Support: N/A
Secondary RADIUS Server Support: Yes (hardware dependent for number of servers)
Location of Node Secret on Agent: None stored
RSA Authentication Agent Host Type: Communication Server
RSA SecurID User Specification: Designated Users, All Users, Default Method
RSA SecurID Protection of Administrative Users: Yes
RSA Software Token API Integration: No
Use of Cached Domain Credentials: No

Product Requirements

Partner Product Requirements: Cisco IOS VPN Router
Firmware Version: 12.3(13)

Additional Software Requirements
Application: Cisco Secure VPN Client
Additional Patches: 4.6

Agent Host Configuration

To facilitate communication between the Cisco IOS VPN Router and the RSA Authentication Manager / RSA SecurID Appliance, an Agent Host record must be added to the RSA Authentication Manager database. The Agent Host record identifies the Cisco IOS VPN Router within its database and contains information about communication and encryption.

To create the Agent Host record, you will need the following information.

• Hostname
• IP Addresses for all network interfaces
• RADIUS Secret, which must match the RADIUS Secret on the Cisco IOS VPN Router.

When adding the Agent Host Record, you should configure the Cisco IOS VPN Router as a Communication Server. This setting is used by the RSA Authentication Manager to determine how communication with the Cisco IOS VPN Router will occur.

Note: Hostnames within the RSA Authentication Manager / RSA SecurID Appliance must resolve to valid IP addresses on the local network.

Please refer to the appropriate RSA Security documentation for additional information about Creating, Modifying and Managing Agent Host records.
Partner Authentication Agent Configuration

Before You Begin

This section provides instructions for integrating the partner's product with RSA SecurID Authentication. This document is not intended to suggest optimum installations or configurations.

It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.

All vendor products/components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.

Cisco IOS VPN Router

Log on to the Cisco remote access server and enter enable mode by typing "enable" and giving the enable password. Then enter configuration mode by typing "config t". You can now enter the commands below to turn on authentication. To turn off a command, put the word "no" in front of the command line.

RADIUS configuration:

    aaa new-model
    ! Xauth user logins: RADIUS (RSA Authentication Manager) first,
    ! local user database only if the RADIUS server does not respond
    aaa authentication login userauthen group radius local
    ! VPN group policy lookup uses the local group definition
    aaa authorization network groupauthor local
    radius-server host xxx.xxx.xxx.xxx auth-port 1645 acct-port 1646
    radius-server timeout 120
    ! Placeholder; must match the RADIUS Secret in the Agent Host record
    radius-server key "your key"

VPN Policy:

    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    ! Group name must match the group name on the VPN client
    crypto isakmp client configuration group vpngroup
     ! Key must match the key on the VPN client
     key password
    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    crypto dynamic-map dymap 10
     set transform-set myset
    crypto map clientmap client authentication list userauthen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dymap

Interface configuration: Apply the crypto map to the appropriate interface.
    interface Ethernet1/0
     description connected to EthernetLAN
     crypto map clientmap

VPN Client Configuration

• Install the Cisco VPN client.
• Click the New button to create an RSA SecurID connection entry. Fill in the appropriate information for the connection. The group name and password must match the entry you create on the VPN server.
• Click Save.
• Highlight the connection created and click Connect.
• The user will now be prompted for authentication information.

Certification Checklist

Date Tested: April 4, 2005

Certification Environment (Product Name: Version Information, Operating System)
• RSA Authentication Manager: 6.0, Windows 2003
• Cisco IOS VPN Router: 12.3(13), IOS
• Cisco Secure VPN Client: 4.6, Windows 2003

Mandatory Functionality

RSA Native Protocol (N/A for every item)
• New PIN Mode: Force Authentication After New PIN; System Generated PIN; User Defined (4-8 Alphanumeric); User Defined (5-7 Numeric); User Selectable; Deny 4 and 8 Digit PIN; Deny Alphanumeric PIN
• PASSCODE: 16 Digit PASSCODE; 4 Digit Password
• Next Tokencode Mode: Next Tokencode Mode
• Load Balancing / Reliability Testing: Failover (3-10 Replicas); Name Locking Enabled; No RSA Authentication Manager

RADIUS Protocol
• New PIN Mode: Force Authentication After New PIN; System Generated PIN; User Defined (4-8 Alphanumeric); User Defined (5-7 Numeric); User Selectable; Deny 4 and 8 Digit PIN; Deny Alphanumeric PIN
• PASSCODE: 16 Digit PASSCODE; 4 Digit Password
• Next Tokencode Mode: Next Tokencode Mode
• Load Balancing / Reliability Testing: Failover; Name Locking Enabled; No RSA Authentication Manager

Additional Functionality

RSA Software Token API Functionality
• System Generated PIN: N/A
• User Defined (8 Digit Numeric): N/A
• User Selectable: N/A
• Next Tokencode Mode: N/A

Domain Credential Functionality
• Determine Cached Credential State: N/A
• Set Domain Credential: N/A
• Retrieve Domain Credential: N/A

SWA

= Pass   = Fail   N/A = Non-Available Function
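An added example, not part of the RSA/Cisco guide: a Python check over a saved router configuration that confirms the client authentication list named in the crypto map (see the RADIUS configuration and VPN Policy above) actually queries RADIUS, so that RSA Authentication Manager is consulted for VPN logins. The function name `audit_xauth`, the address 192.0.2.10 and the sample configurations are assumptions constructed for illustration.

```python
import re

def audit_xauth(config):
    """Return findings on how VPN user (Xauth) logins are wired to RADIUS."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings = []
    # Method lists: "aaa authentication login <name> <method> [<method> ...]"
    lists = {}
    for ln in lines:
        m = re.match(r"aaa authentication login (\S+) (.+)", ln)
        if m:
            lists[m.group(1)] = m.group(2).split()
    # Lists the crypto maps actually use for client authentication
    used = re.findall(r"^crypto map \S+ client authentication list (\S+)$",
                      "\n".join(lines), re.M)
    if not used:
        findings.append("no crypto map references a client authentication list")
    for name in used:
        methods = lists.get(name)
        if methods is None:
            findings.append(f"list {name} is referenced but never defined")
        elif ("group", "radius") not in zip(methods, methods[1:]):
            findings.append(f"list {name} never queries RADIUS")
        elif "local" in methods:
            findings.append(f"list {name} falls back to local passwords "
                            "when RADIUS does not respond")
    if not any(ln.startswith("radius-server host ") for ln in lines):
        findings.append("no radius-server host configured")
    keys = [ln.split(" ", 2)[2].strip('"\u201c\u201d ') for ln in lines
            if ln.startswith("radius-server key ")]
    if not keys:
        findings.append("no radius-server key configured")
    elif keys[0] == "your key":
        findings.append("radius-server key is still the guide's placeholder")
    return findings

# Constructed sample: method list with no RADIUS method, placeholder key
MISWIRED = """\
aaa new-model
aaa authentication login userauthen group local
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646
radius-server key "your key"
crypto map clientmap client authentication list userauthen
"""
# Constructed sample: RADIUS-only list and a non-placeholder key
RADIUS_ONLY = MISWIRED.replace("group local", "group radius").replace(
    '"your key"', "constructed-secret")
```

An empty result means the list used by the crypto map reaches RADIUS with no local fallback; the fallback finding is informational, since IOS only moves to the next method when the RADIUS server fails to answer.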
Source Exif Data:
File Type: PDF
File Type Extension: pdf
MIME Type: application/pdf
PDF Version: 1.4
Linearized: Yes
Tagged PDF: Yes
XMP Toolkit: 3.1-701
Producer: Acrobat Distiller 7.0 (Windows)
Company: RSA Security, Inc.
Manager: Partner Development Group
Source Modified: D:20050419132951
Category: Implementation Guide
Creator Tool: Acrobat PDFMaker 7.0 for Word
Modify Date: 2005:04:19 09:30:16-04:00
Create Date: 2005:04:19 09:30:02-04:00
Metadata Date: 2005:04:19 09:30:16-04:00
Document ID: uuid:850194a8-e86a-47ca-bd3f-8f7b1df1c132
Instance ID: uuid:f5b61a51-a750-4c28-9745-5eeddf632d3e
Version ID: 4
Format: application/pdf
Title: RSA SecurID Ready Implementation Guide
Creator: RSA Security, Inc.
Description: RSA Authentication Manager
Subject:
Headline: RSA Authentication Manager
Page Count: 8
Page Layout: OneColumn
Author: RSA Security, Inc.