Saturday, September 26, 2009

Cisco ASA VPN and RSA SecurID Appliance

I recently set up an RSA SecurID Appliance as an authentication source for a Cisco ASA 5510 running 8.0.x firmware. The basic setup of the box was pretty straightforward. It runs a stripped-down Linux distribution with a 2.6.24.x kernel.

Anyway, after setting up an authentication source using a Windows 2003/2008 Active Directory domain controller and importing a batch of time-based RSA key tokens, I set up the ASA to authenticate off the RADIUS server. Here's the necessary config on the ASA:

aaa-server rsaapp protocol sdi
aaa-server rsaapp (INSIDE) host 10.14.14.50 MY_PASSWORD_FOR_RADIUS_CLIENT

tunnel-group employees type remote-access
tunnel-group employees general-attributes
address-pool employees-pool
authentication-server-group rsaapp
default-group-policy operations
tunnel-group operations ipsec-attributes
pre-shared-key *

Here are several important things to do:

1. Set up DNS entries for the RSA box and the ASA, both forward and reverse/PTR. The box seems to be looking for its FQDN. You can use the hosts file for setup.

2. Make sure the ASA, RSA box, and domain controller all have accurate time (via NTP, etc.).

3. Set up a RADIUS client on the RSA box and use the same passphrase you used in the ASA aaa-server config.

4. Assign token devices to users... start off with one user for testing.

5. Re-synchronize the token. I'm not 100% sure this is necessary, but I tried several tokens, and this seemed necessary.

6. Have the user log into the self-service console:

https://myrsaappliance.mydomain.local:7004/console-selfservice

He or she should log into the console with their Active Directory username and password. He or she should then set a PIN on the token.

7. Wait for a minute or two, and then have the user log into the VPN appliance with the Cisco client. This seemed to be necessary, as the token didn't seem to work at first. After running through the configuration again, I tried waiting, and this worked.
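As an added example (not code from the original post, Cisco or RSA), here is the RADIUS Access-Request / Access-Accept exchange that the shared passphrase from step 3 protects, written out on both sides so you can confirm the ASA side and the RSA side agree on the secret before a real token is involved; for SecurID over RADIUS the User-Password attribute carries the passcode, i.e. the PIN from step 6 followed by the current tokencode. The username, NAS address and the secret value are assumptions.

```python
import hashlib
import os
import socket
import struct

# Added example (not from the original post): the RADIUS Access-Request the ASA sends to
# the RSA appliance and the Access-Accept it expects back, so the shared secret from the
# aaa-server line can be checked in isolation. Names, IPs and the secret are constructed.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

def hide_password(passcode, secret, authenticator):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block).
    For SecurID over RADIUS the passcode is the PIN followed by the current tokencode."""
    passcode += b"\x00" * (-len(passcode) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(passcode), 16):
        prev = bytes(a ^ b for a, b in zip(passcode[i:i + 16], hashlib.md5(secret + prev).digest()))
        hidden += prev
    return hidden

def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password; this is what the RADIUS server does on receipt."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        clear += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")

def attribute(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value  # type, length, value

def build_access_request(ident, username, passcode, secret, nas_ip, authenticator=None):
    """Client side (the ASA): 20-byte header, random Request Authenticator, then AVPs."""
    authenticator = authenticator or os.urandom(16)
    avps = (attribute(ATTR_USER_NAME, username.encode())
            + attribute(ATTR_USER_PASSWORD, hide_password(passcode.encode(), secret, authenticator))
            + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(avps)) + authenticator + avps

def build_access_accept(request, secret):
    """Server side (the RSA appliance), RFC 2865 s3: Response Authenticator =
    MD5(reply header + Request Authenticator + reply attributes (none here) + secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def response_is_authentic(request, response, secret):
    """Only verifies when both ends hold the same secret; a mismatched passphrase fails here."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[4:20] == expected
```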